I like this direction.

Agents having direct access to credentials always felt a bit scary.

This seems cleaner, even if it just moves the trust somewhere else.