The cybersecurity landscape is changing fast. At 1Password, that means we’re continuously evolving what we work on, how we work, and the culture we need to achieve our goals.
Zero-Shot Learning is a podcast about how AI gets built, secured, and deployed. Hosted by Nancy Wang, 1Password CTO, and Dev Tagare, Senior Director of Engineering at Google, it’s a builder’s view of the architecture and the decisions it takes to ship with AI.
The developers and engineers here at 1Password are always working to improve our products. With all the active development to introduce features, fix bugs, and enhance the overall user experience, numerous code changes go into every release. We strive to ensure each iteration is better than the last and that new code doesn’t introduce vulnerabilities. A key part of this process is our Product Security (ProdSec) team’s review of all code changes that may have security implications.
This is the second post in a series that follows 1Password’s response to NIST’s call for input on how those principles should apply to agents. In our last post on agent identity, we introduced why the ability to reason makes agents fundamentally different from traditional machine workloads, why it breaks the assumptions traditional identity and access management was built on, and why real-time attestation establishes agent identity at runtime.
Today we're shipping a new capability directly into 1Password Device Trust that lets admins query their fleets faster, without needing to be SQL experts. Now you can describe what you want to investigate in plain English, and Device Trust generates a ready-to-run SQL query you can execute across your devices in a single click.
AI agents now write code, fix bugs, and ship to production. But in order to do useful work, agents require credentials. At 1Password, one of our core AI security principles is that raw credentials should never be directly exposed to LLMs, but all too often, that’s exactly what happens: most teams sacrifice security for speed and hand agents secrets in plaintext.
"The hardest thing in security is always the chaos," according to Travis McPeak, Head of Security at Cursor. He shared this with Nancy Wang, CTO of 1Password, and Dev Tagare, Senior Director of Engineering at Google, on a recent episode of Zero-Shot Learning, the podcast about how AI gets built, secured, and deployed. "We're always going to have more that we have to be doing than we can actually do.".
At 1Password, we regularly invite outside experts to challenge our assumptions and strengthen our security. We encourage security researchers to participate in our bug bounty programs, and have spent years building a collaborative research environment. We also believe in the benefit of open source software and standards, which raise the bar for the industry as a whole, while ultimately benefiting our 1Password customers.
One of the less surprising findings of the 2026 Verizon Data Breach Incident Report (DBIR) is the fact that incidents targeting the Financial and Insurance sector are on the rise. As they put it, “This sector continues to be a favorite among attackers, which isn’t surprising given that its core business is handling money.”