
Credential sprawl in AI workflows: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator

TL;DR: Credential sprawl now extends across SaaS, scripts, pipelines, browsers, and AI prompts, while 52% of employees have downloaded apps without IT approval and stolen credentials remain the most common breach entry point, according to 1Password and Verizon. The governance gap is no longer sign-in security but ownership, lifecycle, and revocation across every credential-bearing workflow.

NHIMG editorial — based on content published by 1Password: credential sprawl in AI-driven work and why sign-ins are not enough

By the numbers:

Questions worth separating out

Q: How should security teams govern credentials that live outside the identity provider?

A: Security teams should treat every password, token, and secret as a governed asset, even when it is created in a browser, script, or SaaS console.

Q: Why do shared accounts and service accounts increase identity risk?

A: Shared accounts and service accounts increase risk because they weaken ownership, blur accountability, and make revocation harder when people change roles or leave.

Q: What breaks when credentials are created in AI workflows and pipelines?

A: Governance breaks when credentials are generated where work is executed but not where identity is managed.

Practitioner guidance

  • Inventory credentials outside the identity provider: identify passwords, tokens, service accounts, SSH keys, environment files, and agent secrets stored in browsers, scripts, notes, SaaS consoles, and AI prompts.
  • Assign ownership to every non-human credential: require a named owner for each API key, token, shared account, and automation secret so review and revocation do not depend on tribal knowledge.
  • Extend lifecycle controls to automation and agents: apply creation, rotation, revocation, and offboarding controls to credentials created by scripts, pipelines, and AI workflows.
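One way to operationalize the three points above, as an added example that is not from the 1Password article or this post: a small Python audit over a constructed credential inventory that flags secrets with no named owner, owners who have already been offboarded, and rotation ages past an assumed policy threshold. The credential kinds, locations, rotation limits and sample records are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Credential:
    cred_id: str
    kind: str             # api_key, token, ssh_key, agent_secret, shared_account
    location: str         # where it was found: env_file, ci_pipeline, browser, ai_prompt, saas_console
    owner: Optional[str]  # named human owner; None means nobody is accountable for it
    last_rotated: date

# Assumed rotation policy in days; illustrative values, not taken from the article.
MAX_AGE_DAYS: Dict[str, int] = {
    "api_key": 90, "token": 30, "ssh_key": 180, "agent_secret": 30, "shared_account": 90,
}

def audit(creds: List[Credential], active_users: Set[str], today: date) -> List[Tuple[str, str]]:
    """Return (cred_id, finding) pairs for ownership and lifecycle gaps."""
    findings: List[Tuple[str, str]] = []
    for c in creds:
        if c.owner is None:
            findings.append((c.cred_id, "no_owner"))          # nobody can approve review or revocation
        elif c.owner not in active_users:
            findings.append((c.cred_id, "owner_offboarded"))  # offboarding never reached this secret
        if (today - c.last_rotated).days > MAX_AGE_DAYS.get(c.kind, 90):
            findings.append((c.cred_id, "rotation_overdue"))
    return findings

# Constructed sample inventory: credentials discovered outside the identity provider.
TODAY = date(2025, 1, 15)
SAMPLE = [
    Credential("ci-deploy-key", "ssh_key", "ci_pipeline", "alice", TODAY - timedelta(days=400)),
    Credential("agent-llm-token", "agent_secret", "ai_prompt", None, TODAY - timedelta(days=10)),
    Credential("shared-analytics", "shared_account", "browser", "bob", TODAY - timedelta(days=20)),
    Credential("svc-api-key", "api_key", "env_file", "alice", TODAY - timedelta(days=30)),
]
ACTIVE_USERS = {"alice"}  # bob has left; his secrets should have been revoked or reassigned

def sample_findings() -> List[Tuple[str, str]]:
    return audit(SAMPLE, ACTIVE_USERS, TODAY)

if __name__ == "__main__":
    for cred_id, finding in sample_findings():
        print(f"{cred_id}: {finding}")
```

Each finding maps to one of the three guidance points: an unowned secret has no one to assign, an offboarded owner means revocation did not follow the person, and an overdue rotation shows the lifecycle control never reached the pipeline or agent that created the credential.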

What's in the full article

1Password's full article covers the operational detail this post intentionally leaves for the source:

  • A practical breakdown of how credential sprawl appears across browsers, scripts, SaaS tools, and AI workflows.
  • The article's explanation of why sign-in controls and PAM stop short of governing the full credential lifecycle.
  • Examples of how teams can think about coverage, control, and lifecycle when credentials are created outside the identity provider.
  • The source discussion of how comprehensive credential security is positioned for humans, developers, and AI agents.

👉 Read 1Password's analysis of credential sprawl in AI-driven work →
