AS-301c · Module 2

Emergency Revocation


When a compromise is detected, every credential the affected agent has ever accessed must be revoked immediately. Not "soon." Not "after we investigate." Immediately. The investigation determines what happened. Revocation determines what happens next — which is: the attacker loses access to everything the compromised agent could reach.

  1. Lease Revocation: Revoke all active leases for the compromised agent identity. This is the fastest containment action, since it removes all dynamically generated credentials in one operation. In a well-designed vault, this takes seconds.
  2. Static Credential Rotation: Any static credential the agent had access to must be rotated immediately. Even if the agent used just-in-time injection, the vault policy may have allowed access to static secrets. Rotate every secret the compromised identity could have accessed, whether or not there is evidence of actual access.
  3. Propagation Verification: Verify that revocation has propagated to all downstream systems. A revoked database credential must be rejected by the database, not just marked as revoked in the vault. Test the revoked credential against every system it protected. If any system still accepts it, the revocation is incomplete.