TL;DR: Traditional IAM and IGA leave gaps in SaaS discovery, device trust, and agentic access governance, making access control a performance and risk problem rather than a login problem, according to 1Password’s October 27, 2025 article. 1Password frames Extended Access Management as a way to secure access across people, apps, devices, and AI-driven workflows while preserving speed.
NHIMG editorial — based on content published by 1Password: Extended Access Management for people, apps, devices, and AI
Questions worth separating out
Q: How should security teams govern AI agent access alongside human IAM?
A: Security teams should keep human sign-in, machine access, and AI agent workflows in separate governance views even when they touch the same application.
Q: Why do unmanaged SaaS apps create identity governance risk?
A: Unmanaged SaaS creates risk because access can exist outside normal onboarding, offboarding, and review processes.
Q: When should organisations require device trust before sign-in?
A: Organisations should require device trust for sensitive systems, remote work, and any environment where unmanaged devices could expose credentials or data.
Practitioner guidance
- Map unmanaged SaaS before tightening access policy. Feed application discovery into joiner, mover, and leaver workflows so hidden apps are included in access reviews, offboarding, and license rationalisation.
- Use device trust for high-risk access paths. Require device posture checks before granting access to sensitive systems, especially for remote users and shared environments.
- Separate human and agent access reporting. Track AI-driven workflows, service accounts, and human users in distinct access inventories so reviews do not collapse different actor types into one report.
What's in the full article
1Password's full article covers the operational detail this post intentionally leaves for the source:
- The partnership framing and how the Extended Access Management suite is positioned across enterprise and consumer access use cases.
- The specific product components and their role in credential vaulting, SaaS discovery, and device trust enforcement.
- The company’s own explanation of how the model supports distributed work, AI-driven operations, and shared access.
- The sports partnership context and the broader business narrative behind the announcement.
Extended access management: what it means for IAM teams
Extended access management is a response to identity sprawl, not a replacement for IAM. The article describes a control problem where people, devices, SaaS, and AI-driven workflows all sit inside the same access perimeter. Traditional IAM and IGA were built around cleaner boundaries than most organisations now have. Practitioners should read this as a signal that access governance must span discovery, device trust, and workflow control together.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when shared credentials are used across teams?
A: Accountability should sit with the service owner or platform owner, not with the people who happen to use the credential day to day. Shared access needs a named owner, logging, and a revocation path. Without that, offboarding and review become guesswork instead of a controlled process.