AI coding agents need credentials to do their jobs. The problem is that most builders have no visibility into when those credentials are read, by which agent, or how often.
What counts as credential access by an AI agent?
When an agent reads a file that contains secrets, that's a credential access event. This includes:
- .env and .env.local files containing API keys or database passwords
- ~/.aws/credentials and similar cloud provider config files
- Config files with embedded tokens (config.yaml, settings.py, appsettings.json)
- SSH private keys in ~/.ssh/
- Service account JSON files for Google Cloud, Firebase, and similar providers
Agents don't always need to access these files to do useful work, but they routinely do, and that's what makes monitoring valuable. GitGuardian's 2025 State of Secrets Sprawl report found 28.6 million secrets exposed that year, a 34% increase from the prior year. A significant share of that exposure starts with uncontrolled access on local machines and CI environments.
Why does credential access by AI agents matter?
Builders give agents broad filesystem access because it makes them more capable. The same agent that reads your source code can read your .env file. That's often fine. But you only know it's fine if you can see what happened.
Three scenarios where monitoring pays off:
Unexpected access happens when an agent reads your .env file during a task that shouldn't require credentials. You don't notice because nothing broke. But if that session was compromised through a prompt injection attack, the credentials may have been exfiltrated before you knew there was a problem.
Scope drift is subtler. Agents increasingly take multi-step actions. An agent configured to help with code review might browse to a settings file, notice a database URL, and make a connection to understand the schema. That may be benign, or it may be far outside what you intended.
Audit trails matter if you're working in a regulated environment or on a team. You may need to demonstrate that only authorized processes accessed production secrets, and agent activity logs fill that gap.
How do I monitor which agents are accessing credentials?
There are two main approaches: OS-level file monitoring and agent-layer monitoring.
OS-level monitoring works by watching the filesystem for access to files that match credential patterns. On Linux, auditd can be configured with watch rules:
```bash
# Watch .env files for any process reads
auditctl -w /home/youruser/.env -p r -k agent_credential_access
auditctl -w /home/youruser/.env.local -p r -k agent_credential_access
# View the log
ausearch -k agent_credential_access
```
On macOS, fs_usage captures real-time filesystem activity and can be filtered by process. The challenge with both tools is that raw output is noisy and hard to act on without further processing. They tell you a file was read, but correlating that to a specific agent session takes work.
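One way to do that correlation for the auditd rules above, as an added example that is not from the original article or from AgentGuard360: it joins each event's SYSCALL record (which process) with its PATH record (which file) and counts accesses that fall outside a known-normal set. The log lines, the baseline set and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of raw audit.log records (not captured from a real host).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1718000000.123:4521): arch=c000003e syscall=257 success=yes exit=3 ppid=2101 pid=2188 uid=1000 comm="node" exe="/usr/bin/node" key="agent_credential_access"
type=PATH msg=audit(1718000000.123:4521): item=0 name="/home/youruser/.env" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1718000007.500:4530): arch=c000003e syscall=257 success=yes exit=3 ppid=1900 pid=1950 uid=1000 comm="vim" exe="/usr/bin/vim" key="agent_credential_access"
type=PATH msg=audit(1718000007.500:4530): item=0 name="/home/youruser/.env.local" inode=140 nametype=NORMAL
type=SYSCALL msg=audit(1718000009.010:4533): arch=c000003e syscall=257 success=yes exit=4 ppid=2101 pid=2188 uid=1000 comm="node" exe="/usr/bin/node" key="agent_credential_access"
type=PATH msg=audit(1718000009.010:4533): item=0 name="/home/youruser/.env" inode=131 nametype=NORMAL
'''

EVENT_ID = re.compile(r'msg=audit\(([\d.]+:\d+)\)')   # timestamp:serial, shared by one event's records
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text, key):
    """Return (exe, pid, ppid, path) for every event logged under the given rule key."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[m.group(1)]
        if f.get("type") == "SYSCALL":
            ev["syscall"] = f
        elif f.get("type") == "PATH" and f.get("nametype") != "PARENT":
            # name= can be relative to the event's CWD record; the sample uses absolute paths.
            ev["paths"].append(f["name"])
    out = []
    for ev in events.values():
        sc = ev["syscall"]
        if sc and sc.get("key") == key:
            out += [(sc["exe"], int(sc["pid"]), int(sc["ppid"]), p) for p in ev["paths"]]
    return out

def unexpected(accesses, baseline):
    """Count (exe, file) pairs that are absent from the known-normal baseline."""
    return Counter((exe, path) for exe, _, _, path in accesses
                   if (exe, path) not in baseline)

if __name__ == "__main__":
    # Assumed baseline: the only access considered routine on this machine.
    baseline = {("/usr/bin/vim", "/home/youruser/.env.local")}
    hits = parse_events(SAMPLE_LOG, "agent_credential_access")
    for (exe, path), n in unexpected(hits, baseline).items():
        print(f"{n} read(s) of {path} by {exe} outside baseline")
```

The pid and ppid in each tuple are what you would match against the agent's process tree to tie a read to a specific session.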
Agent-layer monitoring handles correlation for you. AgentGuard360's Shield scan monitors filesystem activity system-wide and surfaces sensitive file access in a dashboard organized by file and process, showing whether the access came from a system process or an agent. When a file matching a credential pattern (.env, credentials, *.pem, *.key) is read, the event is logged and tagged with the process that triggered it.
For serious events — an agent reading a credential file during an unusual session, or accessing credentials outside a normal work window — AgentGuard360 sends email alerts so you're not dependent on checking a dashboard.
What are common mistakes to avoid?
Assuming .gitignore is enough is the most common one. .gitignore prevents files from being committed to version control, not from being read by processes running on your machine. Agents with filesystem access can read any file in your working directory regardless of .gitignore rules.
Only monitoring writes is another gap. Credential exposure usually starts with a read, not a write. File integrity tools that only watch for modifications miss the access events that matter most.
Having no baseline makes alerts hard to act on. If you don't know what normal credential access looks like for your agent workflows, you can't distinguish a drift event from routine behavior. Establishing a baseline before you need to investigate makes alerts actionable rather than just alarming.
Treating all agents the same overlooks real risk differences. A local file-editing agent and a browser automation agent have very different exposure profiles. Monitoring systems that surface per-agent breakdowns make it easier to apply the right level of scrutiny.
