Secrets management in the age of AI agents — and why open governance matters to that story more than it used to. At PlatformCon Live Day London 2026 I sat down with Alex Scheel, founder of OpenBao, the Linux Foundation project that emerged after HashiCorp Vault’s relicensing.
Why OpenBao Exists
Alex led PKI work at HashiCorp before leaving to help IBM start the effort that became OpenBao. The project exists specifically because of governance; it is not a fork for its own sake. OpenBao’s governance sits fully in the open, under the Linux Foundation, which means companies and contributors gain real ownership in the community rather than depending on a single vendor’s licensing decisions staying consistent. For platform teams that build secrets management into critical infrastructure, that governance model is not a philosophical nicety: it is a direct answer to the exact relicensing risk that created OpenBao in the first place.
Secrets Hygiene Is the On-Ramp to Agentic AI
The line from the conversation that stuck with me: strong identity and secrets hygiene today is what makes for a smoother path to agentic AI tomorrow. That is a useful reframe for platform teams still treating secrets management as a compliance checkbox rather than as prerequisite infrastructure for what is coming next.
Alex’s concrete guidance for AI agents specifically:
- Use short-lived, fine-grained tokens rather than long-lived, broadly-privileged identities
- Scope permissions tightly per sub-task — an agent doing one narrow job should not hold credentials for the ten other things it theoretically could do
- Treat every agent identity the same way you would treat a human’s — least privilege, rotated, auditable
This is the same argument I made in AI governance and agent identity: an agent acting under an over-privileged, long-lived credential is functionally indistinguishable from a fast, confident impersonation attack. The fix is not exotic — it is the secrets management discipline OpenBao and Vault have both been building for years, applied consistently to non-human identities instead of being treated as an afterthought.
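One way to check agent credentials against the guidance above, as an added example that is not code from OpenBao or from the interview. It assumes token records shaped like the Vault-style token lookup response and policies in JSON form; the TTL ceiling, the list of broad capabilities, the `task` metadata key and all sample data are constructed for illustration.

```python
# Added example (not OpenBao code). Field names follow the Vault-style token
# lookup response, assumed to carry over to OpenBao; thresholds are assumptions.
MAX_TTL_SECONDS = 15 * 60        # assumed ceiling for a "short-lived" agent token
BROAD_CAPS = {"sudo", "delete"}  # assumed: capabilities a narrow sub-task never needs
POLICIES = {  # constructed sample policies, JSON policy form
    "agent-summarize": {"path": {"secret/data/agents/summarizer/*": {"capabilities": ["read"]}}},
    "ops-all": {"path": {"secret/*": {"capabilities": ["create", "read", "update", "delete"]}}},
}
TOKENS = [  # constructed sample token lookup records
    {"display_name": "agent-good", "policies": ["agent-summarize"], "ttl": 600,
     "explicit_max_ttl": 900, "meta": {"task": "summarize-ticket-1234"}},
    {"display_name": "agent-bad", "policies": ["default", "ops-all"], "ttl": 2592000,
     "explicit_max_ttl": 0, "meta": None},
]

def broad_paths(policy):
    """Return paths that glob within the first two segments or carry broad capabilities."""
    found = []
    for path, rule in policy.get("path", {}).items():
        wide = any("*" in seg or seg == "+" for seg in path.strip("/").split("/")[:2])
        if wide or set(rule.get("capabilities", [])) & BROAD_CAPS:
            found.append(path)
    return sorted(found)

def audit_token(token, policies):
    """Return findings for one token record; an empty list means it passes."""
    findings = []
    names = token.get("policies") or []
    if "root" in names:
        findings.append("holds root policy")
    if not 0 < token.get("ttl", 0) <= MAX_TTL_SECONDS:
        findings.append("ttl is unlimited or above the ceiling")
    if not token.get("explicit_max_ttl"):
        findings.append("no explicit_max_ttl: renewal is capped only by mount/system limits")
    if token.get("period"):
        findings.append("periodic token: renewable without a fixed end")
    # "task" is a hypothetical metadata key tying the token to one sub-task.
    if not (token.get("meta") or {}).get("task"):
        findings.append("no task metadata: audit entries cannot be tied to a sub-task")
    for name in names:
        findings += [f"policy {name} is broad on {p}" for p in broad_paths(policies.get(name, {}))]
    return findings

def audit_all(tokens, policies):
    return {t["display_name"]: audit_token(t, policies) for t in tokens}

if __name__ == "__main__":
    for name, findings in audit_all(TOKENS, POLICIES).items():
        print(name, findings or "OK")
```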
Where to Find the Project
OpenBao lives at openbao.org, with community activity on the Linux Foundation Zulip, mailing lists, and GitHub — worth a look for any platform team evaluating a Vault alternative with governance that cannot change out from under them again.
Related Reading
- PlatformCon London 2026: The AI Era Runs on Platforms
- AI Governance in Practice: Findings Remediation and Agent Identity
- Secrets Management: Vault vs External Secrets
- Kubernetes Secrets Management Best Practices
- GitOps Secrets Management: Sealed Secrets and SOPS
About the Author
I am Luca Berton, AI and Cloud Advisor. I work at the intersection of platform engineering, cloud security, and enterprise AI deployments.



