Extended access management: what does it change for IAM teams?

TL;DR: The Access-Trust Gap created by unfederated identities, unmanaged apps, devices, and AI agents accessing sensitive data has made Extended Access Management a necessary response, according to 1Password. The security issue is broader than a sponsorship story: governance now has to cover every sign-in path, not just managed endpoints and federated users.

NHIMG editorial — based on content published by 1Password: extended access management and the Red Bull Racing partnership

By the numbers:

• 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
• Only 5.7% of organisations have full visibility into their service accounts.

Questions worth separating out

Q: How should security teams govern unmanaged identities that sit outside IAM and MDM coverage?

A: Start by inventorying the identities that never enter the normal joiner, mover, leaver process, including service accounts, API keys, tokens, and agent credentials.

Q: Why do unmanaged apps and machine identities increase identity risk?

A: Because they can authenticate to critical systems without going through the same lifecycle controls used for human users.

Q: What do teams get wrong about governing AI agents as identities?

A: They often treat AI agents as if they were just another automation job, then inherit controls that assume fixed behaviour and stable privilege.

Practitioner guidance

• Inventory unmanaged access paths Map every application, token, service account, and agent credential that authenticates outside your managed IAM estate, then assign an owner and review cadence for each one.
• Separate human and non-human lifecycle controls Create distinct offboarding, rotation, and recertification workflows for human users, service accounts, and AI agents so that each actor type is governed by its own evidence and revocation trigger.
• Tie agent permissions to narrow business purposes For any AI agent or automation that can touch sensitive data, define the exact task scope, approved tools, and credential lifetime before deployment.

What's in the full article

1Password's full article covers the brand partnership and campaign detail this post intentionally leaves for the source:

• The livery reveal story and how the collaboration was positioned around women in motorsport and cybersecurity.
• The sponsorship and event context around the Canadian Grand Prix weekend in Montreal.
• The specific brand and community messaging used around mentorship, inclusion, and talent development.
• The public-facing description of 1Password’s extended access management positioning in its own words.

👉 Read 1Password's post on extended access management and the Red Bull Racing partnership →

Extended access management: what does it change for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →