Non-deterministic AI agents: are your identity controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: AI-native development agents operate near code, tools, and credentials without predictable behavior, and 73% of employees are encouraged to use AI for at least part of their workload while 37% say they follow AI policy only most of the time, according to 1Password. Access models built for stable principals break when runtime decisions, tool choice, and execution timing are all variable.

NHIMG editorial — based on content published by 1Password: analysis of AI agent identity risk and runtime access

Questions worth separating out

Q: How should security teams implement least privilege for AI agents that change behaviour at runtime?

A: Security teams should define access around task profiles, not assumed user stories, and keep grants as narrow as the current workflow allows.

Q: Why do AI agents complicate existing IAM and access review processes?

A: AI agents complicate IAM because access review assumes a stable principal with durable entitlements that can be certified later.

Q: What breaks when external content can influence an AI agent’s tool use?

A: What breaks is the boundary between information processing and delegated execution.

Practitioner guidance

  • Map agent tasks to runtime access profiles: define the smallest practical access set for each agent workflow, then grant it at the moment of use rather than preloading broad entitlements.
  • Separate untrusted input from execution triggers: block external content from directly influencing tool calls unless the action is explicitly approved or policy-evaluated.
  • Require full attribution for agent access events: track what was granted, what was used, and which identity or approver authorized any escalation.

What's in the full article

1Password's full article covers the operational detail this post intentionally leaves for the source:

  • The podcast-specific discussion between Travis McPeak, Nancy Wang, and Dev Tagare on how teams should think about agent governance in practice.
  • The detailed example of starting from zero permissions and using requestable, auditable escalation paths for agent access.
  • The credential-layer approach behind the 1Password Hook for Cursor, including runtime delivery and in-memory secret handling.
  • The full context behind policy-as-code workflows and how they reduce human bottlenecks in development pipelines.

👉 Read 1Password's analysis of AI agent identity risk and runtime access →
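One way to turn the three practitioner-guidance bullets above into working code, as an added example that is not part of the original post and is not code from 1Password or NHIMG: a small policy-enforcement point that sits between an AI coding agent and its tools. It grants each tool call at the moment of use against a per-task profile, refuses to let externally sourced instructions trigger anything other than read-only tools unless a named approver from the profile signs off, and keeps an audit record that distinguishes granted from used. Every identifier in it (TaskProfile, ToolCall, AccessGate, the tool names, the /repo/app scope, the approver "alice") is a constructed assumption for illustration, not a product API.

```python
import posixpath
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Tools that only observe state; everything else counts as delegated execution.
READ_ONLY_TOOLS = frozenset({"read_file", "list_dir", "search"})


@dataclass(frozen=True)
class TaskProfile:
    """Smallest practical access set for one agent workflow (hypothetical schema)."""
    task: str
    tools: frozenset                      # tool names this task may invoke
    path_scope: str                       # directory the task may touch
    approvers: frozenset = frozenset()    # identities allowed to approve escalation


@dataclass(frozen=True)
class ToolCall:
    tool: str
    args: dict
    origin: str   # "user" = the principal running the agent; "external" = fetched content


@dataclass
class Decision:
    allowed: bool
    reason: str
    approver: Optional[str] = None


class AccessGate:
    """Evaluates each tool call at the moment of use and records attribution."""

    def __init__(self, profile: TaskProfile):
        self.profile = profile
        self.audit: list = []

    def _in_scope(self, call: ToolCall) -> bool:
        path = call.args.get("path")
        if path is None:
            return True
        # Normalise first so "../" segments cannot escape the scope lexically.
        normalised = posixpath.normpath(path)
        scope = posixpath.normpath(self.profile.path_scope)
        return normalised == scope or normalised.startswith(scope.rstrip("/") + "/")

    def request(self, call: ToolCall, approver: Optional[str] = None) -> Decision:
        if call.tool not in self.profile.tools:
            decision = Decision(False, "tool not in task profile")
        elif not self._in_scope(call):
            decision = Decision(False, "path outside task scope")
        elif call.origin == "external" and call.tool not in READ_ONLY_TOOLS:
            # Untrusted content may inform the agent but may not by itself trigger
            # execution: a named approver listed in the profile must sign off.
            if approver in self.profile.approvers:
                decision = Decision(True, "escalation approved", approver)
            else:
                decision = Decision(False, "external content cannot trigger execution without named approval")
        else:
            decision = Decision(True, "within task profile")
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "task": self.profile.task, "tool": call.tool, "args": dict(call.args),
            "origin": call.origin, "granted": decision.allowed, "used": False,
            "approver": decision.approver, "reason": decision.reason,
        })
        return decision

    def mark_used(self) -> None:
        """Call after the tool actually executes, so granted-but-unused access is visible."""
        self.audit[-1]["used"] = True

    def attribution_report(self) -> dict:
        granted = [r for r in self.audit if r["granted"]]
        return {
            "requested": len(self.audit),
            "granted": len(granted),
            "used": sum(r["used"] for r in granted),
            "escalated": sum(1 for r in granted if r["approver"]),
            "denied": len(self.audit) - len(granted),
        }


def demo() -> AccessGate:
    """Constructed scenario: an agent fixing a bug under /repo/app."""
    profile = TaskProfile(
        task="fix-issue-42",
        tools=frozenset({"read_file", "search", "write_file", "run_tests"}),
        path_scope="/repo/app",
        approvers=frozenset({"alice"}),
    )
    gate = AccessGate(profile)
    # 1. User-driven read inside scope: granted and actually used.
    if gate.request(ToolCall("read_file", {"path": "/repo/app/main.py"}, "user")).allowed:
        gate.mark_used()
    # 2. An instruction embedded in a fetched issue comment asks for a write: denied.
    gate.request(ToolCall("write_file", {"path": "/repo/app/main.py", "data": "patched"}, "external"))
    # 3. The same write with a named approver: granted and attributed to alice.
    if gate.request(ToolCall("write_file", {"path": "/repo/app/main.py", "data": "patched"}, "external"),
                    approver="alice").allowed:
        gate.mark_used()
    # 4. Traversal out of scope and a tool outside the profile: both denied.
    gate.request(ToolCall("read_file", {"path": "/repo/app/../../etc/passwd"}, "user"))
    gate.request(ToolCall("deploy", {}, "user"))
    return gate
```

The point of the audit shape is the last bullet: each record carries what was requested, whether it was granted, whether it was used, and who approved any escalation, so `attribution_report()` can show granted-versus-used drift rather than just a list of entitlements. The origin tag is the piece real deployments find hardest; it has to be set by the component that fetched the content, not by the model.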

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

Least privilege designed for stable principals fails when the actor is non-deterministic. That model assumes the required access set can be defined up front and remains valid long enough to govern. The article’s core point is that agents can behave differently across runs, so the privilege profile is not static enough for conventional provisioning logic. The implication is that identity governance must stop treating agent access as a fixed grant and start treating it as a runtime state with bounded scope.

A few things that frame the scale:

  • 33% of organisations report their AI agents have accessed inappropriate or sensitive data beyond their intended scope, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: How do organisations know whether AI agent governance is actually working?

A: Governance is working when teams can show which actions were allowed, which were used, and which were escalated with named approval. If access is granted but usage is opaque, the programme has only created the appearance of control. The clearest signal is complete attribution across the full access lifecycle.

👉 Read our full editorial: AI agent identities expose the limits of traditional IAM
