Honestly, best solution is to use native CSP solutions like AWS Secrets Manager, AWS SSM Parameter Store, GCP Secret Manager, Terraform Vault.

All these have native audit logs and access logs, which can help you pin point exactly when did your AI Agent requested and accessed your secrets at Runtime.