TL;DR: Modern enterprises are spreading credentials across spreadsheets, developer environments, browser sessions, and automation workflows, creating identity sprawl and an Access-Trust Gap as teams add subsidiaries, contractors, AI builders, and SaaS tools, according to 1Password. The editorial issue is bigger than provisioning speed: governance has to scale without assuming every credential lives inside SSO or PAM.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should security teams govern credentials that live outside SSO and PAM?
A: Start by treating those credentials as governed assets rather than exceptions.
Q: Why do shared spreadsheets and browser sessions create identity risk?
A: Because they often hold credentials without the controls that identity teams rely on for review and revocation.
Q: When should organisations treat delegated automation as privileged access?
A: When the integration can create, suspend, restore, or otherwise alter access without manual approval at every step.
Practitioner guidance
- Inventory credentials outside SSO and PAM: list where secrets, tokens, browser sessions, spreadsheets, and automation workflows actually live, then assign each location an owner and a lifecycle rule (who reviews it, how often it rotates, and how it is revoked).
- Separate provisioning authority from data visibility: for hosted automation, document where encryption keys are generated, used, and stored, and verify whether any operator, cloud layer, or integration partner can inspect them. The right to create or suspend accounts should not carry the ability to read the data those accounts protect.
- Review OAuth integrations as privileged identity paths: classify delegated integrations that can list users, suspend access, or restore access as privileged access paths, and review them with the same cadence and scrutiny as administrator accounts.
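The three guidance points above, and the "delegated automation as privileged access" rule from the Q&A, reduce to two checks a practitioner can run over an inventory: does each credential location have an owner and a lifecycle rule, and which delegated integrations can alter access without a human approving every step? The following is an added example written for this editorial, not 1Password's code or its Users API; the capability names (`users:suspend` and so on), the record fields, and the sample records are constructed assumptions.

```python
"""Added example (not 1Password's code): governance checks over an inventory of
credentials that live outside SSO/PAM, plus a capability-based test for which
delegated integrations count as privileged access paths. All records and
capability names below are constructed assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Capabilities that let an integration change who has access (assumed names).
ACCESS_ALTERING: Set[str] = {"users:create", "users:suspend", "users:restore", "users:delete"}

# Fixed reference date so the sample report is deterministic.
TODAY = date(2024, 6, 1)


@dataclass
class CredentialLocation:
    name: str
    kind: str                              # spreadsheet, browser_session, ci_secret, automation
    owner: Optional[str] = None            # accountable team or person
    rotation_days: Optional[int] = None    # lifecycle rule; None means no rule exists
    last_rotated: Optional[date] = None


@dataclass
class Integration:
    name: str
    capabilities: Set[str] = field(default_factory=set)
    manual_approval_each_step: bool = False   # is a human gate in front of every change?


def location_gaps(loc: CredentialLocation, today: date = TODAY) -> List[str]:
    """Return the governance gaps for one credential location (empty list if clean)."""
    gaps: List[str] = []
    if not loc.owner:
        gaps.append("no owner")
    if loc.rotation_days is None:
        gaps.append("no lifecycle rule")
    elif loc.last_rotated is None:
        gaps.append("never rotated")
    elif today - loc.last_rotated > timedelta(days=loc.rotation_days):
        gaps.append("rotation overdue")
    return gaps


def inventory_report(locations: List[CredentialLocation], today: date = TODAY) -> Dict[str, List[str]]:
    """Map each location name to its gaps, so the clean entries are visible too."""
    return {loc.name: location_gaps(loc, today) for loc in locations}


def is_privileged_path(integ: Integration) -> bool:
    """Privileged if it can create/suspend/restore/delete access and no human
    approves each step; read-only listing on its own is not privileged."""
    return bool(integ.capabilities & ACCESS_ALTERING) and not integ.manual_approval_each_step


def privileged_paths(integrations: List[Integration]) -> List[str]:
    return sorted(i.name for i in integrations if is_privileged_path(i))


# Constructed sample inventory (not real data).
SAMPLE_LOCATIONS = [
    CredentialLocation("vendor-logins.xlsx", "spreadsheet"),
    CredentialLocation("ci-deploy-token", "ci_secret", owner="platform-team",
                       rotation_days=90, last_rotated=date(2024, 1, 1)),
    CredentialLocation("shared-admin-browser-session", "browser_session",
                       owner="it-ops", rotation_days=30),
    CredentialLocation("hr-sync-api-key", "automation", owner="identity-team",
                       rotation_days=90, last_rotated=date(2024, 5, 1)),
]

SAMPLE_INTEGRATIONS = [
    Integration("scim-provisioner", {"users:list", "users:create", "users:suspend"}),
    Integration("license-report", {"users:list"}),
    Integration("offboarding-bot", {"users:suspend", "users:restore"}, manual_approval_each_step=True),
]


def sample_inventory_report() -> Dict[str, List[str]]:
    return inventory_report(SAMPLE_LOCATIONS)


def sample_privileged_paths() -> List[str]:
    return privileged_paths(SAMPLE_INTEGRATIONS)


if __name__ == "__main__":
    for name, gaps in sample_inventory_report().items():
        print(f"{name}: {', '.join(gaps) or 'ok'}")
    print("privileged integration paths:", sample_privileged_paths())
```

The deliberate design choice is that `offboarding-bot` is not flagged even though it can suspend and restore users, because a human approves every step; the Q&A's rule is about automation that acts without that gate, not about the capability alone. Conversely, the read-only `license-report` integration is not privileged, while the SCIM-style provisioner is, because it can create and suspend accounts on its own.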
What's in the full announcement
1Password's full blog post covers the operational detail this post intentionally leaves for the source:
- Automated provisioning setup details for enterprise environments using hosted infrastructure and SCIM-style integration patterns
- Multi-tenancy structure for parent and child accounts, including delegated administration and centralized visibility
- OAuth-based Users API workflow examples for listing users, suspending access, and restoring access after remediation
- Verified email mechanics across supported inboxes and the trust signals used for account onboarding and recovery
Read 1Password's analysis of enterprise provisioning, multi-tenancy, and workflow automation for the operational detail.