Your AI Agents Have Keys to Everything. Nobody's Watching.

1Password launched a zero-exposure integration with Claude that lets AI agents use credentials without seeing them. But the bigger story is that 68% of enterprises can't distinguish AI agent actions from human ones, the average enterprise has 36.9 agents deployed, and fewer than half monitor them. Agent credential security assessment and zero-exposure architecture implementation checklist inside.

By Rajesh Beri·July 16, 2026·13 min read
Share:
THE DAILY BRIEF
AI Agent SecurityEnterprise IdentityNon-Human IdentityAgentic AI1PasswordAnthropicCredential SecurityIAM
Your AI Agents Have Keys to Everything. Nobody's Watching.

1Password launched a zero-exposure integration with Claude that lets AI agents use credentials without seeing them. But the bigger story is that 68% of enterprises can't distinguish AI agent actions from human ones, the average enterprise has 36.9 agents deployed, and fewer than half monitor them. Agent credential security assessment and zero-exposure architecture implementation checklist inside.

By Rajesh Beri·July 16, 2026·13 min read

By Rajesh Beri | July 16, 2026


Today, 1Password launched a browser integration for Anthropic's Claude that lets the AI agent use stored credentials without those credentials ever reaching the model, its memory, or Anthropic's systems. The feature, called Agentic Mode, introduces what 1Password calls a "zero-exposure security framework" — the agent can authenticate on your behalf, but it never sees the password.

This is genuinely novel. And the fact that it had to be built tells you something alarming about the current state of enterprise AI security.

Until today, the standard approach for letting an AI agent log into something on your behalf was to paste your credentials directly into the agent's context window. Your username. Your password. Your MFA codes. All of it sitting inside the model's working memory, potentially logged, potentially leaking into training data, definitely visible to the model itself.

A Cloud Security Alliance survey found that 68% of organizations cannot reliably distinguish AI agent activity from human activity in their systems. The average enterprise has deployed 36.9 AI agents into its workflows, according to Gravitee's State of Agent Security 2026 report. Fewer than half have implemented monitoring or security solutions for those agents.

That means the majority of enterprises have dozens of AI agents operating inside their environments, using credentials that were either hardcoded, pasted into prompts, or stored in environment variables — with no audit trail distinguishing what an agent did from what a human did.

This isn't a theoretical risk. It's the biggest unaddressed identity crisis in enterprise security.

The Credential Exposure Problem Nobody Talks About

When an AI agent needs to complete a task — booking a flight, filing an expense report, pulling data from Salesforce — it needs credentials. And in 2026, the dominant pattern for providing those credentials is shockingly primitive.

Pattern 1: Paste it in the prompt. The user copies their username and password directly into the chat context. The model sees the secret. The model's context window is the attack surface. If the model's provider logs conversations for quality assurance, safety monitoring, or fine-tuning — the credential is in that log.

Pattern 2: Hardcode it in the agent configuration. Service accounts, API keys, and OAuth tokens are embedded in agent definitions, MCP server configs, or environment variables. This is the "it works on my machine" approach to agent security — fast to deploy, impossible to audit, and a breach investigation nightmare.

Pattern 3: Shared service accounts. Multiple agents use the same service account credentials. When something goes wrong, you can't tell which agent did it, let alone which human authorized it.

Crogl's research documented this gap in April 2026, showing that most enterprises have secrets directly in prompts, in LLM context windows, and crossing enterprise boundaries — an entire class of risk that traditional secret management tools weren't designed to catch.

The problem is structural. Traditional IAM was built for a world where identities are humans and machines are deterministic. AI agents are neither. They're probabilistic systems with human-like autonomy, machine-like scale, and no native concept of identity. When Claude books a flight, whose identity is it using? When an AI agent updates a CRM record, who approved it? When a multi-agent system transfers funds, which agent made the decision, and which identity authorized the action?

What 1Password Actually Built — and Why It Matters

1Password's approach to this problem is worth understanding in detail, because it introduces an architectural pattern — zero-exposure credential injection — that should become the standard for enterprise AI agent authentication.

Here's how it works:

  1. Claude requests credentials. When Claude encounters a task that requires authentication (logging into a website, submitting a form), it requests the credentials it needs.

  2. User approves via biometric prompt. The user sees what credential is being requested and for what purpose. They approve or deny with a biometric prompt (Face ID, fingerprint).

  3. 1Password injects credentials directly into the target site. The password, username, and any MFA one-time codes are injected through a secure channel that 1Password controls — directly into the browser form, never into the model's context.

  4. The model never sees the secret. The credential doesn't enter Claude's working memory, context window, conversation log, or Anthropic's systems. The agent can use the credential. It cannot read the credential.

This is the critical distinction: use without visibility. The agent gets the access it needs to complete the task. The credential stays inside the vault. The audit trail shows exactly which credential was used, when, by which agent, for which task, with which human's biometric approval.

As SiliconANGLE reported, 1Password built Agentic Mode to extend to other browser-based agents beyond Claude — positioning this as the beginning of an identity layer for the entire agentic AI ecosystem, not a single-vendor integration.

The Non-Human Identity Explosion

1Password's launch lands in the middle of a market that's rapidly recognizing the scope of this problem.

