The costs of unmanaged credential sprawl

by Rachel Sudbeck
May 12, 2026 - 8 min

This blog has been adapted from an excerpted section of 1Password’s ebook, Credential sprawl: How AI increases the risks. To read the complete ebook and learn more about how AI is accelerating credential sprawl, click here.
In Ancient Rome, the military had a daily “watchword” that soldiers used to enter the camp. An official would inscribe the watchword on clay tablets, which were distributed throughout the various military units. If a tablet wasn’t returned, they swiftly tracked it down and punished the soldier who had failed to return it.
Clearly, one thing has been true from Ancient Roman times until now: if you want to stay secure, you need to know where your passwords are.
Unfortunately, keeping track of credentials is more difficult for a modern organization. Today’s companies have to manage an ever-growing number of credentials that go well beyond traditional passwords, such as developer secrets, passkeys, shared logins, API keys, SSH keys, service accounts, and SSO access tokens.
This problem is especially urgent due to the rise of AI-based tools and agents, which have not only increased the scale and scope of unmanaged credentials, but also present access and identity management challenges that tools like SSO and PAM aren’t equipped to handle.
Credential sprawl tends to quietly accumulate across systems, often going unaddressed until a breach exposes the vast web of risky, unmanaged access. In this blog, we’ll make a case for addressing this issue proactively, by examining all the ways it exacts a cost from companies.
What are the risks and costs of credential sprawl?
When credential sprawl runs rampant through a company, the costs manifest in a variety of ways, from an increased blast radius in the event of a breach, to time-consuming manual processes to manage security posture, compliance, and incident response.
Compliance failures
IT and security teams are consistently faced with the difficult task of achieving and proving compliance with regulatory standards like SOC 2, PCI DSS, ISO 27001:2022, and HIPAA.
Each of these standards has requirements related to the secure use and storage of credentials. For instance, PCI DSS requires that, “Audit logs capture all changes to identification and authentication credentials…”
SOC 2 similarly has various requirements related to how companies provision access to credentials, including requirements dictating that “Your organisation should implement processes to remove credential access when an individual no longer requires such access.”
With the increasing need to manage how AI and agentic AI access and store credentials, it’s worth noting that SOC 2 extends its requirements not only to user credential access, but to how “internal and external infrastructure and software” access credentials.
Regulatory bodies, on the whole, expect companies to prove that they’ve done their due diligence to protect sensitive information. “Due diligence,” in the case of managing credentials, means implementing essential tools to give admins oversight over where and how credentials are being used. Credential sprawl fundamentally undermines a company’s ability to do so.
Furthermore, regulatory bodies aren’t likely to cut companies any slack. If anything, they’re increasing their scrutiny. As Itamar Apelblat pointed out in an article for BleepingComputer, “In each of these frameworks, the organization is accountable for what happens to regulated data and regulated workflows. When AI agents are the ones acting inside those systems, accountability doesn’t disappear.”
Risk exposure
Compliance standards place so much emphasis on credential and access management because credential sprawl greatly increases an organization’s risk of cyber attack, and attackers are eager to take advantage of it.
Compromised credentials are the single most common entry point for attackers, and have been for some time; 50% of CISOs who’ve experienced a material breach in the last three years identified compromised credentials as a root cause.
Credential sprawl significantly increases a company’s attack surface. Each credential that’s stored without security and IT oversight presents an opportunity for bad actors to breach systems, particularly backend credentials like OAuth tokens and API keys, which often have broad permissions, and which are now being used by AI agents. And with automation and AI adoption spreading so rapidly, companies are facing more risk than ever.
In 2025, IBM reported that shadow AI accounted for 20% of breaches, and 97% of AI-related security breaches involved AI that didn’t have proper access controls. IBM also points out, “...that data was most often stored across multiple environments, revealing just one unmonitored AI system can lead to widespread exposure.”
Incident response
Breach remediation and incident response are already costly and time-consuming processes. Credential sprawl is only worsening these issues, as breaches involving data stored across multiple environments take the longest to resolve.
