
Credential sprawl and AI agents: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Credential sprawl now spans passwords, API keys, service accounts, passkeys, SSO tokens, and AI-driven workflows, with 97% of AI-related security breaches involving AI that lacked proper access controls, according to IBM. The governance problem is broader than secrets rotation alone: access oversight has to cover every person, agent, secret, and workflow or the blast radius keeps expanding.

NHIMG editorial — based on content published by 1Password: Credential sprawl and how AI increases the risks

By the numbers:

Questions worth separating out

Q: How should security teams handle credential sprawl across humans, NHIs, and AI workflows?

A: Treat credential sprawl as a lifecycle and visibility problem, not just a storage problem.

Q: Why does credential sprawl increase breach impact so quickly?

A: Credential sprawl increases breach impact because one exposed secret can open multiple systems, and the same credential is often reused or left valid for too long.

Q: What breaks when AI tools can store and reuse credentials outside approved channels?

A: What breaks is accountability.

Practitioner guidance

  • Inventory every credential-bearing path: map passwords, API keys, tokens, certificates, passkeys, service accounts, and AI-linked secrets to owners and systems of record.
  • Separate runtime secret use from static storage: treat vault storage as only one control layer.
  • Remove duplicate and long-lived credentials: prioritise rotation and revocation for secrets that appear in multiple environments or remain valid after their original purpose ends.

What's in the full article

1Password's full blog covers the operational detail this post intentionally leaves for the source:

  • How 1Password positions runtime secret delivery for developers and AI-assisted workflows
  • The product-specific view of shadow AI discovery inside 1Password Unified Access
  • How the vendor describes breach monitoring and vault-based credential governance in practice
  • The implementation detail behind its least-privilege and onboarding/offboarding workflows

👉 Read 1Password's analysis of credential sprawl and AI access risk →
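The "Practitioner guidance" list above describes an inventory-and-prioritise loop without showing one. The following is an added example, not code from the original post or from 1Password: it audits a constructed credential inventory for the conditions the list names (no accountable owner, never-expiring or long-lived secrets, secrets still valid after their purpose ended, the same secret material spanning environments or duplicated under two records) and orders the results into a rotation/revocation queue. Field names, the 90-day age threshold and all sample records are assumptions made for the example.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

@dataclass(frozen=True)
class Credential:
    cred_id: str
    owner: str | None           # None = no accountable owner in the system of record
    environments: frozenset[str]
    issued: date
    expires: date | None        # None = never expires
    purpose_ended: date | None  # when the workflow that needed it was retired, if ever
    fingerprint: str            # digest of the secret material; the secret is never kept
def fingerprint(secret: str) -> str:
    # Hash the secret so duplicate material can be matched without storing it.
    return hashlib.sha256(secret.encode()).hexdigest()[:16]

def audit(inventory: list[Credential], today: date, max_age: timedelta = timedelta(days=90)) -> dict[str, list[str]]:
    # Map cred_id -> issue tags for every record that needs rotation, revocation or an owner.
    copies = Counter(c.fingerprint for c in inventory)
    findings: dict[str, list[str]] = {}
    for c in inventory:
        still_valid = c.expires is None or c.expires > today
        checks = [
            (c.owner is None, "no_owner"),
            (c.expires is None, "never_expires"),
            (c.expires is not None and still_valid and today - c.issued > max_age, "long_lived"),
            (c.purpose_ended is not None and still_valid, "valid_after_purpose"),
            (len(c.environments) > 1, "spans_environments"),
            (copies[c.fingerprint] > 1, "duplicate_secret"),  # same material, two records
        ]
        issues = [tag for hit, tag in checks if hit]
        if issues:
            findings[c.cred_id] = issues
    return findings

def prioritise(findings: dict[str, list[str]]) -> list[str]:
    # Work queue: most findings first, ties broken by id so the order is reproducible.
    return sorted(findings, key=lambda k: (-len(findings[k]), k))
TODAY = date(2026, 2, 1)  # constructed audit date; the records below are constructed too
INVENTORY = [
    Credential("svc-ci-deploy", "platform-team", frozenset({"prod", "staging"}), date(2024, 1, 10), None, None, fingerprint("ci-key-constructed")),
    Credential("bot-agent-gh", None, frozenset({"prod"}), date(2025, 11, 1), date(2026, 6, 1), date(2026, 1, 15), fingerprint("agent-token-constructed")),
    Credential("legacy-db-pass", "dba", frozenset({"prod"}), date(2022, 3, 1), date(2030, 1, 1), None, fingerprint("shared-db-constructed")),
    Credential("staging-db-pass", "dba", frozenset({"staging"}), date(2022, 3, 1), date(2030, 1, 1), None, fingerprint("shared-db-constructed")),
    Credential("dev-passkey", "alice", frozenset({"dev"}), date(2026, 1, 20), date(2026, 4, 20), None, fingerprint("pk-constructed")),
]
```

Running `prioritise(audit(INVENTORY, TODAY))` puts the unowned agent token that outlived its workflow at the top of the queue and leaves the short-lived, single-environment passkey out of the findings entirely.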

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Credential sprawl is now an identity governance failure, not a hygiene problem. Once credentials are spread across code, chat, spreadsheets, and AI workflows, the programme can no longer prove ownership, recertify access, or retire stale privilege with confidence. That shifts the issue from secret storage to identity lifecycle control across human and non-human actors. The practical conclusion is that governance has to extend to every credential-bearing workflow, not just the obvious vault boundary.

A few things that frame the scale:

  • 70% of secrets that were leaked in 2022 were still valid in 2025, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • In the same research set, 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, which shows how widespread this control failure has become.

A question worth separating out:

Q: Who is accountable when unmanaged credentials cause a compliance failure?

A: The organisation remains accountable, even if the credential is used by an AI agent, a contractor, or a third-party workflow. Standards expect proof that access is provisioned and removed correctly, and that regulated data and workflows are protected throughout their lifecycle. Accountability does not disappear because the identity is non-human.

👉 Read our full editorial: Credential sprawl is now an AI governance problem, not just a password one
