Agentic security is picking up steam. This week, identity security provider 1Password announced a collaboration with OpenAI that will enable developers to provide Codex with secure access to credentials, such as passwords. Under this partnership, users will be able to grant the Codex agent access to the 1Password Environments MCP Server for Codex. The move means that the agent can access credentials stored in a secure runtime environment without exposing secrets in prompts, code or model context. Today, the identity security vendor also released the first episode of the Zero-Shot Learning podcast, in which Nancy Wang, CTO of 1Password; Jeff Malnick, general manager, VP of developer and AI at 1Password; and Fotis Chantzis, OpenAI’s agent security lead, discussed how to safely deploy AI agents.

The podcast is part of an ongoing series, running every two weeks, that interviews engineers building AI tools. It is cohosted by Nancy Wang and Dev Tagare, senior director and head of engineering for Gemini Enterprise and Business at Google. The session’s content highlights the need for secure agent practices, including using short-lived credentials, sandboxing and keeping secrets out of model context.

Security has remained a consistent challenge for organizations adopting AI agents. According to a report issued by the Cloud Security Alliance, two-thirds of organizations have suffered a cybersecurity incident related to the deployment of AI agents during the past year. One of the biggest challenges increasing risk is identity management. While more agentic identities are emerging in the enterprise alongside human identities, authentication and access controls are still primarily designed to support human users, rather than agent identities that move at machine speed.

In the Zero-Shot Learning podcast, Chantzis defined agent identity as “a non-human identity that can be directly authorized by a tenant or delegated by some kind of user to access local or remote resources to perform some kind of task.” These identities need to be secured as much as human identities, but there are no universal practices for doing so. “Agent identity is not a solved problem...there’s no one size fits all for here’s the playbook for how you deploy agents into production,” Wang told me in a video interview. “As we’re seeing more of these autonomous agents, I think this conversation around who is an agent, you know, what was it created to do, becomes even more important, because their identities are no longer tied to that of a human.” She explains that agents may look like humans, but they work like machines. They can have the same access as a human user, but they work longer and faster, because they don’t need to take breaks. They can also spawn other agents. This means there could be more risk if the agent takes a malicious action with an API key.

“Being able to cryptographically prove the intent of an agent and tie that into its identity and therefore its access, having that entire chain, right, sort of be deliberate and also be pristine, matters,” Wang said.

Wang says that one design philosophy 1Password uses to reduce risk is having no standing privileges. That means not giving agents API keys to use as they wish. At the same time, the organization’s collaboration with OpenAI will bring just-in-time access to Codex. Just-in-time access allows the agent to access the tools it needs to perform its function without exposing the credentials to the model’s context.

Frontier AI Meets Agentic Security

As a provider at the forefront of the frontier AI race, OpenAI is seeking to address the security concerns presented by AI agents. Fotis Chantzis, OpenAI’s agent security lead, heads a team that designs, builds and deploys security controls for agentic services like Codex. At the time of writing on May 18, 2026, there were seven people in the team, including Chantzis himself.

According to Chantzis, the agentic security team is cross-functional and collaborates with members of OpenAI across privacy, detection, response and safety. The team also aims to combine both deterministic and non-deterministic controls in collaboration with the alignment team.

He notes that this cross-sectional approach emerged after the initial launch of Codex more than a year ago, when the company realized it needed someone to consolidate the efforts around securing agentic services, which have become prevalent across the industry.

Addressing identity is a priority for securing an agentic AI initiative. “For someone to be able to properly authorize someone, they need to first be able to identify them. So, solving the agent identity problem is very important,” Chantzis said.

“Now that we have sub-agents that do specific tasks, like an agent that can spawn sub-agents, and then they can perform various actions and tasks, we need to have…basically an audit trail and observability across all of the actions,” Chantzis said. He says that continuous verification and authorization need to be done in such a way that the permissions the agent gets match the task it is asked to perform.

In terms of risk, Chantzis says that the biggest risks presented by AI agents are prompt injection and misalignment. Besides measures like continuous authorization, he says there should be some kind of credential mediation so that sensitive information like secrets, credentials or API keys is never put within the context window of the agent. After all, giving an agent access to credentials is a risky proposition, as there’s no guarantee what the agent will do with that access and what the exposure to third parties will be.

As more agents emerge across the enterprise, security teams are going to have to rethink approaches to identity and credential management. Giving agents access to credentials increases the exposure of secrets to third parties, whereas depriving them of passwords altogether decreases their utility. OpenAI and 1Password demonstrate an alternative approach that gives agents access to credentials within the development workflow without exposing credentials.
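The controls described above (no standing privileges, just-in-time access, permissions matched to the task, an audit trail, and credential mediation that keeps secrets out of the context window) can be sketched as a small broker. This is an added illustration, not 1Password's or OpenAI's code: the `secret://` reference scheme, the `CredentialBroker` and `run_tool` names, the agent name and the sample vault are all assumptions made for the example.

```python
import secrets
import time

# Constructed sample vault: the value is a placeholder, not a real credential.
VAULT = {"secret://ci/deploy-token": "example-not-a-real-token"}

class CredentialBroker:
    """Hypothetical mediator: secrets stay here, agents hold only short-lived grants."""

    def __init__(self, vault, clock=time.monotonic):
        self._vault, self._clock = vault, clock
        self._grants = {}  # grant id -> (agent, allowed references, expiry time)
        self.audit = []    # (agent, reference, decision) for every resolve attempt

    def grant(self, agent, refs, ttl_s):
        """Just-in-time grant scoped to the references one task needs."""
        gid = secrets.token_hex(8)
        self._grants[gid] = (agent, frozenset(refs), self._clock() + ttl_s)
        return gid

    def resolve(self, gid, ref):
        """Re-check the grant on every use and record the decision."""
        agent, refs, expiry = self._grants.get(gid, ("unknown", frozenset(), 0.0))
        if self._clock() >= expiry:
            decision = "deny:expired-or-unknown"
        elif ref not in refs:
            decision = "deny:out-of-scope"
        else:
            decision = "allow"
        self.audit.append((agent, ref, decision))
        if decision != "allow":
            raise PermissionError(decision)
        return self._vault[ref]

def run_tool(broker, gid, tool_call):
    """Tool runtime: swaps the reference for the secret outside the model context."""
    token = broker.resolve(gid, tool_call["auth_ref"])
    # A real tool would present `token` to the remote API here (simulated).
    status = "ok" if token else "failed"
    return {"tool": tool_call["tool"], "status": status}  # no secret in the result

def demo():
    """Returns what the model would see: the call it wrote and a secret-free result."""
    broker = CredentialBroker(VAULT)
    gid = broker.grant("subagent-1", ["secret://ci/deploy-token"], ttl_s=60)
    call = {"tool": "deploy", "auth_ref": "secret://ci/deploy-token"}
    return [call, run_tool(broker, gid, call)], broker.audit
```

The model only ever writes and reads the reference string; the grant, not the agent, carries the permission, so it lapses with the task instead of persisting as a standing API key.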