As TechTarget reported, non-human identities (NHIs) and agentic AI complicate this issue further: “Since many organizations use NHIs to link cloud environments… secrets are often duplicated or reused across multiple systems, making remediation and rotation difficult if a single identity is compromised.” Shadow AI adds still more complexity and cost to breach response; a breach involving shadow AI can cost up to $670k more than a comparable breach that didn’t involve it.
According to GitGuardian, 70% of secrets that were leaked in 2022 were still valid in 2025. That’s a deeply worrying figure, indicating that compromised credentials aren’t being remediated by any standard business process; they’re not expiring automatically or being rotated by teams.
How can organizations manage credential sprawl?
Managing credential sprawl requires a multi-pronged effort that addresses the myriad types of credentials and places they can live.
Secrets management for AI and business-led IT
Broadly speaking, credential sprawl often comes down to the push and pull between security and productivity. The rise of AI has placed this conflict in stark relief: employees, and developers in particular, adopt AI to improve productivity. They often see security tools as intrusive blockers to their improved workflows.
1Password doesn’t just improve secrets management for developers; it removes friction. 1Password’s developer tools let teams securely vault secrets and make them available at runtime as developers code, so that they can work securely without interrupting workflows.
When it comes to agentic AI use, 1Password has also taken steps to let teams take advantage of the benefits of AI-assisted coding without ignoring the risks. Our Cursor integration “... gives developers a secure, just-in-time way to ensure required secrets are made available to Cursor’s AI agents via 1Password Environments. The result is an AI-native development workflow where… secure access becomes a natural part of writing and running code.”
1Password® Unified Access also includes shadow AI discovery, enabling IT and security teams to discover and manage the use of unapproved AI apps or local agents across their ecosystem. This is just the beginning, as 1Password is building a new foundation for runtime access governance for AI agents and machine workloads.
This is the next frontier of credential management: governing not just who logs in, but how software identities authenticate, operate, and persist across environments.
Credential management
As the analyst and researcher Francis Odum reported, “1Password’s architectural anchor is its Enterprise Password Management (EPM) core. This zero-knowledge vault serves as the singular ‘system of record for all workforce credentials,’ spanning both human users and non-human identities (NHI)...”
Modern credential management platforms, such as 1Password, secure more than passwords, and are a mission-critical tool for companies to rein in credential sprawl and manage agentic AI use. 1Password’s EPM centralizes visibility into how credentials are used, allowing admins to enforce principles of least privilege through role-based vault access. Structured onboarding and offboarding workflows mean that users are only given access to the credentials, passkeys, and secrets that they need to do their jobs. And critically, EPM extends protection into developer workflows and AI-powered automation without introducing friction.
Since credentials are encrypted, teams can ensure that they can’t be accessed by infostealers and other targeted attacks. 1Password's breach monitoring also informs users and admins as soon as possible if a managed credential has been compromised.
It’s worth noting an essential element of EPM’s efficacy: credential governance must be deployed wall-to-wall. Businesses have to enforce credential management for every person, agent, secret, and workflow. Companies cannot stay secure by only protecting part of the identity surface.
How to manage credential sprawl and its costs
Credential risks are hardly a new issue. However, in recent years, managing where and how credentials are used has evolved from a Herculean task to a Sisyphean one. That is to say: it was never easy, but at some point it became close to impossible. Teams are faced with an ever-growing number of credentials across an ever-growing number of endpoints and apps. Credentials are hidden in codebases, Slack messages, AI chatbots, spreadsheets – and they probably still find a home on a sticky note or two.
Credential management has never been more difficult, but it’s also never been more crucial. In blunt terms: every unmanaged credential puts your ecosystem at risk. If credentials aren’t being secured wall-to-wall, then your business can have untold numbers of unsecured access points.
Credential management has been an essential (though often neglected) part of security for years, and it has only become more pressing with the rapid rise of AI. 1Password is the critical solution for companies to control how credentials are used across their ecosystems. By building on the strong security of our password manager, we’re creating systems that will let teams manage credentials wherever they may be, from the spreadsheet to the AI agent.
There’s never been a better time to start managing credential sprawl. Reach out for a demo.
