Process-wide exposure
Once secrets are loaded into environment variables, they become part of the runtime context of the process. An agent may gain access to far more credential material than any single task requires.
The issue
.env files are simple. For AI agents, they are a poor default. They expose raw secrets to the process, convey little intent, and leak through many routine developer paths.
Variable names are not a robust permission model. Names like PROD_API_KEY or SERVICE_TOKEN hint at purpose, but they do not give agents a reliable structured understanding of when a credential should or should not be used.
Env-based secrets frequently escape through debugging output, shell commands, crash dumps, copied example configs, support messages, and screen sharing.
Better model
KeyLore replaces the flat env-file pattern with a broker model. Raw secret values are stored separately from AI-facing metadata. Agents use the metadata layer to discover the right credential for a task, then request brokered access instead of reading the token directly from process state.
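A minimal sketch of the broker pattern described above, added here as an illustration; it is not KeyLore's code or API. The names CredentialMeta, Broker and stub_transport, and the scope fields on the metadata record, are assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CredentialMeta:
    """AI-facing record: states intent and scope, carries no secret material."""
    cred_id: str
    purpose: str
    allowed_hosts: tuple    # exact hostnames the credential may be sent to
    allowed_methods: tuple  # HTTP verbs the credential may be used with


class Broker:
    def __init__(self, transport):
        self._meta = {}      # cred_id -> CredentialMeta, readable by agents
        self._secrets = {}   # cred_id -> raw value, never returned to callers
        self._transport = transport  # callable(method, url, headers) -> response
        self.audit = []      # (cred_id, method, host, decision); no secret values

    def register(self, meta, secret):
        self._meta[meta.cred_id] = meta
        self._secrets[meta.cred_id] = secret

    def catalog(self):
        """Metadata an agent reads to choose a credential for a task."""
        return list(self._meta.values())

    def request(self, cred_id, method, url):
        """Make the call on the agent's behalf if it fits the declared scope."""
        meta, parts, verb = self._meta.get(cred_id), urlsplit(url), method.upper()
        host = parts.hostname or ""
        allowed = (
            meta is not None
            and parts.scheme == "https"
            and verb in meta.allowed_methods
            and host in meta.allowed_hosts
        )
        self.audit.append((cred_id, verb, host, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{cred_id} is not permitted for {verb} {host}")
        headers = {"Authorization": f"Bearer {self._secrets[cred_id]}"}
        return self._transport(verb, url, headers)


def stub_transport(method, url, headers):
    """Constructed stand-in for an HTTP client; its reply omits request headers."""
    return {"status": 200, "authenticated": "Authorization" in headers}
```

The agent process holds only the catalog and the broker handle, so a debug dump of its environment or arguments has no token to leak, and every use is recorded against a declared scope.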