MSSP, Distributed Workforce, Endpoint/Device Security, Generative AI, AI benefits/risks, Identity, Decentralized identity and verifiable credentials

AI Agents Are Forcing a Shift in Identity Security, and 1Password Wants to Fix It

(Adobe Stock)

Identity has been facing security pressures, especially with the rise of software-as-a-service (SaaS), accelerating the already expanding distributed nature of IT. And while single sign-on has helped in improving control at the time of logging in, AI – and particularly agentic AI – is now changing the nature of the challenge.

“AI hasn’t broken authentication,” Nancy Wang, CTO of secure password management and digital vault firm 1Password, told MSSP Alert. “What it has exposed is that most identity systems were designed for a world where access decisions happened at login, not when software actually takes action. For years, identity security has focused on verifying who or what can sign in. That works well for human users operating within a session. But AI agents behave differently.”

Agents can take a range of actions – calling APIs, chaining tools together, and executing workflows continuously using credentials – that shifts the control point from authentication to authorization at the moment those credentials are used, Wang said.

She added that “most organizations are still adapting to that shift. Security teams often lack clear visibility into where agent credentials exist or how they’re being used across developer tools, pipelines, and infrastructure.”

The Toronto-based company has unveiled Unified Access, an agent security platform that Wang said can address the gap by giving security teams and MSSPs a way to discover where credentials and agents exist, consistently secure them across human and non-human identities (NHIs), and audit how access is used.

“We’re moving identity security closer to the moment access happens rather than relying on static permissions granted once and assumed to remain safe,” the CTO said.

Security Challenges of Agents

The rapid adoption of AI agents and the surge in NHIs is a key challenge for security teams and security services providers going forward this year. According to a January report from the Cloud Security Alliance and Oasis Security, 78% of organizations don’t have formal policies for creating or removing AI identities, 92% aren’t confident their legacy IAM tools can manage the risks AI and NHIs bring, and 79% said they had moderate or low confidence in their ability to prevent NHI-based attacks.

Lavi Lazarovitz, vice president of cyber research for CyberArkwrote in a blog post late last year that as AI agents become more autonomous and interconnected, the attack surface expands.

“By 2026, we won’t just be experimenting with AI agents; we’ll be relying on them,” Lazarovitz wrote. “This shift requires us to think differently about identity, access, and security. It’s not just about machines anymore; the very nature of human identity is also under pressure.”

It Takes an AI Village

1Password is working with a range of AI-related vendors – including Anthropic, Cursor, GitHub, Perlexity, and Vercel – on the Unified Access effort, as well as others in such areas as AI developer tools and Model Context Protocol (MCP) gateways.

Unified Access is designed to discover agents and other AI tool across endpoints, browsers, and local environments and identify exposed credentials and secrets, including unencrypted SSH keys. The platform can also map AI use to specific users and devices.

Exposed credentials are secured through one-click vaulting, according to 1Password. Other capabilities include governing human, agent, and machine credentials in a unified vault and putting controls on high-risk or shared accounts. Soon, security teams will be able to audit the actions of humans and agent identities by recording the credentials used, when they were used, by which identity, and through whose authority.

Riding the Endpoints

An advantage with Unified Access has come from 1Password having the only secrets vault with a presence on endpoints, Wang said. The vendor has a presence across more than a million endpoints at 180,000 businesses and protects more than 1.3 billion credentials and secrets, she added.

“Compared to other identity and access tools that operate at the login layer or inside cloud infrastructure, Unified Access begins where credentials are created and used,” she said, noting that 1Password has a presence across more than a million endpoints at 180,000 businesses and protects more than 1.3 billion credentials and secrets. “Unified Access helps organizations gain direct insight into how employees are building with AI and which tools they’re using.”

Such visibility is important because so much of the risk now stems from outside of traditional identity boundaries, Wang said. Developers are using AI tools, agents are invoking APIs, and credentials can often be found in local development environments.

Runtime Protection

Later this year, 1Password will expand Unified Access’ capabilities around persistent access and hardened governance to keep pace with the adoption of AI-fueled automation to include issuing scoped credentials to agent and machine workloads at runtime.

“Runtime credential brokering moves access decisions closer to the moment credentials are actually used,” Wang said. “Many organizations still rely on long-lived secrets distributed across developer tools, infrastructure, and automation workflows. That model becomes harder to manage as AI agents begin acting continuously. Issuing credentials only when they’re needed, and scoping them to a specific task, reduces the risk created by standing access while still giving developers the flexibility to automate systems.”

Good for MSSPs as Well

MSSPs are able to leverage the benefits of the Unified Access platform, the CTO said. Clients want MSSPs to help manage the security challenges that come with agents as they move into production, with a key challenge being visibility, given that developers use AI more on endpoints. It’s also there where credentials often are created, used, and stored, she said.

The platform provides visibility into AI use and exposed credentials at that level and governance across both human and machine identities.

“That’s useful both for MSSPs managing their own environments and for helping their clients understand and reduce new forms of access risk,” Wang said.

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.

You can skip this ad in 5 seconds