TL;DR: Credential sprawl now spans passwords, API keys, service accounts, passkeys, SSO tokens, and AI-driven workflows, with 97% of AI-related security breaches involving AI that lacked proper access controls, according to IBM. The governance problem is broader than secrets rotation alone: access oversight has to cover every person, agent, secret, and workflow or the blast radius keeps expanding.
NHIMG editorial — based on content published by 1Password: Credential sprawl and how AI increases the risks
By the numbers:
- 97% of AI-related security breaches involved AI that didn’t have proper access controls.
- 70% of secrets that were leaked in 2022 were still valid in 2025.
- 50% of CISOs who’ve experienced a material breach in the last three years identified compromised credentials as a root cause.
Questions worth separating out
Q: How should security teams handle credential sprawl across humans, NHIs, and AI workflows?
A: Treat credential sprawl as a lifecycle and visibility problem, not just a storage problem.
Q: Why does credential sprawl increase breach impact so quickly?
A: Credential sprawl increases breach impact because a single exposed secret can open multiple systems, and because the same credential is often reused across environments or left valid long after its original purpose has ended.
Q: What breaks when AI tools can store and reuse credentials outside approved channels?
A: What breaks is accountability. A credential cached or reused by an AI tool outside approved channels has no owner of record, no audit trail tying its use to a person or workflow, and no guaranteed revocation when that person or workflow goes away, so the programme can no longer prove who used what, or retire it with confidence.
Practitioner guidance
- Inventory every credential-bearing path: map passwords, API keys, tokens, certificates, passkeys, service accounts, and AI-linked secrets to owners and systems of record.
- Separate runtime secret use from static storage: treat vault storage as only one control layer. Where a secret is kept says nothing about where it is copied at runtime, so also track how secrets are fetched, scoped, and expired in the workflows that use them, including AI-assisted ones.
- Remove duplicate and long-lived credentials: prioritise rotation and revocation for secrets that appear in multiple environments or remain valid after their original purpose ends.
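The three steps above can be run as one triage pass over a credential inventory export. The script below is an added example written for this post; it is not 1Password's or NHIMG's code, and the record fields (id, type, owner, system, environment, secret, last_rotated, purpose_ends), the 90-day rotation threshold, and the inventory records themselves are all assumptions constructed for illustration. It fingerprints each secret rather than retaining it, groups records that share a fingerprint to find the same credential reused across environments, reports how many systems each fingerprint opens (the blast radius from the Q&A above), and flags records with no owner, a stale rotation date, or validity that outlasts the stated purpose.

```python
"""Credential inventory triage (added example; not 1Password's or NHIMG's code).

Assumed input: an inventory export as a list of dicts with the fields used
below. The records here are constructed sample data, not real secrets.
"""
import hashlib
from collections import defaultdict
from datetime import date

MAX_ROTATION_AGE_DAYS = 90  # assumed policy threshold; adjust to your own

# Constructed sample inventory. 'secret' is the material found by the scan;
# it is fingerprinted immediately and never copied into the report.
INVENTORY = [
    {"id": "db-prod-ro", "type": "password", "owner": "data-platform",
     "system": "prod-postgres", "environment": "prod", "secret": "pg-pass-7731",
     "last_rotated": "2022-03-01", "purpose_ends": None},
    {"id": "db-staging-ro", "type": "password", "owner": "data-platform",
     "system": "staging-postgres", "environment": "staging", "secret": "pg-pass-7731",
     "last_rotated": "2022-03-01", "purpose_ends": None},
    {"id": "ci-deploy-key", "type": "api_key", "owner": None,
     "system": "deploy-api", "environment": "prod", "secret": "key-1a2b3c",
     "last_rotated": "2025-11-20", "purpose_ends": None},
    {"id": "contractor-vpn", "type": "token", "owner": "contractor-acme",
     "system": "vpn-gateway", "environment": "prod", "secret": "tok-ff09",
     "last_rotated": "2025-05-01", "purpose_ends": "2025-06-30"},
    {"id": "ai-agent-bot", "type": "token", "owner": "ml-team",
     "system": "chat-platform", "environment": "prod", "secret": "tok-bot-55",
     "last_rotated": "2025-11-01", "purpose_ends": None},
]


def fingerprint(secret: str) -> str:
    """Short SHA-256 fingerprint so duplicates can be matched without keeping the value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def triage(inventory, today: date, max_age_days: int = MAX_ROTATION_AGE_DAYS):
    """Return findings sorted by blast radius, then by number of reasons."""
    by_fp = defaultdict(list)
    for rec in inventory:
        by_fp[fingerprint(rec["secret"])].append(rec)

    findings = []
    for rec in inventory:
        fp = fingerprint(rec["secret"])
        sharers = by_fp[fp]
        systems = {r["system"] for r in sharers}        # how many systems this secret opens
        environments = {r["environment"] for r in sharers}
        reasons = []
        if not rec.get("owner"):
            reasons.append("no_owner")
        if len(environments) > 1:
            reasons.append("shared_across_environments")
        age_days = (today - date.fromisoformat(rec["last_rotated"])).days
        if age_days > max_age_days:
            reasons.append(f"stale_rotation:{age_days}d")
        if rec.get("purpose_ends") and date.fromisoformat(rec["purpose_ends"]) < today:
            reasons.append("valid_past_purpose_end")
        if reasons:
            findings.append({"id": rec["id"], "fingerprint": fp,
                             "blast_radius": len(systems), "reasons": reasons})

    findings.sort(key=lambda f: (-f["blast_radius"], -len(f["reasons"]), f["id"]))
    return findings


def report(today_iso: str = "2025-12-01"):
    """Run the triage over the sample inventory as of a fixed date (assumed for the example)."""
    return triage(INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding in report():
        print(finding["id"], finding["blast_radius"], ", ".join(finding["reasons"]))
```

On the sample data the two database passwords surface first: they are the same secret in prod and staging, so one leak opens two systems, and they have not been rotated in over three years. The contractor token is flagged because it is still valid months after its stated purpose ended, and the CI key because nobody owns it. The AI agent token produces no finding here, which is the point of recording an owner and rotation date for it in the first place.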
What's in the full article
1Password's full blog covers the operational detail this post intentionally leaves for the source:
- How 1Password positions runtime secret delivery for developers and AI-assisted workflows
- The product-specific view of shadow AI discovery inside 1Password Unified Access
- How the vendor describes breach monitoring and vault-based credential governance in practice
- The implementation detail behind its least-privilege and onboarding/offboarding workflows
👉 Read 1Password's analysis of credential sprawl and AI access risk →
Credential sprawl and AI agents: what IAM teams are missing?
Explore further
Credential sprawl is now an identity governance failure, not a hygiene problem. Once credentials are spread across code, chat, spreadsheets, and AI workflows, the programme can no longer prove ownership, recertify access, or retire stale privilege with confidence. That shifts the issue from secret storage to identity lifecycle control across human and non-human actors. The practical conclusion is that governance has to extend to every credential-bearing workflow, not just the obvious vault boundary.
A few things that frame the scale:
- 70% of secrets that were leaked in 2022 were still valid in 2025, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- In the same research set, 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, which shows how widespread this control failure has become.
A question worth separating out:
Q: Who is accountable when unmanaged credentials cause a compliance failure?
A: The organisation remains accountable, even if the credential is used by an AI agent, a contractor, or a third-party workflow. Standards expect proof that access is provisioned and removed correctly, and that regulated data and workflows are protected throughout their lifecycle. Accountability does not disappear because the identity is non-human.
👉 Read our full editorial: Credential sprawl is now an AI governance problem, not just a password one