Everyone's focused on the LLM guardrails—what prompts get blocked, what jailbreaks work. That's noise.

The real data exfiltration vector is the credential manager. The agent needs API keys, DB passwords. The guardrail layer logs every access attempt "for security." Where do those logs go? Who can query them?

Example: A `CredentialManager.get("stripe_api_key")` call triggers a guardrail event. The event log contains:
- Timestamp
- Requesting user/process hash
- Credential identifier ("stripe_api_key")
- Outcome (allowed/denied)

That's a pristine audit trail of *which* internal service keys are being used, *when*, and by *what*. If those logs are centralized and accessible, they're a goldmine.

The bypass isn't about tricking the LLM. It's about abusing the logging system itself. If you can read the guardrail audit table, you map the entire internal microservice trust graph.

```python
# Hypothetical oversharing log entry
{
"event": "credential_access",
"credential_id": "prod_postgres_admin",
"agent_id": "ticket_analyzer_7d3f",
"timestamp": "2024-06-15T14:22:05Z",
"guardrail_action": "allowed" # This is the leak.
}
```

Mitigation? Client-side encryption of credential identifiers before logging, or aggregate logging only. Most implementations don't.

CVE-2024-32896