
AI agent identity sprawl: what IAM teams need to do now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: AI agents are widening identity sprawl by requiring access to applications, API keys, passwords, and business data that existing IAM tools were not built to govern, according to 1Password’s summary of Omdia’s report. The real issue is not just access volume but the collapse of provisioning, auditability, and de-provisioning assumptions when agents operate continuously and at scale.

NHIMG editorial — based on content published by 1Password: AI agent identity sprawl and access risk in extended access management

Questions worth separating out

Q: How should security teams govern AI agents that need access to multiple applications?

A: Treat each agent as a governed identity with explicit entitlements, audit trails, and revocation paths.

Q: Why do AI agents complicate least privilege in enterprise IAM?

A: AI agents complicate least privilege because their access is often continuous, multi-tool, and task-shifting, while classic IAM assumes stable roles and predictable login sessions.

Q: What do organisations get wrong about hardcoded credentials for AI agents?

A: They treat embedded credentials as a quick integration choice instead of a control compromise.

Practitioner guidance

  • Map every agent integration as a governed identity: Document each agent, tool, credential, and approval path as a distinct identity relationship so security teams can see where access starts, expands, and ends.
  • Remove embedded secrets from agent workflows: Replace plaintext API keys and passwords with centrally managed credentials so agents never authenticate through copied secrets in code or prompts.
  • Bind access to task completion: Use time-bound access, explicit revocation, and auditable handoff points so agent permissions expire when the work is done, not when someone remembers to review them.

What's in the full article

1Password's full article covers the operational detail this post intentionally leaves for the source:

  • How 1Password positions Extended Access Management for agent authentication and credential handling
  • The specific controls the vendor cites for preventing hardcoded secrets in AI workflows
  • Examples of how AI agent sign-ins and access monitoring are meant to work in practice
  • The vendor's implementation framing for developers building secure AI connections

👉 Read 1Password's analysis of AI agent identity sprawl and access risk →

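The three practitioner guidance points above, worked as an added example (not 1Password's, Omdia's or NHIMG's code; the AgentLedger class, agent names and task ids are hypothetical): each agent/tool relationship is recorded as a distinct grant bound to one task, every access decision is logged, completing the task revokes its grants at the handoff point, and grants that outlive their expiry surface as a de-provisioning backlog.

```python
from dataclasses import dataclass

@dataclass
class Grant:
    """One governed agent-to-tool relationship, bound to a unit of work."""
    agent: str        # the agent's own identity, not a borrowed human one
    tool: str         # application or API the agent may call
    task_id: str      # the task this access exists for
    issued_at: float
    expires_at: float # time-bound by construction
    revoked: bool = False

class AgentLedger:
    """Hypothetical entitlement ledger: maps, checks, revokes and audits
    agent access so it can be traced from issue to de-provisioning."""
    def __init__(self):
        self.grants: dict[str, Grant] = {}
        self.audit: list[tuple[float, str, str]] = []  # (time, event, grant id)

    def issue(self, agent, tool, task_id, now, ttl):
        gid = f"{agent}:{tool}:{task_id}"
        self.grants[gid] = Grant(agent, tool, task_id, now, now + ttl)
        self.audit.append((now, "issue", gid))
        return gid

    def allowed(self, agent, tool, task_id, now):
        """Access check: the grant must exist, be unrevoked and unexpired."""
        gid = f"{agent}:{tool}:{task_id}"
        g = self.grants.get(gid)
        ok = g is not None and not g.revoked and now < g.expires_at
        self.audit.append((now, "allow" if ok else "deny", gid))
        return ok

    def complete_task(self, task_id, now):
        """Auditable handoff point: finishing the task revokes its grants."""
        revoked = 0
        for gid, g in self.grants.items():
            if g.task_id == task_id and not g.revoked:
                g.revoked = True
                self.audit.append((now, "revoke", gid))
                revoked += 1
        return revoked

    def stale(self, now):
        """Grants past expiry that nobody revoked: the offboarding backlog."""
        return [gid for gid, g in self.grants.items()
                if not g.revoked and now >= g.expires_at]
```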
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Identity sprawl is no longer just an inventory problem. AI agents turn identity sprawl into a control-plane issue because each new tool connection becomes a new identity dependency, not just another app link. Omdia’s framing is directionally right, but the deeper point is that governance teams are now dealing with identities that can multiply during runtime rather than at onboarding. The practitioner takeaway is that discovery, entitlement mapping, and de-provisioning must move at the same tempo as agent activity.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: How do identity teams decide whether an AI agent needs a separate governance model?

A: Use a separate model when the agent can operate continuously, touch multiple applications, and request or reuse access without a human approval gate for each action. Those behaviours break human IAM assumptions and require NHI-style lifecycle control with stronger visibility, tighter scoping, and explicit offboarding.

👉 Read our full editorial: AI agent identity sprawl is exposing IAM gaps in enterprise access