Non-human identities (NHIs) — service accounts, API keys, OAuth tokens, machine credentials, RPA bots, CI/CD pipeline identities, and now AI agents — already outnumber human identities in most enterprise environments. Every AI agent that authenticates to a system, calls an API, or accesses data is a non-human identity that needs to be discovered, governed, and monitored.

The investment landscape reflects the urgency:

  • SailPoint acquired Entro Security (June 2026) to strengthen automated machine identity and credential lifecycle management. Entro was the first platform to unify security for AI agents, NHIs, and secrets.

  • Oasis Security raised $120 million in a 2026 Series B, with the majority of its customers being Fortune 500 organizations adopting agentic AI. The company has raised roughly $195 million total.

  • Oak Security emerged from stealth with $60 million in seed funding, building a platform for managing identities across enterprise systems — specifically targeting the problem of AI agent proliferation.

  • Noma Security raised $100 million for AI agent hardening, while WitnessAI closed $58 million backed by Sound Ventures, Qualcomm Ventures, and Samsung Ventures.

Gartner's Top Cybersecurity Trends for 2026 names agentic AI oversight as Trend #1 and IAM adaptation to AI agents as Trend #4. These aren't peripheral concerns — they're the forces redefining cyber risk this year.

The total funding flowing into agentic AI security is staggering. Louis Columbus's analysis on LinkedIn documented $3.6 billion in Crunchbase funding and $96 billion in M&A across 10 agentic AI security categories, with identity and credential management emerging as the fastest-growing segment.

Framework #1: Agent Credential Security Assessment

Use this framework to evaluate your organization's current exposure. Score each dimension 1-5, where 1 = no controls and 5 = mature, automated controls.

Dimension 1: Credential Injection Method

Score Description Risk Level
1 Credentials pasted directly into agent prompts/context Critical
2 Credentials stored in environment variables or config files accessible to agents High
3 Credentials managed by a secrets manager, but injected into agent context at runtime Medium
4 Credentials injected at the application layer without entering model context (e.g., proxy-based) Low
5 Zero-exposure architecture — credentials never reach the model, injected directly into target via secure channel Minimal

Dimension 2: Identity Attribution

Score Description
1 Agent actions are indistinguishable from human actions in logs
2 Agents use shared service accounts — agent activity visible but not attributable to specific agents
3 Each agent has a unique identity, but no linkage to the human who authorized the action
4 Agent identity is linked to authorizing human, with per-action approval logging
5 Full audit chain: human authorization → agent identity → action → target system, with biometric or MFA approval per credential use

Dimension 3: Credential Lifecycle Management

Score Description
1 Credentials are static, never rotated, no expiry
2 Manual rotation on a calendar schedule (quarterly, annually)
3 Automated rotation with notification to dependent agents
4 Dynamic, short-lived credentials issued per-session or per-task
5 Just-in-time credential provisioning with automatic revocation after task completion

Dimension 4: Scope and Permissions

Score Description
1 Agents use admin-level or overly broad service account credentials
2 Some agents have scoped permissions, but defaults are permissive
3 All agents have defined permission boundaries, but no runtime enforcement
4 Least-privilege permissions enforced at runtime with policy-based controls
5 Dynamic permission scoping per task, with automatic escalation requests and human approval for sensitive actions

Dimension 5: Monitoring and Detection

Score Description
1 No monitoring of agent credential usage
2 Logs exist but aren't reviewed — reactive detection only
3 Alerts on known patterns (failed logins, unusual hours)
4 Behavioral anomaly detection across the agent fleet
5 Real-time monitoring with automated response: credential revocation, agent suspension, human escalation

Scoring Your Organization

Total score (sum of 5 dimensions):

  • 5-10 (Critical Exposure): Your agents are operating with minimal credential controls. Every credential pasted into an agent context is a potential breach vector. Priority: implement a secrets management layer and eliminate credentials from model context immediately.

  • 11-15 (High Risk): You have some controls but significant gaps. Most likely: credentials are managed but still enter model context, and agent actions aren't attributable. Priority: adopt zero-exposure credential injection and per-agent identity attribution.

  • 16-20 (Moderate Risk): Controls exist across most dimensions but aren't fully mature. Priority: automate credential lifecycle management and implement behavioral monitoring.

  • 21-25 (Well-Managed): Your agent credential security is ahead of the market. Focus on: dynamic permission scoping, just-in-time credential provisioning, and extending coverage to shadow AI agents your security team doesn't know about.

Framework #2: Zero-Exposure Architecture Implementation Checklist

Based on 1Password's approach and the emerging patterns across the NHI management market, here's a step-by-step checklist for implementing zero-exposure agent credential management.

Phase 1: Discovery and Inventory (Weeks 1-2)

  • Catalog all AI agents in your environment — sanctioned and shadow. Include browser-based agents (Claude, ChatGPT), IDE agents (Copilot, Cursor), automation agents (Zapier AI, custom MCP tools), and internal agents.
  • Map credential exposure. For each agent, document: what credentials does it use? How are they provided (pasted, env var, config file, vault)? Does the model see the credential?
  • Identify high-risk credentials. Flag any agent that uses: admin/root credentials, credentials to financial systems, credentials to customer data stores, credentials to production infrastructure.
  • Count non-human identities. Total the service accounts, API keys, OAuth tokens, and agent-specific credentials in your environment. Compare to your human identity count.

