TL;DR: Roughly 98% of the company’s internal workforce now uses AI tooling, with AI Champions embedded across departments, as the company pairs rapid growth with more intentional in-person collaboration and sustainable work practices, according to 1Password. The deeper lesson is that identity and security programmes now depend on culture, trust, and AI fluency as much as on tooling.
At a glance
What this is: This is a culture and operating-model post about how 1Password is scaling internal AI use, collaboration, and employee experience while keeping security work moving.
Why it matters: It matters to IAM and security leaders because the same cultural conditions that shape human identity programmes also shape how teams adopt AI, govern access, and sustain control discipline as organisations grow.
By the numbers:
- roughly 98% adoption of AI tooling internally
👉 Read 1Password’s perspective on culture, AI enablement, and security growth
Context
Security culture becomes a governance issue when a company scales faster than its habits. In this case, the primary topic is not product capability but how a security organisation keeps people aligned while AI tools, remote work, and growth change the way decisions get made.
For IAM and identity practitioners, the useful lens is human identity and operating discipline. AI enablement only works when teams can trust how work is being done, how responsibility is assigned, and how access decisions are communicated across a growing organisation.
Key questions
Q: How should security teams govern AI use inside identity and access programmes?
A: Security teams should define where AI can assist, where human review is mandatory, and which data classes are off limits. The goal is not to ban AI use, but to make it predictable, reviewable, and aligned with security responsibilities. That keeps productivity gains from weakening accountability or introducing unreviewed judgment into identity decisions.
Q: Why does employee culture affect identity governance outcomes?
A: Because identity governance depends on people following process consistently. If teams are unclear, disconnected, or overloaded, access reviews, exception handling, and escalation paths become unreliable even when the policy is sound. Culture does not replace controls, but it determines whether the controls are used as designed.
Q: How can remote-first teams keep access decisions accountable?
A: By making ownership explicit, documenting approval paths, and ensuring exceptions are recorded where others can find them later. Remote work is not the problem. Hidden decision-making is. When identity teams can trace who approved what and why, they preserve accountability across time zones and working styles.
Q: What should identity leaders measure beyond policy compliance?
A: They should measure whether teams can actually execute the process without confusion, delay, or workarounds. Signals such as repeated exception handling, inconsistent approvals, and undocumented decisions show that governance is too dependent on informal culture. A policy that nobody can reliably follow is not a functioning control.
Technical breakdown
AI fluency as a human identity governance issue
AI adoption inside a security company is not just a productivity story. It changes how employees interact with tools, approvals, and knowledge sharing, which in turn affects how reliably people follow identity and access processes. AI Champions work as internal accelerators, but they also create a governance need: people need to understand when AI-assisted work is acceptable, when human review is required, and how privacy concerns are handled. In practice, AI fluency becomes part of operational identity maturity because the quality of access decisions depends on how consistently employees use the systems around them.
Practical implication: formalise AI usage expectations so human workflows remain auditable and consistent.
Remote-first collaboration and access trust
Remote-first operating models depend on explicit communication, durable documentation, and clear ownership. In identity terms, that means fewer assumptions about who knows what, fewer informal approvals, and more reliance on visible process. As organisations add in-person moments, they are not replacing remote work so much as creating stronger trust anchors for cross-team coordination. For security and IAM teams, this matters because access governance fails fastest when responsibilities are unclear or when exceptions live only in conversation. Collaboration design and access discipline are connected controls, not separate concerns.
Practical implication: reduce approval ambiguity by documenting decision paths and ownership across distributed teams.
Sustainable performance needs lifecycle discipline
The article links high performance with benefits, mentorship, wellness, and clarity. That may sound like a people topic, but it also maps to lifecycle governance: employees need enough support and structure to operate consistently, and organisations need enough process to keep access changes, role changes, and accountability changes under control. When growth accelerates, fatigue and ambiguity become governance risks because people stop following the intended process exactly. Identity programmes that ignore employee experience often see the same pattern: controls exist, but the organisation cannot reliably use them.
Practical implication: treat employee experience as an enabler of access governance, not a separate HR concern.
NHI Mgmt Group analysis
AI adoption inside security teams is now a human governance problem, not just a tooling decision. When 98% of a workforce is using AI tooling internally, the real question is whether employees understand the boundaries of acceptable use, review, and accountability. That shifts the burden from isolated tool rollout to programme-level behavioural governance. For IAM leaders, the practitioner conclusion is simple: AI fluency has become part of access discipline.
