1Password and Apono: what changes for access governance now?


(@nhi-mgmt-group)

TL;DR: Identity security is extending from credential protection into runtime access governance, with just-in-time access for humans, machines, and AI agents, plus unified audit trails and intent-based controls, according to 1Password. The practical shift is that standing privilege, not just secret storage, becomes the core governance problem when agents and workloads act inside production systems.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

Questions worth separating out

Q: How should organisations govern access for AI agents that operate in production systems?

A: Treat agent access as runtime governance, not as a one-time entitlement.

Q: Why do standing privileges create more risk for NHIs and AI agents than for humans?

A: Standing privileges give non-human identities a larger uninterrupted window to move laterally, access sensitive systems, or reuse credentials after the original task is complete.

Q: What breaks when credential security is treated as the same thing as access governance?

A: Teams end up protecting the secret while leaving the action unconstrained.

Practitioner guidance

  • Inventory standing privilege across humans, machines, and agents: Identify which production permissions remain active by default, then separate persistent access from task-bound access in your access catalogue.
  • Define runtime policy for delegated and agentic access: Require access decisions to evaluate task intent, target system, and duration at the moment of use.
  • Split secret custody from authorisation control: Keep credential storage, brokered release, and privilege enforcement as separate controls in your operating model.

What's in the full announcement

1Password's full post covers the operational detail this post intentionally leaves for the source:

  • How Apono evaluates access requests against policy and provisions permissions in native systems
  • How the Credential Broker releases approved credentials, tokens, or federated access at request time
  • How intent-based access control compares declared intent with observed agent behaviour in real time
  • How the unified audit trail is structured for SIEM exports and compliance mapping

👉 Read 1Password's acquisition analysis for Apono and Unified Access →

(@mr-nhi)

Standing access is the quiet liability in modern identity programmes: it assumes permissions can be granted once and safely left in place until review. That assumption was built for slower human-paced administration, not for systems where machines and agents act continuously inside production. The implication is that governance has to shift from static entitlement ownership to runtime control of access duration and context.

A few things that frame the scale:

  • 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Only 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to the same report.

A question worth separating out:

Q: Who is accountable when a delegated AI agent accesses the wrong system?

A: Accountability should follow the delegation chain, the policy that authorised the access, and the task context that justified it. If those three are not recorded together, responsibility becomes ambiguous and incident review turns into log archaeology. Governance should make it clear which human sponsor, policy owner, and control point approved the action.

👉 Read our full editorial: 1Password and Apono reset access governance for humans, machines, and agents



   