Phase 2: Architecture Design (Weeks 3-4)

  • Select a credential injection pattern. Options: proxy-based injection (gateway intercepts agent calls and adds credentials server-side), browser-based injection (1Password model — credential manager injects directly into target), or runtime vault integration (agent requests credential from vault API, receives short-lived token).
  • Design the approval flow. Define which credentials require human approval per use, which can be pre-approved for specific tasks, and which are automatically provisioned for low-risk operations.
  • Define the identity model. Every agent needs: a unique identity, a linked human sponsor/owner, a defined permission scope, a credential rotation schedule, and an audit trail.
  • Choose monitoring tooling. Evaluate: Entro Security (NHI + agent unified view), Oasis Security (agent-specific), Token Security (machine-first), or build on existing SIEM with agent-specific detections.

Phase 3: Implementation (Weeks 5-8)

  • Deploy zero-exposure injection for your highest-risk credentials first (financial systems, customer data, production infrastructure).
  • Migrate from shared to per-agent service accounts. Each agent should authenticate as itself, not share a service account with other agents or humans.
  • Implement per-action audit logging. Every credential use by an agent must produce a log entry that includes: agent identity, human authorizer, credential used, target system, action taken, timestamp.
  • Set up behavioral baselines. Monitor normal agent credential usage patterns for 2-4 weeks before enabling anomaly alerting.

Phase 4: Operationalize (Weeks 9-12)

  • Automate credential rotation for all agent credentials. Target: no credential lives longer than 90 days. Ideal: dynamic, per-session credentials.
  • Enable automated response. Credential revocation on anomaly detection. Agent suspension on repeated failures. Human escalation on sensitive system access outside normal patterns.
  • Integrate with your identity governance platform. Agent identities should show up in your IGA/IAM console alongside human identities — same lifecycle management, same access reviews, same certification campaigns.
  • Establish recurring agent credential audits. Monthly: review all agent credentials, permissions, and usage patterns. Quarterly: full access certification for all AI agent identities.

The Bigger Picture: Identity Is the New Perimeter for AI

The security industry spent a decade teaching enterprises that "identity is the new perimeter." That message was about humans — employees, contractors, partners — and the systems they access.

AI agents just broke that model. An agent isn't a human and it isn't a traditional machine identity. It's a probabilistic system that makes decisions, takes actions, and needs credentials — but has no native concept of identity, no consistent behavior pattern, and no inherent accountability.

When I wrote about the agentic control gap last week, the focus was on governance — the 54% of enterprises that had already experienced AI agent incidents. Today's 1Password launch and the explosion of NHI management funding show that the industry is starting to build the solutions. But the gap between the problem and the deployed solutions remains enormous.

Consider: Gartner predicts 40% of enterprise applications will feature AI agents by end of 2026, up from less than 5% in 2025. That's an 8x increase in agent surface area in a single year. Every one of those agents will need credentials. Every one will need an identity. Every one will need to be monitored.

The VentureBeat Pulse data I covered this morning showed that 71% of enterprise "AI agents" are still chatbot wrappers. But even chatbot wrappers can have credentials pasted into their context. And as those wrappers mature into genuine multi-step agents — the explicit goal of 96% of enterprises surveyed — the credential surface area will grow exponentially.

1Password's zero-exposure framework is a good start. But it's a browser-based solution for a single agent. The enterprise needs a complete identity layer for every AI agent — browser-based, API-based, server-side, multi-agent systems — with the same governance rigor we apply to human identities.

That layer doesn't exist yet. And until it does, your AI agents have keys to everything, and nobody's watching.


Continue Reading

THE DAILY BRIEF

Enterprise AI insights for technology and business leaders, twice weekly.

beri.net

Subscribe at beri.net/subscribe for twice-weekly AI insights delivered to your inbox.

LinkedIn: linkedin.com/in/rberi  |  X: x.com/rajeshberi

© 2026 Rajesh Beri. All rights reserved.

Your AI Agents Have Keys to Everything. Nobody's Watching.

Photo by Sora Shimazaki on Pexels

By Rajesh Beri | July 16, 2026


Today, 1Password launched a browser integration for Anthropic's Claude that lets the AI agent use stored credentials without those credentials ever reaching the model, its memory, or Anthropic's systems. The feature, called Agentic Mode, introduces what 1Password calls a "zero-exposure security framework" — the agent can authenticate on your behalf, but it never sees the password.

This is genuinely novel. And the fact that it had to be built tells you something alarming about the current state of enterprise AI security.

Until today, the standard approach for letting an AI agent log into something on your behalf was to paste your credentials directly into the agent's context window. Your username. Your password. Your MFA codes. All of it sitting inside the model's working memory, potentially logged, potentially leaking into training data, definitely visible to the model itself.

A Cloud Security Alliance survey found that 68% of organizations cannot reliably distinguish AI agent activity from human activity in their systems. The average enterprise has deployed 36.9 AI agents into its workflows, according to Gravitee's State of Agent Security 2026 report. Fewer than half have implemented monitoring or security solutions for those agents.

That means the majority of enterprises have dozens of AI agents operating inside their environments, using credentials that were either hardcoded, pasted into prompts, or stored in environment variables — with no audit trail distinguishing what an agent did from what a human did.

This isn't a theoretical risk. It's the biggest unaddressed identity crisis in enterprise security.

The Credential Exposure Problem Nobody Talks About

When an AI agent needs to complete a task — booking a flight, filing an expense report, pulling data from Salesforce — it needs credentials. And in 2026, the dominant pattern for providing those credentials is shockingly primitive.

