Bridging the Trust Gap with 1Password
We have spent what seems like an eternity of our careers trying to wrangle access issues. We set up our shiny SSO portals, federate the big apps, and feel pretty good. We have a “bubble” of control. But that bubble popped. Reality is a chaotic mess of Software-as-a-Service (SaaS) sprawl, personal devices accessing corporate data, and now, AI agents running around with keys to the kingdom. 1Password has a name for this mess: the Access Trust Gap. It’s the chasm between the managed, federated world we want and the unmanaged, unvetted reality of actual user behavior.
For years, 1Password was merely the place we put the passwords for things that didn’t support SAML. Now they’re making a credible play to solve the entire gap. They call it Extended Access Management, or EAM. Their approach, integrating device compliance and app governance, is worth paying attention to. They outlined it recently at Security Field Day and the videos speak for themselves.
Taming the SaaS Sprawl
Let’s start with the apps. Shadow IT isn’t a new problem, but the sheer volume of AI tools and niche SaaS apps means our identity providers (IDPs), our Okta or Entra dashboards, only show half the picture. 1Password’s answer here is Trelica.
Trelica’s first job is discovery. It doesn’t just look at the IDP. It hooks into finance systems to see what people are expensing. It uses a browser extension to see which apps users are logging into with their company email. It even catches OAuth grants. The result is a complete inventory, not just the officially sanctioned one.
Then it centralizes everything into an App Launcher. For the user, it’s one screen. They see the Box icon, which signs in via SAML, right next to the icon for that weird marketing tool, which signs in with a stored username and password. The user doesn’t know or care how they’re signed in; they click and it works. For those of us in IT, it brings visibility and a path to governance. Trelica also handles the lifecycle: the onboarding and offboarding workflows. When someone leaves, it can deprovision all the apps, not just the SSO ones, so access is revoked right away without anyone having to compile an exhaustive list of random apps and servers.
The Device Trust “Velvet Hammer”
Apps are only one part of the equation. The other is the device. Our old model was mobile device management (MDM). If the device is enrolled, it’s “managed,” so it’s “good.” We all know that’s not true. A managed laptop can still have unencrypted SSH keys or a malicious browser extension.
This is where 1Password Device Trust, which came from the Kolide acquisition, comes into the picture. It runs an agent built on osquery. This isn’t a simple checklist; it’s fact-based, and it can check for almost anything. Is disk encryption on? Sure. It can also check whether a developer has an unencrypted SSH key sitting in their home directory. It goes well beyond the MDM enrollment check to establish that the device is actually safe to hold company data.
It’s not just a “computer says no” blocker. When a user fails a check, say they try to reach GitHub with that plaintext SSH key, they are blocked, but they immediately get a notification explaining why: “We blocked you because this SSH key is unencrypted. That’s bad because X. Click here to import it into your 1Password vault to secure it.” The user fixes it themselves, learns something, and IT doesn’t get a ticket. It changes the security team from the “Department of No” to the “Department of Yes, But Do This First.”
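What the unencrypted-SSH-key check actually has to do is worth seeing, because “is this key encrypted?” depends on which of two file formats the key is in. The script below is an added example written for this post, not 1Password’s or Kolide’s code: it walks a home directory, recognizes private keys in both the legacy PEM container and the openssh-key-v1 container that ssh-keygen writes today, and reports the ones with no passphrase. The sample keys are constructed filler with no real key material; only the headers are inspected. (osquery itself exposes an `ssh_keys` table with an `encrypted` column, so the production version of this check is a single query; the script shows what that column is derived from.)

```python
"""Find plaintext SSH private keys the way an osquery-style device check would.

Added example, not 1Password's or Kolide's code. It handles the two containers
an SSH private key is stored in: the legacy PEM form ("BEGIN RSA PRIVATE KEY")
and the openssh-key-v1 form that ssh-keygen writes by default, where the
cipher name recorded in the header is "none" for an unencrypted key.
"""
import base64
import re
import struct
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    rb"-----BEGIN ((?:[A-Z]+ )*)PRIVATE KEY-----\r?\n(.*?)-----END \1PRIVATE KEY-----",
    re.S,
)
OPENSSH_MAGIC = b"openssh-key-v1\x00"
MAX_KEY_BYTES = 64 * 1024  # private keys are small; skip anything larger


def _openssh_cipher(blob: bytes) -> str:
    """Return the cipher name from an openssh-key-v1 blob; "none" means plaintext."""
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n].decode("ascii")


def classify_key(data: bytes):
    """Return {"format", "encrypted"} for a private key, or None if data is not one."""
    m = PEM_RE.search(data)
    if not m:
        return None
    label, body = m.group(1).decode("ascii").strip(), m.group(2)
    if label == "OPENSSH":
        cipher = _openssh_cipher(base64.b64decode(b"".join(body.split())))
        return {"format": "openssh-key-v1", "encrypted": cipher != "none"}
    if label == "ENCRYPTED":                       # PKCS#8, password-protected
        return {"format": "pkcs8", "encrypted": True}
    if label == "":                                # PKCS#8, no password
        return {"format": "pkcs8", "encrypted": False}
    # Legacy PEM (RSA/DSA/EC): encrypted keys carry a Proc-Type/DEK-Info header.
    return {"format": f"pem-{label.lower()}", "encrypted": b"Proc-Type: 4,ENCRYPTED" in body}


def scan_for_plaintext_keys(root: Path):
    """Walk root and return POSIX-relative paths of unencrypted private keys."""
    findings = []
    for p in root.rglob("*"):
        try:
            if not p.is_file() or p.stat().st_size > MAX_KEY_BYTES:
                continue
            data = p.read_bytes()
            if b"PRIVATE KEY-----" not in data:
                continue
            info = classify_key(data)
        except (OSError, ValueError):
            continue                               # unreadable or corrupt file: skip
        if info and not info["encrypted"]:
            findings.append(p.relative_to(root).as_posix())
    return sorted(findings)


# ---- constructed sample material (no real key data) ----------------------

def constructed_openssh_key(cipher: str) -> bytes:
    """Build a structurally valid openssh-key-v1 file around dummy key bytes."""
    def s(b: bytes) -> bytes:                      # SSH "string": uint32 length + bytes
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = (OPENSSH_MAGIC + s(cipher.encode()) + s(kdf) + s(b"")
            + struct.pack(">I", 1) + s(b"\x00" * 32) + s(b"\x00" * 64))
    b64 = base64.b64encode(blob)
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + b"\n".join(lines)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")


LEGACY_PLAIN = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"Q29uc3RydWN0ZWQgZmlsbGVyLCBub3QgYSByZWFsIGtleQ==\n"
                b"-----END RSA PRIVATE KEY-----\n")
LEGACY_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                    b"Proc-Type: 4,ENCRYPTED\n"
                    b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    b"Q29uc3RydWN0ZWQgZmlsbGVyLCBub3QgYSByZWFsIGtleQ==\n"
                    b"-----END RSA PRIVATE KEY-----\n")


def demo() -> list:
    """Populate a throwaway home directory and return the plaintext keys found."""
    home = Path(tempfile.mkdtemp())
    (home / ".ssh").mkdir()
    (home / "work").mkdir()
    (home / ".ssh" / "id_rsa").write_bytes(LEGACY_PLAIN)                        # flagged
    (home / ".ssh" / "id_ed25519").write_bytes(constructed_openssh_key("aes256-ctr"))
    (home / ".ssh" / "id_ed25519.pub").write_bytes(b"ssh-ed25519 AAAA constructed\n")
    (home / "work" / "deploy_key").write_bytes(constructed_openssh_key("none"))  # flagged
    return scan_for_plaintext_keys(home)


if __name__ == "__main__":
    print(demo())  # ['.ssh/id_rsa', 'work/deploy_key']
```

Two points the code makes that the prose glosses over: a key outside `~/.ssh` (the deploy key dropped in a project directory) is exactly the one an MDM-style check never sees, and a passphrase-protected openssh-key-v1 file looks identical to a plaintext one until you decode the header, so grepping for `BEGIN` is not a check.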
The New Boogeyman, Agentic AI
This all comes together with agentic AI. These agents are the ultimate Shadow IT. They behave like a hybrid of a user and an application. They’re often native apps, like the ChatGPT desktop client, or IDE plugins, so they’re invisible to traditional SaaS management: not quite software as we usually inventory it, and at the same time more than software, since they act on the user’s behalf.
The Device Trust agent can find them. It crawls the local file system and browser history and can see that you’re using the ChatGPT app. This is where the policy gets nuanced. Instead of blocking ChatGPT outright, Device Trust can check whether you’re logged into your personal account or the corporate-sanctioned workspace. If it’s the personal one, it blocks you, and again it tells you why: “Please use the corporate account for work.”
Securing the AI’s own secrets is the next frontier, and 1Password is rightly paranoid about it. Their stance is firm: never put raw credentials into an LLM’s context window; that’s asking for a leak. They’re modeling non-human identities so an audit log can tell the difference between what I did and what my AI agent did. For developers, they’re securing .env files by linking them to the vault, so that even running a local script triggers an auth prompt.
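A vault-linked .env in practice holds `op://vault/item/field` secret references instead of values, and `op run --env-file=.env -- <command>` resolves them into the child process’s environment at launch, which is where the auth prompt comes from. The lint below is an added example for this post, not 1Password’s code: it parses a .env, accepts well-formed references, and flags any credential-looking variable that still carries a literal value. The `op://` syntax and `op run` are 1Password CLI features; the parser and the list of variable names treated as sensitive are this example’s own assumptions, and the sample file is constructed.

```python
"""Lint a .env file so secrets are 1Password secret references, not raw values.

Added example, not 1Password's code. The op://<vault>/<item>/[<section>/]<field>
reference syntax and `op run --env-file=.env -- <command>` are 1Password CLI
features; the parsing and the rule for which variables must be references are
this example's own.
"""
import re

# Accept op://vault/item/field and op://vault/item/section/field.
REF_RE = re.compile(r"^op://[^/\s]+/[^/]+(?:/[^/]+)?/[^/]+$")
# Assumption: names matching these fragments must never hold a literal value.
SENSITIVE_RE = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|CREDENTIAL", re.I)
ASSIGN_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def _unquote(value: str) -> str:
    """Strip a matching quote pair, or a trailing ' # comment' on an unquoted value."""
    for q in ('"', "'"):
        if value.startswith(q):
            end = value.find(q, 1)
            if end != -1:
                return value[1:end]
    return value.split(" #", 1)[0].rstrip()


def parse_dotenv(text: str) -> dict:
    """Return {name: value} for KEY=value lines; handles comments, export, quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = _unquote(m.group(2).strip())
    return env


def is_secret_reference(value: str) -> bool:
    return bool(REF_RE.match(value))


def lint_dotenv(text: str) -> list:
    """Return one finding per variable that holds a raw secret or a broken reference."""
    findings = []
    for name, value in parse_dotenv(text).items():
        if value.startswith("op://") and not is_secret_reference(value):
            findings.append(f"{name}: malformed secret reference {value!r}")
        elif SENSITIVE_RE.search(name) and not is_secret_reference(value):
            findings.append(f"{name}: literal value present; use an op:// reference")
    return findings


# Constructed sample: the mix of lines a developer's .env typically accumulates.
SAMPLE_ENV = """\
# app config
LOG_LEVEL=debug
export DATABASE_PASSWORD=op://Dev/Postgres/password
STRIPE_SECRET_KEY="op://Dev/Stripe/secret key"   # quoted: field name has a space
OPENAI_API_KEY=sk-constructed-not-a-real-key # raw secret, should be flagged
GITHUB_TOKEN=op://Dev/GitHub          # too few components, should be flagged
"""


if __name__ == "__main__":
    for finding in lint_dotenv(SAMPLE_ENV):
        print(finding)
```

Run this as a pre-commit hook and the .env that reaches a repository, a container image, or an agent’s working directory contains pointers that are useless without an unlocked vault, rather than the credentials themselves.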
Bringing IT All Together
1Password is betting its future on becoming the central nervous system for access. Their vision is to secure every sign in, to every app, from every device. By combining a deep, fact based understanding of the device with a comprehensive discovery of all applications, they’re closing that Access Trust Gap from both ends.
They’re using their strength, a great user experience, as a way to deploy serious, nuanced security. The user gets a simple app launcher. The security team gets compliance checks, shadow IT discovery, and a path to manage AI agents. It’s an ambitious leap from just being a password vault, but frankly, it’s the leap the industry needs. The old SSO/MDM-only model is broken. This integrated approach might just be what fixes it.
For more information about 1Password and their access solutions for the enterprise, check out https://1Password.com. To see more of their videos from Security Field Day, head over to the 1Password presentation page.
