AI Coding Agents and Secret Sprawl: What 28 Million Leaked Credentials Show in 2026

AI-assisted commits introduce hardcoded secrets at a rate of 3.2% — more than double the 1.5% baseline across all public GitHub commits — and in 2025 that structural leak rate helped push exposed credentials on public GitHub to 28.65 million, the largest single-year increase ever recorded. The problem is not developer carelessness. It is the gap between how AI coding agents generate code and how engineering organizations govern what reaches production.

28 Million Secrets and Counting: The 2025 Baseline

The GitGuardian State of Secrets Sprawl 2026 report analyzed 1.94 billion public GitHub commits made during 2025 — a 43% year-over-year increase driven by a 33% expansion of the active developer base — and documented 28.65 million new hardcoded secrets, a 34% year-over-year increase representing the fastest growth rate in the report's history. The fastest-growing single category was AI-service credentials: API keys for large language model providers, embedding services, and AI infrastructure platforms rose 81% year-over-year to 1,275,105 detected instances. Among those, 113,000 credentials for a single LLM provider were found exposed across public repositories in 2025 alone. AI-assisted commits specifically showed a 3.2% secret-leak rate compared to a 1.5% baseline — meaning AI-generated code roughly doubles the per-commit exposure risk.

Three Ways AI Coding Agents Amplify Credential Exposure

Context Windows as Credential Containers

AI coding agents work by ingesting large context windows that often include environment configuration files, scaffolding stubs, inline comments, and previously committed code. When those inputs reference real credentials — even temporarily, for local testing or scaffolding — the agent can reproduce them verbatim in generated output with no security awareness. The result is a commit where a secret appears not because a developer typed it, but because the agent inferred it from context. Standard diff review frequently misses this pattern because it looks like legitimate configuration that belongs in the file. Unlike a developer who knows a credential is sensitive, the agent treats it as a string to be preserved.

MCP Configuration Files — A New Exposure Surface

Model Context Protocol has emerged as the standard for connecting AI coding agents to external tools, databases, and APIs. With rapid adoption comes a new credential exposure surface: configuration files that define MCP server connections frequently include inline API keys and authentication tokens because official documentation has encouraged this pattern. GitGuardian found 24,008 unique secrets in MCP-related configuration files on public GitHub in 2025, with 2,117 verified as valid at the time of discovery — an 8.8% validity rate that reflects a documentation culture that has not yet caught up with the security implications of inline credential specification. The AI coding agent attack surface for DevSecOps teams is growing in proportion to MCP adoption, and credential hygiene in agent configuration files is one of the fastest-moving components of that surface.

CI/CD Runners Carry the Blast Radius

When an AI coding agent generates a commit that includes a secret, and that commit triggers an automated test pipeline, the compromised entity is typically not a developer laptop — it is a shared CI/CD runner. GitGuardian's Shai-Hulud 2 dataset found that 59% of compromised machines were CI/CD runners rather than personal workstations. Those shared runners are force multipliers: a single exposed credential entering a build environment can propagate to downstream jobs, artifact stores, and deployment pipelines before the source commit is identified. At scale, an AI agent producing dozens of commits per day across a large engineering org creates a continuous ingest path for secrets into the build layer.

Why Exposed Credentials Stay Live: The Four-Year Remediation Gap

Detection is not remediation. GitGuardian tracked credentials originally identified in public repositories in 2022 and found that 64% remained valid and actively exploitable as of January 2026 — a four-year window of live exposure for secrets that were technically already known. Part of the explanation is alert volume: as AI-assisted commit rates increase, so do detection events, and organizations lacking automated rotation workflows accumulate a remediation backlog they cannot clear manually. The report also notes that validation-only prioritization approaches miss 46% of critical secrets, meaning filters designed to reduce noise inadvertently deprioritize real exposure. Internal repositories compound this further: private repos are 6x more likely than public ones to contain hardcoded secrets, which means the public GitHub figures represent only the visible fraction of total organizational exposure.