Pattern 1: Paste it in the prompt. The user copies their username and password directly into the chat context. The model sees the secret. The model's context window is the attack surface. If the model's provider logs conversations for quality assurance, safety monitoring, or fine-tuning — the credential is in that log.

Pattern 2: Hardcode it in the agent configuration. Service accounts, API keys, and OAuth tokens are embedded in agent definitions, MCP server configs, or environment variables. This is the "it works on my machine" approach to agent security — fast to deploy, impossible to audit, and a breach investigation nightmare.

Pattern 3: Shared service accounts. Multiple agents use the same service account credentials. When something goes wrong, you can't tell which agent did it, let alone which human authorized it.

Crogl's research documented this gap in April 2026, showing that most enterprises have secrets directly in prompts, in LLM context windows, and crossing enterprise boundaries — an entire class of risk that traditional secret management tools weren't designed to catch.

The problem is structural. Traditional IAM was built for a world where identities are humans and machines are deterministic. AI agents are neither. They're probabilistic systems with human-like autonomy, machine-like scale, and no native concept of identity. When Claude books a flight, whose identity is it using? When an AI agent updates a CRM record, who approved it? When a multi-agent system transfers funds, which agent made the decision, and which identity authorized the action?

What 1Password Actually Built — and Why It Matters

1Password's approach to this problem is worth understanding in detail, because it introduces an architectural pattern — zero-exposure credential injection — that should become the standard for enterprise AI agent authentication.

Here's how it works:

  1. Claude requests credentials. When Claude encounters a task that requires authentication (logging into a website, submitting a form), it requests the credentials it needs.

  2. User approves via biometric prompt. The user sees what credential is being requested and for what purpose. They approve or deny with a biometric prompt (Face ID, fingerprint).

  3. 1Password injects credentials directly into the target site. The password, username, and any MFA one-time codes are injected through a secure channel that 1Password controls — directly into the browser form, never into the model's context.

  4. The model never sees the secret. The credential doesn't enter Claude's working memory, context window, conversation log, or Anthropic's systems. The agent can use the credential. It cannot read the credential.

This is the critical distinction: use without visibility. The agent gets the access it needs to complete the task. The credential stays inside the vault. The audit trail shows exactly which credential was used, when, by which agent, for which task, with which human's biometric approval.

As SiliconANGLE reported, 1Password built Agentic Mode to extend to other browser-based agents beyond Claude — positioning this as the beginning of an identity layer for the entire agentic AI ecosystem, not a single-vendor integration.

The Non-Human Identity Explosion

1Password's launch lands in the middle of a market that's rapidly recognizing the scope of this problem.

Non-human identities (NHIs) — service accounts, API keys, OAuth tokens, machine credentials, RPA bots, CI/CD pipeline identities, and now AI agents — already outnumber human identities in most enterprise environments. Every AI agent that authenticates to a system, calls an API, or accesses data is a non-human identity that needs to be discovered, governed, and monitored.

The investment landscape reflects the urgency:

  • SailPoint acquired Entro Security (June 2026) to strengthen automated machine identity and credential lifecycle management. Entro was the first platform to unify security for AI agents, NHIs, and secrets.

  • Oasis Security raised $120 million in a 2026 Series B, with the majority of its customers being Fortune 500 organizations adopting agentic AI. The company has raised roughly $195 million total.

  • Oak Security emerged from stealth with $60 million in seed funding, building a platform for managing identities across enterprise systems — specifically targeting the problem of AI agent proliferation.

  • Noma Security raised $100 million for AI agent hardening, while WitnessAI closed $58 million backed by Sound Ventures, Qualcomm Ventures, and Samsung Ventures.

Gartner's Top Cybersecurity Trends for 2026 names agentic AI oversight as Trend #1 and IAM adaptation to AI agents as Trend #4. These aren't peripheral concerns — they're the forces redefining cyber risk this year.

The total funding flowing into agentic AI security is staggering. Louis Columbus's analysis on LinkedIn documented $3.6 billion in Crunchbase funding and $96 billion in M&A across 10 agentic AI security categories, with identity and credential management emerging as the fastest-growing segment.

Framework #1: Agent Credential Security Assessment

Use this framework to evaluate your organization's current exposure. Score each dimension 1-5, where 1 = no controls and 5 = mature, automated controls.

Dimension 1: Credential Injection Method

Score Description Risk Level
1 Credentials pasted directly into agent prompts/context Critical
2 Credentials stored in environment variables or config files accessible to agents High
3 Credentials managed by a secrets manager, but injected into agent context at runtime Medium
4 Credentials injected at the application layer without entering model context (e.g., proxy-based) Low
5 Zero-exposure architecture — credentials never reach the model, injected directly into target via secure channel Minimal

Dimension 2: Identity Attribution

Score Description
1 Agent actions are indistinguishable from human actions in logs
2 Agents use shared service accounts — agent activity visible but not attributable to specific agents
3 Each agent has a unique identity, but no linkage to the human who authorized the action
4 Agent identity is linked to authorizing human, with per-action approval logging
5 Full audit chain: human authorization → agent identity → action → target system, with biometric or MFA approval per credential use

