TL;DR: Oracle Red Bull Racing describes how a $100 million Formula 1 breach pushed it toward zero trust, segmented systems, and tighter secret handling across a distributed operation, according to 1Password. The real lesson is that speed and security now depend on treating every credential, access path, and SaaS connection as governable identity surface, not background infrastructure.
At a glance
What this is: This is an independent analysis of how Formula 1 operations are reshaping identity security around zero trust, least privilege, and secret control.
Why it matters: It matters because high-speed, distributed environments expose the same IAM, NHI, and lifecycle weaknesses that most enterprises still leave implicit.
By the numbers:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
- 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits.
👉 Read 1Password's analysis of Formula 1 identity security and secrets governance
Context
Formula 1 security is an identity problem as much as it is an operational one. In a distributed environment where engineering data, performance telemetry, and partner systems move across sites and race circuits, every access path becomes part of the attack surface.
The article uses Oracle Red Bull Racing to show how zero trust, least privilege, and credential governance become performance controls when the business cannot afford friction. That makes the case broadly relevant to NHI, privileged access, and governed human access in fast-moving enterprises.
Key questions
Q: How should security teams govern access in fast-moving operational environments?
A: They should treat access as a live control, not a one-time approval. That means segmenting access by task, verifying it at the point of use, and removing any standing entitlement that exists only for convenience. In environments with many sites, partners, and shared workflows, broad access becomes a hidden risk multiplier.
Q: Why do shared operational credentials create so much risk?
A: Shared credentials make ownership unclear, which weakens accountability and delays revocation when roles change. They also expand blast radius because one exposed token can reach multiple systems or teams. The safest pattern is to bind credentials to a clear owner, a narrow purpose, and a defined retirement trigger.
Q: What do teams get wrong about secrets management in pipelines and scripts?
A: They often treat the vault as the finish line. In practice, a secret can be copied into code, tickets, chat tools, and automation jobs, which means governance must include discovery, removal, and proof of cleanup. Rotation alone does not fix duplicate exposure.
Q: Who is accountable when access remains active after a role change or offboarding?
A: Accountability should sit with the system owner and the identity governance process, not with the departing user or the last person who used the access. If offboarding does not revoke every credential path, the organisation still owns the risk, even if the identity has left the business.
Technical breakdown
Zero trust in a high-speed operational environment
Zero trust is the operating model that assumes no user, device, or system should be trusted by default. In the article’s context, that matters because a racing organisation cannot rely on a static perimeter when data, staff, and third parties move across multiple sites. The control challenge is not just blocking access, but verifying it continuously without slowing operations. In identity terms, the model shifts decision-making from implicit trust to explicit verification at each access boundary.
Practical implication: map every high-value workflow to a verification step and remove any access path that cannot be justified continuously.
Least privilege and segmented access for distributed teams
Least privilege means giving each identity only the access required for the task at hand, for as long as it is needed. In distributed engineering environments, that usually requires segmentation by function, system, and business need rather than broad shared access. The article’s reference to moving from open access to tighter controls reflects a common governance shift: once data becomes a competitive asset, standing access becomes a liability. This is as true for human users as it is for service accounts and shared operational credentials.
Practical implication: replace broad team-level access with task-scoped entitlements and verify that shared access is being retired where ownership is clear.
Secret handling across scripts, pipelines, and SaaS
Secrets are credentials, tokens, API keys, and certificates used by systems and operators to authenticate. The article’s emphasis on secure developer workflows and managed SaaS governance points to the same underlying issue seen in many enterprises: secrets spread across scripts, pipelines, and collaboration tools faster than governance catches up. Once a secret is copied into multiple places, rotation alone does not restore control unless those copies are discovered and removed. That turns secrets management into a discovery and lifecycle problem, not just a vaulting problem.
Practical implication: inventory where secrets live, eliminate plaintext use in pipelines, and tie rotation to proof that duplicate copies have been removed.
Threat narrative
Attacker objective: The attacker seeks to steal or disrupt high-value performance and operational data in order to gain competitive advantage or cause operational harm.
- Entry typically begins through overly broad access or exposed information paths in a distributed environment, where the attacker can reach sensitive systems or data without first defeating strong perimeter controls.
- Escalation follows when standing access, shared credentials, or weakly segmented systems let the attacker move from one environment to another and reach higher-value information.
- Impact comes from theft, disruption, or race-day intelligence loss, which in this context can translate into competitive disadvantage, operational interference, and long-lived trust damage.
