L2 Standard | Manual verification

5.3 Credential Scope Limitation

5. Credential Protection: How do we protect secrets?

Description

Credentials MUST be scoped to minimum required access.

Rationale

If an agent is compromised, the blast radius is limited by credential scope.

Audit Procedure

1. List all credentials the agent can access
2. Document permissions granted
3. Compare against required permissions
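
The three audit steps can be scripted once the inventory exists. The following is an added example, not part of the control text: it assumes permissions are written as "service:Action" strings with "*" as a wildcard, and the credential names and permission values are constructed sample data.

```python
from fnmatch import fnmatchcase

# Constructed inventory (steps 1-2): credential name -> permissions granted.
GRANTED = {
    "agent-storage-key": ["storage:GetObject", "storage:PutObject",
                          "storage:DeleteObject"],
    "agent-db-token": ["db:*"],
    "agent-legacy-key": ["*"],
}

# Constructed baseline (step 3): permissions the agent's tasks require.
REQUIRED = {
    "agent-storage-key": ["storage:GetObject", "storage:PutObject"],
    "agent-db-token": ["db:Select", "db:Insert"],
}


def audit_credential(granted, required):
    """Compare one credential's grants with its required permissions."""
    excess, wildcards = [], []
    for grant in granted:
        if "*" in grant:
            # A wildcard covers actions nobody enumerated, so it always
            # exceeds a finite requirement list and must be narrowed.
            wildcards.append(grant)
        elif grant not in required:
            excess.append(grant)
    # Required permissions no grant covers: the baseline or inventory is stale.
    missing = [r for r in required
               if not any(fnmatchcase(r, g) for g in granted)]
    return {"excess": excess, "wildcards": wildcards, "missing": missing}


def audit_all(granted_map, required_map):
    """Audit every credential; one with no baseline entry is unjustified."""
    report = {}
    for name, granted in granted_map.items():
        result = audit_credential(granted, required_map.get(name, []))
        result["unjustified"] = name not in required_map
        result["compliant"] = not (result["excess"] or result["wildcards"]
                                   or result["unjustified"])
        report[name] = result
    return report


if __name__ == "__main__":
    for name, result in audit_all(GRANTED, REQUIRED).items():
        print(name, result)
```

A credential the agent can reach but that has no entry in the required baseline is reported as unjustified, which is the case a manual review most often misses.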

Remediation

1. Create dedicated service accounts
2. Apply least privilege
3. Use fine-grained IAM policies

Framework Mappings

CIS Control 5.4, CIS Control 6.8, NIST PR.AC-4