Dimension 3: Credential Lifecycle Management

Score Description
1 Credentials are static, never rotated, no expiry
2 Manual rotation on a calendar schedule (quarterly, annually)
3 Automated rotation with notification to dependent agents
4 Dynamic, short-lived credentials issued per-session or per-task
5 Just-in-time credential provisioning with automatic revocation after task completion

Dimension 4: Scope and Permissions

Score Description
1 Agents use admin-level or overly broad service account credentials
2 Some agents have scoped permissions, but defaults are permissive
3 All agents have defined permission boundaries, but no runtime enforcement
4 Least-privilege permissions enforced at runtime with policy-based controls
5 Dynamic permission scoping per task, with automatic escalation requests and human approval for sensitive actions

Dimension 5: Monitoring and Detection

Score Description
1 No monitoring of agent credential usage
2 Logs exist but aren't reviewed — reactive detection only
3 Alerts on known patterns (failed logins, unusual hours)
4 Behavioral anomaly detection across the agent fleet
5 Real-time monitoring with automated response: credential revocation, agent suspension, human escalation

Scoring Your Organization

Total score (sum of 5 dimensions):

  • 5-10 (Critical Exposure): Your agents are operating with minimal credential controls. Every credential pasted into an agent context is a potential breach vector. Priority: implement a secrets management layer and eliminate credentials from model context immediately.

  • 11-15 (High Risk): You have some controls but significant gaps. Most likely: credentials are managed but still enter model context, and agent actions aren't attributable. Priority: adopt zero-exposure credential injection and per-agent identity attribution.

  • 16-20 (Moderate Risk): Controls exist across most dimensions but aren't fully mature. Priority: automate credential lifecycle management and implement behavioral monitoring.

  • 21-25 (Well-Managed): Your agent credential security is ahead of the market. Focus on: dynamic permission scoping, just-in-time credential provisioning, and extending coverage to shadow AI agents your security team doesn't know about.

Framework #2: Zero-Exposure Architecture Implementation Checklist

Based on 1Password's approach and the emerging patterns across the NHI management market, here's a step-by-step checklist for implementing zero-exposure agent credential management.

Phase 1: Discovery and Inventory (Weeks 1-2)

  • Catalog all AI agents in your environment — sanctioned and shadow. Include browser-based agents (Claude, ChatGPT), IDE agents (Copilot, Cursor), automation agents (Zapier AI, custom MCP tools), and internal agents.
  • Map credential exposure. For each agent, document: what credentials does it use? How are they provided (pasted, env var, config file, vault)? Does the model see the credential?
  • Identify high-risk credentials. Flag any agent that uses: admin/root credentials, credentials to financial systems, credentials to customer data stores, credentials to production infrastructure.
  • Count non-human identities. Total the service accounts, API keys, OAuth tokens, and agent-specific credentials in your environment. Compare to your human identity count.

Phase 2: Architecture Design (Weeks 3-4)

  • Select a credential injection pattern. Options: proxy-based injection (gateway intercepts agent calls and adds credentials server-side), browser-based injection (1Password model — credential manager injects directly into target), or runtime vault integration (agent requests credential from vault API, receives short-lived token).
  • Design the approval flow. Define which credentials require human approval per use, which can be pre-approved for specific tasks, and which are automatically provisioned for low-risk operations.
  • Define the identity model. Every agent needs: a unique identity, a linked human sponsor/owner, a defined permission scope, a credential rotation schedule, and an audit trail.
  • Choose monitoring tooling. Evaluate: Entro Security (NHI + agent unified view), Oasis Security (agent-specific), Token Security (machine-first), or build on existing SIEM with agent-specific detections.

Phase 3: Implementation (Weeks 5-8)

  • Deploy zero-exposure injection for your highest-risk credentials first (financial systems, customer data, production infrastructure).
  • Migrate from shared to per-agent service accounts. Each agent should authenticate as itself, not share a service account with other agents or humans.
  • Implement per-action audit logging. Every credential use by an agent must produce a log entry that includes: agent identity, human authorizer, credential used, target system, action taken, timestamp.
  • Set up behavioral baselines. Monitor normal agent credential usage patterns for 2-4 weeks before enabling anomaly alerting.

Phase 4: Operationalize (Weeks 9-12)

  • Automate credential rotation for all agent credentials. Target: no credential lives longer than 90 days. Ideal: dynamic, per-session credentials.
  • Enable automated response. Credential revocation on anomaly detection. Agent suspension on repeated failures. Human escalation on sensitive system access outside normal patterns.
  • Integrate with your identity governance platform. Agent identities should show up in your IGA/IAM console alongside human identities — same lifecycle management, same access reviews, same certification campaigns.
  • Establish recurring agent credential audits. Monthly: review all agent credentials, permissions, and usage patterns. Quarterly: full access certification for all AI agent identities.

The Bigger Picture: Identity Is the New Perimeter for AI

The security industry spent a decade teaching enterprises that "identity is the new perimeter." That message was about humans — employees, contractors, partners — and the systems they access.

AI agents just broke that model. An agent isn't a human and it isn't a traditional machine identity. It's a probabilistic system that makes decisions, takes actions, and needs credentials — but has no native concept of identity, no consistent behavior pattern, and no inherent accountability.

When I wrote about the agentic control gap last week, the focus was on governance — the 54% of enterprises that had already experienced AI agent incidents. Today's 1Password launch and the explosion of NHI management funding show that the industry is starting to build the solutions. But the gap between the problem and the deployed solutions remains enormous.

