TL;DR: Drawing on its webinar and report, 1Password argues that as AI tools and non-human identities (NHIs) expand beyond SSO and PAM coverage, enterprises face an access-trust gap created by application sprawl, device heterogeneity, and unmanaged credentials. The core issue is that identity controls built for stable human access do not map cleanly to autonomous agents and other NHIs.
NHIMG editorial — based on content published by 1Password: Inside 1Password’s Enterprise Identity Transformation
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern AI agent access in enterprise environments?
A: Security teams should govern AI agent access as a runtime identity problem.
Q: Why do SSO and PAM leave gaps for NHIs and AI agents?
A: SSO and PAM are designed around stable, mostly human access paths.
Q: What breaks when organisations treat AI agents like ordinary users?
A: What breaks is the assumption that access review, role assignment, and device confidence can be applied on a human schedule.
Practitioner guidance
- Map the unmanaged access boundary: Identify which apps, devices, service accounts, and agents sit outside SSO and PAM coverage, then classify them as separate governance populations.
- Inventory AI agents and shadow AI paths: Build discovery into your identity programme so agents, credentials, and delegated access paths are visible before they are allowed to scale.
- Separate human, NHI, and agent trust rules: Apply different access assumptions to users, service accounts, and autonomous tools so device trust and runtime scope are evaluated correctly for each actor type.
What's in the full article
1Password's full article covers the operational detail this post intentionally leaves for the source:
- How 1Password positions Extended Access Management across password management, device trust, and SaaS governance
- The webinar discussion with Francis Odum, Abe Ankumah, and Blaine Carter on closing the access-trust gap
- The product capabilities described for discovering shadow AI and providing time-bound access to agents
- The customer perspective on managing productivity without expanding standing privilege
AI agent identity security and the access-trust gap?
Explore further
The access-trust gap is the new boundary problem in identity security. SSO and PAM were built to control access inside a more stable perimeter, but that perimeter no longer describes how work actually happens. Application sprawl, unmanaged devices, and AI agents create identity activity outside the traditional control plane. The practitioner conclusion is that governance must start from the unmanaged edge, not from the assumed core.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
A question worth separating out:
Q: How can teams close the access-trust gap without slowing productivity?
A: Teams should reduce friction by making trust decisions explicit and automated at the point of access, not by broadening standing permission. Focus on discoverability, scoped entitlements, and auditable temporary access for users, devices, and agents. That preserves productivity while shrinking the unmanaged layer that creates security blind spots.