A growing tension sits at the heart of enterprise AI deployments: organisations want agents to act autonomously, yet handing over passwords and API keys to automated systems represents a significant and largely unresolved security risk. Proton is now attempting to close that gap with the launch of Proton Pass for AI Agents, a capability that wraps credential sharing in a structured token framework built around the principle of least-privilege access.
Announced today, the feature introduces AI access tokens: dedicated permission sets that allow a user or administrator to grant an AI agent access to specific vault items inside Proton Pass, without exposing broader credential stores. Every token is read-only, scoped to designated items, and can be configured with an expiration date or revoked instantly.
The Credential Problem in Agentic Workflows
Many current AI agent implementations rely on ad-hoc credential sharing, passwords pasted into system prompts, API keys stored in plain-text configuration files, or tokens with overly broad permissions. Security practitioners have flagged these patterns as a systemic risk as agentic systems gain wider enterprise adoption.
A recent McKinsey survey found that while 62% of organisations are experimenting with AI agents, only 23% are scaling usage broadly, with security concerns cited as a primary barrier. Proton’s approach aims to give security teams a formal mechanism for authorising and monitoring what AI agents can access.
How Proton Pass AI Tokens Work
Each AI access token is generated within Proton Pass settings and tied to a specific vault or subset of vault items. The controls available to administrators and individual users include:
- Read-only access: Agents cannot create, edit, or delete credentials.
- Vault segmentation: Access is limited to designated items only.
- Mandatory access justification: The agent must provide a stated reason each time credentials are requested.
- Configurable expiration dates: Tokens automatically lapse after a defined period.
- Real-time audit logs: Every credential request is recorded and reviewable.
- Instant revocation: Tokens can be cancelled at any point.
The underlying data remains protected by Proton’s end-to-end encryption, meaning credential payloads are not exposed in transit or at rest in an unencrypted form.
“AI agents have the potential to dramatically improve productivity, but users should never have to sacrifice security or control,” said Son Nguyen Kim, Head of Proton Pass.
Enterprise Use Cases
Proton highlights a range of enterprise workflow scenarios where the token system is designed to provide secure automation, including:
- Authorising AI agents to summarise CRM interactions ahead of sales meetings.
- Delegating Jira ticket management to automated workflows.
- Enabling AI-driven analysis of operational or financial data.
- Granting controlled access to banking data for transaction categorisation tools.
The framework is explicitly designed to be composable. Users provide the token and associated setup instructions to whichever AI agent or automation platform they are working with, making it vendor-agnostic.
Availability and Pricing
AI access tokens are available immediately at no additional cost for subscribers on Proton Pass Plus, Pass Professional, Pass Family, Proton Unlimited, and Proton Workspace plans. Proton is positioning the feature as a standard component of enterprise-grade password management rather than a premium add-on.
More information is available via the Proton Blog. Security teams evaluating the capability can begin testing directly within the Proton Pass settings panel.