The Cloud Security Alliance's State of Cloud and AI Security 2026 frames this dynamic as accumulating SDLC security debt — governance obligations that compound faster than engineering capacity can retire them. A separate CSA research note on AI-generated code security from March 2026 found that 65% of production applications built with heavy AI code generation had security issues, and 58% contained at least one critical vulnerability — indicating that credential exposure is one component of a broader quality debt that AI velocity creates when it outpaces governance.

What Credential Breaches Cost When Prevention Fails

The IBM Cost of a Data Breach 2024 Report placed the global average breach cost at $4.88 million — a 10% year-over-year increase and the highest in the study's 19-year history. Credential-based attack vectors showed the worst containment profile of any category: breaches involving stolen or compromised credentials took an average of 292 days to identify and contain. At that timeline, a credential committed to a feature branch in Q1 is still an active liability through Q4, long after the AI agent session that generated it has ended and the developer who approved the PR has moved on to other work.

Compromised credentials were also the single most common initial attack vector in the IBM study, accounting for 16% of all breaches analyzed. That combination — most frequent vector, longest containment time — makes credentials the category where front-loaded prevention has the clearest cost justification. Blocking a secret at the pull request costs nothing. Containing the breach it enables costs, on average, a third of a year of investigation and $4.88 million.

The Pull Request Boundary as the Primary Control Point

Every commit produced by an AI coding agent passes through a pull request before reaching a protected branch — making the PR the logical intervention point for credential exposure. Pre-commit hooks running on developer machines are an insufficient substitute: they are optional, can be bypassed, and execute before human context review. Automated secrets detection in AI-assisted pull requests catches credential exposure at the repository-side gate, where blocking a merge is still a zero-cost intervention — before the secret propagates into a CI/CD runner, an artifact store, or a deployment environment.

Research published in the AgenticFlict dataset — a large-scale study of merge conflicts in AI coding agent pull requests on GitHub published via Zenodo — documents the structural characteristics of AI-agent-authored PRs that make automated review non-optional. AI agent PRs exhibit distinct modification patterns in file scope and dependency changes that reduce the reliability of manual review as a sole quality gate. Credential scanning is the objective complement to subjective code review in that context: it does not depend on a reviewer noticing an unusual string buried in a configuration file.

For teams running AI coding agents in enterprise environments, the security risks that require governance at the enterprise level include credential propagation as a primary category — alongside context window leakage and permission scope. Addressing all three requires policy enforcement that operates at the merge boundary, not after code reaches staging or production.

When a credential does escape the PR gate, response sequencing determines whether containment time beats the 292-day average. An AI coding agent incident response playbook establishes the rotation, revocation, and audit steps needed to move containment time significantly below that average. The structural mitigation — reducing what AI agents can access in the first place — is covered in the least-privilege permissions guide for AI coding agents: an agent that cannot reach production credentials cannot commit them.

What re-entry.ai Does About This

re-entry.ai scores each pull request from an AI coding agent for risk before it merges — including signals for credential exposure, sensitive file modification, and configuration drift — so engineering teams catch at the PR boundary what pre-commit hooks and manual review miss. Visit re-entry.ai to see how automated risk scoring applies to your AI agent workflow.

What to Do Now

1. Audit your CI/CD runners for stored secrets. GitGuardian's data shows they represent 59% of compromised machine exposure — not developer laptops. Treat each runner as a potential credential store and inventory what it carries.

2. Add server-side secrets scanning to every PR from an AI coding agent. Pre-commit hooks on developer machines can be bypassed; enforcement must happen at the repository gate, blocking merge rather than advising the developer.

3. Enforce MCP configuration hygiene. Require environment variable injection rather than inline credential specification in any AI agent configuration file that reaches a shared repository. Review existing MCP config files for hardcoded keys.

4. Run a credential rotation audit on secrets older than 90 days. With 64% of credentials identified in 2022 still valid as of 2026, your oldest exposure events are likely still live and exploitable.

5. Scope AI coding agent permissions to least privilege at the environment and filesystem level. Agents that cannot access production credentials cannot commit them — reducing peak exposure risk per agent session regardless of what they generate.

Pull requests from AI coding agents arrive faster than teams can manually review for credential exposure. Automated risk scoring at the PR boundary is how governance keeps pace with velocity. See what re-entry.ai catches at re-entry.ai.