TL;DR: Identity security programmes are moving beyond SSO into access governance for people, workloads, and agents as the market broadens to AI and non-human identities, according to 1Password research. The company says it has crossed $400 million in ARR while remaining free cash-flow positive, and it is expanding its leadership team to accelerate global growth, enterprise adoption, and partner expansion.
NHIMG editorial — based on content published by 1Password: 1Password expands leadership team to accelerate global growth
By the numbers:
- 1Password says it has surpassed $400 million in annual recurring revenue while remaining free cash-flow positive.
Questions worth separating out
Q: How should security teams govern AI agent access without relying on human IAM assumptions?
A: Treat AI agents as non-human identities with their own scopes, owners, and revocation rules.
Q: Why does extended access management matter beyond traditional SSO programmes?
A: Because many business-critical access paths now bypass the SSO boundary entirely.
Q: What do IAM teams get wrong when they treat agents like ordinary users?
A: They assume the same lifecycle, approvals, and review cadence will work for both.
Practitioner guidance
- Inventory identities outside SSO coverage: Identify SaaS applications, service accounts, and AI-driven access paths that are not governed by the main identity provider.
- Separate human and agent access policies: Create distinct access models for employees, workloads, and AI agents so approval rules, scope limits, and revocation logic do not inherit from human IAM by default.
- Reconcile lifecycle ownership across teams: Assign clear ownership for joiner, mover, and leaver events across identity, application, and platform teams.
What's in the full analysis
1Password's full article covers the operational detail this post intentionally leaves for the source:
- How Michael Hughes and John Torrey are being mapped into global sales, partnerships, and corporate development responsibilities
- The vendor's own framing of Extended Access Management and how it fits its commercial strategy
- Direct quotes on how 1Password is positioning identity security across human users and AI agents
- The company context behind its $400 million ARR milestone and partner ecosystem growth
Identity security expansion at 1Password: what changes for IAM teams?
Explore further
Identity security is being redefined from authentication control to access governance across all identity types. This article shows the market moving beyond login security and toward management of access rights, device trust, and lifecycle control for SaaS, agents, and non-human accounts. That broadening matters because IAM programmes built only for human access do not fully cover the identities now consuming privilege in the enterprise. Practitioners should treat this as a category shift, not a product update.
A few things that frame the scale:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: How can organisations tell whether their access governance model is keeping up?
A: Look for evidence that every identity class is owned, scoped, reviewed, and revoked on time. If SaaS apps, service accounts, and agent access still live outside a common governance model, the programme is behind the actual access footprint. Coverage, not tool count, is the useful measure.