
Every Hardcoded API Key in Your AI Stack Is, According to Gartner, a Failure of Your IAM Program

That title is not a paraphrase. That is a near-direct quote from Gartner’s April 2026 Reference Architecture Brief on IAM for AI Agents and Other Workloads:

“Every new static symmetric string, such as an API key, represents a failure of the IAM program and tooling.”

Gartner®, Reference Architecture Brief: IAM for AI Agents and Other Workloads, Erik Wahlstrom, 20 April 2026

If your AI agents authenticate to data sources, SaaS APIs, internal services, or LLM providers using hardcoded API keys — and most of them do — Gartner is telling you that you are accumulating IAM technical debt at the speed your AI program is expanding.

And Gartner is also telling you that the obvious answer, “rotate them more often,” does not work:

“The rotation of secrets is widely assumed to be a standard practice, despite being practically impossible to implement at enterprise scale for most organizations… The 2025 Gartner Machine Identity Management in a Hybrid, Automated AI World Survey showed that 32% of organizations use mostly automated methods to manage credentials and only 1% use fully automated methods.”

Gartner®, Reference Architecture Brief: IAM for AI Agents and Other Workloads, Erik Wahlstrom, 20 April 2026

The Path Gartner Draws

Gartner’s prescription is unambiguous: stop trying to rotate secrets faster, and start eliminating the need for them. Use a Workload Identity Provider to mint short-lived credentials, on demand, from the workload’s own platform-native identity. Use workload federation to make those credentials work across cloud and on-premises domains. Govern everything from a single, centralized control plane.

This is the architecture we built Akeyless to deliver.

How Secretless AI™ Works

  1. An AI agent — running in EKS, AKS, GKE, on-prem Kubernetes, or directly on a VM — authenticates to Akeyless using its inherent platform identity. No client secret. No API key. No bootstrap credential to manage.
  2. The Akeyless Gateway, deployed inside your environment, validates that identity against the policy you have defined. The policy can include attributes like cluster, namespace, time of day, container posture, and the identity of the human the agent is acting on behalf of.
  3. If the policy allows the request, Akeyless mints a Just-in-Time, ephemeral credential — a temporary AWS IAM role, a temporary database user, an SSH certificate, an OAuth token — scoped to the exact privilege the agent needs.
  4. The credential lives for minutes or hours, not weeks or months. When the agent’s task is done, or the TTL expires, the credential is automatically revoked.
  5. Every issuance, every use, every revocation is logged at the item level and streamed to your SIEM.
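To make steps 1 through 5 concrete, here is an added, self-contained Python model of the flow (it is illustrative code written for this page, not Akeyless's API; the policy shape, the claim names, and the function names are assumptions). It assumes the caller has already verified the signature of the cluster-issued identity token and passes in its claims.

```python
import time
import secrets
from dataclasses import dataclass

# Constructed example of the Secretless flow: platform-identity claims are
# checked against an attribute-based policy, a short-lived credential is
# minted, and every issue/use/deny/revoke is recorded at the item level.
# Policy keys are (namespace, service account); values are assumptions.
POLICY = {
    ("prod", "billing-agent"): {
        "scope": "db:reports:read",  # exact privilege the agent may receive
        "ttl": 600,                  # lifetime in seconds (minutes, not months)
        "require_human": True,       # agent must act on behalf of a named user
    },
}

AUDIT_LOG = []  # (event, subject, on_behalf_of, timestamp) tuples


@dataclass
class Credential:
    token: str
    scope: str
    expires_at: float
    on_behalf_of: str


def mint_credential(claims, now=None):
    """Step 2-3: validate the workload identity against POLICY, then mint a
    JIT credential. Returns None (and logs a deny) when policy does not allow."""
    now = time.time() if now is None else now
    key = (claims.get("namespace"), claims.get("service_account"))
    human = claims.get("on_behalf_of", "")
    rule = POLICY.get(key)
    if rule is None or (rule["require_human"] and not human):
        AUDIT_LOG.append(("deny", key, human, now))
        return None
    cred = Credential(secrets.token_urlsafe(24), rule["scope"], now + rule["ttl"], human)
    AUDIT_LOG.append(("issue", key, human, now))
    return cred


def use_credential(cred, requested_scope, now=None):
    """Step 4-5: a credential is honoured only while unexpired and only for
    the scope it was minted with; expiry is logged as a revocation."""
    now = time.time() if now is None else now
    if now >= cred.expires_at:
        AUDIT_LOG.append(("revoke", cred.scope, cred.on_behalf_of, now))
        return False
    allowed = cred.scope == requested_scope
    AUDIT_LOG.append(("use" if allowed else "deny", requested_scope, cred.on_behalf_of, now))
    return allowed
```

The contrast with the "without" column is that there is no long-lived string to leak: a credential captured after its TTL fails `use_credential` and the failure itself lands in the audit log.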

What this changes:

| Without Secretless AI | With Akeyless Secretless AI™ |
| --- | --- |
| AI agent has a long-lived API key embedded in code, environment variables, or a config file. | AI agent has no secrets. Authentication uses native platform identity. |
| Rotation is theoretical. In practice, the key is the same one it was last quarter. | Credentials are minted on demand, valid for the task duration only. |
| A leaked key is a breach. A credential hunt across repos, logs, and CI is required. | A leaked credential is already expired. There is nothing to harvest. |
| Audit trail tells you which workload had access. It does not tell you what the agent did with that access. | Audit trail captures the agent identity, the human owner, the policy decision, and the action — at the item level. |
| Privilege is whatever was provisioned six months ago. | Privilege is calculated at request time, with attribute-based access control and zero-standing-privilege as the default. |

This Is Exactly What Gartner Says You Need

Gartner’s reference architecture defines a Workload Identity Provider as a tool that issues “short-lived and ephemeral credentials such as JWTs,” supports workloads acting on their own behalf, on behalf of a human user, and on behalf of other workloads, and federates across security domains. That is the spec for Akeyless.

Gartner names Akeyless as an example technology for Workload Identity Management — the governance layer that discovers, inventories, and remediates the workload identities and credentials that already exist in your environment. We do that, too.

See a 15-minute demo of Secretless AI. Bring one AI agent that currently uses an API key. Leave with a working pattern for eliminating it.
