
Cursor's Head of Security: Never trust the agent writing your code

Cursor's Head of Security Travis McPeak warned that AI coding agents must never be trusted, advocating for secure-by-default workflows to contain damage when agents inevitably misbehave. Speaking on the Zero-Shot Learning podcast, he emphasized that agents are non-deterministic and lack accountability, requiring security teams to embed policy as code and enforce least privilege. The 1Password Access-Trust Gap Report found 73% of employees are encouraged to use AI, but 37% only follow AI policies most of the time.

1password.com · Published Jun 16, 2026 · 7 min read

"The hardest thing in security is always the chaos," according to Travis McPeak, Head of Security at Cursor. He shared this with Nancy Wang, CTO of 1Password, and Dev Tagare, Senior Director of Engineering at Google, on a recent episode of Zero-Shot Learning, the podcast about how AI gets built, secured, and deployed. "We're always going to have more that we have to be doing than we can actually do."

Travis has worked within that constraint in security roles at Netflix and Databricks and now at Cursor, the AI-native IDE, where agents write production code for a rapidly growing base of developers worldwide.

Agents in the development pipeline introduce a new kind of actor. They are non-deterministic, have access to tools, are exposed to untrusted input, and often operate near credentials, source code, and production systems, all with no guarantee that past behavior predicts future actions. Unlike developers, who earn trust through accountability and predictability, agents offer neither. Sitting down with Nancy and Dev, Travis said that the only way to secure agents is to design secure-by-default workflows so that when they inevitably misbehave, the damage is contained.

Security teams are still grappling with how to classify and manage agent identities, but businesses aren't waiting to adopt AI and agentic tooling. The 1Password Access-Trust Gap Report found that 73% of employees are encouraged to use AI for some part of their workload. But policy enforcement clearly isn’t keeping up, since 37% say they only follow company AI policies "most of the time."

Travis embraces speed as a simple fact of the modern tech business model. "Security teams exist to serve the business. Your job is to do the best risk minimization that you can within the amount of slowdown that a business will tolerate. I'm in ‘ship, ship, ship.’ I want the company to thrive," he said.

Moving at the speed of business means that security teams often have more on their plates than they can achieve, and in that situation, the fights worth choosing are the ones that can be automated. Travis has found success in embedding security policy as code because LLMs can generate, review, and deploy it without a human in the loop.

With LLMs, production no longer hits a human bottleneck. "We have these wonderful tools that operate very well on anything text-based," he said. "If you can do configuration as code, the LLM can produce it, independent LLMs can review it, and once everything's good, it just gets auto-deployed." When systems operate in a secure-by-default mode, security travels with the code, and teams can work without a checkpoint slowing them down.

The 1Password Hook for Cursor is part of this approach because it embeds security at the credential layer. Secrets are available to Cursor only when needed, in memory, never written to disk or Git history. Access is controlled by design, and teams can work without worrying about accidentally committing secrets.

The concept of least privilege was designed to reduce risk: give any principal the minimum access it needs, so that when something goes wrong, the damage is limited. "Developers weren't mega-trusted in the first place," Travis said, "not because they're bad people, they just have other priorities." Agents are no different. They're executing a task, not managing their own access. The non-deterministic nature of agents makes a least-privilege approach essential, because something will eventually go wrong.

"I still think people don't understand how non-deterministic these systems are… An agent could behave exactly as expected across dozens of runs and then do something completely different for no apparent reason. You always have to treat an individual agent as untrusted, especially if it has access to something that really matters."

–Travis McPeak, Head of Security, Cursor

Agents also process external content like emails, documents, and tool responses, and an attacker who controls that content can embed instructions the agent will follow as if they came from its legitimate operator. This is the same architectural flaw that made SQL injection effective: there was no boundary between the developer's instructions and user input. Prompt injection works the same way; there's no wall between an agent's instructions and the content it processes.

"We never got the separation of control plane and data plane right in the history of computers," Travis said. "We set up the agent in a hurry because it's gonna be so cool, and we forgot to put safeguards, guardrails, logging, anomaly detection."

With agents, a missing guardrail doesn't stay in one transaction. It executes automatically, across every run, at machine speed.

Traditional IAM has been a relatively successful permissions system for human identity management, but it's not without limitations. "It's a great technology, honestly. Probably the best implementation of this thing," Travis said. The problem is usability. "Even I have dealt with it for years. How does this condition work? What's the syntax? It's just so hard for anybody to understand."

While IAM was built for people, service accounts, API keys, and machine credentials were never part of that governance model. Non-human identities have always existed outside of IAM and SSO, where they’re provisioned ad hoc. To keep work moving, engineers grant broader permissions than necessary to avoid debugging policy errors. In the enterprise, non-human identities already outnumber humans, and many have unaudited, overprivileged access.

Agentic non-determinism compounds the problem. Traditional IAM assumes you can define what a principal needs upfront, but an agent whose behavior is inherently unpredictable can't be governed by a static policy.

At Netflix, Travis built a project called Repokid around the idea that you can't specify least privilege correctly up front, but you can observe your way to it. In practice, Repokid granted slightly more access than was needed, watched what got used, and cut the rest. The 2026 version for agents starts from the opposite direction.

"We want to have standing no permissions, or least permissions. And then, based on the actual agent, its profile, and what it's supposed to be able to do, there should be a requestable, auditable set that it receives. You definitely want to know what it was granted and what it actually ended up using. And then there should be an escalation path."

–Travis McPeak, Head of Security, Cursor

Without the escalation path, an agent hard-blocked mid-task either fails silently or stalls. With it, the agent can surface unexpected needs and route them to named approvers. Travis details the use case: "My agent's working on something. If it just gets hard-blocked, it might stall out. But if it flags an unexpected need, access to the CEO's salary data, something it's never asked for before, there should be a defined set of approvers who can grant it."

Securing agents requires a model that starts at zero, grants by profile, and enforces access decisions at the boundary rather than upfront. In his example, the grant, the usage, and the escalation would all be documented.
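The start-at-zero model described above (no standing permissions, grants by agent profile, a record of what was granted versus what was actually used, and a named-approver escalation path), as an added Python sketch that is not Cursor's, Netflix's or 1Password's code; the profiles, scopes and approver names are constructed for the example:

```python
from dataclasses import dataclass, field
# Constructed profiles: scopes an agent of that profile may receive without escalation.
PROFILES = {
    "docs-writer": {"repo:read", "docs:write"},
    "ci-fixer": {"repo:read", "repo:write", "ci:rerun"},
}
# Scopes outside every profile map to a named approver (constructed names).
APPROVERS = {"payroll:read": "cfo", "prod:deploy": "sre-lead"}

@dataclass
class AccessBroker:
    granted: dict = field(default_factory=dict)   # agent -> scopes granted (starts empty)
    used: dict = field(default_factory=dict)      # agent -> scopes actually exercised
    pending: dict = field(default_factory=dict)   # (agent, scope) -> approver awaiting decision
    log: list = field(default_factory=list)       # append-only audit trail of every decision

    def request(self, agent, profile, scope):
        """Grant by profile; route anything else to its named approver; otherwise deny."""
        if scope in PROFILES.get(profile, set()):
            self.granted.setdefault(agent, set()).add(scope)
            self.log.append(("grant", agent, scope, "profile:" + profile))
            return "granted"
        if scope in APPROVERS:
            self.pending[(agent, scope)] = APPROVERS[scope]
            self.log.append(("escalate", agent, scope, APPROVERS[scope]))
            return "pending:" + APPROVERS[scope]
        self.log.append(("deny", agent, scope, "no-approver"))
        return "denied"

    def approve(self, agent, scope, approver):
        """Only the approver named for that scope can resolve the escalation; record who did."""
        if self.pending.get((agent, scope)) != approver:
            return False
        del self.pending[(agent, scope)]
        self.granted.setdefault(agent, set()).add(scope)
        self.log.append(("grant", agent, scope, "approver:" + approver))
        return True

    def act(self, agent, scope):
        """Enforce at the boundary: every action is checked against the current grant set."""
        if scope not in self.granted.get(agent, set()):
            self.log.append(("blocked", agent, scope, "-"))
            return False
        self.used.setdefault(agent, set()).add(scope)
        self.log.append(("use", agent, scope, "-"))
        return True

    def unused_grants(self, agent):
        """Repokid-style review: granted but never used, so candidates for revocation."""
        return self.granted.get(agent, set()) - self.used.get(agent, set())
```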

Nancy closed the conversation with a pointed observation, "A lot of teams these days are still talking about security and workflows like it's 2019."

The access model most enterprises rely on wasn’t built for non-deterministic agents. 1Password Unified Access is built to extend identity security to non-human identities. It discovers AI tools and agents running across developer endpoints, delivers credentials at runtime rather than pre-provisioning them, and provides full attribution for every access event across humans, agents, and machines.

Listeners to this episode inevitably came away with a clear question: Is your access model built for non-deterministic agents?

Travis McPeak, Nancy Wang, and Dev Tagare on Zero-Shot Learning.

Secrets in memory, never on disk, available only when Cursor needs them.
