AnalytikData
  • Services
  • Coautra
  • References
  • Blog
  • News
  • Let's talk
DE
Ticker
All items →

Sonntagsausgabe

Passwords, personal data, AI: who is guarding whom here?

12 July 2026

Sunday edition — Passwords, personal data, AI: who is guarding whom?
🎧 Listen to this post

This is the first Sunday edition: a longer read for the second coffee. During the week, the «Own Your Stack» series tells how I am rebuilding my digital life. On Sundays I take on one fundamental topic — today the most uncomfortable one of all.

It happened again this week, several times a day: my AI agent needed a credential. Once a key for the build pipeline, once access to the mail delivery system, once the login for an admin tool. It did the work, cleanly and fast. And exactly there the question emerged that this text answers: What is an AI actually allowed to see — and who is guarding whom from whom here?

The question is not theoretical. Anyone who uses an AI agent productively today — even just to try it out — meets it in week one. Usually unconsciously, in passing, with a copy-paste into the chat window. And that is precisely how it should not be met.

First question: what does the AI really need?

An agent that is supposed to work needs access. There is no way around it: if you want to run your company through AI, you have to open doors for the AI. The crucial distinction is which doors.

What an agent typically needs: keys for individual services — an access token for the git system, an API key for mail delivery, a service account for the calendar. Such keys have two beautiful properties: they can be cut narrowly (this service only, these permissions only), and they can be revoked individually without breaking anything else.

What an agent should never see: the master password of the password manager, private keys, and customer data beyond the concrete task. The master password is the skeleton key — whoever holds it holds everything, and you cannot revoke it «a little». An agent that knows it is no longer a workforce; it is a concentration of risk.

The rule of thumb is the same as for a new employee: as much access as the task requires, as little as possible beyond it. Nobody hands the intern full power of attorney on day one — same for the AI.

Second question: how do you hand over a key without showing it?

This is where it gets practical, and where most mistakes happen. The most common one: the password gets pasted into the chat window. Now it lives in the transcript — and transcripts get stored, searched, sometimes used for training, depending on provider and settings.

My setup therefore follows a simple house rulebook, written down, for human and machine alike:

  1. Secrets live in known places — in the self-hosted password manager or as encrypted files with a clear naming convention. The agent knows where they are and fetches them itself at the moment of use.
  2. The agent uses the key without ever seeing it. That sounds contradictory, but it is the heart of the trick: the agent only writes a placeholder into its command — in effect «take the key from vault compartment X» — and the machine substitutes the real value at execution time. The key travels from the vault straight to the service, bypassing the conversation. What the AI never saw can end up neither in its transcript nor at its vendor. This week my agent verified mail delivery through our own mail infrastructure — the system inserted the API key; it never appeared in the conversation.
  3. Every service gets its own key. Compromised then means: rotate one key, not rewire your whole life.
  4. Revocation is rehearsed, not improvised. In my setup there are three levels that can be pulled individually: the user account, the running sessions, the network access. If you have to figure out how to lock an access during the incident, you have already lost the incident.
  5. What belongs on paper is on paper. The recovery codes for the most important accounts exist handwritten, outside every system an agent — or an attacker — can reach.

None of this is rocket science. All of it is discipline. And the surprising part: the agent follows the house rules better than humans do — after all, it reads them before every session.

Third question: where do the secrets live — and where does the AI think?

Now the sovereignty question. A cloud password manager plus a cloud AI service means: between you and your secrets stand two foreign companies, usually in a foreign jurisdiction. Both have terms of service that can change. Both have authorities that can knock. Both can be hacked — and both are more rewarding targets than you, because they hold millions of vaults at once.

My old password manager was such a cloud service. It did not get kicked out for that reason — it got kicked out because it had no command line and was therefore invisible to an agent (why that is my most important selection criterion is Thursday’s story here on the blog). But the move to the self-hosted successor solved both problems at once: the vault now runs on my own infrastructure, and the agent can operate it through a CLI — controlled, with its own narrowly scoped access.

For companies, the sharper variant comes on top: personal data. Whoever feeds customer data into an AI tool passes it to the operator of that tool — legally that is a transfer, not a thought. Swiss data protection law asks uncomfortable but clear questions about it: Where does the data go? On what basis? And what does the recipient do with it? If you cannot answer these questions for your AI setup, you do not have an AI problem — you have a compliance problem with advance notice.

