---
title: Your coding agent holds a credential. The board question is which one you actually locked down
slug: harness-coding-agent-credential-blast-radius-board-question
date: 2026-06-24
excerpt: This week three harness vendors quietly shipped credential and permission fixes, not features. The board question underneath the patch notes is which single access your coding agent holds that nobody has reviewed.
featured_image: "https://bbtxujdxvidaghmhxkqs.supabase.co/storage/v1/object/public/generated-images/blog-1782285272715-harness-coding-agent-credential-blast-radius-board-question.webp"
featured_image_alt: A locked padlock icon sitting on top of a developer terminal window full of code, with a faint key outline behind it, representing a coding agent holding a credential.
canonical_url: https://cerevisor.com/blog/harness-coding-agent-credential-blast-radius-board-question
updated_at: 2026-06-24T07:14:33.942556+00:00
---

# Your coding agent holds a credential. The board question is which one you actually locked down

I read three sets of release notes this week and none of them were exciting, which is exactly why they matter. On June 23, [Claude Code](/blog/harness-supervisory-engineer-org-chart-box) shipped v2.1.186 with a fix for subagent deny rules that were not actually being enforced. The same day, GitHub gave its Copilot app the ability to store model-provider keys in the local OS keychain, where the interface can never read them back. Two days earlier, Claude Code v2.1.181 quietly fixed an AWS credential bug that was refreshing those keys every single minute.

None of that will make a headline. All of it is the same move. The harness vendors spent the week hardening the one thing that actually gets attacked: the credential a coding agent holds on the team’s behalf.

**TLDR**

This week's coding-agent releases were about containment, not capability: subagent permission enforcement, credential storage moving into the OS keychain, destructive-command blocking. The reason is that the real incidents this year did not break the model; they used the agent's own authorized access. The board question is not which harness is best. It is which single credential the agent holds that nobody has reviewed.

## What the release notes were actually telling you

Here is the thing the patch notes do not say out loud. A coding agent is not really a code generator. It is a process running on a developer’s machine or in a CI pipeline, holding a GitHub token, an AWS key, an npm credential, and an MCP connection to who-knows-what, with permission to execute. The model is the part everyone talks about. The credential is the part that gets stolen.

Back in late April, VentureBeat walked through six separate exploits that researchers landed against Codex, Claude Code, Copilot, and Vertex AI. The pattern was identical in every one. The attacker did not jailbreak the model. The agent simply held a credential, executed an authorized action, and authenticated to a production system with no human session anchoring the request. As the piece put it: “Enterprises believe they have approved AI vendors, but what they have actually approved is an interface, not the underlying system.” In one case, hidden instructions in a GitHub issue walked Copilot into checking out a malicious pull request and leaking a privileged token. Every step was allowed.

That is why this week’s fixes look the way they do. When Anthropic changes background subagents to surface a permission prompt instead of silently auto-denying, and when GitHub moves keys into the keychain and out of the read path, they are shrinking the blast radius of a credential the agent was always going to hold. The capability is not the risk. The access is.

**24,008** unique secrets GitGuardian found sitting in MCP configuration files on public GitHub

And the config file is a real target, not a hypothetical one. GitGuardian’s State of Secrets Sprawl report, published in March, counted 24,008 unique secrets exposed in MCP configuration files on public GitHub. The reason is depressingly simple: a lot of popular MCP setup guides tell people to paste an API key straight into the config. When the official quickstart normalizes bad credential handling, sprawl follows.
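A defender-side check for the MCP-config problem described above, as an added example (not code from this post, from GitGuardian, or from any harness vendor): it walks the common `mcpServers` layout and reports `env` entries and command-line flags that carry a pasted-in key instead of an environment-variable reference. The key-format patterns and the sample config are constructed assumptions, not values from any real project.

```python
"""Flag literal credentials in MCP server configs (added example, not the
post's own code). Assumes the common {"mcpServers": {"<name>": {"command",
"args", "env"}}} layout; patterns and the sample config are constructed."""
import json
import re
from typing import Dict, List

# Prefixes of common key formats (heuristic list constructed for this example).
SECRET_PATTERNS = [
    re.compile(r"^sk-[A-Za-z0-9_-]{16,}$"),               # sk-... API keys
    re.compile(r"^(ghp|gho|ghu|ghs)_[A-Za-z0-9]{20,}$"),  # GitHub tokens
]
SENSITIVE_NAME = re.compile(r"key|token|secret|password", re.I)
ENV_REFERENCE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")  # $VAR or ${VAR}


def looks_like_secret(name: str, value: object) -> bool:
    """True when a config value is a literal credential, not a reference."""
    if not isinstance(value, str) or not value or ENV_REFERENCE.match(value):
        return False  # references are resolved at launch; nothing sits in the file
    if any(p.match(value) for p in SECRET_PATTERNS):
        return True
    # A sensitive-looking name holding a long opaque literal also needs review.
    return bool(SENSITIVE_NAME.search(name)) and len(value) >= 16


def scan_mcp_config(text: str) -> List[Dict[str, str]]:
    """Return one finding per inline secret in an MCP config JSON document."""
    findings = []
    for server, cfg in json.loads(text).get("mcpServers", {}).items():
        for name, value in cfg.get("env", {}).items():
            if looks_like_secret(name, value):
                findings.append({"server": server, "where": f"env.{name}"})
        for arg in cfg.get("args", []):
            if "=" not in arg:
                continue
            flag, literal = arg.lstrip("-").split("=", 1)  # --api-key=VALUE
            if looks_like_secret(flag, literal):
                findings.append({"server": server, "where": f"args:{flag}"})
    return findings


# Constructed sample: two servers with pasted-in keys, one using a reference.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "github-mcp-server"],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_" + "a" * 36}},
    "search": {"command": "uvx", "args": ["search-server", "--api-key=sk-" + "b" * 32]},
    "safe": {"command": "npx", "args": ["files-server"], "env": {"API_KEY": "${MY_API_KEY}"}},
}})
```

Run it over every MCP config checked into a repository and the output is the first column of the per-agent credential inventory the rest of this post argues for.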

---

## The three questions your board will actually ask

If this lands in a [board meeting](/blog/ai-roi-where-returns-show-up-first), it will not arrive as a security advisory. It will arrive as someone asking whether the company is exposed. Here is how I would answer the three questions that follow.

**“Could one of these incidents hit us?”** The honest answer is that the worst ones leave nothing to patch. When an agent does exactly what it is permitted to do, no CVE gets filed. So the real exposure is not patch cadence; it is the permission inventory. The question to redirect to: which credentials can each agent reach, and who decided that?

**“Are we actually defended, or do we just think we are?”** This is where the most useful number this month comes in. An independent assessment of 100 production agents found the gap between believed and verified defense is enormous.

> "Coding agents and computer agents rank as the top 2 highest attack surfaces, top 2 highest blast radius, and top 2 lowest defense controls."

AIRQ (AI Risk Quadrant) independent assessment of 100 production agents, via Help Net Security, June 2026

In the same assessment, only 11% of production agents were adequately defended, 98% carried what researchers call the lethal trifecta, and 83% of claimed defenses had never been independently verified. The board does not need to memorize those numbers. It needs to internalize the one that matters: 83% of the controls people believe they have, nobody has checked.

**“Who owns the answer?”** A coding-agent credential review is not the [security team](/blog/permissions-security-lock-down)’s side project. It is a named owner with a one-page inventory: which agent, which credential, which permission scope, last reviewed when. A 2026 survey of 235 CISOs and CIOs found 92% lack full visibility into their AI agent identities and 95% doubt they could detect or contain a compromised one. That is not a tooling problem anyone can buy their way out of. It is an ownership gap.

> When an agent does exactly what it is permitted to do, no CVE gets filed. The exposure is not patch cadence; it is the permission inventory.

## The 60-second brief for the next board update

With one minute on the clock, say this. Our coding agents hold real production credentials. The serious incidents this year did not break any model; they used access we granted. This week our vendors hardened that exact surface, which is good and also a reminder that the work is ours to finish. We have named an owner, we are building a one-page credential inventory per agent, and we are checking which controls are actually verified versus assumed. The metric I will report next quarter is the share of our agents whose credential scope and [kill switch](/blog/markets-who-holds-the-kill-switch-on-a-trading-agent) have been reviewed by a person.

**Key Insight**

Nobody can patch an authorized action. The only defense against a credential blast radius is shrinking the credential, scoping the permission, and verifying it with a human, before an attacker does the verifying instead.

## What to watch over the next quarter

Watch for two things, both calmly. First, whether the harness vendors keep moving credentials out of the agent’s reach the way GitHub did this week. That direction is the right one and worth rewarding at renewal. Second, watch the MCP configs, because that is where the secrets quietly pile up. None of this is a fire drill. The harness is getting safer release by release. The part that stays with the team is knowing, on one page, exactly what each agent can touch. Get that page written, and the [board question](/blog/harness-patch-tuesday-board-question) answers itself.

#### Sources

- [Claude Code Updates by Anthropic - June 2026](https://releasebot.io/updates/anthropic/claude-code) - Releasebot (Anthropic Claude Code changelog), 2026-06-23

- [GitHub Copilot app support for BYOK](https://github.blog/changelog/2026-06-23-github-copilot-app-support-for-byok/) - GitHub Changelog, 2026-06-23

- [AI coding agents breached: attackers targeted credentials, not models](https://venturebeat.com/security/six-exploits-broke-ai-coding-agents-iam-never-saw-them) - VentureBeat, 2026-04-30

- [Only 11% of production agents pass the AI agent security bar](https://www.helpnetsecurity.com/2026/06/03/research-ai-agent-security-capability/) - Help Net Security, 2026-06-03

- [The State of Secrets Sprawl 2026](https://blog.gitguardian.com/the-state-of-secrets-sprawl-2026/) - GitGuardian, 2026-03-17

- [The Ungoverned Workforce: 92% Lack Visibility Into AI Identities](https://www.globenewswire.com/news-release/2026/04/21/3278155/0/en/The-Ungoverned-Workforce-Cybersecurity-Insiders-Finds-92-Lack-Visibility-Into-AI-Identities.html) - Cybersecurity Insiders / GlobeNewswire, 2026-04-21
