By NHI Mgmt Group Editorial Team
Published 2026-06-01
Domain: Events
Source: 1Password

TL;DR: Credential sprawl is spreading across departments, SaaS apps, and AI tools outside SSO, leaving unmanaged accounts and reused passwords in the gaps between SSO and PAM, according to 1Password. The practical issue is not tool absence but governance blind spots across provisioned and unprovisioned identities.


At a glance

What this is: This webinar examines how credential sprawl is expanding beyond SSO and PAM, with unmanaged accounts and shadow access creating the real exposure surface.

Why it matters: It matters because IAM programmes that only cover provisioned users and privileged accounts still miss the credentials employees create and use outside formal governance.

👉 Register for 1Password's live demo on credential sprawl and secret leakage


Context

Credential sprawl is the accumulation of unmanaged logins, secrets, and app accounts outside central identity controls. The problem is that many teams only govern the identities they formally provision through SSO or PAM.

That leaves a large gap across SaaS apps, AI tools, and department-level workflows where users create accounts with work email addresses and unmanaged passwords. The result is a governance surface that sits between IAM, PAM, and day-to-day employee behaviour, which is why it is easy to miss and hard to inventory.

For IAM teams, the operational question is not whether the organisation has SSO or PAM, but whether those controls actually cover the accounts employees adopt on their own. The article frames that gap as a programme design issue, not a narrow authentication problem.


Key questions

Q: How should security teams govern accounts created outside SSO?

A: Security teams should treat every externally created business account as an identity asset with an owner, a purpose, and a retirement trigger. The key is to discover those accounts, classify their business use, and fold them into lifecycle governance even when they were never provisioned through the IdP. That is how you reduce shadow access.

Q: Why do SSO and PAM still leave credential sprawl risk behind?

A: SSO covers federated applications and PAM covers elevated access, but credential sprawl lives in the unmanaged middle. Employees can create separate logins for SaaS and AI tools, often with work email and unmanaged passwords. Those accounts may be business critical, yet they sit outside the controls that IAM teams usually measure.

Q: What breaks when departments adopt SaaS tools without identity review?

A: Ownership, offboarding, and access review all break at the same time. The account may support real work, but if procurement, IAM, and the business owner never record it, no one can certify it or remove it later. That is how temporary adoption becomes persistent exposure.

Q: Who should be accountable for unmanaged business accounts?

A: Accountability should sit with the business owner, but operational control belongs with IAM and security. If no owner is assigned, the account will drift outside lifecycle management and become difficult to retire. Governance only works when ownership, technical enforcement, and offboarding are linked.


Background and context

Why credential sprawl escapes SSO coverage

SSO only governs applications that are onboarded into a federated access model. When employees sign up for AI tools or SaaS services with a work email and a separate password, the account exists outside the identity plane that IAM teams can see and control. Those identities still carry business access, but they are not protected by the same authentication, policy, or lifecycle processes as provisioned accounts. The technical problem is not authentication failure alone. It is identity fragmentation across systems that were never enrolled into the directory, the IdP, or the access review process.

Practical implication: map every business-used application against SSO coverage and treat unmanaged sign-up paths as first-class identity risk.

Why PAM does not close the gap

PAM is designed for elevated access, not for the everyday credentials employees create in unmanaged SaaS or AI accounts. That means privileged vaulting can be strong while the broader credential surface remains exposed through reused passwords, personal sign-ups, and department-owned tools. In practice, the organisation ends up protecting the most sensitive accounts while leaving the entry points that link work activity to external services outside formal governance. This is why credential sprawl often looks like a user convenience issue until it becomes a breach path.

Practical implication: use PAM as a privileged control, but separately govern the non-privileged credentials that create shadow access.

How department-led tool adoption creates identity blind spots

Department-led adoption usually starts with a workflow need, not an IAM exception request. Marketing, finance, engineering, and sales each adopt different services, often outside procurement and outside the IdP. That creates a distributed credential estate where accounts are tied to team behaviour rather than formal entitlement models. The governance challenge is lifecycle visibility: who created the account, who owns it, whether it is still used, and how it is removed when the work changes. Without that lifecycle data, the organisation cannot distinguish temporary convenience from permanent exposure.

Practical implication: require ownership and offboarding for every externally created business account, not just centrally provisioned identities.


NHI Mgmt Group analysis

Credential sprawl is an identity governance problem, not a password hygiene problem. The article shows that exposure is concentrated in the gap between SSO-covered apps and privileged accounts managed by PAM. That gap is where employees create business-critical access that no one inventories, certifies, or retires on schedule. Practitioners should treat it as a lifecycle failure across NHI and human identity programmes.

Credential shadowing is the named failure mode this article exposes. Shadow access forms when departments adopt tools faster than identity controls can register them, and the resulting accounts outlive the governance process. The issue is not only that accounts exist outside SSO, but that ownership, review, and offboarding never fully attach to them. Teams need to recognise that the problem is structural visibility loss, not a missing policy line.

SSO and PAM are necessary controls, but they do not describe the full identity perimeter. The article makes clear that modern exposure now lives in the unmanaged middle, where SaaS logins, AI tools, and team-created accounts sit outside central enforcement. That changes the governance model: the perimeter is no longer a list of systems, but a map of where credentials are created, reused, and forgotten. Security teams should reframe control coverage around actual credential lifecycle, not product boundaries.

Credential sprawl will keep expanding as AI tools lower the friction to self-provision access. The article links faster adoption to more unmanaged accounts, which means speed and convenience will continue to outrun formal onboarding unless identity teams redesign the intake path. That has implications for IAM, IGA, and security awareness programmes alike. The practical conclusion is that governance has to meet the user where the account is created.

Wall-to-wall credential management is becoming a baseline expectation for identity programmes. The article’s central signal is that identity governance now needs coverage across provisioned, privileged, and independently adopted accounts. That is especially relevant where departments buy tools first and ask questions later. Practitioners should assume that unmanaged credentials already exist and build controls around discovery, ownership, and retirement.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
  • For a broader lifecycle lens, read Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs to see how ownership, rotation, and offboarding fit together.

What this signals

Credential shadowing: the real risk is not a single unmanaged login, but the accumulation of accounts that never enter the review cycle. As SaaS and AI adoption accelerates, IAM teams will need discovery and retirement workflows that follow the user journey, not just the IdP. That shift aligns with NIST Cybersecurity Framework 2.0 identify and protect functions.

The practical signal for readers is that credential governance is moving from exception handling to continuous coverage. If unmanaged accounts are not measured, they will not be managed, and the gap will keep widening across departments. For implementation patterns, Guide to the Secret Sprawl Challenge is the closest operational reference.


For practitioners

  • Inventory all business-used accounts outside SSO: Build a department-level register of SaaS apps, AI tools, and external services that employees access with work email but without federated sign-in. Include owner, purpose, business criticality, and whether the account is covered by lifecycle governance.
  • Separate privileged governance from everyday credential governance: Keep PAM focused on elevated access, but add a parallel control set for non-privileged credentials created by users in SaaS and AI tools. That includes account discovery, shared-login detection, and retirement workflows.
  • Tie offboarding to account creation provenance: Require every externally created account to have an internal owner and a defined retirement trigger, such as role change, project end, or vendor removal. Without provenance, offboarding will never be reliable.
  • Measure coverage by actual credential surface: Track how many active business accounts sit outside SSO and how many remain outside review after 90 days. That tells you whether governance is reaching the real exposure surface or only the managed subset.
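One way to operationalise the register and the coverage measures from the four steps above, as an added Python example that is not from the page, NHI Mgmt Group or 1Password; the account fields, the sample register and the 90-day review window applied as a cutoff are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_WINDOW_DAYS = 90  # accounts unreviewed longer than this count as outside review


@dataclass
class BusinessAccount:
    """One row of the department-level register (assumed field set)."""
    app: str
    department: str
    owner: Optional[str]              # internal owner; None means ownerless
    purpose: str
    criticality: str                  # "high" | "medium" | "low"
    sso_covered: bool                 # federated sign-in through the IdP?
    last_review: Optional[date]       # last access certification; None = never
    retirement_trigger: Optional[str] # e.g. "role change", "project end", "vendor removal"
    trigger_fired: bool = False       # has the retirement condition already occurred?


def coverage_report(register, today):
    """Measure how much of the register sits outside SSO and lifecycle governance."""
    cutoff = today - timedelta(days=REVIEW_WINDOW_DAYS)
    outside_sso = [a for a in register if not a.sso_covered]
    stale = [a for a in register if a.last_review is None or a.last_review < cutoff]
    ownerless = [a for a in register if a.owner is None]
    retire_now = [a for a in register if a.trigger_fired]
    no_trigger = [a for a in register if a.retirement_trigger is None]
    return {
        "total": len(register),
        "outside_sso": len(outside_sso),
        "outside_sso_pct": round(100 * len(outside_sso) / len(register)) if register else 0,
        "stale_review": sorted(a.app for a in stale),        # outside review > 90 days
        "ownerless": sorted(a.app for a in ownerless),       # no accountable owner
        "retire_now": sorted(a.app for a in retire_now),     # offboarding is due
        "no_retirement_trigger": sorted(a.app for a in no_trigger),
    }


# Constructed sample register for illustration only (not real accounts)
TODAY = date(2026, 6, 1)
SAMPLE_REGISTER = [
    BusinessAccount("crm-suite", "sales", "j.doe", "pipeline", "high", True, date(2026, 5, 10), "role change"),
    BusinessAccount("ai-writer", "marketing", None, "copy drafts", "medium", False, None, None),
    BusinessAccount("expense-saas", "finance", "a.lee", "receipts", "high", False, date(2026, 1, 15), "vendor removal"),
    BusinessAccount("design-tool", "marketing", "m.ng", "campaign assets", "low", False, date(2026, 4, 20), "project end", trigger_fired=True),
]

if __name__ == "__main__":
    for key, value in coverage_report(SAMPLE_REGISTER, TODAY).items():
        print(f"{key}: {value}")
```

Each list in the report is a work queue: stale reviews go to certification, ownerless accounts to the department head, and fired triggers to offboarding.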

Key takeaways

  • Credential sprawl creates security exposure in the unmanaged space between SSO and PAM, where business accounts are created without central governance.
  • The evidence points to a lifecycle problem, not just an authentication problem, because ownership, review, and offboarding often never attach to those accounts.
  • Teams should build discovery and retirement controls for externally created accounts if they want identity governance to cover the real credential surface.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-03              | Credential sprawl often reflects weak rotation and unmanaged secrets.
NIST CSF 2.0                     | PR.AC-1             | The article focuses on access governance gaps across unmanaged accounts.
NIST Zero Trust (SP 800-207)     | PR.AC-4             | Least privilege requires visibility into identities outside the federated perimeter.

Treat unmanaged SaaS logins as part of the trust boundary and enforce least privilege.


Key terms

  • Credential Sprawl: Credential sprawl is the uncontrolled growth of logins, secrets, and accounts across tools, teams, and services. It matters because the organisation loses visibility into where access exists, who owns it, and whether it is still needed. The risk is not only more credentials, but weaker governance over their full lifecycle.
  • Shadow Access: Shadow access is business access that exists outside formal identity governance. It usually appears when users create accounts directly in SaaS or AI tools without SSO, procurement, or security review. The access may be legitimate for work, but it is invisible to the controls that normally govern identity, review, and offboarding.
  • Identity Fragmentation: Identity fragmentation is the splitting of one organisation's access surface across many disconnected systems and processes. In practice, that means the IdP, PAM, app-specific logins, and department-owned tools each hold part of the truth. When those pieces do not reconcile, governance and incident response both become incomplete.

Deepen your knowledge

Credential sprawl, unmanaged accounts, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to cover the gap between SSO and PAM, it is worth exploring.

This post draws on content published by 1Password: "Live Demo: The credential sprawl tour: Is your department leaking secrets?" Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org