Consider: Gartner predicts 40% of enterprise applications will feature AI agents by end of 2026, up from less than 5% in 2025. That's an 8x increase in agent surface area in a single year. Every one of those agents will need credentials. Every one will need an identity. Every one will need to be monitored.

The VentureBeat Pulse data I covered this morning showed that 71% of enterprise "AI agents" are still chatbot wrappers. But even chatbot wrappers can have credentials pasted into their context. And as those wrappers mature into genuine multi-step agents — the explicit goal of 96% of enterprises surveyed — the credential surface area will grow exponentially.

1Password's zero-exposure framework is a good start. But it's a browser-based solution for a single agent. The enterprise needs a complete identity layer for every AI agent — browser-based, API-based, server-side, multi-agent systems — with the same governance rigor we apply to human identities.

That layer doesn't exist yet. And until it does, your AI agents have keys to everything, and nobody's watching.


Continue Reading

Share:
THE DAILY BRIEF
AI Agent SecurityEnterprise IdentityNon-Human IdentityAgentic AI1PasswordAnthropicCredential SecurityIAM
Your AI Agents Have Keys to Everything. Nobody's Watching.

1Password launched a zero-exposure integration with Claude that lets AI agents use credentials without seeing them. But the bigger story is that 68% of enterprises can't distinguish AI agent actions from human ones, the average enterprise has 36.9 agents deployed, and fewer than half monitor them. Agent credential security assessment and zero-exposure architecture implementation checklist inside.

By Rajesh Beri·July 16, 2026·13 min read

By Rajesh Beri | July 16, 2026


Today, 1Password launched a browser integration for Anthropic's Claude that lets the AI agent use stored credentials without those credentials ever reaching the model, its memory, or Anthropic's systems. The feature, called Agentic Mode, introduces what 1Password calls a "zero-exposure security framework" — the agent can authenticate on your behalf, but it never sees the password.

This is genuinely novel. And the fact that it had to be built tells you something alarming about the current state of enterprise AI security.

Until today, the standard approach for letting an AI agent log into something on your behalf was to paste your credentials directly into the agent's context window. Your username. Your password. Your MFA codes. All of it sitting inside the model's working memory, potentially logged, potentially leaking into training data, definitely visible to the model itself.

A Cloud Security Alliance survey found that 68% of organizations cannot reliably distinguish AI agent activity from human activity in their systems. The average enterprise has deployed 36.9 AI agents into its workflows, according to Gravitee's State of Agent Security 2026 report. Fewer than half have implemented monitoring or security solutions for those agents.

That means the majority of enterprises have dozens of AI agents operating inside their environments, using credentials that were either hardcoded, pasted into prompts, or stored in environment variables — with no audit trail distinguishing what an agent did from what a human did.

This isn't a theoretical risk. It's the biggest unaddressed identity crisis in enterprise security.

The Credential Exposure Problem Nobody Talks About

When an AI agent needs to complete a task — booking a flight, filing an expense report, pulling data from Salesforce — it needs credentials. And in 2026, the dominant pattern for providing those credentials is shockingly primitive.

Pattern 1: Paste it in the prompt. The user copies their username and password directly into the chat context. The model sees the secret. The model's context window is the attack surface. If the model's provider logs conversations for quality assurance, safety monitoring, or fine-tuning — the credential is in that log.

Pattern 2: Hardcode it in the agent configuration. Service accounts, API keys, and OAuth tokens are embedded in agent definitions, MCP server configs, or environment variables. This is the "it works on my machine" approach to agent security — fast to deploy, impossible to audit, and a breach investigation nightmare.

Pattern 3: Shared service accounts. Multiple agents use the same service account credentials. When something goes wrong, you can't tell which agent did it, let alone which human authorized it.

Crogl's research documented this gap in April 2026, showing that most enterprises have secrets directly in prompts, in LLM context windows, and crossing enterprise boundaries — an entire class of risk that traditional secret management tools weren't designed to catch.

The problem is structural. Traditional IAM was built for a world where identities are humans and machines are deterministic. AI agents are neither. They're probabilistic systems with human-like autonomy, machine-like scale, and no native concept of identity. When Claude books a flight, whose identity is it using? When an AI agent updates a CRM record, who approved it? When a multi-agent system transfers funds, which agent made the decision, and which identity authorized the action?

What 1Password Actually Built — and Why It Matters

1Password's approach to this problem is worth understanding in detail, because it introduces an architectural pattern — zero-exposure credential injection — that should become the standard for enterprise AI agent authentication.

Here's how it works:

  1. Claude requests credentials. When Claude encounters a task that requires authentication (logging into a website, submitting a form), it requests the credentials it needs.

  2. User approves via biometric prompt. The user sees what credential is being requested and for what purpose. They approve or deny with a biometric prompt (Face ID, fingerprint).

  3. 1Password injects credentials directly into the target site. The password, username, and any MFA one-time codes are injected through a secure channel that 1Password controls — directly into the browser form, never into the model's context.

  4. The model never sees the secret. The credential doesn't enter Claude's working memory, context window, conversation log, or Anthropic's systems. The agent can use the credential. It cannot read the credential.

This is the critical distinction: use without visibility. The agent gets the access it needs to complete the task. The credential stays inside the vault. The audit trail shows exactly which credential was used, when, by which agent, for which task, with which human's biometric approval.

