TL;DR: As SaaS, AI tools, and unmanaged devices proliferate, organisations lose visibility across apps and logins, creating access blind spots that traditional SSO and spreadsheet-driven governance cannot reliably close, according to Drata’s partner perspective with 1Password. The core issue is not just more access, but fragmented trust decisions across identities, devices, and workflows that identity programmes now have to govern.
At a glance
What this is: The article argues that expanding SaaS, AI tools, and unmanaged devices are pushing access governance beyond traditional SSO and creating hidden access risks.
Why it matters: It matters because IAM, PAM, IGA, and NHI teams increasingly need device assurance and continuous visibility to govern access decisions that now extend beyond managed users and into AI agents.
👉 Read Drata's partner perspective on closing the access-trust gap with 1Password
Context
SaaS sprawl and unmanaged device usage turn access governance into a moving target. Traditional SSO-centric models assume most access flows through a few controlled entry points, but modern work now includes shadow IT, personal devices, and AI tools that sit outside those assumptions. That creates an identity and device trust gap that programmes cannot close with periodic reviews alone.
The identity angle is genuine here because access decisions increasingly depend on both who or what is requesting access and whether the device or workload can be trusted. For IAM, IGA, PAM, and NHI teams, the practical problem is continuous verification across users, service accounts, and AI agents rather than a one-time permission grant. The starting point is typical for fast-scaling organisations, not exceptional.
1Password’s Enterprise Password Manager secures more than 1.3 billion credentials, and the wider message of the article is that credential volume is no longer the only issue. The bigger challenge is governance fragmentation across identity, access, and compliance signals.
Key questions
A: They should treat access as a continuous decision, not a one-time login event. That means mapping every entry path, attaching policy to the session context, and requiring ownership for both the identity and the device or agent behind the request. Without that, governance remains blind to the real access surface.
Q: Why do unmanaged devices create a governance gap for IAM and compliance teams?
A: Unmanaged devices break the assumption that identity alone is enough to establish trust. If the endpoint is not validated, the organisation cannot know whether access came from a controlled environment, which weakens policy enforcement, audit evidence, and incident response. Device assurance closes that gap by adding context to the access decision.
Q: What do security teams get wrong about shadow access in SaaS environments?
A: They often assume the identity platform already has the full picture. In reality, shadow access builds up in app-specific logins, delegated authorisations, personal devices, and informal tool adoption. The fix is to inventory those paths separately and bring them into a governed access model with clear control ownership.
Q: Who is accountable when AI agents or other non-human identities access sensitive systems?
A: Accountability should sit with the system owner or business owner responsible for the agent, not with a vague platform team. AI agents need named ownership, defined scopes, and reviewable logs because they can act independently within their permissions. If no owner is assigned, the identity is effectively unmanaged.
Technical breakdown
Why SSO no longer covers the full access surface
Single sign-on reduces the number of primary authentication events, but it does not govern every access path once users, devices, SaaS apps, and AI tools multiply. Many organisations now rely on app-specific logins, delegated access, and shadow tools that never enter the central SSO flow. That means identity assurance, entitlement review, and device state become separate control problems unless they are stitched together operationally. The access decision is no longer just whether a user authenticated, but whether the sign-in came from a trusted context with an acceptable risk profile.
Practical implication: map every non-SSO access path and decide which identity, device, and policy controls must apply before granting access.
How device trust changes identity governance
Device trust extends identity governance from the account to the endpoint or managed workstation that initiates the session. In practice, it means access is conditional on posture signals such as managed status, security tooling presence, and policy compliance. This is especially relevant where users operate from personal devices or bring their own productivity tools into the environment. Without device trust, access reviews can approve a user or agent while the actual access path remains unverified, which weakens both control enforcement and audit evidence.
Practical implication: tie access approval to validated device posture so governance decisions reflect the real endpoint, not just the identity record.
Why AI agents and other NHIs belong in the same access model
AI agents are not just another application, because they can act on behalf of users, invoke tools, and execute work with their own runtime identity. That makes them closer to non-human identities than to ordinary software features. When organisations treat AI tools as outside IAM and governance, they create a parallel access estate with unclear ownership, untracked permissions, and weak evidence trails. The right model is to classify agent access, attach ownership, and monitor its activity with the same discipline used for service accounts and privileged automation.
Practical implication: register AI agents as governed identities and include them in access policy, review, and audit workflows.
NHI Mgmt Group analysis
Access trust has become a policy problem, not just an authentication problem. The article’s core signal is that organisations are no longer failing at login alone, they are failing at deciding what should be trusted after login. Once SaaS, unmanaged devices, and AI tools expand the access surface, static policy boundaries collapse. The practical conclusion for IAM and IGA teams is that trust decisions must follow the session, not sit only at the perimeter.
