
AI agent credential sprawl: are your IAM controls keeping up?


Posted by @nhi-mgmt-group (Member Moderator)

TL;DR: AI agents are accelerating credential sprawl by creating, using, and replicating API keys, service accounts, and other non-human identities at machine scale, while traditional IAM and PAM controls still assume human-paced access and review, according to 1Password. The governance gap is structural because access review and session-based oversight do not fit identities that duplicate, persist, and act outside centralized visibility.

NHIMG editorial — based on content published by 1Password: AI agent credential sprawl and machine identity risk

By the numbers:

  • 1 in 4 employees has used AI applications that were not approved by their company.
  • Repositories with Copilot active are 40% more likely to have at least one leaked secret.

Questions worth separating out

Q: How should security teams reduce credential sprawl caused by AI agents?

A: Start by discovering where non-human credentials are created, copied, and reused across code, chat tools, CI/CD logs, and agent workflows.

Q: Why do SSO and MFA not fully solve credential sprawl?

A: SSO and MFA were designed for interactive human access, so they miss credentials that authenticate programmatically or exist outside the SSO boundary.

Q: What breaks when developer secrets are hardcoded or copied into collaboration tools?

A: The break is governance, not just storage.

Practitioner guidance

  • Inventory credentials where they are actually created and reused: extend discovery beyond repositories into chat platforms, ticketing tools, CI/CD logs, local files, and agent workspaces so unmanaged secrets do not hide outside review scope.
  • Separate non-human identity governance from human offboarding workflows: assign distinct lifecycle controls for service accounts, API keys, and agent identities so review, revocation, and ownership do not depend on employee-centred IAM processes.
  • Reduce standing privilege on machine identities: re-scope long-lived service accounts and API tokens so they only carry the minimum access needed for the current workflow, and retire any access that survives beyond task completion.
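As an added illustration of the first guidance point (this is example code written for this post, not 1Password's tooling or anything from the report), the scan below runs a few detection rules over constructed CI log, chat export and agent workspace lines, fingerprints each hit so the report does not become another copy of the secret, and flags credentials that turn up in more than one source. File names, token shapes and the token values themselves are constructed for the demo.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample artifacts (fake values): a CI/CD log excerpt, a chat export
# and an agent workspace file. One fake token appears in all three on purpose.
SOURCES = {
    "ci/build-4711.log": ["[12:01:03] export AGENT_KEY=sk-test-AbCdEf0123456789GhIjKlMn"],
    "chat/dev-channel.txt": ["alice: agent key is sk-test-AbCdEf0123456789GhIjKlMn, now in .env",
                             "bob: token: see-the-onboarding-wiki"],
    "agent/workspace/.env": ["AGENT_KEY=sk-test-AbCdEf0123456789GhIjKlMn",
                             "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"],
}

# Detection rules: two known key shapes plus a generic "name=value" rule whose
# value must contain a digit, so prose like "token: see the wiki" is skipped.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "sk_prefixed_token": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "secret_assignment": re.compile(r"(?i)(?:key|token|secret|password)\s*[=:]\s*"
                                    r"['\"]?(?=[^\s'\",]*\d)([^\s'\",]{16,})"),
}

def fingerprint(secret):
    # Non-reversible handle so the report is not one more copy of the secret.
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def scan_sources(sources):
    findings, seen = [], set()
    for source, lines in sources.items():
        for line_no, line in enumerate(lines, 1):
            for rule, pattern in PATTERNS.items():
                for m in pattern.finditer(line):
                    secret = m.group(m.lastindex or 0)
                    key = (source, line_no, fingerprint(secret))
                    if key in seen:
                        continue  # one secret matched by two rules on the same line
                    seen.add(key)
                    findings.append({"source": source, "line": line_no, "rule": rule,
                                     "fingerprint": key[2], "redacted": secret[:4] + "..."})
    return findings

def reuse_report(findings):
    # Seen in more than one source means copied: rotating one copy leaves the rest.
    where = defaultdict(set)
    for f in findings:
        where[f["fingerprint"]].add(f["source"])
    return {fp: sorted(s) for fp, s in where.items() if len(s) > 1}
```

In practice the `SOURCES` dict would be filled from exported logs, chat archives and workspace files; the reuse report is the part that turns a pile of findings into a revocation list, since every copy of a reused credential has to be rotated together.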

What's in the full article

1Password's full report covers the operational detail this post intentionally leaves for the source:

  • Specific examples of where credentials are being stored outside central governance, including developer and collaboration workflows
  • The report’s discussion of how AI agents create and replicate credentials at machine scale across enterprise environments
  • Operational detail on managing unmanaged apps and shadow AI before they become credential sprawl problems
  • Examples of how teams can deliver credentials to agents and automation at runtime instead of leaving long-lived secrets in place

👉 Read 1Password's analysis of AI agent credential sprawl and machine identity risk →