As SiliconANGLE reported, 1Password built Agentic Mode to extend to other browser-based agents beyond Claude — positioning this as the beginning of an identity layer for the entire agentic AI ecosystem, not a single-vendor integration.

The Non-Human Identity Explosion

1Password's launch lands in the middle of a market that's rapidly recognizing the scope of this problem.

Non-human identities (NHIs) — service accounts, API keys, OAuth tokens, machine credentials, RPA bots, CI/CD pipeline identities, and now AI agents — already outnumber human identities in most enterprise environments. Every AI agent that authenticates to a system, calls an API, or accesses data is a non-human identity that needs to be discovered, governed, and monitored.

The investment landscape reflects the urgency:

  • SailPoint acquired Entro Security (June 2026) to strengthen automated machine identity and credential lifecycle management. Entro was the first platform to unify security for AI agents, NHIs, and secrets.

  • Oasis Security raised $120 million in a 2026 Series B, with the majority of its customers being Fortune 500 organizations adopting agentic AI. The company has raised roughly $195 million total.

  • Oak Security emerged from stealth with $60 million in seed funding, building a platform for managing identities across enterprise systems — specifically targeting the problem of AI agent proliferation.

  • Noma Security raised $100 million for AI agent hardening, while WitnessAI closed $58 million backed by Sound Ventures, Qualcomm Ventures, and Samsung Ventures.

Gartner's Top Cybersecurity Trends for 2026 names agentic AI oversight as Trend #1 and IAM adaptation to AI agents as Trend #4. These aren't peripheral concerns — they're the forces redefining cyber risk this year.

The total funding flowing into agentic AI security is staggering. Louis Columbus's analysis on LinkedIn documented $3.6 billion in Crunchbase funding and $96 billion in M&A across 10 agentic AI security categories, with identity and credential management emerging as the fastest-growing segment.

Framework #1: Agent Credential Security Assessment

Use this framework to evaluate your organization's current exposure. Score each dimension 1-5, where 1 = no controls and 5 = mature, automated controls.

Dimension 1: Credential Injection Method

Score Description Risk Level
1 Credentials pasted directly into agent prompts/context Critical
2 Credentials stored in environment variables or config files accessible to agents High
3 Credentials managed by a secrets manager, but injected into agent context at runtime Medium
4 Credentials injected at the application layer without entering model context (e.g., proxy-based) Low
5 Zero-exposure architecture — credentials never reach the model, injected directly into target via secure channel Minimal

Dimension 2: Identity Attribution

Score Description
1 Agent actions are indistinguishable from human actions in logs
2 Agents use shared service accounts — agent activity visible but not attributable to specific agents
3 Each agent has a unique identity, but no linkage to the human who authorized the action
4 Agent identity is linked to authorizing human, with per-action approval logging
5 Full audit chain: human authorization → agent identity → action → target system, with biometric or MFA approval per credential use

Dimension 3: Credential Lifecycle Management

Score Description
1 Credentials are static, never rotated, no expiry
2 Manual rotation on a calendar schedule (quarterly, annually)
3 Automated rotation with notification to dependent agents
4 Dynamic, short-lived credentials issued per-session or per-task
5 Just-in-time credential provisioning with automatic revocation after task completion

Dimension 4: Scope and Permissions

Score Description
1 Agents use admin-level or overly broad service account credentials
2 Some agents have scoped permissions, but defaults are permissive
3 All agents have defined permission boundaries, but no runtime enforcement
4 Least-privilege permissions enforced at runtime with policy-based controls
5 Dynamic permission scoping per task, with automatic escalation requests and human approval for sensitive actions

Dimension 5: Monitoring and Detection

Score Description
1 No monitoring of agent credential usage
2 Logs exist but aren't reviewed — reactive detection only
3 Alerts on known patterns (failed logins, unusual hours)
4 Behavioral anomaly detection across the agent fleet
5 Real-time monitoring with automated response: credential revocation, agent suspension, human escalation

Scoring Your Organization

Total score (sum of 5 dimensions):

  • 5-10 (Critical Exposure): Your agents are operating with minimal credential controls. Every credential pasted into an agent context is a potential breach vector. Priority: implement a secrets management layer and eliminate credentials from model context immediately.

  • 11-15 (High Risk): You have some controls but significant gaps. Most likely: credentials are managed but still enter model context, and agent actions aren't attributable. Priority: adopt zero-exposure credential injection and per-agent identity attribution.

  • 16-20 (Moderate Risk): Controls exist across most dimensions but aren't fully mature. Priority: automate credential lifecycle management and implement behavioral monitoring.

  • 21-25 (Well-Managed): Your agent credential security is ahead of the market. Focus on: dynamic permission scoping, just-in-time credential provisioning, and extending coverage to shadow AI agents your security team doesn't know about.

Framework #2: Zero-Exposure Architecture Implementation Checklist

Based on 1Password's approach and the emerging patterns across the NHI management market, here's a step-by-step checklist for implementing zero-exposure agent credential management.

Phase 1: Discovery and Inventory (Weeks 1-2)

  • Catalog all AI agents in your environment — sanctioned and shadow. Include browser-based agents (Claude, ChatGPT), IDE agents (Copilot, Cursor), automation agents (Zapier AI, custom MCP tools), and internal agents.
  • Map credential exposure. For each agent, document: what credentials does it use? How are they provided (pasted, env var, config file, vault)? Does the model see the credential?
  • Identify high-risk credentials. Flag any agent that uses: admin/root credentials, credentials to financial systems, credentials to customer data stores, credentials to production infrastructure.
  • Count non-human identities. Total the service accounts, API keys, OAuth tokens, and agent-specific credentials in your environment. Compare to your human identity count.

