1Password sees AI as both threat and tool


For a company with one of the most important jobs in information security, assessing the risks and opportunities of AI might feel less like an analytical exercise and more like a roll of a 20-sided die.

That’s because a password manager, which already has to defend a customer’s most valuable credentials against both outside attackers and the customer’s own carelessness, now has to contend with AI on multiple fronts.

AI can help a password-management firm develop code and find vulnerabilities faster, but it may also enable clients to ship sloppy, vibe-coded apps that expose passwords. And while AI agents promise to zip through complex tasks with a single-minded focus, hallucinations or prompt-injection attacks could cause them to err like any tired, distracted human, just faster and at scale.

“You have to start with helping your customers understand their blast radius and also just how pervasive this challenge is within their ecosystem,” says Nancy Wang, chief technology officer of 1Password.

Keeping customers out of self-inflicted trouble

The Toronto-based company’s AI strategy starts with trying to keep enterprise customers out of trouble in the first place. It uses an on-device agent to audit AI model use and flag risks that a client’s management would want to know about.

“Hey, Mrs. CISO, did you know that your developers are using the DeepSeek model on this branch of your code base?” Wang says of the Chinese-developed LLM that’s drawn criticism over its security risks. “That has actually happened.”

She adds that “some security best-practices conversations” followed with the developers in question.

[Photo: Nancy Wang]

Automated scanning by the agent, which also checks for installed software updates and other signs of device health, helps 1Password spot sloppy password management.

“When we discover unprotected unencrypted credentials on disk because we have our own device agent, we can then move those credentials into our secure, encrypted vault,” Wang explains.

1Password, like other password managers, encrypts saved credentials end-to-end, leaving no way for the company to view saved passwords. Wang adds that its software is designed so an AI agent cannot see the plain text of a password even as it is auto-filled into a site.

Companies can also direct employees to install 1Password’s Device Trust agent on personal devices, addressing one frequent and often successful attack vector. Compliance, however, can be uneven, much like the family 1Password accounts bundled with business plans that often go unused on employees’ computers.

Stopping agents from going awry

AI agents can automate routine business tasks but, by their non-deterministic nature, require systematic monitoring to ensure they stay focused. Wang calls that a “greenfield opportunity” for 1Password to learn at scale from analyzing agent behavior.

“What was the prompt? What did the agent do with the prompt? What was the output of the prompt?” she says. The resulting log files “will then feed back as a learning mechanism for the agent and the model.”

In February, 1Password announced a benchmark for AI agent behavior, the Security Comprehension and Awareness Measure (or SCAM) index, and published its code under an open-source license. “We’re teaching an agent to recognize what is a phishing link, what is insecure credential handling,” Wang says. She thinks that agents, as “stateless beings,” can’t be managed as if they were humans.

“We need new identity standards that are specific for agents that take into context,” Wang adds. “What that agent was created to do, what it is doing, right, and also the drift between what it’s doing now and the original intent.”

1Password is also studying how AI developers and users integrate 1Password, and it is developing secured connections for AI apps: today these allow Anthropic and OpenAI agentic tools to read from 1Password vaults, and eventually they will let those tools write back into them.

The command-line interface in 1Password that most non-technical users probably don’t know exists has proven surprisingly popular among people paying for their own accounts.

“The usage of our CLI product, which has been our longest running developer offering, has 2.5x-ed,” Wang says—with the highest growth coming from people on individual and family plans.

Her thesis: “a tailwind of vibe coding driving that usage increase.”

Putting AI to work in 1Password itself

This company, like so many others, is leveraging AI to accelerate its software development—but vibe coding is not part of that picture.

1Password has already rolled out AI coding tools such as Cursor, GitHub Copilot, and Claude Code, first with humans checking their work. “You’re prompting, it generates code,” she says. “But the human is still validating, creating testing harnesses.”

Wang cites one early success, a refactoring project to pull out services that had been run through a single MySQL database.

“Can we actually use an agent to help us speed up the refactoring process?” she recalls. “And the answer came back, resounding yes”—with the work done in four weeks instead of the four to five months she estimated human engineers would have needed.

But 1Password is now moving towards automated testing of this automated code generation. “We have full agent loops that are running in the background,” Wang says. “We set up a testing harness for every coding agent, so once it passes that testing harness eval, it will actually merge requests into the code repo itself.”

AI scanning of code for vulnerabilities shows particular promise, as seen in efforts like Anthropic’s Project Glasswing and the Mythos model developed from that.

“The finding vulnerabilities piece will be greatly accelerated with the likes of Glasswing,” she says. But that will only create more work for developers, AI or human: “How do we harden those vulnerabilities, how do we defend against those vulnerabilities?”

That leaves Wang with an unsettled conclusion: “AI’s been a mixed bag, just because that work has been so gnarly and technical.”
