Access-trust gap in AI-era identity security: what changes now?

TL;DR: Enterprise access is shifting as people and AI agents operate across more tools, devices, and unmanaged apps than traditional security models cover, according to 1Password’s Cloud 100 announcement. The real issue is not recognition, but that identity governance is now stretching beyond the boundaries assumed by legacy IAM, IGA, and MDM.

NHIMG editorial — based on content published by 1Password: 1Password is named to the 2025 Forbes Cloud 100 for fourth consecutive year

By the numbers:

• Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

Questions worth separating out

Q: How should security teams govern access when AI agents and humans share the same apps?

A: Treat AI agents as separate identity subjects with their own approvals, scope limits, and monitoring.

Q: Why do unmanaged devices create an identity governance problem?

A: Because identity control depends on knowing both who is accessing and from what trusted endpoint.

Q: What do teams get wrong about extended access management?

A: They often treat it as an add-on to SSO rather than a response to a wider trust problem.

Practitioner guidance

• Inventory the access-trust gap Map every application and device path that falls outside federated SSO, managed endpoints, or centrally approved app usage.
• Separate agent governance from human access policy Classify AI agents and other non-human actors as their own identity subjects, then assign explicit controls for their app reach, approvals, and session scope.
• Close unmanaged-device exceptions Review exceptions where users or agents can reach corporate apps from devices that are not posture-checked or enrolled.

What's in the full analysis

1Password's full article covers the operational detail this post intentionally leaves for the source:

• The specifics of Extended Access Management positioning across people, AI agents, managed devices, and unmanaged endpoints.
• The partner ecosystem and integration context behind the access model.
• The Cloud 100 evaluation criteria and how the ranking was framed by Forbes and Bessemer Venture Partners.
• The company context and category narrative that sit behind the announcement.

👉 Read 1Password’s Cloud 100 announcement and Extended Access Management context →

Access-trust gap in AI-era identity security: what changes now?

Explore further

View Full Forum →  |  NHI Foundation Course →