By NHI Mgmt Group Editorial Team | Published 2026-06-04 | Domain: Events | Source: 1Password

TL;DR: SaaS oversight is becoming an identity lifecycle problem, not just an inventory problem. According to 1Password’s quarterly security spotlight, SaaS Manager is being used to control SaaS spend, automate provisioning and deprovisioning, and streamline access reviews across the employee lifecycle.


At a glance

What this is: 1Password’s Q2 2026 security spotlight is a customer webinar on SaaS Manager, with a key focus on visibility, lifecycle automation, and access governance across the employee lifecycle.

Why it matters: SaaS spend, provisioning, deprovisioning, and access reviews sit at the intersection of human IAM, NHI-style lifecycle control, and operational governance.



Context

SaaS governance is now an identity problem as much as a procurement problem. When organisations cannot see who or what has access, they also cannot reliably provision, deprovision, or review access at the pace modern work demands. This webinar is about the operational controls behind that shift, not just about software administration.

For IAM and governance teams, the real question is how far lifecycle automation can reduce manual overhead without creating new blind spots. The strongest signal in this topic is that access reviews, access requests, and employee lifecycle processes are converging into one control plane for human and non-human access.

That makes the conversation relevant to both workforce identity and NHI governance. Once SaaS access is managed through the same lifecycle discipline, teams need clear ownership, evidence, and repeatable controls rather than ad hoc review cycles.


Key questions

Q: How should teams govern SaaS access across the employee lifecycle?

A: They should bind SaaS access to joiner, mover, and leaver events, then automate provisioning, access reviews, and deprovisioning from the same identity record. That reduces orphaned access, shortens revocation delays, and makes ownership clearer. The control objective is not just efficiency. It is making sure access always reflects current business need.

Q: Why do access reviews often fail in SaaS environments?

A: They fail when reviewers do not have enough context to judge whether access is still needed. If the review process lacks application ownership, last-use data, or entitlement scope, it tends to approve access by default. That creates the appearance of governance without materially reducing risk.

Q: When does lifecycle automation create real governance value?

A: It creates real value when it reduces the time between an identity change and the matching access change. The most useful signal is not how many workflows are automated, but how quickly access is removed after a role change or offboarding event. Faster revocation means less orphaned access.

Q: What is the difference between access review and deprovisioning?

A: Access review decides whether access should continue, while deprovisioning removes access that is no longer justified. Reviews are governance decisions and deprovisioning is the enforcement step. Strong programmes need both, because review without removal leaves stale access in place.


Background and context

SaaS lifecycle governance is really entitlement governance

SaaS Manager-style control is not just about listing applications. It is about mapping who has access, which entitlements exist, where access originates, and when it should be removed. In practice, that means provisioning and deprovisioning become entitlement events tied to joiner, mover, and leaver processes. Access reviews then validate whether those entitlements still match business need, rather than functioning as a paper exercise after the fact. The architecture only works when inventory, identity data, and approval workflows stay aligned across the same operational record.

Practical implication: integrate SaaS access into lifecycle workflows so entitlement changes and reviews share one source of truth.

Automated deprovisioning reduces dwell time and orphaned access

Deprovisioning is the control that prevents stale SaaS access from persisting after role changes, contractor exits, or app rationalisation. Without it, access survives long after the business justification disappears. Automation helps compress the gap between offboarding and revocation, but only if the process is tied to authoritative identity events and not just cleanup tasks. That matters because orphaned SaaS accounts often outlive the employees or teams that requested them, especially when app ownership is fragmented across IT, security, and business units.

Practical implication: connect deprovisioning to employee and contractor lifecycle events so revoked access is not left to manual cleanup.

Access reviews only work when they are anchored to real usage

Access reviews in SaaS environments fail when reviewers cannot see whether an app is still in use, whether the entitlement is necessary, or whether the requester still has the right role. A review process that lacks usage context tends to rubber-stamp access, especially in large estates with many low-visibility apps. The better model is to pair review requests with application ownership, last-use data, and entitlement scope. That turns review from periodic checkbox activity into an actual governance decision about whether access should continue.

Practical implication: require usage and ownership context in each access review before approving continued entitlement.


NHI Mgmt Group analysis

SaaS visibility gaps are now lifecycle gaps, not just shadow IT gaps. When teams cannot see the full application estate, they also cannot reliably govern provisioning, access reviews, or deprovisioning. That is why the operational problem sits inside identity governance, not outside it. Practitioners should treat visibility as the prerequisite for every downstream control.

Employee lifecycle automation is becoming the control plane for SaaS governance. Once access requests, approvals, and revocation move into one workflow, the boundary between IT service management and identity governance disappears. This is where NHI-style lifecycle discipline starts to matter for human access: the same logic of authoritative events, entitlement scope, and timely removal applies across both.

Access review programmes fail when they are detached from actual entitlement usage. Review cycles that cannot reflect application ownership, current need, and recent usage create administrative comfort without governance value. That failure mode is especially visible in SaaS estates because the number of low-friction apps makes stale access easy to miss. Practitioners need evidence-based review, not periodic confirmation bias.

Lifecycle automation is no longer only about efficiency; it is about reducing governance debt. Manual provisioning and deprovisioning create delays, exceptions, and orphaned access that accumulate across the employee lifecycle. The practical consequence is that teams should measure control quality by how quickly access follows role change, not by how many workflows they have digitised.

Identity operations debt: As SaaS estates expand, the hidden cost is not only spend but unmanaged access friction. When provisioning, review, and offboarding are not unified, every exception becomes a small governance liability. Practitioners should treat that debt as a measurable risk, not an administrative inconvenience.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing that remediation delays are still a governance problem, not just a technical one.
  • That same lifecycle gap is why NHI Lifecycle Management Guide and Ultimate Guide to NHIs should be read together when teams are formalising revocation and review controls.

What this signals

Identity operations debt: SaaS governance teams should expect more pressure to collapse identity, access, and application administration into a single operational workflow. The organisations that do this well will measure success by revocation speed, review quality, and ownership clarity rather than by the number of tools in the stack.

The broader signal is that lifecycle governance is becoming a cross-domain discipline. Human access, machine access, and application access all fail in different ways, but the control question is increasingly the same: can the organisation prove who should have access, who does have access, and how quickly that changes when the business changes?


For practitioners

  • Map SaaS applications to lifecycle events: Tie every application to a joiner, mover, and leaver trigger so provisioning and removal follow the same authoritative identity record. This reduces orphaned accounts and makes ownership visible when reviews happen.
  • Automate deprovisioning for offboarding and role changes: Remove access when employment status, contractor status, or job function changes rather than relying on manual cleanup after the fact. The control should operate before stale access becomes the default.
  • Require usage context in access reviews: Give reviewers app ownership, last-use data, and entitlement scope so they can decide whether access is still justified. Reviews without those inputs become box-ticking exercises.
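
One way to measure the controls listed above, as an added example that is not 1Password's or SaaS Manager's code: it computes the lag between a leaver event and revocation for each entitlement, and builds the context a reviewer needs before approving continued access. The data, field names, 24-hour revocation SLA and 90-day staleness threshold are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from 1Password or any real tenant).
NOW = datetime(2026, 6, 4, 12, 0)
LEAVERS = {  # user -> time the authoritative HR record marked them as a leaver
    "alice": datetime(2026, 5, 1, 9, 0),
    "bob": datetime(2026, 5, 20, 9, 0),
}
ACCOUNTS = [  # one row per SaaS entitlement
    {"user": "alice", "app": "crm", "owner": "sales-ops",
     "last_used": datetime(2026, 4, 30), "revoked_at": datetime(2026, 5, 1, 10, 0)},
    {"user": "alice", "app": "design", "owner": None,
     "last_used": None, "revoked_at": None},
    {"user": "bob", "app": "crm", "owner": "sales-ops",
     "last_used": datetime(2026, 5, 19), "revoked_at": datetime(2026, 5, 27, 9, 0)},
    {"user": "carol", "app": "wiki", "owner": "it",
     "last_used": datetime(2026, 1, 2), "revoked_at": None},
]

def revocation_report(leavers, accounts, now, sla=timedelta(hours=24)):
    """Per leaver entitlement: lag from HR event to revocation, and status."""
    rows = []
    for acct in accounts:
        left_at = leavers.get(acct["user"])
        if left_at is None:
            continue  # still employed; not a deprovisioning candidate
        revoked = acct["revoked_at"]
        lag = (revoked or now) - left_at  # unrevoked access: lag is still growing
        status = "orphaned" if revoked is None else ("late" if lag > sla else "ok")
        rows.append((acct["user"], acct["app"], lag, status))
    return rows

def review_packet(acct, now, stale_after=timedelta(days=90)):
    """Context a reviewer needs; missing inputs block approval by default."""
    missing = [k for k in ("owner", "last_used") if acct[k] is None]
    stale = acct["last_used"] is not None and now - acct["last_used"] > stale_after
    decision = "needs-context" if missing else ("recommend-revoke" if stale else "reviewable")
    return {"app": acct["app"], "user": acct["user"], "missing": missing, "decision": decision}

if __name__ == "__main__":
    for row in revocation_report(LEAVERS, ACCOUNTS, NOW):
        print(row)
    for acct in ACCOUNTS:
        if acct["revoked_at"] is None:
            print(review_packet(acct, NOW))
```

The lag column is the metric to track over time: it captures how quickly access follows an identity change, independent of how many workflows are automated.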

Key takeaways

  • SaaS governance now depends on lifecycle control, not just app inventory, because access has to follow joiner, mover, and leaver events.
  • The evidence here is about operational drift, where review and deprovisioning lag behind actual identity changes and leave orphaned access behind.
  • Practitioners should measure success by revocation speed, entitlement accuracy, and review context, not by how many administrative tasks have been automated.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | SaaS access reviews and revocation map directly to access control governance.
OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle automation and revocation reduce stale identity exposure.
NIST Zero Trust (SP 800-207) | PL-8 | Zero Trust relies on continuous access validation across SaaS identities.

Use NHI-03 to assess whether provisioning, rotation, and offboarding are actually enforced.


Key terms

  • SaaS Lifecycle Governance: The discipline of controlling SaaS access from joiner through mover to leaver events. It links provisioning, review, and deprovisioning to authoritative identity records so access changes when the business relationship changes, not when someone remembers to clean it up.
  • Access Review: A periodic decision process that checks whether access is still justified. In practice, it only has value when reviewers receive enough context to make an evidence-based decision, including ownership, usage, and the current business need for the entitlement.
  • Deprovisioning: The removal of access when it is no longer required. Effective deprovisioning is tied to identity lifecycle events and should happen as close as possible to offboarding, role change, or service closure so stale access does not linger.
  • Governance Debt: The accumulation of access, process, and ownership gaps that build up when identity controls are manual or fragmented. It is not a formal accounting term, but it is a useful way to describe the risk created when lifecycle processes cannot keep pace with the environment.


This post draws on content published by 1Password: Webinar On Demand EMEA - What's new? The 1Password quarterly security spotlight and roadmap review - Q2 2026. Read the original.
