TL;DR: Security teams can now suspend or restore users in Enterprise Password Manager through SOC workflows using 1Password’s public preview Users API for Partners, with OAuth 2.0-based delegated access and auditability, according to 1Password. The practical shift is not just faster response, but tighter identity action orchestration when alerts and remediation need to stay aligned.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should security teams use automated identity actions in SOC workflows?
A: Use automated identity actions only for well-defined response cases such as high-confidence compromise, credential abuse, or containment workflows that already have clear approval boundaries.
Q: Why do delegated identity APIs matter for incident response?
A: Delegated identity APIs matter because they let security tooling enforce access decisions without handing broad admin rights to every response system.
Q: What breaks when identity suspension is still manual during incidents?
A: Manual suspension breaks containment speed, increases exposure time, and creates inconsistent execution when responders are under pressure.
Practitioner guidance
- Define which alerts can trigger identity suspension: Map the specific incident types that may justify automated suspension or restoration, then restrict those actions to validated detection paths with explicit scope boundaries.
- Separate detection authority from execution authority: Ensure the system that identifies risk is not the same system that can freely change identity state unless the delegated scope is tightly constrained and reviewable.
- Require immutable audit evidence for every identity action: Capture the triggering event, timestamp, actor, and outcome for each suspend or restore action so security review and compliance checks can reconstruct the full sequence.
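The three points above combined in one response gate, as an added example that is not 1Password's code or API: `execute_suspend` is a hypothetical callable standing in for whatever narrowly scoped delegated client performs the suspension, and the policy values and source names are constructed. The hash chain makes edits to earlier records detectable; actual immutability still depends on shipping the records to write-once storage.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed policy (constructed): alert type -> minimum confidence for auto-suspend.
SUSPEND_POLICY = {"credential_abuse": 0.90, "account_compromise": 0.95}
# Assumed names of detection pipelines validated for automated action.
VALIDATED_SOURCES = {"edr-prod", "siem-prod"}
GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; each record embeds the previous record's hash."""

    def __init__(self):
        self.records = []

    def append(self, entry):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = dict(entry, prev=prev)
        self.records.append(dict(body, hash=_digest(body)))
        return self.records[-1]

    def verify(self):
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or _digest(body) != rec["hash"]:
                return False  # a record was edited or the chain was broken
            prev = rec["hash"]
        return True


def handle_alert(alert, execute_suspend, log, actor="soar-workflow"):
    """Gate the alert against policy, act through the scoped executor, record it."""
    floor = SUSPEND_POLICY.get(alert["type"])
    in_scope = (floor is not None and alert["confidence"] >= floor
                and alert["source"] in VALIDATED_SOURCES)
    outcome = "skipped: outside policy"
    if in_scope:
        try:
            execute_suspend(alert["user_id"])  # the only identity-changing call
            outcome = "suspended"
        except Exception as exc:  # record failures too, never drop them
            outcome = f"failed: {exc}"
    return log.append({"trigger": alert["id"], "alert_type": alert["type"],
                       "source": alert["source"], "user_id": alert["user_id"],
                       "actor": actor, "outcome": outcome,
                       "timestamp": datetime.now(timezone.utc).isoformat()})
```

The detection side only supplies the `alert` dictionary; it never holds the executor, which keeps detection authority and execution authority in separate components.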
What's in the full announcement
1Password's full article covers the operational detail this post intentionally leaves for the source:
- Configuration steps for connecting EPM with CrowdStrike, Elastic, Sumo Logic, Tines, Torq, and BlinkOps.
- The Users API for Partners preview workflow for listing users, suspending access, and restoring access.
- How 1Password positions api.1Password.com as the entry point for future partner APIs.
- Implementation notes for automated provisioning, confidential computing, and multi-tenancy.
Users API for partners: what changes for SOC-driven identity response?
Explore further
Programmatic identity response is now part of SOC design, not a separate IAM task. This shift matters because the identity action becomes an operational control inside the incident workflow, rather than a manual follow-up after the alert. The article shows that suspend and restore actions can be chained to detection signals through delegated authorization, which changes how teams should model response ownership. Practitioners should treat identity actions as part of the control plane for containment, not as back-office administration.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.
A question worth separating out:
Q: Who is accountable when automated access restoration is wrong?
A: Accountability sits with the organisation that defined the workflow, the team that approved the scope, and the owners of the upstream detection logic. If restoration happens too early or too broadly, the failure is usually governance, not just tooling. Teams should be able to prove which signal, rule, and authorisation path caused the action.