Phase 2: Architecture Design (Weeks 3-4)

  • Select a credential injection pattern. Options: proxy-based injection (gateway intercepts agent calls and adds credentials server-side), browser-based injection (1Password model — credential manager injects directly into target), or runtime vault integration (agent requests credential from vault API, receives short-lived token).
  • Design the approval flow. Define which credentials require human approval per use, which can be pre-approved for specific tasks, and which are automatically provisioned for low-risk operations.
  • Define the identity model. Every agent needs: a unique identity, a linked human sponsor/owner, a defined permission scope, a credential rotation schedule, and an audit trail.
  • Choose monitoring tooling. Evaluate: Entro Security (NHI + agent unified view), Oasis Security (agent-specific), Token Security (machine-first), or build on existing SIEM with agent-specific detections.

Phase 3: Implementation (Weeks 5-8)

  • Deploy zero-exposure injection for your highest-risk credentials first (financial systems, customer data, production infrastructure).
  • Migrate from shared to per-agent service accounts. Each agent should authenticate as itself, not share a service account with other agents or humans.
  • Implement per-action audit logging. Every credential use by an agent must produce a log entry that includes: agent identity, human authorizer, credential used, target system, action taken, timestamp.
  • Set up behavioral baselines. Monitor normal agent credential usage patterns for 2-4 weeks before enabling anomaly alerting.

Phase 4: Operationalize (Weeks 9-12)

  • Automate credential rotation for all agent credentials. Target: no credential lives longer than 90 days. Ideal: dynamic, per-session credentials.
  • Enable automated response. Credential revocation on anomaly detection. Agent suspension on repeated failures. Human escalation on sensitive system access outside normal patterns.
  • Integrate with your identity governance platform. Agent identities should show up in your IGA/IAM console alongside human identities — same lifecycle management, same access reviews, same certification campaigns.
  • Establish recurring agent credential audits. Monthly: review all agent credentials, permissions, and usage patterns. Quarterly: full access certification for all AI agent identities.

The Bigger Picture: Identity Is the New Perimeter for AI

The security industry spent a decade teaching enterprises that "identity is the new perimeter." That message was about humans — employees, contractors, partners — and the systems they access.

AI agents just broke that model. An agent isn't a human and it isn't a traditional machine identity. It's a probabilistic system that makes decisions, takes actions, and needs credentials — but has no native concept of identity, no consistent behavior pattern, and no inherent accountability.

When I wrote about the agentic control gap last week, the focus was on governance — the 54% of enterprises that had already experienced AI agent incidents. Today's 1Password launch and the explosion of NHI management funding show that the industry is starting to build the solutions. But the gap between the problem and the deployed solutions remains enormous.

Consider: Gartner predicts 40% of enterprise applications will feature AI agents by end of 2026, up from less than 5% in 2025. That's an 8x increase in agent surface area in a single year. Every one of those agents will need credentials. Every one will need an identity. Every one will need to be monitored.

The VentureBeat Pulse data I covered this morning showed that 71% of enterprise "AI agents" are still chatbot wrappers. But even chatbot wrappers can have credentials pasted into their context. And as those wrappers mature into genuine multi-step agents — the explicit goal of 96% of enterprises surveyed — the credential surface area will grow exponentially.

1Password's zero-exposure framework is a good start. But it's a browser-based solution for a single agent. The enterprise needs a complete identity layer for every AI agent — browser-based, API-based, server-side, multi-agent systems — with the same governance rigor we apply to human identities.

That layer doesn't exist yet. And until it does, your AI agents have keys to everything, and nobody's watching.


Continue Reading

THE DAILY BRIEF

Enterprise AI insights for technology and business leaders, twice weekly.

beri.net

Subscribe at beri.net/subscribe for twice-weekly AI insights delivered to your inbox.

LinkedIn: linkedin.com/in/rberi  |  X: x.com/rajeshberi

© 2026 Rajesh Beri. All rights reserved.

Frequently Asked Questions

What is 1Password's zero-exposure architecture for Claude?

It lets Claude use a stored login at runtime without the password, one-time code, or vault item ever entering the model, its memory, or Anthropic's systems. After a user-consented biometric approval, 1Password injects the credential directly into the target page, so the agent can authenticate but never sees the secret.

How many AI agents does the average enterprise run, and are they monitored?

According to Gravitee's State of Agent Security 2026 report, the average enterprise has deployed roughly 36.9 AI agents, yet fewer than half have monitoring or security controls for them. A Cloud Security Alliance survey also found 68% of organizations cannot reliably distinguish AI agent activity from human activity.

Why can't traditional IAM secure AI agents?

Traditional identity and access management assumes identities are either humans or deterministic machines. AI agents are neither: they are probabilistic systems with human-like autonomy and machine-like scale but no native concept of identity, so they need non-human identity governance, per-action attribution, and zero-exposure credential injection.

Newsletter

Stay Ahead of the Curve

Weekly enterprise AI insights for technology leaders. No spam, no vendor pitches—unsubscribe anytime.

Subscribe