By NHI Mgmt Group Editorial Team | Published 2025-07-01 | Domain: Governance & Risk | Source: 1Password

TL;DR: Omdia says legacy IAM and MDM were built for a controlled device and app estate, but SaaS, BYOD, shadow IT, and AI have left unmanaged access outside the reach of traditional compliance and cyber insurance checks, according to 1Password’s summary of the report. The compliance problem is now an identity governance problem, because auditability collapses when access is not bound to managed devices, applications, or vendors.


At a glance

What this is: This is a 1Password summary of Omdia research arguing that extended access management is needed because legacy IAM and MDM no longer cover unmanaged devices, apps, and identities in modern compliance and insurance workflows.

Why it matters: It matters because IAM, NHI, and human access programmes now have to prove control over access that lives outside traditional policy boundaries, or compliance and cyber insurance assessments will keep exposing the same blind spots.

👉 Read 1Password's summary of Omdia's findings on extended access management and compliance


Context

Extended access management is a response to a simple governance failure: organisations no longer control every application, device, or identity that can reach company data. When SaaS adoption, BYOD, third-party access, and shadow AI expand the access surface, traditional IAM and MDM controls stop providing the evidence needed for audit, insurance, and regulatory review.

The practical issue for identity teams is not just coverage, but provability. If unmanaged devices and applications can still access sensitive data, then RBAC, MFA, vendor access controls, and audit trails become incomplete by design. That turns compliance from a periodic exercise into a continuous identity governance problem across human users, service access, and emerging AI-driven access paths.


Key questions

Q: How should security teams handle unmanaged access when preparing for compliance audits?

A: They should first identify every application, device, contractor flow, and shadow AI path that can access sensitive data outside central IAM or MDM. Then they should attach each path to an accountable control owner, a log source, and a review cycle. If an access path cannot produce evidence, it is not audit ready.

Q: Why do unmanaged devices and applications create cyber insurance risk?

A: Because insurers increasingly want proof that access is controlled, monitored, and explainable. Unmanaged devices and apps undermine that proof by bypassing posture checks, identity logs, and policy enforcement. The result is not only higher exposure to breach claims, but weaker negotiating position during underwriting and renewal.

Q: What do IAM teams get wrong about compliance in BYOD and SaaS environments?

A: They often assume a written policy is enough. In practice, compliance depends on whether the policy is enforced where access actually happens. BYOD and SaaS create access paths that can sit outside traditional tooling, so teams need evidence of enforcement, not just declarations of intent.

Q: How can organisations simplify identity governance across human and non-human access?

A: By using one evidence model for all access types. Human logins, contractor access, service identities, and unmanaged application flows should all map to the same expectations for authentication, logging, and review. That does not eliminate different controls, but it does remove fragmented explanations during audit and assurance checks.


Technical breakdown

Why legacy IAM and MDM miss unmanaged access

Legacy IAM and mobile device management were designed for environments where IT provisioned most applications and devices directly. That model breaks when workers adopt SaaS tools, personal devices, and third-party services outside central control. The result is not simply more devices to manage, but more access paths that never enter the normal governance lifecycle, so policy enforcement, logging, and attestations become partial rather than complete.

Practical implication: map which access paths are outside IAM and MDM coverage before you treat any compliance control as complete.

Why compliance evidence depends on access visibility

Compliance frameworks do not just ask whether controls exist. They ask whether you can prove who or what accessed sensitive data, under what conditions, and with what monitoring in place. Unmanaged apps and devices make that proof harder because they bypass the systems that generate authoritative logs, device posture signals, and policy enforcement records. Without that evidence, audit readiness degrades even if written policies look strong.

Practical implication: tie every sensitive-access path to a log source, a control owner, and a reviewable policy decision.

How extended access governance changes the control model

Extended access management shifts the control model from device-first perimeter thinking to identity-centric enforcement across apps, devices, and access decisions. That means contextual access, credential protection, device trust, and reporting become part of the same governance layer rather than separate point controls. In practice, the value is not just tighter security but a cleaner compliance narrative that auditors and insurers can evaluate consistently.

Practical implication: consolidate access evidence into a single governance workflow instead of proving compliance control by control.


NHI Mgmt Group analysis

Unmanaged access is the real compliance failure mode: the gap is not that organisations lack policies, but that policies cannot govern access paths they do not see. Omdia’s framing shows how SaaS, BYOD, and third-party adoption create an access estate that sits outside traditional IAM and MDM assumptions. The practitioner conclusion is straightforward: compliance evidence is only as strong as the least governed access path.

Extended access management is a governance response, not just a security feature: the important shift is from managing devices to governing all access that reaches sensitive data. That aligns with NIST Cybersecurity Framework 2.0 thinking on governance and protection, because control ownership, evidence, and accountability matter as much as enforcement. Practitioners should treat it as an identity control plane question, not a tooling label.

Compliance and cyber insurance are converging on the same identity questions: the report’s audit and insurance framing shows that both buyers now ask whether access is verifiable, constrained, and explainable. That convergence puts pressure on IAM, PAM, and NHI programmes to share a common evidence model for humans, contractors, service identities, and unmanaged endpoints. The practitioner takeaway is that fragmented governance will fail both reviews at once.

Shadow AI makes access governance broader than endpoint control: once employees can adopt tools and services independently, the identity problem includes unmanaged application access as well as unmanaged devices. That means identity teams must think in terms of who can create access, not only who can consume it. The conclusion for practitioners is that access governance now has to cover discovery, policy, and auditability across the full shadow access surface.

Compliance simplification is actually control simplification: the strongest reading of this topic is that organisations reduce audit friction when they reduce governance fragmentation. A single evidence model for RBAC, MFA, vendor access, device trust, and logging is easier to defend than separate control narratives built for different tool stacks. Practitioners should use compliance as the forcing function for access rationalisation.

From our research:

  • 75% of organisations express strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
  • NHI Lifecycle Management Guide shows how governance breaks when discovery, rotation, and offboarding are handled as separate tasks.

What this signals

Compliance pressure is becoming an identity architecture issue: as access expands beyond managed devices and sanctioned applications, programme leaders should expect audit and insurance requirements to ask for stronger proof of who or what accessed data. The useful signal is not just more control, but fewer uncontrolled access paths that force manual explanations later. For teams aligning to the NIST Cybersecurity Framework 2.0, the governance and protect functions now depend on access visibility.

Access governance fragmentation will surface in review cycles first: if one team owns IAM, another owns device trust, and a third owns vendor access, the audit trail will fragment before the policy set does. With 75% of organisations expressing strong confidence in their secrets management capabilities according to The State of Secrets in AppSec, confidence and control are clearly diverging in many programmes. Practitioners should look for that divergence in their own reporting and certification workflows.

Evidence unification is the next maturity step: the organisations that can tie access, posture, and reporting into one reviewable record will have a simpler path through both compliance and cyber insurance scrutiny. That makes extended access management a forcing function for identity programme design, not a niche product category. Teams should use this moment to rationalise how human, contractor, and NHI access evidence is assembled and retained.


For practitioners

  • Inventory unmanaged access paths: Identify every device, application, contractor flow, and shadow AI entry point that can reach sensitive data but does not pass through central IAM or MDM controls.
  • Unify audit evidence collection: Require each sensitive access path to produce logs, device posture signals, and policy decisions that can be reviewed together during audit or insurance assessment.
  • Map compliance controls to access sources: Tie RBAC, MFA, vendor access, and incident reporting to the specific systems that enforce them so no control depends on a manual explanation at audit time.
  • Extend governance to shadow AI adoption: Treat unmanaged applications and AI tools as access governance issues, then document how their authentication, data access, and logging will be reviewed.
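The four practitioner steps above, together with the audit-readiness rule from the Key questions section (a sensitive access path with no log source, no control owner and no review cycle is not audit ready), as one added worked example. This is editorial example code, not code from 1Password or Omdia; the AccessPath schema, its field names, the "unmanaged" rule (bypasses IAM or runs from a non-MDM device) and the sample inventory are assumptions constructed for illustration. The same evidence model is applied to human, contractor, service and shadow AI paths, which is the point the article makes about fragmented governance.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class AccessPath:
    """One way an identity can reach company data (hypothetical schema)."""
    name: str
    identity_kind: str                 # "human", "contractor", "service" or "shadow_ai"
    touches_sensitive_data: bool
    in_iam: bool                       # authenticates through central IAM
    device_managed: Optional[bool]     # MDM-enrolled device; None = no device (server to server)
    log_source: Optional[str]          # system emitting authoritative access logs
    control_owner: Optional[str]       # accountable owner of the control
    policy_decision: Optional[str]     # reference to the documented allow/deny rule
    last_review: Optional[date]
    review_cycle_days: int = 90


def is_unmanaged(path: AccessPath) -> bool:
    """Assumed rule: a path is unmanaged if it bypasses IAM or runs from a non-MDM device."""
    return (not path.in_iam) or path.device_managed is False


def evidence_gaps(path: AccessPath, today: date) -> list:
    """Return the evidence a sensitive path is missing; an empty list means audit ready."""
    if not path.touches_sensitive_data:
        return []                      # non-sensitive paths need no evidence in this model
    gaps = []
    if path.log_source is None:
        gaps.append("no log source")
    if path.control_owner is None:
        gaps.append("no control owner")
    if path.policy_decision is None:
        gaps.append("no reviewable policy decision")
    if path.last_review is None:
        gaps.append("never reviewed")
    elif today - path.last_review > timedelta(days=path.review_cycle_days):
        gaps.append("review overdue")  # the edge case: evidence exists but is stale
    return gaps


def audit_readiness(paths, today: date) -> dict:
    """Evaluate every path with the same evidence model, managed or not."""
    report = {}
    for p in paths:
        gaps = evidence_gaps(p, today)
        report[p.name] = {
            "identity_kind": p.identity_kind,
            "unmanaged": is_unmanaged(p),
            "gaps": gaps,
            "audit_ready": not gaps,
        }
    return report


def summarize(report: dict) -> dict:
    """The counts an auditor or insurer asks for first."""
    return {
        "total": len(report),
        "unmanaged": sum(1 for r in report.values() if r["unmanaged"]),
        "not_ready": sorted(n for n, r in report.items() if not r["audit_ready"]),
    }


# Constructed sample inventory; names, systems and dates are invented for illustration.
TODAY = date(2025, 7, 1)
SAMPLE_PATHS = [
    AccessPath("corp-sso-to-hr-saas", "human", True, True, True,
               "idp-audit-log", "iam-team", "POL-RBAC-HR", TODAY - timedelta(days=30)),
    AccessPath("contractor-laptop-to-crm", "contractor", True, True, False,
               "crm-audit-log", None, "POL-VENDOR-CRM", TODAY - timedelta(days=200)),
    AccessPath("ci-deploy-service-account", "service", True, False, None,
               "cloud-audit-log", "platform-team", "POL-SA-DEPLOY", TODAY - timedelta(days=10)),
    AccessPath("shadow-ai-doc-summariser", "shadow_ai", True, False, True,
               None, None, None, None),
    AccessPath("public-status-page", "human", False, False, False,
               None, None, None, None),
]

if __name__ == "__main__":
    rep = audit_readiness(SAMPLE_PATHS, TODAY)
    for name, r in rep.items():
        state = "READY" if r["audit_ready"] else "GAPS: " + ", ".join(r["gaps"])
        print(f"{name:32} unmanaged={r['unmanaged']!s:5} {state}")
    print(summarize(rep))
```

Running the sample shows the two outcomes the article separates: the contractor path is unmanaged yet partly evidenced (it has a log source and a policy reference but no owner and a stale review), while the shadow AI path is unmanaged and has no evidence at all. The service account is unmanaged by the assumed rule but fully evidenced, which is why the report flags managed status and audit readiness as separate columns rather than collapsing them.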

Key takeaways

  • Legacy IAM and MDM fail when access grows beyond centrally managed devices, apps, and identities.
  • Compliance and cyber insurance now depend on demonstrable access evidence, not policy statements alone.
  • Identity teams should treat extended access management as a governance model for all access paths, not just another control layer.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.OC | Compliance and insurance both depend on knowing which access paths exist.
NIST CSF 2.0 | PR.AC-4 | RBAC and access enforcement are central to the compliance questions raised here.
OWASP Non-Human Identity Top 10 | NHI-01 | Unmanaged identities and access paths create the governance gaps discussed in the article.

Inventory non-human and unmanaged access sources before treating controls as complete.


Key terms

  • Extended Access Management: A governance approach that extends identity and access controls beyond traditional managed endpoints and sanctioned applications. It treats unmanaged devices, SaaS tools, contractors, and shadow access paths as part of the security perimeter that must be evidenced, not merely asserted.
  • Unmanaged Access: Any access to company data that does not pass through the organisation's primary control and logging stack. In practice, this includes devices, apps, or identities that can authenticate or reach data without being fully visible to IAM, MDM, or audit workflows.
  • Audit Readiness: The ability to prove that identity and access controls are operating as described, with logs, ownership, and review evidence available on demand. It is not just having controls in place, but being able to demonstrate them consistently to auditors, insurers, and regulators.
  • Shadow AI: AI tools or services adopted without formal approval or governance. In identity terms, shadow AI matters because it introduces new authentication, data-access, and logging paths that often sit outside existing IAM assumptions and can weaken compliance evidence.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Password: Omdia report summary on how extended access management closes security gaps. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org