By NHI Mgmt Group Editorial Team
Published 2025-08-13
Domain: Governance & Risk
Source: 1Password

TL;DR: High-performance culture depends on shared purpose, clear accountability, and continuous improvement, according to 1Password. The underlying message is that identity security teams need culture, process, and ownership aligned before they can scale safely, while also tying that operating model to building secure products for people and AI agents.


At a glance

What this is: 1Password’s essay on high-performance culture; its key point is that speed, alignment, and accountability are prerequisites for secure product delivery.

Why it matters: It matters because identity, IAM, and security leaders increasingly need operating models that can support human teams, NHI governance, and AI-adjacent work without losing control or clarity.


👉 Read 1Password’s article on high-performance culture and identity security


Context

High-performance culture is an operating model problem, not a branding exercise. In identity security programmes, unclear ownership and slow decision-making usually surface as review debt, delayed remediation, and weak accountability when access decisions span humans, service accounts, and AI-enabled workflows.

The article frames 1Password’s culture around speed, alignment, and shared accountability. For IAM and NHI leaders, that is a reminder that governance quality depends as much on how teams work together as on the controls they deploy.


Key questions

Q: How should security teams turn accountability into a measurable identity control?

A: Security teams should assign one owner for approval, one for review, and one for revocation, then measure whether each step completes on time. If those responsibilities are unclear, access exceptions, stale entitlements, and delayed cleanup will accumulate. Accountability only works as a control when it has a named owner, a due date, and an audit trail.

Q: Why does continuous improvement matter in IAM and NHI governance?

A: Because identity controls drift unless teams keep checking whether they work in practice. Recertification, rotation, and offboarding can all exist as documented processes while still failing operationally. Continuous improvement forces teams to compare policy intent with actual completion rates, exception volumes, and remediation speed, which is what reveals whether the programme is really reducing risk.

Q: What breaks when secure-by-default thinking is absent from product design?

A: Security becomes a retrofit, and identity controls arrive too late to shape the workflow. That leads to brittle permissions, weak auditability, and revocation paths that are hard to execute under pressure. Secure-by-default design prevents those issues by making the safe path the normal path rather than an exception handled manually after release.

Q: What should IAM leaders look for when culture claims to support high performance?

A: They should look for clear role ownership, open escalation paths, and evidence that teams learn from failed controls. A culture can sound collaborative and still hide confusion about decision rights. The strongest signal is whether teams can explain who owns each access outcome and whether they use feedback to improve the control itself.


Technical breakdown

Shared accountability as a control for identity operations

Shared accountability is the difference between a security programme that moves and one that stalls. In identity operations, it means each control owner understands who approves access, who reviews exceptions, and who owns cleanup after the decision. The article’s emphasis on open communication and clear roles maps well to IAM because misalignment often creates duplicate approvals, orphaned exceptions, and unresolved access debt. When the organisation treats accountability as a daily operating practice, teams can react faster to privilege issues and control failures.

Practical implication: define owners for approval, review, and revocation so identity issues do not linger between teams.

Continuous improvement in IAM and NHI governance

Continuous improvement in security is not about constant change for its own sake. It is about using feedback, metrics, and retrospectives to find where controls are failing in practice. In IAM and NHI governance, that includes reviewing whether access recertification, secret rotation, and offboarding are actually happening on schedule. The article’s four-stage pattern of explore, experiment, innovate, and transform reflects a maturity model that security teams can use, provided each stage ends in measurable operational change rather than activity.

Practical implication: tie IAM and NHI process reviews to measurable outcomes, not just meeting cadence.

How culture affects secure-by-default engineering

Secure-by-default engineering depends on teams making the safe path the easy path. The article connects high performance with product reliability and speed, which matters in identity products because design choices determine whether customers can enforce least privilege, automate rotation, and reduce friction. In practice, culture influences whether security requirements are treated as constraints or as core product behavior. When engineering, product, and security share the same mission, controls are more likely to be built into workflows rather than bolted on after incidents.

Practical implication: require identity controls to be part of product design reviews, not an after-the-fact security overlay.


NHI Mgmt Group analysis

High-performance culture is an identity governance issue, not just a management philosophy. Identity programmes fail when ownership is diffuse, decisions stall, and teams cannot tell who is responsible for approval, review, or cleanup. The article’s focus on clarity and accountability shows that control effectiveness depends on operating discipline as much as tooling. The practitioner takeaway is that governance performance should be managed like a security control, not a soft cultural trait.

Continuous improvement is the only sustainable answer to control drift. Review cadences, rotation schedules, and offboarding processes degrade when teams stop examining whether they work in practice. The article’s emphasis on learning from outcomes aligns with NIST Cybersecurity Framework 2.0, where adaptive governance matters more than static policy. The practitioner takeaway is to measure whether controls are reducing exposure, not whether the process exists on paper.

Secure-by-default product culture determines whether identity security scales with the business. The article links culture to building products that support how people and AI agents work today, which matters because identity controls increasingly need to survive real-world operational pressure. If teams treat security as something to add later, they will keep rebuilding the same governance gaps. The practitioner takeaway is to make secure design a delivery requirement, not a downstream review.

Named concept: culture-mediated control quality. This article shows that identity control quality is shaped by how teams communicate, assign ownership, and respond to feedback. That concept matters because many IAM failures are not technical failures alone but execution failures created by poor collaboration. The practitioner takeaway is to inspect culture as part of control assurance.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes are still operating with incomplete machine-account oversight.
  • Use NIST Cybersecurity Framework 2.0 to connect governance, protection, and recovery to measurable identity operations.

What this signals

Culture-mediated control quality: the real test of an identity programme is whether teams can translate shared purpose into repeatable approval, review, and revocation outcomes. When that discipline is missing, the tooling can look mature while the control plane quietly drifts.

The fact that 30.9% of organisations store long-term credentials directly in code shows how often execution discipline fails before a policy question even begins, and that is where culture and control design intersect most sharply.

For practitioners, the next step is to treat operating cadence as part of the control surface. If teams cannot show timely closure of exceptions, rotations, and offboarding, the programme is signalling structural weakness rather than isolated process noise.


For practitioners

  • Assign explicit owners for each access decision: document who approves access, who performs the review, and who removes access when a decision changes. Use this for both human IAM and NHI workflows so no entitlement sits between teams.
  • Measure control outcomes, not policy existence: track whether recertifications close on time, whether secrets rotate on schedule, and whether offboarding removes access from live systems. Use those results in regular control reviews.
  • Bake secure-by-default requirements into product design: require product and engineering teams to review identity flows early so least privilege, auditability, and revocation are built into workflows before release.
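The first two practitioner steps above, and the answers on accountability and continuous improvement in the key questions, describe one measurable control: every access decision has an approval, a review, and a revocation step, each with a named owner, a due date, and an audit trail, and the programme is judged on whether those steps actually close on time. The script below is an added example, written for this page rather than taken from the 1Password article or from NHI Mgmt Group; the data model, the status names, and all identities, entitlements, and ticket references in it are constructed assumptions. It classifies each step, reports an on-time rate per step type, and lists the structural gaps (unowned, unrecorded, or unevidenced steps) separately so that they cannot hide inside an otherwise healthy-looking percentage.

```python
"""Added example, not code from the 1Password article or from NHI Mgmt Group.

Accountability as a measurable identity control: each access decision carries
three lifecycle steps (approval, review, revocation), each with a named owner,
a due date, an optional completion date and an optional evidence reference
(the audit trail).  The report flags steps with no owner, no evidence, late or
overdue closure, or that were never recorded, and computes an on-time rate per
step type.  All names, entitlements and ticket references are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

STEPS = ("approval", "review", "revocation")


@dataclass
class LifecycleStep:
    owner: Optional[str]            # person or team accountable for the step
    due: date                       # when the step must be complete
    completed: Optional[date] = None
    evidence: Optional[str] = None  # ticket / log reference proving it happened


@dataclass
class AccessDecision:
    identity: str                   # human account or non-human identity
    entitlement: str
    steps: Dict[str, LifecycleStep] = field(default_factory=dict)


def step_status(step: Optional[LifecycleStep], today: date) -> str:
    """Classify one lifecycle step; 'open' means not yet due and not yet done."""
    if step is None:
        return "missing"            # the step was never recorded for this decision
    if step.owner is None:
        return "unowned"            # nobody is accountable, so nobody can chase it
    if step.completed is None:
        return "overdue" if step.due < today else "open"
    if step.evidence is None:
        return "no_evidence"        # closed, but nothing in the audit trail backs it
    return "on_time" if step.completed <= step.due else "late"


def accountability_report(decisions: List[AccessDecision], today: date):
    """Return (per-step on-time rates, findings that need action).

    The on-time rate counts only steps that reached a verdict (on_time, late,
    overdue).  Structural gaps (missing, unowned, no_evidence) are reported as
    findings instead of silently lowering or inflating the rate.
    """
    counts = {name: Counter() for name in STEPS}
    findings: List[Tuple[str, str, str, str]] = []
    for decision in decisions:
        for name in STEPS:
            status = step_status(decision.steps.get(name), today)
            counts[name][status] += 1
            if status not in ("on_time", "open"):
                findings.append((decision.identity, decision.entitlement, name, status))
    rates = {}
    for name, c in counts.items():
        decided = c["on_time"] + c["late"] + c["overdue"]
        rates[name] = (c["on_time"] / decided) if decided else None
    return rates, findings


# Constructed sample data: one human identity and two non-human identities.
SAMPLE_DECISIONS = [
    AccessDecision("alice", "prod-db-admin", {
        "approval":   LifecycleStep("bob",   date(2025, 7, 1),  date(2025, 6, 30), "CHG-1001"),
        "review":     LifecycleStep("carol", date(2025, 8, 1),  date(2025, 8, 3),  "CHG-1007"),
        "revocation": LifecycleStep("dan",   date(2025, 8, 10)),                   # never closed
    }),
    AccessDecision("svc-billing-api-key", "billing-s3-write", {
        "approval":   LifecycleStep("eve",  date(2025, 7, 15), date(2025, 7, 15)),  # no ticket
        "review":     LifecycleStep(None,   date(2025, 8, 20)),                     # no owner
        # revocation step was never defined for this NHI
    }),
    AccessDecision("ci-deploy-token", "k8s-deploy", {
        "approval":   LifecycleStep("frank", date(2025, 8, 5), date(2025, 8, 5), "CHG-1010"),
        "review":     LifecycleStep("frank", date(2025, 9, 1)),
        "revocation": LifecycleStep("frank", date(2025, 9, 1)),
    }),
]


def run_sample(today: date = date(2025, 8, 13)):
    """Run the report over the constructed sample as of a fixed date."""
    return accountability_report(SAMPLE_DECISIONS, today)


if __name__ == "__main__":
    rates, findings = run_sample()
    for name in STEPS:
        rate = rates[name]
        print(f"{name:<11} on-time rate: {'n/a' if rate is None else f'{rate:.0%}'}")
    for identity, entitlement, name, status in findings:
        print(f"ACTION  {identity:<22} {entitlement:<18} {name:<11} {status}")
```

On the sample, approval shows a 100% on-time rate while review and revocation show 0%, and the findings list carries the five items a control owner would actually have to act on: a late review, an overdue revocation, an approval closed without evidence, a review with no owner, and an NHI whose revocation step was never defined. Feeding the report real decision records from an IAM or secrets platform, with `today` set to the review date, gives the completion rates and exception volumes the text calls for without relying on whether the process exists on paper.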

Key takeaways

  • High-performance culture matters in identity security because control ownership, review discipline, and cleanup speed determine whether governance works in practice.
  • The article’s message aligns with a broader security reality: organisations often have policies but still fail to execute them consistently enough to reduce exposure.
  • IAM leaders should treat accountability, continuous improvement, and secure-by-default design as operational controls that shape identity risk, not as abstract values.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework, control reference, and relevance:

  • NIST CSF 2.0, GV.OV-01: Governance oversight is central to culture-driven control execution.
  • NIST Zero Trust (SP 800-207), PR.AC-4: Least-privilege enforcement depends on clear accountability and review.
  • OWASP Non-Human Identity Top 10, NHI-03: Rotation and lifecycle discipline are part of repeatable NHI control execution.

Use governance oversight to verify identity controls are owned, measured, and reviewed.


Key terms

  • Identity governance: Identity governance is the set of processes that determine who or what gets access, who approves it, and when it must be reviewed or removed. In practice, it covers policy, ownership, certification, and revocation across human identities, service accounts, tokens, and automated workflows.
  • High-performance culture: High-performance culture is an operating model where teams share clear goals, act with accountability, and improve continuously. In security organisations, it matters because access decisions, remediation work, and control reviews depend on people executing reliably, not just on having the right tooling.
  • Secure by default: Secure by default means the safest configuration and workflow is the one the system encourages by design. For identity products, that usually means least privilege, auditability, and revocation paths are built into the normal user journey instead of being added as manual exceptions later.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.

This post draws on content published by 1Password: High-performance culture and identity security at 1Password. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org