Skip to content
OPS-074
← Back to ledger
Holding·last review24 May 2026

A 5-15 person team running AI tools on paid client work in 2026 can move from default-shared personal credentials for AI agents to a defensible non-human-identity posture in three hours of work using existing tooling (password manager, calendar, spreadsheet). The five-step starter kit (inventory every AI tool acting in the environment and its credential; mint per-agent credentials with smallest-scope; move every credential into one secrets vault and remove from elsewhere; set a 90-day rotation cadence with a calendar owner; write and test a one-page leaver and revocation runbook) covers the credential-management practices that CyberArk-grade enterprise NHI programmes cover, scaled to a team without an identity-governance function. The answer the kit produces is sufficient for almost every mid-market and SMB client procurement question, and a credible answer to most enterprise procurement questionnaires reaching small-agency vendors in 2026.

Claim is scoped to the operational capability of a 5-15 person services team to reach a defensible NHI posture using existing tools. Does not assert the kit replaces enterprise-grade IAM tooling for the team's own internal systems if the team grows past ~20 people or starts holding regulated client data classes (HIPAA, PCI). 30-day review cadence aggressive because the small-team SaaS pricing and feature landscape moves fast and one vendor change can render a kit step easier or harder. Trigger conditions: (1) a major SMB-targeted vault product (1Password, Bitwarden, Doppler) ships agent-credential-management as a default feature with rotation reminders and audit-log export — would move toward Partial because the tooling gap is closing; (2) a published small-business or small-agency breach traceable to a shared AI tool credential — would confirm the structural exposure and strengthen the case-for-action; (3) a published change in small-business cyber insurance terms requiring NHI controls — would change the operator's incentive map and the kit becomes table-stakes rather than discretionary; (4) an enterprise procurement-questionnaire standard (ISA, SIG Lite, CAIQ) adds explicit NHI questions for small-vendor responses — would change the procurement-cycle pressure on small agencies.

Published
24 May 2026
Last reviewed
24 May 2026
Next review
+23d· 23 Jun 2026
Cohort
5-15 person services agency or in-house team running AI tools (Claude Code, Cursor, Windsurf, customer-service bots, internal automations) on paid client work without a dedicated IT or identity-governance function
Cadence
30-day
Sibling claim
AM-167The NHI procurement clause gap: every vendor-provided AI agent is a vendor-issued non-human identity inside your environment
Source piece
Your AI assistants already have identities. They just don't have yours. A 5-step NHI starter kit for 5-15 person teamsRead piece →
Permalink/holding/OPS-074/
Embed this claimiframe + oEmbed
HTML iframe
Paste-the-URL (Substack, Medium, Notion, WordPress)

The card auto-updates when the claim's status, last-reviewed date, or correction log changes. Embedders never need to refresh — the card is rendered live from the canonical record.

Watch this claim

Email-me when OPS-074's status, next review date, or correction log changes. One email per change. No newsletter subscription, no other mail.

The claim: A 5-15 person team running AI tools on paid client work in 2026 can move from default-shared personal credentials for AI agents to a defensible non-human-identity posture in three hours of work using existing tooling (password manager, calendar, spreadsheet). The five-step starter kit (inventory every AI tool acting in the environment and its credential; mint per-agent credentials with smallest-scope; move every credential into one secrets vault and remove from elsewhere; set a 90-day rotation cadence with a calendar owner; write and test a one-page leaver and revocation runbook) covers the credential-management practices that CyberArk-grade enterprise NHI programmes cover, scaled to a team without an identity-governance function. The answer the kit produces is sufficient for almost every mid-market and SMB client procurement question, and a credible answer to most enterprise procurement questionnaires reaching small-agency vendors in 2026.

About this register

The Operators register tracks claims published from practitioner-advisory pieces addressed to solo founders, micro-SMB, and small businesses up to around fifty people. Claims are reviewed on a 30–45 day cadence — tooling and SMB-relevant pricing shift faster than enterprise procurement signals.

Recent corrections in Operators

  • OPS-002 · Partial · 28 May 2026

    Price drift: Notion Business with bundled AI now about $15/seat annual ($20 monthly) vs cited $19.50; ClickUp Brain now $7/seat vs cited $9. Verdict logic unchanged; figures need updating.

  • OPS-036 · Partial · 29 Apr 2026

    Initial publication 29 Apr 2026. Status set to Partial at publication because clause 6 commentary references an order-of-magnitude remediation-cost gap derived from the IAPP 2024 AI Governance Profession Report; the report characterises the gap as material but does not publish a precise multiple, so the wording is annotated source: our-estimate.

  • OPS-035 · Holding · 29 Apr 2026

    Initial publication 29 Apr 2026. Status set to Partial at publication because category 5 lacks the same regulatory/cited-consequence anchor as categories 1-4.

Reviews coming up in Operators

  • OPS-062 · Holding · next +2d (02 Jun 2026)

    For a UK sole trader, Claude Pro and ChatGPT Plus subscriptions are allowable expenses under HMRC's wholly-and-exclusiv…

  • OPS-065 · Holding · next +11d (11 Jun 2026)

    A solo agency delivering AI-assisted work to a client needs four contract clauses by Aug 2026 — disclosure of AI use, I…

  • OPS-064 · Holding · next +11d (11 Jun 2026)

    For a freelance translator below 0.10 €/word, accepting MTPE rates at agency-standard 40–60% of full rate is rational o…