Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Identity sprawl is exploding. What was once a manageable set of user accounts has rapidly evolved into a complex ecosystem, comprising human identities, service accounts, ephemeral workloads, APIs, and bots, each with its own permissions and potential blast radius. Machine identities alone now outnumber humans by more than 80:1, creating an ever-expanding attack surface that most teams can’t fully see, let alone govern.

Secrets run your applications: API keys, SSH keys, tokens, passwords, database credentials. They reside in repositories, CI/CD pipelines, infrastructure-as-code templates, containers, and even chat logs; one stray commit is enough to expose a path into production. In 2024, abuse of valid account credentials was the initial access vector in roughly 30% of incidents investigated.

Pillar Security’s recent analysis of Docker’s Agentic AI assistant, Ask Gordon, offers an early glimpse into the security challenges organizations will face as AI systems begin operating inside the development stack. Their researchers discovered that a single poisoned line of Docker Hub metadata caused the agent to run privileged tool calls and quietly exfiltrate internal data.

Last week’s disclosure from AWS is another reminder that in the cloud, attackers don’t need to break in. They just need a working set of keys. Several AWS customers learned this the hard way when threat actors used compromised IAM credentials to deploy a rapid cryptomining campaign across EC2 and ECS environments. The incident didn’t rely on vulnerabilities or sophisticated exploitation. It relied on valid credentials and overly permissive access.

The theme at the Gartner IAM Summit conference this year was clear: identity is no longer adjacent to the business. It is the business. That idea showed up in the opening keynote, analyst sessions, hallway conversations, and especially in the gap between how IAM is supposed to work and how it actually works inside most organizations. After a week of listening closely, a few takeaways rose above the noise. We did not see many buzzwords or grand predictions.

Manual access requests and long-lived credentials pose a significant scaling challenge for engineering teams, even as they automate pipelines, testing, delivery, and monitoring. As the volume of machine identities grows, the sheer volume of permissions makes manual review and revocation unmanageable, increasing risks of stale tokens and silent privilege exposure. Nearly 47% of cloud intrusions stem from weak or mismanaged credentials, according to a Google Cloud report.

It’s not hard for secrets to sprawl, buried under layers of commits and forgotten branches. Most teams don’t notice it until one bad push exposes everything. Secret leaks don’t come from breaches, but from configuration drift and forgotten credentials; a gap that traditional vault tools struggle to close on their own. Here’s the scale of that mess. Machine identities now outnumber human users by more than 80 to 1, and each one relies on credentials to function.

We’re excited to announce Apono integration with 1Password to help organizations control, automate, and audit access to sensitive credentials and secrets bringing stronger security and smoother operations to teams everywhere. This new integration enables customers to enforce Zero Standing Privileges (ZSP) and provision Just-in-Time (JIT) and just-enough access (JEA) to secrets stored in 1Password Enterprise Password Manager through Apono’s automated access flows.

The next wave of supply-chain breaches go beyond exploiting software dependencies and weaponize the trust layer between organizations and their vendors/partners. Off-the-shelf toolkits, some of them state-sponsored, are lowering the barrier to entry for third-party compromises. As a result, regulators are hard-coding “continuous verification” into frameworks such as NIS2, DORA, and the EU Cyber Resilience Act.