Hidden access is the named concept this article makes unavoidable. Hidden access is the accumulated set of app connections, device states, delegated permissions, and AI-mediated sign-ins that sit outside central visibility. That matters because control loss usually starts in the spaces between tools, not in the core identity platform. Programmes that cannot see these paths cannot govern them, so visibility is now a prerequisite to control.
Device assurance is becoming an identity control, not a separate compliance checkbox. The article shows that device health and access policy are converging operationally. If the device cannot be trusted, the identity sitting on top of it cannot be treated as fully trusted either. That shifts device posture from an endpoint concern into IAM and PAM decision-making, especially where sensitive SaaS and NHI workflows intersect.
Agentic AI will intensify the same governance gap if it is left outside identity programmes. The article explicitly links its access model to AI agents, which is the right direction of travel. AI agents expand the number of governed actors that can initiate access, and their activity is harder to audit when controls remain user-centric. The practitioner takeaway is to extend governance before agent usage scales further.
Unified control surfaces will matter more than point integrations. This article reflects a broader market move toward tying access management, SaaS governance, and compliance evidence into one operational model. That does not remove the need for strong IAM, PAM, or NHI controls, but it does show that fragmented tooling leaves too many blind spots. Teams should treat integration depth and evidence quality as core procurement criteria.
What this signals
Hidden access is becoming a programme-level risk metric. As SaaS adoption, unmanaged devices, and AI tools expand, teams need to measure how much of their access surface is outside direct governance rather than assuming central IAM visibility is complete. The operational question is no longer whether identities are authenticated, but whether the surrounding trust context is verifiable at the moment access is used.
Device posture and identity posture are converging. That means IAM, IGA, PAM, and NHI teams should expect more access decisions to depend on endpoint assurance, evidence quality, and continuous policy checks. For practitioners, the near-term signal to watch is whether access reviews can be tied to live context instead of stale records.
AI agents now need the same governance discipline as service accounts. When agent activity can invoke tools or access sensitive apps, the organisation needs ownership, scope control, and auditability. The more agents operate outside those controls, the more governance debt accumulates, which is why the control model should be extended before scale accelerates further.
For practitioners
- Inventory all non-SSO access paths Document every SaaS login, delegated connection, and AI tool access path that bypasses central SSO so you can assign a control owner and review cadence to each one.
- Make device posture a pre-access condition Require validated device status before access is granted to sensitive applications, including checks for managed status, security tooling, and compliance state.
- Bring AI agents into identity governance Register AI agents and other non-human identities as governed actors, then attach owners, access scopes, and review workflows to their runtime permissions.
- Replace spreadsheet-led evidence collection Move compliance evidence capture into integrated workflows so access and device posture can be audited continuously rather than reconstructed after the fact.
- Define remediation paths for non-compliant devices Use guided self-remediation and automated quarantine or step-up controls so access can be restored only after the device returns to policy.
Key takeaways
- The article shows that modern access risk now sits in the spaces between identity, device, and SaaS governance.
- As AI tools and unmanaged endpoints proliferate, access visibility becomes a continuous control problem rather than a periodic review problem.
- Organisations that cannot validate device trust and agent ownership will struggle to produce reliable compliance evidence or contain hidden access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | The article centres on access permissions and trust decisions across SaaS and devices. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is the control principle behind access and device trust decisions. |
| OWASP Agentic AI Top 10 | The article explicitly includes AI agents as governed access actors. | |
| NIST AI RMF | GOVERN | AI agents and access governance require ownership, accountability, and policy oversight. |
Map non-SSO access paths to PR.AC-4 and enforce context-aware approval before access is granted.
Key terms
- Hidden Access: Hidden access is any app, device, delegated permission, or login path that exists outside central identity visibility. It becomes a governance problem when organisations cannot see who or what is using the access, which policies apply, or how to audit the resulting activity.
- Device Trust: Device trust is the practice of using endpoint posture and managed-state signals to decide whether access should be allowed. It adds context to identity decisions by checking whether the device itself meets policy before sensitive systems or data can be reached.
- Access-Trust Gap: The access-trust gap is the difference between an identity being authenticated and the environment being trusted enough to grant access. It usually appears when SaaS sprawl, personal devices, and AI tools outgrow the controls used to make access decisions.
- Agentic AI Identity: Agentic AI identity is the governed identity assigned to an AI system that can act, call tools, or access data during runtime. It needs ownership, permissions, and auditability because the agent can make access decisions or execute tasks independently within its allowed scope.
What's in the full article
Drata's full partner perspective covers the operational detail this post intentionally leaves for the source:
- How the Drata and 1Password Device Trust integration maps device checks into continuous compliance evidence.
- Which device controls are being validated before access is granted, including posture and security tooling signals.
- How automated self-remediation reduces access disruption when devices fall out of compliance.
- Where the partner model claims to reduce manual evidence collection across security and audit workflows.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps identity and security practitioners build the control model needed for modern access estates.
Published by the NHIMG editorial team on 2026-02-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org