TL;DR: Credential sprawl now spans passwords, API keys, service accounts, passkeys, SSO tokens, and AI-driven workflows, with 97% of AI-related security breaches involving AI that lacked proper access controls, according to IBM. The governance problem is broader than secrets rotation alone: access oversight has to cover every person, agent, secret, and workflow or the blast radius keeps expanding.
NHIMG editorial — based on content published by 1Password: Credential sprawl and how AI increases the risks
By the numbers:
- 97% of AI-related security breaches involved AI that didn’t have proper access controls.
- 70% of secrets that were leaked in 2022 were still valid in 2025.
- 50% of CISOs who’ve experienced a material breach in the last three years identified compromised credentials as a root cause.
Questions worth separating out
Q: How should security teams handle credential sprawl across humans, NHIs, and AI workflows?
A: Treat credential sprawl as a lifecycle and visibility problem, not just a storage problem.
Q: Why does credential sprawl increase breach impact so quickly?
A: Credential sprawl increases breach impact because one exposed secret can open multiple systems, and the same credential is often reused or left valid for too long.
Q: What breaks when AI tools can store and reuse credentials outside approved channels?
A: What breaks is accountability.
Practitioner guidance
- Inventory every credential-bearing path: map passwords, API keys, tokens, certificates, passkeys, service accounts, and AI-linked secrets to owners and systems of record.
- Separate runtime secret use from static storage: treat vault storage as only one control layer.
- Remove duplicate and long-lived credentials: prioritise rotation and revocation for secrets that appear in multiple environments or remain valid after their original purpose ends.
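The three guidance points above describe one triage loop over a credential inventory: find secrets with no owner, secrets whose value is reused across environments, and secrets that are long-lived or still valid after their purpose ended, then rank them for rotation. The script below is an added example, not 1Password's or NHIMG's code, and works on a constructed inventory; the record fields, the 90-day age and 30-day staleness thresholds, and the use of a hash fingerprint to detect reuse without ever handling the secret value are all assumptions made for illustration.

```python
"""Credential inventory triage (added example; constructed data, assumed field names)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Credential:
    cred_id: str
    kind: str                    # password, api_key, token, certificate, passkey, service_account
    system: str                  # system of record that issued or stores the secret
    environment: str             # where this copy of the secret is used
    fingerprint: str             # hash of the secret value (assumed recorded by the vault);
                                 # lets us spot reuse without the script ever seeing the secret
    issued: date
    owner: Optional[str] = None  # accountable person or team; None means nobody owns it
    last_used: Optional[date] = None
    purpose_active: bool = True  # False once the workflow or person it served is gone
    revoked: bool = False


MAX_AGE_DAYS = 90   # assumed rotation ceiling
STALE_DAYS = 30     # assumed "not used recently" threshold

# Constructed inventory: two environments sharing one API key value, an unowned
# CI token, a service account whose purpose ended, one healthy passkey, one
# already-revoked certificate.
TODAY = date(2025, 6, 1)
INVENTORY: List[Credential] = [
    Credential("db-prod-01", "api_key", "vault", "prod", "fp-A", date(2025, 4, 20),
               owner="platform", last_used=date(2025, 5, 30)),
    Credential("db-stage-01", "api_key", "vault", "staging", "fp-A", date(2025, 4, 20),
               owner="platform", last_used=date(2025, 5, 29)),
    Credential("ci-token-07", "token", "ci", "prod", "fp-B", date(2024, 11, 1),
               owner=None, last_used=date(2025, 5, 31)),
    Credential("svc-report-01", "service_account", "ad", "prod", "fp-C", date(2025, 1, 15),
               owner="finance", last_used=date(2025, 3, 1), purpose_active=False),
    Credential("pk-alice", "passkey", "idp", "prod", "fp-D", date(2025, 5, 1),
               owner="alice", last_used=date(2025, 5, 31)),
    Credential("old-cert-09", "certificate", "pki", "prod", "fp-E", date(2023, 1, 1),
               owner="platform", revoked=True),
]


def triage(inventory: List[Credential], today: date) -> Dict[str, List[str]]:
    """Return {cred_id: [reasons]} for every live credential that needs action."""
    # Group live credentials by fingerprint so the same value used in several
    # environments shows up as one reused secret.
    by_fp: Dict[str, List[Credential]] = defaultdict(list)
    for c in inventory:
        if not c.revoked:
            by_fp[c.fingerprint].append(c)

    findings: Dict[str, List[str]] = {}
    for c in inventory:
        if c.revoked:
            continue
        reasons: List[str] = []
        if c.owner is None:
            reasons.append("no owner")
        envs = {x.environment for x in by_fp[c.fingerprint]}
        if len(envs) > 1:
            reasons.append("same secret reused in " + ", ".join(sorted(envs)))
        if (today - c.issued).days > MAX_AGE_DAYS:
            reasons.append(f"older than {MAX_AGE_DAYS} days")
        if not c.purpose_active:
            reasons.append("purpose ended but still valid")
        if c.last_used is None or (today - c.last_used).days > STALE_DAYS:
            reasons.append(f"not used in {STALE_DAYS} days")
        if reasons:
            findings[c.cred_id] = reasons
    return findings


def rotation_order(findings: Dict[str, List[str]], inventory: List[Credential],
                   today: date) -> List[str]:
    """Rank flagged credentials: most reasons first, then oldest, then by id."""
    age = {c.cred_id: (today - c.issued).days for c in inventory}
    return sorted(findings, key=lambda cid: (-len(findings[cid]), -age[cid], cid))


if __name__ == "__main__":
    found = triage(INVENTORY, TODAY)
    for cid in rotation_order(found, INVENTORY, TODAY):
        print(f"{cid}: {'; '.join(found[cid])}")
```

The fingerprint grouping is the piece that makes the "duplicate" check work: an inventory that only lists where each secret is stored cannot tell you that production and staging share one API key, whereas a per-record hash of the value can, without the inventory itself becoming a new copy of the secret.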
What's in the full article
1Password's full blog covers the operational detail this post intentionally leaves for the source:
- How 1Password positions runtime secret delivery for developers and AI-assisted workflows
- The product-specific view of shadow AI discovery inside 1Password Unified Access
- How the vendor describes breach monitoring and vault-based credential governance in practice
- The implementation detail behind its least-privilege and onboarding/offboarding workflows