Breaches seen in the wild
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack — reviewdog/action-setup GitHub Action supply chain attack exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity security becomes a performance control when the business depends on distributed access. Formula 1 organisations cannot treat access governance as back-office compliance because the operational tempo is too high and the data too valuable. The practical shift is from protecting a perimeter to managing every access path as part of the performance system, which is exactly where IAM, PAM, and NHI governance converge.
Secret sprawl is the real multiplier in fast-moving environments. When credentials move through scripts, pipelines, support tools, and collaboration platforms, the organisation loses line of sight faster than it can rotate them. That is why secrets management must be treated as lifecycle governance, not a vaulting exercise. Practitioners should assume that copied secrets create invisible shadow access until proven otherwise.
Standing access is incompatible with environments that change weekly. The article shows a governance model moving from open access toward least privilege because operational speed and broad access no longer coexist safely. This is a familiar failure mode across NHI and human IAM programmes: access granted for convenience becomes persistent risk when the environment evolves faster than review cycles.
Shared operational access creates accountability drift. In environments where engineering, logistics, partners, and vendors all touch the same data plane, it becomes unclear who owns which credential, which approval, and which offboarding step. That makes lifecycle governance the control that determines whether access is actually temporary or merely undocumented. Practitioners should treat ownership clarity as a security control, not an admin detail.
Formula 1 exposes the same governance gap many enterprises still ignore: privileged access is only safe when its scope is continuously bounded. Once an identity can move across systems, sites, and tools without revalidation, the architecture has already drifted beyond least privilege. The implication is not simply to add more controls, but to redesign governance around where access is actually used.
From our research:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
- That is why lifecycle cleanup matters as much as discovery. See Guide to the Secret Sprawl Challenge for the governance patterns that turn secret sprawl into measurable risk.
What this signals
Secret sprawl is becoming a programme-wide control issue, not a point-in-time hygiene issue. When credentials are duplicated across code, tickets, and collaboration tools, rotation only shifts the problem unless discovery and deletion are part of the process. For many organisations, the next maturity step is not more vaulting, but better lifecycle proof across every place a secret can persist.
Access governance now has to cover the full operational chain, from human users to machine credentials. In distributed environments, a single weak link in ownership, offboarding, or entitlement scope can undermine the whole control model. Teams should expect auditors and internal risk owners to ask where access is used, who can revoke it, and how quickly lingering access is proven gone.
For practitioners
- Map every high-value data path Identify where telemetry, engineering data, and partner-access workflows move across sites, and require explicit ownership for each access path before it is allowed to persist.
- Eliminate plaintext secrets in operational workflows Replace script-embedded credentials and copied tokens with managed references, then verify that the same secret does not exist in collaboration tools, tickets, or code repositories.
- Rebase shared access on task-scoped entitlements Review broad team access to engineering and SaaS systems, break it into narrower roles, and revoke any standing access that is no longer tied to a current duty.
- Tie offboarding to credential revocation proof Make offboarding complete only when human and non-human credentials, tokens, and shared access paths are confirmed removed from every connected system.
Key takeaways
- Formula 1 security shows that access governance is no longer separate from performance, because distributed operations magnify every identity weakness.
- Secrets and standing access become dangerous when they outlive the task, the owner, or the environment they were granted for.
- The control that matters most is lifecycle proof, because credential sprawl only shrinks when organisations can show what was removed, not just what was issued.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Secrets handling and rotation are central to the article's risk posture. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access segmentation align with access control governance. |
| NIST Zero Trust (SP 800-207) | PR.AC-5 | Continuous verification matches the article's zero-trust operating model. |
Review secret discovery, rotation, and storage paths against NHI-03 and remove plaintext exposure routes.
Key terms
- Zero Trust: A security model that assumes no identity, device, or system should be trusted by default. Access is verified continuously and contextually, which makes it suitable for distributed environments where data and users move across sites, partners, and services.
- Least Privilege: An access model in which an identity receives only the permissions needed for the current task. In practice, this reduces blast radius by limiting what a user, service account, or token can reach if it is misused or exposed.
- Secrets Management: The governance process for discovering, storing, rotating, and retiring credentials such as tokens, API keys, and certificates. It is effective only when it covers every location where a secret may appear, including scripts, tickets, and collaboration tools.
- Lifecycle Governance: The control discipline that ensures access is issued, reviewed, and revoked according to business need. For high-tempo environments, lifecycle governance is the difference between temporary access that is actually temporary and access that simply goes unchallenged.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by 1Password: a look at how Oracle Red Bull Racing approaches identity security, secrets, and zero trust. Read the original.
Published by the NHIMG editorial team on 2025-10-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
