Secure AI Growth: Identity Tools UK SMEs Can Trust

Technology, Innovation & Digital Economy • By 3L3C

Secure AI growth starts with identity. Learn practical IAM lessons from Canva’s 1Password approach—built for UK SMEs scaling fast.


Most small businesses treat identity security like an IT housekeeping task. Then growth hits—more staff, more SaaS logins, more customer data flowing through AI tools—and suddenly “housekeeping” becomes a business risk.

Canva learned this the hard way. After a major 2019 breach affecting more than 100 million users’ data, it invested heavily in security and later standardised identity and credential management with 1Password during a period of rapid expansion. Canva’s scale is unusual, but the pattern is familiar: when organisations grow quickly, identity sprawl and messy onboarding/offboarding become the easiest way for attackers (or simple mistakes) to get in.

This matters to UK small businesses right now because AI adoption is accelerating. AI chatbots, AI marketing assistants, and AI-enabled customer support tools are becoming normal in SMEs—and each new tool adds accounts, tokens, integrations, and access paths. The better way to approach this is simple: secure identity first, then scale AI with confidence.

Snippet-worthy rule: If you can’t confidently answer “who has access to what?” you’re not ready to scale AI safely.

Why identity becomes the biggest risk during AI adoption

Identity is the control plane for your business. Once attackers get credentials, they rarely need “hacking skills”—they just log in like a normal user.

For SMEs, AI adoption often increases identity risk in three predictable ways:

  1. More tools, more logins. AI copy tools, analytics platforms, customer service bots, HR automation, finance apps—each adds another door.
  2. More secrets, more places to leak. API keys, service account credentials, SSH keys, shared team logins, “temporary” passwords in Slack—this is secret sprawl.
  3. More people touching sensitive data. AI tools frequently handle customer messages, invoices, internal documents, and sometimes regulated personal data.

Canva’s security lead described the growth challenge plainly: as workflows multiply, it gets harder to “lock things down.” That’s not a big-company problem; it’s a growth problem.

The myth: “We’re too small to need enterprise-grade identity controls”

Most companies get this wrong. Size doesn’t protect you—complexity does the damage. A 12-person agency with 40 SaaS tools and freelancers has more identity chaos than a 200-person firm with disciplined access management.

If you’re building a modern UK business in 2026—digital-first, tool-heavy, and experimenting with AI—you need repeatable identity hygiene more than you need fancy security jargon.

Lessons from Canva: secure onboarding, reduce secret sprawl, keep teams fast

Canva’s experience with 1Password is interesting because it focuses on a practical goal: make the secure path the easiest path.

That “paved road” idea is gold for SMEs. People follow the route that costs the least time and friction. If secure login and secret-sharing are clunky, your team will route around them—often using personal password managers, browser-saved passwords, or shared spreadsheets.

Here are three lessons worth copying.

1) Fix onboarding on day one (not week three)

Onboarding is a security blind spot. New hires arrive with habits, assumptions, and speed expectations. If you don’t give them a secure way to work immediately, they’ll invent one.

Canva’s approach: get new starters into the password manager on day one and have required team credentials already available there. The behavioural trick is simple:

  • The secure system is the easiest system.
  • Everyone uses it because it removes guesswork.

For a UK SME, the “day-one” checklist can be lightweight:

  • Create business accounts (don’t reuse personal emails)
  • Enforce MFA on key systems (email, accounting, CRM, helpdesk)
  • Add staff to the password manager vaults they need
  • Provide a 15-minute setup guide (short, practical, non-preachy)

2) Treat shared accounts as high-risk by default

Shared logins are common in small teams: social media accounts, ad platforms, marketplaces, and “the old supplier portal.” They’re also a recurring cause of messy offboarding.

Canva used centralised credential storage and added stronger authentication where accounts aren’t tied to a person (for example, one-time passcodes). SMEs can mimic the intent even if the exact setup differs:

  • Store shared credentials in one controlled place
  • Limit who can see/use them
  • Rotate credentials when someone leaves (or when a supplier changes)

Practical stance: If your marketing team shares a social login through a WhatsApp message thread, you’re one lost phone away from a breach.

3) Don’t break developer (or power-user) workflows

Canva highlighted something many businesses overlook: security tooling has to fit real workflows. Their developers used a command line interface (CLI) for retrieving secrets, shaving seconds off repetitive steps—seconds that add up across thousands of engineers.

SMEs may not have 5,000 engineers, but you likely have “power users”:

  • the ops person automating invoicing
  • the analyst pulling reports
  • the founder wiring up Zapier/Make integrations
  • the developer maintaining the website

If those people find your security controls annoying, they’ll store API keys in plain text files and reuse passwords “just for speed.” Your identity stack should speed up safe behaviour, not punish it.

A simple identity stack for UK small businesses scaling with AI

You don’t need a giant IAM programme to be safer than most companies. You need consistency.

Here’s a practical, SME-friendly identity approach that works well for businesses adopting AI tools.

Step 1: Pick one “source of truth” for staff identities

Answer first: Use a central directory (often Google Workspace or Microsoft 365) as the place where staff accounts start and end.

Why it matters: if HR says someone left, their access should shut off everywhere—email, files, AI tools, CRM, finance.

If you’re already on Google Workspace or Microsoft 365, you’re halfway there. The key is discipline:

  • no shared personal Gmail accounts
  • no “we’ll remove them later” offboarding

Step 2: Standardise credential and secret storage

Password managers aren’t optional once you scale AI. They’re the fastest way to reduce secret sprawl.

Store:

  • passwords for SaaS tools
  • shared team credentials
  • API keys used in automations
  • service account credentials (where applicable)
  • recovery codes for critical accounts

Set rules that match how SMEs actually work:

  • vaults by team (Marketing, Finance, Ops)
  • least-privilege access (don’t give everyone everything)
  • MFA enforced for the password manager itself

Step 3: Automate provisioning where you can (and document the rest)

Canva used SCIM-based automation to provision access. SMEs might not use SCIM everywhere, but you can still reduce chaos:

  • Use SSO for tools that support it (start with email, CRM, helpdesk)
  • Maintain a “systems list” with owners (who approves access, who rotates passwords)
  • Use templates for onboarding/offboarding tasks

Snippet-worthy rule: Every tool needs an owner, or it becomes an orphaned security risk.
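
The "systems list" and offboarding template from Step 3 can live in a few lines of Python. This is an added example, not Canva's or 1Password's tooling; the Tool fields, tool names and staff names are constructed for illustration. It flags tools with no owner and turns a leaver's name into the concrete tasks the list implies.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Tool:
    name: str
    owner: Optional[str]   # who approves access and rotates passwords
    sso: bool              # True: access ends when the directory account is disabled
    users: set = field(default_factory=set)          # named accounts in the tool
    shared_vault: set = field(default_factory=set)   # people who can see a shared login

# Constructed sample systems list (hypothetical tools and staff).
SYSTEMS = [
    Tool("CRM", "priya", True, {"priya", "sam", "alex"}),
    Tool("Accounting", "sam", False, {"sam", "alex"}),
    Tool("Social media", "alex", False, set(), {"alex", "priya"}),
    Tool("AI support bot", None, False, {"alex"}, {"alex", "sam"}),
]

def orphaned_tools(systems):
    """Tools nobody owns: no one approves access or rotates credentials."""
    return [t.name for t in systems if not t.owner]

def offboarding_tasks(systems, leaver):
    """Same-day task list for one leaver, derived from the systems list."""
    tasks = [f"Disable {leaver} in the central directory"]
    for t in systems:
        # Without SSO, disabling the directory account does not close this door.
        if leaver in t.users and not t.sso:
            tasks.append(f"{t.name}: remove {leaver}'s account manually (no SSO)")
        # Anyone who could read a shared login still knows it after leaving.
        if leaver in t.shared_vault:
            tasks.append(f"{t.name}: rotate shared credential, remove {leaver} from vault")
        if t.owner == leaver:
            tasks.append(f"{t.name}: assign a new owner")
    return tasks

if __name__ == "__main__":
    print("Tools with no owner:", orphaned_tools(SYSTEMS))
    for task in offboarding_tasks(SYSTEMS, "alex"):
        print("-", task)
```

In practice the list would be exported from a spreadsheet or the password manager's admin console rather than typed inline.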

Step 4: Define “AI tool boundaries” before you plug in customer data

AI tools often tempt teams to paste in customer emails, support transcripts, proposals, or contracts. Set boundaries early:

  • What data types are allowed in AI tools?
  • Which AI tools are approved?
  • Who can connect AI tools to your CRM/helpdesk?
  • Where are API keys stored and rotated?

This fits directly into the broader Technology, Innovation & Digital Economy theme: innovation-led growth only works when trust and resilience grow with it.

People also ask: common SME identity questions (answered)

“Is a password manager enough, or do we need full IAM?”

For many UK SMEs, a password manager + MFA + disciplined offboarding gets you most of the benefit quickly. Full IAM becomes important as you add many apps, contractors, and compliance requirements.

“What’s the biggest identity mistake small businesses make with AI tools?”

Connecting AI tools to core systems using a single shared admin account and then never rotating the credentials. That’s how small issues become major incidents.

“How do we keep security from slowing down growth?”

Design the secure route to be the easiest route: day-one onboarding, shared vaults, and fewer manual steps. Canva’s “paved road” concept applies perfectly here.

A short action plan you can run this week

If you want momentum, do this in order:

  1. Turn on MFA for email, finance, CRM, and your password manager.
  2. Inventory your tools (yes, even the forgotten ones) and list the account owner for each.
  3. Move shared credentials out of chat threads and spreadsheets into a password manager.
  4. Create an offboarding checklist and run it the same day someone leaves.
  5. Review AI tool integrations: where are the API keys, who has access, and what data is being sent?

If you do only one thing: centralise shared credentials and enforce MFA. It removes a huge amount of low-effort risk.

Where this is heading for UK SMEs in 2026

AI tools are becoming part of everyday operations—marketing, customer service, analytics, internal workflows. That’s good for productivity, but it also means identity and access management becomes a frontline business function, not an IT detail.

Canva’s story is a reminder that security doesn’t have to be a brake on growth. When identity is handled well, it becomes a way to onboard faster, collaborate safely, and adopt new tools without anxiety.

If you’re scaling AI in your small business, here’s the question that decides whether you’ll grow smoothly or stumble: is your identity setup helping people work quickly, or forcing them to work around it?