Formula 1 identity security: what it means for IAM teams

TL;DR: Oracle Red Bull Racing describes how a $100 million Formula 1 breach pushed it toward zero trust, segmented systems, and tighter secret handling across a distributed operation, according to 1Password. The real lesson is that speed and security now depend on treating every credential, access path, and SaaS connection as governable identity surface, not background infrastructure.

NHIMG editorial — based on content published by 1Password: a look at how Oracle Red Bull Racing approaches identity security, secrets, and zero trust

By the numbers:

• 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
• 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits.

Questions worth separating out

Q: How should security teams govern access in fast-moving operational environments?

A: They should treat access as a live control, not a one-time approval.

Q: Why do shared operational credentials create so much risk?

A: Shared credentials make ownership unclear, which weakens accountability and delays revocation when roles change.

Q: What do teams get wrong about secrets management in pipelines and scripts?

A: They often treat the vault as the finish line.

Practitioner guidance

• Map every high-value data path Identify where telemetry, engineering data, and partner-access workflows move across sites, and require explicit ownership for each access path before it is allowed to persist.
• Eliminate plaintext secrets in operational workflows Replace script-embedded credentials and copied tokens with managed references, then verify that the same secret does not exist in collaboration tools, tickets, or code repositories.
• Rebase shared access on task-scoped entitlements Review broad team access to engineering and SaaS systems, break it into narrower roles, and revoke any standing access that is no longer tied to a current duty.

What's in the full article

1Password's full article covers the operational detail this post intentionally leaves for the source:

• The team’s own workflow for balancing zero trust with speed in a high-pressure racing operation.
• Examples of how secure developer workflows are used to reduce plaintext secret handling.
• Details on how SaaS governance supports visibility and reclaiming underused software access.
• The role of ISO 27001, CIS 18, and the NCSC Cyber Assessment Framework in the team’s security baseline.

👉 Read 1Password's analysis of Formula 1 identity security and secrets governance →

Formula 1 identity security: what it means for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →