HashiCorp Vault Introduces Native AI Agent Support with Ephemeral Authorization and Identity Registry

HashiCorp today announced a major update to its Vault secrets management platform, adding native support for AI agent identities and authorization. The new capabilities include an agent registry, granular identity-based policies, and per-request ephemeral authorization controls designed to secure autonomous, non-deterministic AI workflows.

“Traditional IAM was built for deterministic users and workflows. AI agents operate autonomously and unpredictably, requiring a fundamentally new authorization model,” said Armon Dadgar, co-founder and CTO of HashiCorp. “Vault’s new agent features combine identity, delegation, runtime policy evaluation, and temporary authorization to reduce risk in AI deployments.”

Background

Organizations are rapidly adopting AI agents to automate complex tasks across their environments. These agents act on behalf of users, often making decisions without human intervention. Traditional identity and access management (IAM) systems, designed for predictable human and non-human identities, cannot handle the non-deterministic behavior of AI agents.

Source: www.hashicorp.com

HashiCorp identified a growing demand from Vault customers for security controls tailored to autonomous systems. Key requirements include guardrails for unpredictable agent operations, fine-grained runtime authorization, clear attribution of actions, and a standardized approach across workflows. The new features directly address these gaps.

New Capabilities in Vault

Agent Registry

The agent registry introduces a new identity primitive in Vault, allowing developers to register and manage agent activity separately from human and traditional non-human identities (NHIs). This separation is critical for delegation flows, where an agent acts on behalf of a human user using an on-behalf-of (OBO) pattern.

By explicitly tracking delegations, the registry provides a dedicated framework for registration, authorization, credential management, and observability. It ensures that every agent action is tied to a verified identity and consent chain.

Granular Identity-Based Policies

Least privilege remains a top priority, especially for agents. Vault now offers a rich set of policy-based runtime controls that let administrators strictly govern agent activity. Since agent behavior can be non-deterministic, Vault applies deterministic guardrails and per-request access control.

When agents operate in delegation mode—carrying the authority of a human user—Vault evaluates trust across multiple dimensions. Policies ensure that secrets and credentials are only accessed within tightly scoped contexts, reducing the blast radius of any compromise.

Ephemeral Authorization

To further minimize risk, Vault introduces ephemeral authorization controls. These grant temporary access rights that expire after a specific task or time window. Each authorization is scoped to the exact transaction context of a request, providing temporary, tightly bound permissions.

This per-request approach prevents credential misuse and simplifies revocation. It aligns with the dynamic nature of AI agents, which require just-in-time access to complete their workflows.

What This Means

“These capabilities represent a fundamental shift in how organizations secure AI workloads,” Dadgar added. “By combining identity, delegation, runtime policies, and ephemeral permissions, we’re enabling safer, more auditable AI deployments without sacrificing speed.”

Select customers are currently evaluating the new features through an early access program. HashiCorp plans a broader public beta release in a future Vault update later this summer. Organizations looking to prepare can begin auditing their current AI agent integrations and identity practices.

For more details on the agent registry and policy controls, see the agent registry and identity policies sections. The full announcement is available on the HashiCorp blog.
