Holding · last review 24 May 2026

A 5-15 person team running AI tools on paid client work in 2026 can move from default-shared personal credentials for AI agents to a defensible non-human-identity (NHI) posture in three hours of work using existing tooling (password manager, calendar, spreadsheet). The five-step starter kit (inventory every AI tool acting in the environment and its credential; mint per-agent credentials with the smallest scope; move every credential into one secrets vault and remove it from everywhere else; set a 90-day rotation cadence with a calendar owner; write and test a one-page leaver and revocation runbook) covers the credential-management practices that CyberArk-grade enterprise NHI programmes cover, scaled to a team without an identity-governance function. The answer the kit produces is sufficient for almost every mid-market and SMB client procurement question, and a credible answer to most enterprise procurement questionnaires reaching small-agency vendors in 2026.
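A check over the step-1 inventory spreadsheet for the conditions that steps 2 to 4 of the kit rule out, as an added example that is not part of the original claim. The CSV column names, agent names and sample rows are constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import date

ROTATION_DAYS = 90  # rotation cadence from step 4 of the kit

# Constructed sample inventory; column names are assumptions, not from the page.
SAMPLE_CSV = """agent,credential_id,owner,location,last_rotated
claude-code-ci,key-001,dana,vault,2026-04-20
cursor-dev,key-002,dana,vault,2026-01-10
support-bot,key-003,,vault,2026-05-01
report-automation,key-002,lee,.env file,2026-05-10
"""


def audit(csv_text, today):
    """Return sorted (agent, finding) pairs for rows that break a kit step."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Step 2: a credential id listed for more than one agent is not per-agent.
    uses = Counter(r["credential_id"] for r in rows)
    findings = []
    for r in rows:
        agent = r["agent"]
        if uses[r["credential_id"]] > 1:
            findings.append((agent, "shared credential"))
        # Step 3: every credential lives in the one vault and nowhere else.
        if r["location"].strip().lower() != "vault":
            findings.append((agent, "stored outside vault"))
        # Step 4: the rotation needs a named owner and a 90-day cadence.
        if not r["owner"].strip():
            findings.append((agent, "no rotation owner"))
        age = (today - date.fromisoformat(r["last_rotated"])).days
        if age > ROTATION_DAYS:
            findings.append((agent, f"rotation overdue ({age} days)"))
    return sorted(findings)


if __name__ == "__main__":
    for agent, finding in audit(SAMPLE_CSV, date(2026, 5, 24)):
        print(f"{agent}: {finding}")
```

An empty result means every inventoried agent has its own vaulted credential, a named rotation owner, and a rotation inside the 90-day window.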

The claim is scoped to the operational capability of a 5-15 person services team to reach a defensible NHI posture using existing tools. It does not assert that the kit replaces enterprise-grade IAM tooling for the team's own internal systems if the team grows past ~20 people or starts holding regulated client data classes (HIPAA, PCI). The 30-day review cadence is aggressive because the small-team SaaS pricing and feature landscape moves fast, and one vendor change can render a kit step easier or harder. Trigger conditions: (1) a major SMB-targeted vault product (1Password, Bitwarden, Doppler) ships agent-credential-management as a default feature with rotation reminders and audit-log export, which would move the claim toward Partial because the tooling gap is closing; (2) a published small-business or small-agency breach traceable to a shared AI tool credential, which would confirm the structural exposure and strengthen the case for action; (3) a published change in small-business cyber insurance terms requiring NHI controls, which would change the operator's incentive map, making the kit table-stakes rather than discretionary; (4) an enterprise procurement-questionnaire standard (ISA, SIG Lite, CAIQ) adds explicit NHI questions for small-vendor responses, which would change the procurement-cycle pressure on small agencies.

Published: 24 May 2026
Last reviewed: 24 May 2026
Next review: +29d · 23 Jun 2026
Cohort: 5-15 person services agency or in-house team running AI tools (Claude Code, Cursor, Windsurf, customer-service bots, internal automations) on paid client work without a dedicated IT or identity-governance function
Cadence: 30-day
Sibling claim: AM-167, The NHI procurement clause gap: every vendor-provided AI agent is a vendor-issued non-human identity inside your environment

About this register

The Operators register tracks claims published from practitioner-advisory pieces addressed to solo founders, micro-SMB, and small businesses up to around fifty people. Claims are reviewed on a 30–45 day cadence — tooling and SMB-relevant pricing shift faster than enterprise procurement signals.

Recent corrections in Operators

  • OPS-036 · Partial · 29 Apr 2026

    Initial publication 29 Apr 2026. Status set to Partial at publication because clause 6 commentary references an order-of-magnitude remediation-cost gap derived from the IAPP 2024 AI Governance Profession Report; the report characterises the gap as material but does not publish a precise multiple, so the wording is annotated source: our-estimate.

  • OPS-035 · Holding · 29 Apr 2026

    Initial publication 29 Apr 2026. Status set to Partial at publication because category 5 lacks the same regulatory/cited-consequence anchor as categories 1-4.

  • OPS-034 · Holding · 29 Apr 2026

    Initial publication 29 Apr 2026 with status=partial. Cost-side claims (vendor pricing) verifiable against the four cited pricing pages on the publication date. Time-recovery claim (90+ min compressed to ~20 min) drawn from published productivity-blogger benchmarks rather than Peter-run measurement; first-cohort replication on the publication's tracked operator cohort due by 13 Jun 2026.
