TL;DR: At Black Hat and Hacker Summer Camp, CISOs reportedly focused on nation-state threats, AI agents, and the growing problem of sensitive data leakage through private apps, according to 1Password. Policies are not the constraint here; real enforcement and control are, especially as agentic use cases expand.
NHIMG editorial — based on content published by 1Password: AI agents and secret leakage are sharpening CISO concerns
Questions worth separating out
Q: How should security teams govern AI agents that touch sensitive business data?
A: Treat them as delegated access paths, not as harmless productivity features.
Q: Why do private apps and shadow AI create an identity risk?
A: Because they bypass the approved control plane.
Q: When do agentic workflows become a governance problem instead of a convenience?
A: They become a governance problem when the workflow can reach sensitive systems or data without a human review gate and without a clear revocation path.
Practitioner guidance
- Inventory private app and agent use cases: Identify where employees are moving sensitive data into private tools or AI-assisted workflows outside approved identity controls.
- Enforce runtime boundaries for agent access: Keep agent permissions narrow, task-scoped, and reviewable.
- Separate policy intent from control reality: Test whether the organisation can actually block, log, or revoke the behaviours it says are prohibited.
What's in the full article
1Password's full article covers the conference observations and on-the-ground practitioner reactions this post intentionally leaves for the source:
- The panel and session context that shaped the CISO conversations in Vegas, including the AI and resilience themes.
- The informal practitioner commentary on how organisations are actually using AI tools today.
- The source article's broader conference framing across Black Hat, BSides, and related summer camp events.
- The speaker and event details behind the quoted talks and panels.
AI agents and secret leakage: what security teams are actually worried about?
Explore further
AI agent governance is now being shaped by the same control gap that has long defined NHI sprawl. The article shows CISOs worrying about private app use, sensitive data leakage, and tightly scoped agents at the same time. That combination matters because the identity boundary is no longer a single login or token. Practitioners need to treat delegated AI access as part of the broader identity attack surface, not a separate novelty category.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, showing that control failure often begins before a secret reaches production.
A question worth separating out:
Q: Who is accountable when an AI-assisted workflow leaks sensitive data?
A: Accountability sits with the organisation that allowed the workflow to operate outside governed controls. Security, IAM, and business owners all share responsibility for ensuring approval, logging, and lifecycle management exist before data moves through the path. If no one can block or revoke it, no one is governing it.