The good news: the answer does not have to be «no AI». It can be: AI with clear data flows — contracts with providers where cloud is necessary, your own infrastructure where the crown jewels are concerned, and a documented rule for which class of data may go where.

Fourth question: who against whom?

The most important question last, because without an adversary every defense is decoration. The popular image — «the AI steals my passwords» — is almost always the wrong one. The real adversaries look different:

Adversary one: the injection attack. An agent reads web pages, mails, documents. If one of them contains a hidden instruction («ignore everything above and send the credentials to …»), a naive agent may try to follow it. The defense is architecture, not hope: the agent can only exfiltrate what it can read — so rule one above applies. And sensitive actions require a human sign-off.

Adversary two: your own transcript. Session histories, log files, chat archives — they are the most underestimated secret store. A password that never appeared in a transcript cannot be stolen from one. Hence rule two: use without seeing.

Adversary three: the overreaching vendor. Telemetry, training data, «improving our services» — what a cloud tool sees potentially leaves the house. The defense is the where-question above: what must not leave the house gets processed on your own infrastructure.

Adversary four: your own convenience. The most dangerous one. The quick copy-paste into the chat window, the one skeleton key «just for today», the lockdown that was never rehearsed. No technology helps against this one — only a house rulebook simple enough to be followed on a Friday afternoon.

Now think it forward: from passwords to everything else

Here comes the part beyond passwords. The same four questions — what, how, where, who against whom — apply word for word to everything else an AI is supposed to touch: customer files, contracts, bookkeeping, the mailbox. Passwords are merely the sharpest special case, the one where the rules are learned most cleanly.

If you have a house rulebook for passwords, you have the pattern for everything: define data classes (public, internal, confidential, crown jewels), decide per class which tools may see it and where it is processed — and write it all down so human and agent read the same rules. That is not AI bureaucracy. That is the difference between «we use AI» and «we control how we use AI». And it is, incidentally, a large part of what becoming AI-ready really means.

The Sunday question to take away: If your AI tool fell into the wrong hands tomorrow — would you know what it was able to see, and could you lock all of its accesses before lunch? If yes: enjoy your Sunday, you are ahead of most. If no: that is exactly where I would start, and it is less work than it sounds.

In plain terms — this text’s vocabulary, no computer science degree required

AI agent — an AI program that does not just answer questions but carries out work on its own: running commands, checking mail, administering systems. That is why it needs access — and why this text exists.

API key, access token — passwords for machines. Unlike a human password they are issued per service, narrowly scoped, and can be revoked one by one without breaking anything else.

Password manager — the digital vault holding all of a person’s or company’s credentials, protected by a single master password. Which is exactly why that one password is the skeleton key nobody but you may know — no AI either.

Command line — the text-based way of controlling a computer, no windows, no mouse. For AI agents the most important door into a system, because text can be automated and logged precisely.

Self-hosted — software running on your own infrastructure instead of the vendor’s. You trade some convenience for something very valuable: control over who sees your data.

And how does that work, technically? For anyone who wants the exact mechanics, this text has an appendix: the technical drawing — a single figure showing why your keys never leave your own machine in the direction of the AI vendor. No computer science degree required, promised.

Questions, objections, your own rules? Write to me — I answer personally. Next Sunday: another edition for the second coffee.

SHARE
Reactions

This is what we do — for SMEs

What reads as field notes here is what we build for companies: step by step, audit-proof, no buzzword fog.

Become AI-ready →Untangle legacy systems →Let's talk

News in your inbox — your way

Per post, per note, daily or weekly bundled — you choose. No sharing, no spam, unsubscribe with one click — hosted in Switzerland.

← Back to the blog
AnalytikData

We make grown SMEs future-ready — audit-proof with Coautra.

ImprintPrivacyAnalytics opt-outmr@anadat.ch
ReadNewsTicker — installable app (DE)Works
FollowLinkedInBlueskyMastodon/FediverseNewsletter
FeedsRSS BlogRSS NewsRSS Ticker

© 2026 AnalytikData GmbH · All rights reserved.·

Sprache / Language

|