How IT can reduce credential risk across every department

by Rachel Sudbeck
July 9, 2026 - 6 min

Related Categories
Note
This blog is a recap of 1Password’s recent webinar, “The credential sprawl tour: Is your department leaking secrets?” Head here to watch the complete webinar recording.
Credential sprawl has long been an issue IT and security teams have had to grapple with, and solutions like single-sign-on (SSO) have never been able to contain it completely. Now, AI is accelerating the problem. AI agents need access to credentials at an unprecedented scale, leaving IT and security teams struggling even more to ensure that every credential, across every department, is secure.
These issues were the focus of 1Password’s recent webinar: “The credential sprawl tour: Is your department leaking secrets?”
During the webinar, Sebastian Cevallos, Senior Product Marketing Manager, and Graham McKelvie, Solutions Engineer, explored how 1Password’s solutions can help IT and security teams secure and govern these unapproved or unmanaged credentials.
Read on for an in-depth exploration of the webinar’s key themes.
Password and secrets sprawl across every department
The webinar provided a department-by-department overview of how credential sprawl proliferates across teams and roles.
Product: Developer secrets are used across departments
AI is dramatically changing how teams manage developer secrets. As McKelvie explained, “The challenge isn’t just managing passwords anymore. It’s managing every identity, credential, API key, tokens, and all of the secrets that are powering AI-driven work.”
The growing use of AI means that those secrets are being used in new ways by departments outside of engineering. For example, product managers are having to move faster than ever, and a lot of that speed comes from AI tools like ChatGPT, Claude, and Gemini, which are able to help them stress test, draft PRDs, map out user flows, and more.
Unfortunately, it’s entirely possible now for a product manager to paste context into an AI prompt, and that context might include things like API keys, connection strings, staging credentials, or other sensitive information.
Developer secrets pose serious risks when compromised, and IT and security teams need oversight over when and how these secrets are used, but AI is changing the secrets perimeter. As Cevallos put it, “It’s not just developers anymore who are handing secrets. It’s everyone in an organization.”
Marketing: Unmanaged passwords can put company reputation at risk
Do you know who has the password to your company’s Instagram account? What about LinkedIn or Facebook pages? Is it one person? Is it five different people? Is it someone who left the company months ago?
As Cevallos explained during the webinar, social media platforms are not your typical enterprise application; they don’t support SSO and can’t integrate with your identity provider. This means that marketing teams often can’t do things the “right way,” and resort to sharing platform passwords over Slack or through other unsecure channels.
None of that is auditable. Moreover, if your company’s brand account gets compromised, the attack can be particularly difficult to trace or contain, as there’s often no system of record for who has access to different accounts, whether it’s current employees or former marketing agencies.
Marketing accounts often seem low stakes from a security perspective, but they’re extremely attractive to bad actors, who use stolen accounts to share malware links or otherwise damage company reputations. After a recent attack targeting business Facebook accounts, security researcher Shaked Chen stated that “...access, business identity, ad reputation, and even account recovery have all become tradable commodities.”
Finance and sales: Critical systems guarded by unmanaged passwords
Finance and sales are two of the highest-risk departments when it comes to credential sprawl, as they interface with a company’s most sensitive customer information and financial data.
Unfortunately, these departments often have credential risks that go overlooked by traditional security tooling. Finance may be accessing banking portals or billing accounts with credentials that are shared or reused across accounts. Sales, meanwhile, may choose to run tools like DocuSign or ZoomInfo that are outside of their company’s SSO.
As Cevallos points out during the webinar, these departments face similar issues to Marketing: passwords may be used to protect sensitive systems, and IT or security teams have little oversight over who has access to those credentials.
Contractors, agencies, and third parties: A growing risk
The difficulty of managing third-party accounts has been a longtime issue in cybersecurity, and it’s only growing worse. These third parties often need access to various systems to do their jobs, and teams are faced with two questions: how much access to give them, and how to revoke that access when needed?
Unfortunately, it’s not always simple to answer those questions. Verizon’s 2026 Data Breach Incident Report (DBIR) found that breaches involving third-parties increased by 60% over the previous year. The report found that many of these third-party incidents “...boil down to insecure authentication (absence of MFA, improper credential rotation) or lack of least privilege enforcement for users or service accounts.” They also found that for cases involving weak passwords or permission misconfigurations, the time to resolve the incident was significantly longer.
As Cevallos put it during the webinar, “The challenge is that the manual cleanup process is essentially a broken one. Someone has to remember to go in and revoke the access or change the password. Someone also has to know which specific credentials were shared, and with whom. In any fast-moving company, that almost never happens consistently.”
IT and security teams: Doing their best with inadequate tooling
1Password’s most recent annual report found that on average, 34% of a company’s apps aren’t protected by SSO, and that’s not even accounting for the sprawl of invisible shadow IT that employees adopt without any oversight from IT or security teams. Unsurprisingly, our report also found that 70% of IT and security professionals say that SSO tools aren’t a complete solution for securing employee identities.
Cevallos stated the unfortunate reality facing most teams: “Everything we’ve shown you so far – the AI tools, the social media logins, the contractor access – none of that is visible without a system in place.”
Cevallos emphasized how 1Password provides a complete picture of the credentials being used at a company. Teams can surface weak or compromised passwords, audit credential and secrets use, and manage all of the access paths that exist beyond the oversight of tools like SSO.
What should teams do next?
To summarize the main points of the webinar:
Credential and secrets sprawl present unique risks across different departments.
AI is accelerating and changing how those risks proliferate
Traditional security tools like SSO can leave serious gaps in IT and security teams’ oversight over secrets and credential use.
1Password is purpose-built to enable IT and security teams to oversee where, when, and how credentials are being used, across departments and across AI tools.
To learn more, and to see the demos in action, watch the complete webinar recording.
Want to get started with 1Password? Reach out to our team.

