TL;DR: AI agents are widening identity sprawl by requiring access to applications, API keys, passwords, and business data that existing IAM tools were not built to govern, according to 1Password’s summary of Omdia’s report. The real issue is not just access volume but the collapse of provisioning, auditability, and de-provisioning assumptions when agents operate continuously and at scale.
NHIMG editorial — based on content published by 1Password: AI agent identity sprawl and access risk in extended access management
Questions worth separating out
Q: How should security teams govern AI agents that need access to multiple applications?
A: Treat each agent as a governed identity with explicit entitlements, audit trails, and revocation paths.
Q: Why do AI agents complicate least privilege in enterprise IAM?
A: AI agents complicate least privilege because their access is often continuous, multi-tool, and task-shifting, while classic IAM assumes stable roles and predictable login sessions.
Q: What do organisations get wrong about hardcoded credentials for AI agents?
A: They treat embedded credentials as a quick integration choice instead of a control compromise.
Practitioner guidance
- Map every agent integration as a governed identity. Document each agent, tool, credential, and approval path as a distinct identity relationship so security teams can see where access starts, expands, and ends.
- Remove embedded secrets from agent workflows. Replace plaintext API keys and passwords with centrally managed credentials so agents never authenticate through copied secrets in code or prompts.
- Bind access to task completion. Use time-bound access, explicit revocation, and auditable handoff points so agent permissions expire when the work is done, not when someone remembers to review them.
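The three controls above can be modelled together in a few lines. This is an added illustration, not code from 1Password or the Omdia report; `AgentAccessBroker`, `Grant`, the agent and task names, and the entitlement strings are all hypothetical, and the clock is injected so expiry is deterministic.

```python
import secrets
from dataclasses import dataclass
@dataclass
class Grant:  # one agent, one task, explicit entitlements, hard expiry
    agent_id: str
    task_id: str
    entitlements: frozenset
    expires_at: float
    revoked: bool = False

class AgentAccessBroker:
    """Hypothetical broker (an assumption, not a vendor API)."""
    def __init__(self, clock):
        self.clock, self.grants, self.audit = clock, {}, []  # audit is append-only
    def _log(self, event, grant, detail):
        self.audit.append((self.clock(), event, grant.agent_id, grant.task_id, detail))
    def issue(self, agent_id, task_id, entitlements, ttl_seconds):
        handle = secrets.token_urlsafe(16)  # opaque handle, not the downstream secret
        grant = Grant(agent_id, task_id, frozenset(entitlements), self.clock() + ttl_seconds)
        self.grants[handle] = grant
        self._log("issue", grant, ",".join(sorted(grant.entitlements)))
        return handle
    def authorize(self, handle, entitlement):
        grant = self.grants.get(handle)
        if grant is None:
            return False  # unknown handle: no identity to attribute, deny
        reason = ("revoked" if grant.revoked
                  else "expired" if self.clock() >= grant.expires_at
                  else "out_of_scope" if entitlement not in grant.entitlements
                  else None)
        self._log("deny" if reason else "allow", grant, f"{entitlement}:{reason or 'ok'}")
        return reason is None
    def complete_task(self, task_id):
        hits = [g for g in self.grants.values() if g.task_id == task_id and not g.revoked]
        for grant in hits:  # revocation is tied to the task ending, not to a review
            grant.revoked = True
            self._log("revoke", grant, "task_complete")
        return len(hits)

def demo():
    now = [1000.0]  # constructed clock value
    broker = AgentAccessBroker(clock=lambda: now[0])
    h = broker.issue("agent-invoice-bot", "task-42", {"crm:read"}, ttl_seconds=300)
    results = [broker.authorize(h, "crm:read"), broker.authorize(h, "billing:write")]
    broker.complete_task("task-42")
    results.append(broker.authorize(h, "crm:read"))  # denied: revoked on completion
    h2 = broker.issue("agent-invoice-bot", "task-43", {"crm:read"}, ttl_seconds=300)
    now[0] += 301  # task-43 is never closed, so the TTL is the backstop
    return results + [broker.authorize(h2, "crm:read")], [e[1] for e in broker.audit]
```

Every decision, including each denial and its reason, lands in the audit list with the agent and task it belongs to, which is the record a reviewer needs to see where access started and ended.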
What's in the full article
1Password's full article covers the operational detail this post intentionally leaves for the source:
- How 1Password positions Extended Access Management for agent authentication and credential handling
- The specific controls the vendor cites for preventing hardcoded secrets in AI workflows
- Examples of how AI agent sign-ins and access monitoring are meant to work in practice
- The vendor's implementation framing for developers building secure AI connections