PlatformCon London 2026 conference floor
Platform Engineering

OpenBao Founder on Secrets Management for AI Agents

OpenBao founder Alex Scheel on why short-lived, fine-grained tokens matter more than ever once AI agents start holding credentials.

Luca Berton
· 2 min read

Secrets management in the age of AI agents — and why open governance matters to that story more than it used to. At PlatformCon Live Day London 2026 I sat down with Alex Scheel, founder of OpenBao, the Linux Foundation project that emerged after HashiCorp Vault’s relicensing.

Why OpenBao Exists

Alex led PKI work at HashiCorp before leaving to help IBM start the effort that became OpenBao. The project’s reason for existing is specifically governance, not a fork for its own sake: OpenBao’s governance sits fully in the open, under the Linux Foundation, so companies and contributors gain real ownership in the community instead of depending on a single vendor to keep its licensing decisions consistent. For platform teams that build secrets management into critical infrastructure, that governance model is not a philosophical nicety — it is a direct answer to the exact relicensing risk that created OpenBao in the first place.

Secrets Hygiene Is the On-Ramp to Agentic AI

The line from the conversation that stuck with me: strong identity and secrets hygiene today is what makes a smoother path to agentic AI tomorrow. That is a useful reframe for platform teams still treating secrets management as a compliance checkbox rather than as prerequisite infrastructure for what is coming next.

Alex’s concrete guidance for AI agents specifically:

  • Use short-lived, fine-grained tokens rather than long-lived, broadly-privileged identities
  • Scope permissions tightly per sub-task — an agent doing one narrow job should not hold credentials for the ten other things it theoretically could do
  • Treat every agent identity the same way you would treat a human’s — least privilege, rotated, auditable

This is the same argument I made in AI governance and agent identity: an agent acting under an over-privileged, long-lived credential is functionally indistinguishable from a fast, confident impersonation attack. The fix is not exotic — it is the secrets management discipline OpenBao and Vault have both been building for years, applied consistently to non-human identities instead of being treated as an afterthought.
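To make those three points concrete, here is an added example of mine, not OpenBao's or Alex's code: a pre-flight check over the parameters an operator would pass to OpenBao's (and Vault's) auth/token/create endpoint, together with the policy body that token would carry. The ceilings (a 15-minute TTL, ten uses) and the rule that any glob path is too broad for one sub-task are assumptions chosen for illustration, not OpenBao defaults.

```python
import re

# Constructed ceilings for agent tokens (assumptions, not OpenBao defaults).
MAX_TTL_SECONDS = 15 * 60
MAX_USES = 10
ALLOWED_CAPS = {"read", "list"}  # an agent doing one job rarely needs more
_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_ttl(ttl: str) -> int:
    """Convert a Vault-style duration ('900', '15m', '1h') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", ttl.strip())
    if not m:
        raise ValueError(f"bad ttl: {ttl!r}")
    return int(m.group(1)) * _UNIT[m.group(2) or "s"]


def render_policy(paths: dict) -> str:
    """Render {path: [capabilities]} as OpenBao/Vault HCL policy text."""
    blocks = []
    for path, caps in paths.items():
        caps_hcl = ", ".join(f'"{c}"' for c in caps)
        blocks.append(f'path "{path}" {{\n  capabilities = [{caps_hcl}]\n}}')
    return "\n".join(blocks)


def check_agent_token_request(req: dict, paths: dict) -> list:
    """Return violations of the short-lived, fine-grained rules (empty = OK).

    `req` mirrors auth/token/create parameters (policies, ttl,
    explicit_max_ttl, num_uses, renewable); `paths` is the policy body.
    """
    problems = []
    ttl, max_ttl = req.get("ttl"), req.get("explicit_max_ttl")
    if ttl is None or parse_ttl(ttl) > MAX_TTL_SECONDS:
        problems.append("ttl missing or above ceiling")
    if req.get("renewable", True) and (
            max_ttl is None or parse_ttl(max_ttl) > MAX_TTL_SECONDS):
        problems.append("renewable without a bounded explicit_max_ttl")
    if not 1 <= req.get("num_uses", 0) <= MAX_USES:
        problems.append("num_uses must be bounded")
    policies = req.get("policies", [])
    if len(policies) != 1 or "root" in policies:
        problems.append("exactly one task-specific, non-root policy expected")
    for path, caps in paths.items():
        if path == "*" or path.endswith("/*") or "+" in path:  # glob = too broad
            problems.append(f"wildcard path {path!r} spans more than one sub-task")
        if not set(caps) <= ALLOWED_CAPS:
            problems.append(f"{path!r} grants {sorted(set(caps) - ALLOWED_CAPS)}")
    return problems
```

Run it on a constructed broad request (a root-policy token with a 720h TTL over `secret/*`) and the list names every rule it breaks; a 10-minute, non-renewable, three-use token whose policy grants only `read` on one KV path passes clean.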

Where to Find the Project

OpenBao lives at openbao.org, with community activity on the Linux Foundation Zulip, mailing lists, and GitHub — worth a look for any platform team evaluating a Vault alternative with governance that cannot change out from under them again.

About the Author

I am Luca Berton, AI and Cloud Advisor. I work at the intersection of platform engineering, cloud security, and enterprise AI deployments. Book a consultation.
