Claire McKenna, Director of Content & Customer Marketing
February was about expanding what identity governance can control and how securely it can operate across both humans and machines. As organizations accelerate automation and adopt more AI-driven workflows, identity becomes more than access approvals and quarterly reviews. It becomes the control plane for secrets, service accounts, custom logic, and machine-driven actions.
This month’s releases reflect that shift. We introduced secure secret sharing, expanded support for non-human identities, and unlocked deeper extensibility inside the platform, all while continuing to improve day-to-day usability and auditability.
Secure secret sharing, built into governance
Secrets are everywhere. API keys. Credentials. Configuration files. Temporary tokens.
Historically, they’ve lived outside identity governance systems, passed through chat, email, or vault tools without clear oversight or audit context.
In February, we introduced Secret Sharing inside ConductorOne.
You can now securely share credentials, files, API keys, and other sensitive content directly from the platform. Secrets are encrypted in your browser before upload, which means ConductorOne never sees plaintext data. Internal recipients authenticate via SSO. External recipients use a one-time magic link. You control expiration and view limits.
Administrators maintain visibility through metadata and audit logs across the tenant. This brings sensitive operational workflows into the same governed, observable system that already manages access. Identity is not just about who can access an application. It is also about how sensitive data moves between people and systems.
Service principals: governing non-human identity
CI pipelines, Terraform runs, scripts, and API integrations all need access, and that access must be auditable and revocable.
In early access this month, we introduced Service principals in ConductorOne.
Service principals are machine identities fully separate from any human account. Instead of assigning roles to a user and repurposing those credentials for automation, you can now give an automation its own identity in ConductorOne and assign it only the roles it needs.
Service principals support two authentication models:
- Client credentials using a client ID and secret, with configurable credential lifetimes up to 180 days
- Workload federation using OIDC tokens from platforms like GitHub Actions, GitLab CI, and HCP Terraform, enabling secretless authentication
The result is a cleaner separation between human and machine access, tighter least-privilege enforcement, and stronger auditability across automated workflows.
As automation increases, governance must extend to machines by default. Service principals make that possible.
Functions: extending governance with custom code
No two identity programs look exactly alike. There are always edge cases, custom integrations, and organization-specific workflows.
We also introduced Functions: serverless TypeScript functions that let you extend ConductorOne’s governance engine with your own logic.
Functions can:
- Run as steps within automations
- Trigger on lifecycle events, access events, review events, or schedules
- Be invoked manually from the web UI
Each function executes in an isolated sandbox with network allowlists, secrets management, and full execution logging.
Instead of relying on fragile external scripts or disconnected infrastructure, teams can now embed custom governance logic directly inside the identity layer. That keeps automation observable, auditable, and aligned with policy.
Identity programs mature when they can handle the edge cases without sacrificing control. Functions give teams that flexibility without adding operational overhead.
Making everyday governance faster and clearer
February also included a wide set of usability improvements designed to make governance work more intuitive and efficient at scale.
We enhanced access reporting to provide clearer context around what access represents and who owns it, improving accountability across teams. Campaign workflows became more flexible and easier to manage, helping reviewers move through large volumes of decisions with less friction.
We also expanded policy expression capabilities, enabling more context-aware routing and risk-based logic. These updates give teams greater precision without increasing operational complexity.
Across requests and task management, we focused on visibility and responsiveness. From clearer task insights to streamlined exports and faster search, teams can now navigate and analyze identity data more efficiently.
Individually, these changes are subtle. Together, they reduce cognitive load and make high-volume governance feel calmer, more structured, and easier to scale.
Fixes that reinforce trust
As always, we resolved a range of issues across search overlays, policy rule editing, campaign filtering, and task state display. Reliability matters in governance. Fixes may not be headline features, but they reinforce the consistency and trust required for identity to operate as a system of record.
February expanded the surface area of what identity governance can safely control. At the same time, everyday workflows continue to get faster, clearer, and more observable.
You can find full details in our weekly release notes. We are excited to keep building on this foundation as identity evolves to support a mixed human and machine workforce.