TL;DR: Modern enterprises are spreading credentials across spreadsheets, developer environments, browser sessions, and automation workflows, creating identity sprawl and an Access-Trust Gap as teams add subsidiaries, contractors, AI builders, and SaaS tools, according to 1Password. The editorial issue is bigger than provisioning speed: governance has to scale without assuming every credential lives inside SSO or PAM.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should security teams govern credentials that live outside SSO and PAM?
A: Start by treating those credentials as governed assets rather than exceptions.
Q: Why do shared spreadsheets and browser sessions create identity risk?
A: Because they often hold credentials without the controls that identity teams rely on for review and revocation.
Q: When should organisations treat delegated automation as privileged access?
A: When the integration can create, suspend, restore, or otherwise alter access without manual approval at every step.
Practitioner guidance
- Inventory credentials outside SSO and PAM: list where secrets, tokens, browser sessions, spreadsheets, and automation workflows actually live, then assign each location an owner and a lifecycle rule.
- Separate provisioning authority from data visibility: for hosted automation, document where encryption keys are generated, used, and stored, and verify whether any operator, cloud layer, or integration partner can inspect them.
- Review OAuth integrations as privileged identity paths: classify delegated integrations that can list users, suspend access, or restore access as privileged access paths.
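The first and third guidance points above are a procedure an IAM team can run as a recurring check: inventory every place a credential lives, attach an owner and a lifecycle rule, and classify delegated integrations with user-altering scopes as privileged paths. The script below is an added example written for this editorial, not 1Password's code or any product API. The record fields, the scope strings (`users:list`, `users:suspend`, `users:restore`), the 90-day rotation rule, and the sample inventory are all this example's own assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Delegated scopes that can list or change who has access. These names are
# illustrative for this example; they are not 1Password's scope identifiers.
ACCESS_PATH_SCOPES = {"users:list", "users:create", "users:suspend", "users:restore"}
MAX_ROTATION_DAYS = 90  # assumed lifecycle rule for credentials outside SSO/PAM


@dataclass
class CredentialLocation:
    """One place a credential actually lives; field names are this example's own."""
    name: str
    kind: str                      # spreadsheet | browser_session | ci_token | oauth_integration
    owner: Optional[str]
    in_sso_or_pam: bool            # already under SSO/PAM review and revocation?
    last_rotated: Optional[date]
    scopes: set[str] = field(default_factory=set)
    approval_gate: bool = True     # does a human approve each access change it makes?


def is_privileged_access_path(loc: CredentialLocation) -> bool:
    """A delegated integration that can list, suspend or restore users is a privileged path."""
    return loc.kind == "oauth_integration" and bool(loc.scopes & ACCESS_PATH_SCOPES)


def audit(locations: list[CredentialLocation], today: date) -> dict[str, list[str]]:
    """Return findings keyed by location name; an empty dict means every record is governed."""
    findings: dict[str, list[str]] = {}
    for loc in locations:
        issues: list[str] = []
        if not loc.in_sso_or_pam:
            issues.append("outside SSO/PAM: govern as a named asset, not an exception")
        if loc.owner is None:
            issues.append("no owner assigned")
        if loc.last_rotated is None:
            issues.append("no rotation record")
        elif (today - loc.last_rotated).days > MAX_ROTATION_DAYS:
            issues.append(f"rotation overdue ({(today - loc.last_rotated).days} days)")
        if is_privileged_access_path(loc):
            issues.append("privileged access path: review like PAM-held admin credentials")
            if not loc.approval_gate:
                issues.append("alters access with no manual approval step")
        if issues:
            findings[loc.name] = issues
    return findings


TODAY = date(2025, 1, 15)  # fixed date so the sample run is deterministic

# Constructed sample inventory for this example; none of these are real systems.
SAMPLE_INVENTORY = [
    CredentialLocation("hr-shared-spreadsheet", "spreadsheet", None, False, None),
    CredentialLocation("ci-deploy-token", "ci_token", "platform-team", False,
                       TODAY - timedelta(days=120)),
    CredentialLocation("hris-provisioning-app", "oauth_integration", "iam-team", True,
                       TODAY - timedelta(days=20),
                       {"users:list", "users:suspend", "users:restore"}, approval_gate=False),
    CredentialLocation("metrics-reader-app", "oauth_integration", "sre-team", True,
                       TODAY - timedelta(days=10), {"metrics:read"}),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY, TODAY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run as-is, the sample flags the spreadsheet (no owner, no rotation record, outside SSO/PAM), the CI token (rotation overdue) and the provisioning integration (privileged path with no approval gate), while the read-only metrics app produces no finding. The point of the check is that the provisioning integration is flagged even though it sits inside SSO: being SSO-backed does not make an integration that can suspend and restore users any less of a privileged access path.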
What's in the full announcement
1Password's full blog post covers the operational detail this post intentionally leaves for the source:
- Automated provisioning setup details for enterprise environments using hosted infrastructure and SCIM-style integration patterns
- Multi-tenancy structure for parent and child accounts, including delegated administration and centralized visibility
- OAuth-based Users API workflow examples for listing users, suspending access, and restoring access after remediation
- Verified email mechanics across supported inboxes and the trust signals used for account onboarding and recovery
👉 Read 1Password’s analysis of enterprise provisioning, multi-tenancy, and workflow automation →
Enterprise provisioning in 1Password: what IAM teams need to rework?
Explore further
Access-Trust Gap: This article names the right problem even if it does not fully solve it. Modern enterprises have more credentials than their governance model can continuously observe, and that is the operational meaning of the Access-Trust Gap. SSO and PAM still matter, but neither was designed to absorb the full spread of workflow credentials, browser-held secrets, and cross-team automation. Practitioners should read that gap as a programme design failure, not a tooling inconvenience.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to the same research.
A question worth separating out:
Q: What should teams do before adopting hosted identity automation?
A: Verify the execution boundary, the trust model, and the rollback path. Teams should know where sensitive operations happen, which parties can observe them, and how access can be reversed if the workflow misbehaves. Without those answers, automation can expand risk faster than it reduces it.
👉 Read our full editorial: 1Password’s enterprise provisioning changes what identity teams govern