SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
1Password buys Apono to bolster AI access controls

Fri, 19th Jun 2026
Sean Mitchell, Publisher

1Password has acquired access governance specialist Apono as it launches its Credential Broker product in private beta.

Together, the moves extend 1Password's push into identity security beyond password and secret storage, as businesses seek tighter control over how employees, software workloads and AI agents obtain and use access to sensitive systems.

Terms of the acquisition were not disclosed.

Apono's technology focuses on just-in-time access governance. Instead of relying on permanent accounts or standing privileges, it evaluates each access request against policy, creates the account, role or permission needed for a specific task, and removes that access once the work is complete.

The approach applies to human users, service accounts and AI agents. An AI agent's access can be tied to the person who authorised it and limited to the stated purpose of the task, with access narrowed or revoked if its behaviour diverges from that intent.

Apono connects to cloud and data platforms including Amazon Web Services, Microsoft Azure, Google Cloud, Kubernetes, Snowflake and Databricks. It also integrates with more than 200 enterprise systems, including Slack, Jira, PagerDuty and GitHub.

The acquisition supports 1Password's broader Unified Access strategy, which aims to bring credential protection and runtime access controls into a single platform. According to 1Password, older identity systems were built in separate layers for people, machines and credentials, creating gaps as AI agents begin interacting with critical corporate systems.

David Faugno, Chief Executive Officer of 1Password, described what he sees as a weakness in current identity tools in a statement accompanying the announcement.

"Today's identity systems govern the entry, but not the stay. They decide who gets in, then lose sight of what an identity does once it's inside," said Faugno.

"Agentic workflows have exposed how fragmented enterprise identity really is, built in silos for a world before AI. Companies can't capture the full value of their AI investments when agents are reaching critical systems through credentials nobody is governing. By combining Apono's just-in-time provisioning and intent-based policy enforcement with 1Password's zero-knowledge vault and Credential Broker, we're delivering the answer: unlocking the highest-value AI use cases while keeping people in control."

Credential layer

Alongside the acquisition, 1Password introduced Credential Broker, a new product that releases credentials, tokens and federated access to approved requesters when needed. The product is currently in private beta and initially supports GitHub Actions workload identity.

It is designed to address a different part of the access problem. Rather than governing what an identity may do once access is granted, Credential Broker is intended to control where credentials are stored and how they are delivered.

Many organisations still copy secrets into applications, code repositories, configuration files and software delivery pipelines, a practice that has become harder to manage as companies expand their use of CI/CD workflows, machine identities and AI-assisted software development.

Under the initial GitHub Actions setup, a workflow presents identity signals to 1Password, which checks those signals before releasing the approved credential to the workload. This creates a record of which actor requested a credential and under what trust relationship it was delivered, according to the company.

Nancy Wang, Chief Technology Officer at 1Password, said the product is intended to move companies away from storing credentials across multiple environments.

"1Password has always been the place enterprises trust to keep credentials safe. The next step is making that same source of truth work for every credential, whether it is requested by a person, a workflow, or an AI agent," said Wang.

"The 1Password Credential Broker is about closing the gap between where credentials are protected and where access happens. It helps organizations move away from credentials copied across environments and toward credentials brokered from 1Password, based on trusted identity and logged delivery."

AI access

The announcements reflect a broader shift in security spending as companies try to manage a growing number of non-human identities. Cloud infrastructure, automated development pipelines and AI systems all need access to internal services and data, creating more privileged identities for security teams to monitor.

Apono Co-Founder and Chief Executive Officer Rom Carmel said the company was built to remove permissions as soon as work ends rather than leaving them in place.

"Standing access is the quiet liability inside almost every company: permissions granted once and never taken back," said Carmel.

"We built Apono to remove access the moment the work is done: scoped to exactly what the task needs, for every engineer, knowledge worker, service account, and AI agent, decided at runtime based on context and intent. Done right, security stops being the thing that slows people down and becomes the thing that lets them move, including how confidently they can put AI to work. With a shared vision of seamless secure access across every identity, we are excited to be joining 1Password and define what access governance looks like when AI agents run in production."

Industry analyst Duncan Brown of IDC said demand is rising for systems that can eliminate permanent privileges and make decisions in real time.

"As organizations accelerate adoption of cloud infrastructure, machine identities, and AI agents, the number of privileged identities is growing dramatically, creating demand for solutions that eliminate standing privileges and can govern access in real time," said Brown.

"By combining credential security, machine identity protection, and just-in-time zero-standing-privilege access, 1Password is uniquely positioned to help organizations secure the next generation of human and non-human identities."