TL;DR: Unapproved AI tools, shadow SaaS, and apps outside SSO create unmanaged access sprawl that manual onboarding and offboarding cannot keep up with, according to 1Password. The governance problem is not just visibility, but lifecycle control across discovery, access review, and license reclamation.
At a glance
What this is: This is a demo of 1Password SaaS Manager that focuses on discovering unmanaged apps and automating SaaS access governance.
Why it matters: It matters because unmanaged SaaS and shadow AI can bypass SSO, weaken access oversight, and create lifecycle gaps across NHI, autonomous, and human identity programmes.
👉 Watch 1Password's demo of SaaS Manager for shadow app discovery and lifecycle control
Context
SaaS sprawl becomes an identity governance problem when employees adopt applications outside SSO and security teams lose a reliable inventory of what is connected to corporate data. In that environment, access decisions, offboarding, and license control are all forced into manual review cycles that lag behind actual usage.
The article frames the issue around unapproved AI tools, shadow SaaS, and apps outside SSO. For IAM leaders, the practical challenge is not only discovery, but maintaining lifecycle governance across app onboarding, access review, offboarding, and entitlement cleanup as the application surface keeps expanding.
Key questions
Q: How should security teams govern shadow SaaS that appears outside SSO?
A: Start by treating shadow SaaS as an access governance problem, not just an inventory issue. Build discovery that maps observed employee use to approved applications, assign ownership to each unmanaged app, and require offboarding and access review workflows for anything outside SSO. Without that loop, entitlement records drift away from real usage.
Q: Why do unmanaged apps outside SSO increase identity risk?
A: Because SSO is often the point where governance, logging, and lifecycle control become dependable. When users adopt apps outside SSO, offboarding can miss active access, access reviews lose coverage, and ownership becomes unclear. The result is hidden entitlements that persist long after the business need has changed.
Q: What do teams get wrong about SaaS access reviews?
A: They often assume a spreadsheet-based review can catch everything after the fact. In practice, SaaS sprawl changes faster than manual review cycles, so stale access survives between checkpoints. Reviews need current discovery and usage evidence, otherwise they certify an outdated picture of who can access what.
Q: How do organisations reduce SaaS waste without creating access risk?
A: Use usage telemetry to identify dormant licenses, then confirm whether the account is still needed before reclaiming it. The safest programmes connect finance and security workflows so cost optimisation does not become accidental access removal. Reclamation should always follow evidence, not assumptions.
Background and context
Shadow SaaS discovery and unmanaged application visibility
Shadow SaaS appears when users adopt applications without central approval or SSO integration, which means IT never gets a complete control plane for access governance. Discovery has to identify both sanctioned and unsanctioned applications, then reconcile them against known users, business owners, and access paths. Without that baseline, lifecycle controls operate on partial data and entitlement reviews miss the applications that matter most. The technical problem is not just inventory. It is the mismatch between actual user behaviour and the identity system's assumed application map.
Practical implication: build discovery processes that compare observed employee usage with approved app inventories before access review starts.
Automated SaaS lifecycle governance and access reviews
Manual onboarding and offboarding checklists do not scale when application adoption is continuous and decentralized. Automated SaaS lifecycle governance ties discovery, access requests, access reviews, and offboarding into one process so entitlement state changes with real usage rather than calendar reminders. Access reviews are especially important because apps outside SSO often accumulate stale or unowned access that no one revisits. In practice, this is a governance workflow problem as much as an integration problem. If review data is incomplete, the cleanup step becomes guesswork.
Practical implication: automate review and offboarding workflows so stale access and orphaned entitlements are handled from observed usage, not manual memory.
SaaS spend control through license reclamation and usage data
License reclamation depends on linking real employee usage data to application entitlements. Without that linkage, teams can reduce neither waste nor risk, because they cannot distinguish a dormant paid seat from a needed but infrequently used one. Finance, IT, and Security all need the same usage evidence, but for different reasons: cost control, operational ownership, and exposure reduction. The important distinction is that spend optimisation is not separate from access governance. Unused licenses often reveal inactive accounts, weak offboarding, or duplicated point solutions that hide in plain sight.
Practical implication: use usage telemetry to reclaim idle licenses only after confirming the account is no longer required for business access.
NHI Mgmt Group analysis
Shadow SaaS is an identity governance failure before it becomes an inventory problem. When employees can adopt applications outside SSO, the organisation loses its authoritative view of who has access to what. That breaks recertification, offboarding, and accountability in the same move. The practitioners' mistake is treating discovery as a reporting exercise rather than the front door to identity control. The implication is straightforward: unmanaged app adoption should be governed as an access lifecycle issue, not as a procurement exception.
Apps outside SSO create lifecycle blind spots that manual processes cannot close. Manual onboarding and offboarding assume a known set of applications and a known set of approvers. Shadow SaaS invalidates both assumptions because ownership, access, and usage can change before a checklist is updated. That is why access reviews become stale quickly when they depend on spreadsheet workflows. Practitioners should treat the unmanaged app surface as a recurring governance drift problem.
Unmanaged AI tool adoption is a named concept that broadens SaaS governance beyond classic shadow IT. The post is not only about unsanctioned business apps, but also about employees using unapproved AI tools that may store data, retain tokens, or create new access paths outside central control. That expands the identity surface from software licensing into data handling and session governance. The implication for IAM and security teams is to classify AI tool usage as part of SaaS lifecycle control, not as a separate niche risk.
License reclamation only works when entitlement state follows actual usage. Real employee usage data is the control point that separates legitimate access from waste and exposure. If reclamation runs without that evidence, teams either leave dormant access in place or remove access that still supports business work. The broader lesson is that spend optimisation and access governance are the same operational problem viewed from different angles. Practitioners should align financial, IT, and security workflows around shared usage evidence.
1Password's demo reflects a wider market shift toward unified governance across discovery, access, and cost control. The real signal is that app governance can no longer sit in separate silos for onboarding, review, and license management. As SaaS sprawl grows, identity teams need a single operating model that can see unmanaged apps, close stale access, and support cross-functional ownership. Practitioners should re-evaluate whether their current tooling can enforce lifecycle discipline across the whole app estate.
From our research:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure, according to the same research.
- That lifecycle pattern is why teams should pair cleanup with the NHI Lifecycle Management Guide before they treat app rationalisation as a finance-only exercise.
What this signals
Shadow SaaS is now a governance signal, not a side issue. When employees can create app sprawl faster than central teams can catalogue it, lifecycle controls stop being periodic and become continuous. The programme impact is immediate: IAM, IT, and security need shared discovery data before offboarding or access review can be trusted.
Unmanaged AI tool adoption expands the SaaS problem into data exposure territory. The next governance question is not only which apps exist, but which tools handle sensitive data outside approved controls. Teams should align app discovery with the NIST Cybersecurity Framework 2.0 functions of identify and protect so governance keeps pace with adoption.
Hidden access will keep surfacing unless reclaim and review are linked. A license that is merely idle is not the same as a license that is safely removable. Practitioners should build operational thresholds for review, owner confirmation, and revocation so cost control does not undermine availability.
For practitioners
- Map unmanaged application exposure: Compare discovered employee applications against the approved SSO catalogue, then assign an owner to every app that appears outside the current control set.
- Automate access review triggers: Trigger SaaS access reviews from observed usage and app status changes, not from a fixed quarterly calendar or manual spreadsheet.
- Tie offboarding to app-level revocation: Remove app access when users leave or move roles, and verify that offboarding covers applications outside SSO as well as those in the main directory.
- Reclaim licenses with usage evidence: Use real employee usage data to identify dormant seats, then reclaim licenses only after confirming the account is not supporting active business work.
- Consolidate fragmented point controls: Review whether discovery, access review, and license management are spread across separate tools, then consolidate where fragmentation is causing duplicated effort or blind spots.
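As an added illustration (not code from the page or from 1Password), the reconciliation logic the five steps above describe, run over constructed sample data: observed usage is compared with the SSO catalogue and owner registry, offboarded users' residual access is flagged for revocation, and dormant seats are reclaimed only once an owner has confirmed them. The data formats, app names and the 60-day dormancy threshold are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (assumed formats; not 1Password's data model).
SSO_CATALOGUE = {"slack", "jira"}                # apps brokered through SSO
APP_OWNERS = {"slack": "it-ops", "jira": "eng"}  # accountable owner per app
OFFBOARDED = {"bob"}                             # users HR has marked as left
TODAY = date(2025, 6, 2)
# Observed usage: (user, app, last_seen). "notion-ai" and "figma" were
# adopted outside SSO and have no registered owner.
USAGE = [
    ("alice", "slack", date(2025, 6, 1)),
    ("alice", "notion-ai", date(2025, 5, 30)),
    ("bob", "notion-ai", date(2025, 4, 2)),
    ("carol", "jira", date(2025, 1, 10)),
    ("dave", "figma", date(2025, 5, 28)),
]


def governance_report(usage, today=TODAY, dormant_days=60, owner_confirmed=frozenset()):
    """Reconcile observed usage with the SSO catalogue and offboarding data.

    Returns four sets:
      unmanaged:  apps seen outside SSO that still need an owner assigned
      stale:      (user, app) access still held by offboarded users
      candidates: dormant seats awaiting owner confirmation before reclaim
      reclaim:    dormant seats the owner confirmed are no longer needed
    """
    cutoff = today - timedelta(days=dormant_days)
    unmanaged, stale, candidates, reclaim = set(), set(), set(), set()
    for user, app, last_seen in usage:
        if app not in SSO_CATALOGUE and app not in APP_OWNERS:
            unmanaged.add(app)          # outside the control set and unowned
        if user in OFFBOARDED:
            stale.add((user, app))      # offboarding missed this access
            continue                    # revoke it; it is not a seat to reclaim
        if last_seen < cutoff:
            # Idle is not the same as removable: reclaim only with owner sign-off.
            target = reclaim if (user, app) in owner_confirmed else candidates
            target.add((user, app))
    return {"unmanaged": unmanaged, "stale": stale,
            "candidates": candidates, "reclaim": reclaim}


if __name__ == "__main__":
    for key, value in governance_report(USAGE).items():
        print(f"{key}: {sorted(value)}")
```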
Key takeaways
- Shadow SaaS is an identity governance issue because unmanaged apps break the link between real usage and authoritative access records.
- Manual onboarding and offboarding cannot keep pace with app sprawl, which is why automated discovery and review are now baseline controls.
- Usage-based license reclamation is only safe when it is coupled to offboarding verification and ownership confirmation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Shadow SaaS and stale access map to unmanaged lifecycle and secret exposure risks. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed as users adopt apps outside SSO. |
| NIST Zero Trust (SP 800-207) | AC-4 | Continuous verification is needed when app boundaries extend beyond the SSO perimeter. Require policy-based access decisions for SaaS apps that bypass the central trust boundary. |
Key terms
- Shadow SaaS: Applications adopted by employees without central approval or full identity governance coverage. Shadow SaaS can sit outside SSO, logging, and lifecycle processes, which leaves security teams with incomplete visibility into access, data handling, and offboarding obligations.
- SaaS lifecycle governance: The operating model for managing application discovery, onboarding, access review, offboarding, and license reclamation. It ensures application access changes with business need and that ownership, entitlement state, and usage evidence stay aligned over time.
- License reclamation: The process of recovering unused software licenses after confirming the account or entitlement is no longer required. In identity programmes, reclamation should be based on usage evidence and ownership checks so cost reduction does not create accidental access loss.
- Access review: A recurring governance control that checks whether users still need the access they have been granted. For SaaS environments, the review must use current discovery and usage data, otherwise it certifies stale entitlements and misses unmanaged applications.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by 1Password: Demo On Demand for 1Password SaaS Manager. Read the original.
Published by the NHIMG editorial team on 2026-06-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org