Remote-first security organisations need explicit trust infrastructure to preserve decision quality. Distributed teams can work well, but only when approval paths, ownership, and documentation are visible enough to survive turnover and growth. Informal understanding does not scale, especially in security functions where exceptions and escalations matter. The practitioner conclusion is that collaboration design is now part of governance design.
Employee experience is a control surface in high-growth identity programmes. The article connects clarity, mentorship, support, and sustainability to performance, and that linkage is real for identity operations. When people are overloaded or unclear on expectations, identity processes become inconsistent even if the policy is sound. The practitioner conclusion is that control adoption depends on whether the organisation can sustain the humans operating the control.
Culture becomes a reliability multiplier when identity work depends on judgment. IAM, PAM, and NHI governance all rely on people making consistent decisions about access, escalation, and exception handling. In a fast-moving company, a culture that encourages feedback and shared purpose improves the odds that those decisions are made correctly. The practitioner conclusion is that governance maturity and culture maturity rise or fall together.
High-growth security teams cannot separate ambassadorship from internal trust. People only represent a company well when they understand its mission and believe its practices are coherent. That has direct implications for identity programmes because internal credibility drives compliance, adoption, and the willingness to follow process. The practitioner conclusion is that identity leaders should treat employee trust as a prerequisite for policy reliability.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Our research also found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, a gap that matters when AI-enabled work depends on distributed access chains.
- For a broader baseline on why lifecycle control matters, read Ultimate Guide to NHIs , Key Challenges and Risks.
What this signals
AI adoption becomes governance debt when it is not matched with explicit usage boundaries. With AI tooling now embedded across most of the workforce, the next programme risk is not experimentation itself but inconsistency in how employees apply it to sensitive work. Identity leaders should expect more demand for policy clarity, reviewability, and privacy guardrails as AI becomes a normal part of operations.
The practical signal for IAM and security programmes is that culture will increasingly show up in control reliability. Teams with clear ownership, documented approvals, and strong internal trust will be able to sustain access discipline through growth; teams without those traits will see exceptions and workarounds multiply.
Access governance now depends on employee enablement as much as process design. Organisations that invest in mentorship, clarity, and manager-led reinforcement are more likely to get repeatable execution from identity teams. That makes internal culture a measurable factor in whether governance scales with the business.
For practitioners
- Define AI use boundaries for security teams Document which tasks can use AI assistance, which require human review, and which remain restricted because they involve sensitive identity, customer, or privacy data.
- Map approval ownership across distributed teams Write down who approves access changes, who documents exceptions, and who is accountable when decisions happen across remote and in-person working patterns.
- Tie employee enablement to process consistency Use mentorship, onboarding, and manager expectations to reinforce how identity workflows should be followed so growth does not dilute control discipline.
- Review whether culture friction is slowing governance Look for symptoms such as unclear escalation paths, inconsistent review practices, and workarounds that appear when teams feel overloaded or disconnected.
Key takeaways
- The article shows that AI adoption, collaboration design, and employee experience are now part of identity governance, not separate HR topics.
- The clearest scale signal is 98% internal AI tooling adoption, which shows how quickly human workflows can shift inside a security organisation.
- Identity leaders should tighten role clarity, review paths, and AI usage boundaries before growth turns culture friction into control failure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | Culture and accountability shape how governance oversight is actually carried out. |
| NIST SP 800-63 | Human identity trust and assurance depend on consistent, understandable processes. | |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Explicit ownership and decision paths support zero trust access governance. |
Make access decisions explicit, reviewable, and tied to known subjects and responsibilities.
Key terms
- AI fluency: AI fluency is the practical ability to use AI tools confidently while understanding their limits, risks, and appropriate uses. In security organisations, it includes knowing when AI output needs review, where privacy boundaries sit, and how AI-assisted work fits into accountable decision-making.
- Remote-first operating model: A remote-first operating model is a way of working where distributed collaboration is the default and in-person interaction is used intentionally. For identity and security teams, it increases the importance of documentation, visible ownership, and explicit approval paths because informal coordination is harder to rely on.
- Employee experience: Employee experience is the set of conditions that shape how people feel, perform, and stay engaged at work. In identity programmes, it matters because clarity, support, and sustainable workload directly influence whether teams follow access and governance processes consistently or drift into workarounds.
What's in the full article
1Password's full article covers the cultural and operating details this post intentionally leaves at a higher level:
- How the company is using AI Champions to build internal AI fluency across departments
- The specific employee experience investments that support sustainable performance during growth
- How in-person hubs and offsites are being used to reinforce collaboration in a remote-first model
- The internal leadership perspective behind how culture, trust, and customer experience are linked
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org