At first, it feels harmless. If the agent is just reading files, editing local code, running tests, or helping me understand something inside my editor, using my own environment makes sense. In that situation, the agent is still under my supervision. It is helping me work. I still review what it does. I still decide what leaves my machine. The problem starts when the agent stops only helping and starts acting. Pushing code is not the same as suggesting code. Opening pull requests is not the same as editing a file locally. Reading logs, triggering workflows, accessing private repositories, touching secrets, or deploying something is a completely different level of responsibility. And this is where credentials become a real design decision. If the agent uses my credentials, every action looks like mine That is the part that bothers me the most. If the agent uses my account, the audit log will probably say that I did the action. And technically, yes, I gave it access.…