[zthrowaway]

True but there’s nothing stopping a webdev dropping an API key in some wiki somewhere in the corporate intranet and the agent quickly picking that up.

Can you scan for that? Sure. But it’s a race to see who wins, the scanner or agent.

[gizmo686]

Maybe I just haven't worked in enough start ups. But where I have worked, there are a lot of things stopping that. Most people don't have access to any production keys. For those that do, we have policies about how to manage them. Those policies go through audits. Our intranet goes through audits.

A production API key appearing on the wiki would be the second biggest security incident I have seen in almost a decade.

------

On the AI note, despite a massive investment in AI (including on-premesise models), we don't give the AI anything close to full access to the intranet because it is almost unimaginable how to square that with our data protection requirements. If the AI has access to something, you need to assume that all users of that AI have access to it. Even if the user themselves is allowed access with it, they will not be aware that the output is potentially tainted, and may share it with someone or thing that should not have access to it.