TL;DR: The Access-Trust Gap created by unfederated identities, unmanaged apps, devices, and AI agents accessing sensitive data has made Extended Access Management a necessary response, according to 1Password. The security issue is broader than a sponsorship story: governance now has to cover every sign-in path, not just managed endpoints and federated users.
NHIMG editorial — based on content published by 1Password: extended access management and the Red Bull Racing partnership
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams govern unmanaged identities that sit outside IAM and MDM coverage?
A: Start by inventorying the identities that never enter the normal joiner, mover, leaver process, including service accounts, API keys, tokens, and agent credentials.
Q: Why do unmanaged apps and machine identities increase identity risk?
A: Because they can authenticate to critical systems without going through the same lifecycle controls used for human users.
Q: What do teams get wrong about governing AI agents as identities?
A: They often treat AI agents as if they were just another automation job, then inherit controls that assume fixed behaviour and stable privilege.
Practitioner guidance
- Inventory unmanaged access paths Map every application, token, service account, and agent credential that authenticates outside your managed IAM estate, then assign an owner and review cadence for each one.
- Separate human and non-human lifecycle controls Create distinct offboarding, rotation, and recertification workflows for human users, service accounts, and AI agents so that each actor type is governed by its own evidence and revocation trigger.
- Tie agent permissions to narrow business purposes For any AI agent or automation that can touch sensitive data, define the exact task scope, approved tools, and credential lifetime before deployment.
What's in the full article
1Password's full article covers the brand partnership and campaign detail this post intentionally leaves for the source:
- The livery reveal story and how the collaboration was positioned around women in motorsport and cybersecurity.
- The sponsorship and event context around the Canadian Grand Prix weekend in Montreal.
- The specific brand and community messaging used around mentorship, inclusion, and talent development.
- The public-facing description of 1Password’s extended access management positioning in its own words.
👉 Read 1Password's post on extended access management and the Red Bull Racing partnership →
Extended access management: what does it change for IAM teams?
Explore further
Extended access management is a response to governance blind spots, not just product sprawl. The article is effectively arguing that identity programmes have outgrown the boundaries of managed devices and federated sign-in. That matters because the access surface now includes service accounts, tokens, unmanaged apps, and AI-connected execution paths that legacy tools only partially see. Practitioners should read this as a control-plane gap, not a branding change.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to The Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the same research.
A question worth separating out:
Q: How do IAM and NHI programmes work together in extended access management?
A: IAM provides the policy, authentication, and lifecycle discipline, while NHI governance handles the credential, workload, and machine access layer that traditional IAM often misses. Extended access management only works when both layers are connected to one inventory and one accountability model. Without that linkage, the same access gap simply shifts location.
👉 Read our full editorial: Extended access management for AI agents and unmanaged identities