TL;DR: Enterprise access is shifting as people and AI agents operate across more tools, devices, and unmanaged apps than traditional security models cover, according to 1Password’s Cloud 100 announcement. The real issue is not recognition, but that identity governance is now stretching beyond the boundaries assumed by legacy IAM, IGA, and MDM.
NHIMG editorial — based on content published by 1Password: 1Password is named to the 2025 Forbes Cloud 100 for fourth consecutive year
By the numbers:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should security teams govern access when AI agents and humans share the same apps?
A: Treat AI agents as separate identity subjects with their own approvals, scope limits, and monitoring.
Q: Why do unmanaged devices create an identity governance problem?
A: Because identity control depends on knowing both who is accessing and from what trusted endpoint.
Q: What do teams get wrong about extended access management?
A: They often treat it as an add-on to SSO rather than a response to a wider trust problem.
Practitioner guidance
- Inventory the access-trust gap Map every application and device path that falls outside federated SSO, managed endpoints, or centrally approved app usage.
- Separate agent governance from human access policy Classify AI agents and other non-human actors as their own identity subjects, then assign explicit controls for their app reach, approvals, and session scope.
- Close unmanaged-device exceptions Review exceptions where users or agents can reach corporate apps from devices that are not posture-checked or enrolled.
What's in the full analysis
1Password's full article covers the operational detail this post intentionally leaves for the source:
- The specifics of Extended Access Management positioning across people, AI agents, managed devices, and unmanaged endpoints.
- The partner ecosystem and integration context behind the access model.
- The Cloud 100 evaluation criteria and how the ranking was framed by Forbes and Bessemer Venture Partners.
- The company context and category narrative that sit behind the announcement.
👉 Read 1Password’s Cloud 100 announcement and Extended Access Management context →
Access-trust gap in AI-era identity security: what changes now?
Explore further
Access-trust gap: the enterprise has outgrown its original identity perimeter. Traditional IAM was built for managed users, managed devices, and federated applications. That assumption no longer holds when work is performed through autonomous agents, unmanaged endpoints, and apps adopted outside IT oversight. The implication is that identity governance now has to account for access paths that never fit the original trust model.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to the 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to the 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: What frameworks are most relevant when AI agents expand the access surface?
A: OWASP NHI Top 10 and Zero Trust Architecture are the most useful starting points because they connect identity scope, trust boundaries, and access enforcement. Teams should also use governance and lifecycle controls to decide who or what can reach each app, under which conditions, and with what visibility.
👉 Read our full editorial: 1Password’s cloud 100 recognition spotlights the access-trust gap