By NHI Mgmt Group Editorial Team | Published 2025-11-20 | Domain: Governance & Risk | Source: 1Password

TL;DR: 52% of employees download work apps without IT approval, 37% do not always follow AI usage policies, and 70% of security leaders say SSO is insufficient for managing employee identities, according to 1Password’s annual report, underscoring how SaaS sprawl outpaces centralized governance. The access problem is no longer login alone, but discovery, lifecycle control, and policy enforcement across managed and unmanaged apps.


At a glance

What this is: This is a 1Password analysis of how SaaS sprawl, shadow IT, and AI usage are outgrowing traditional IAM and IGA controls.

Why it matters: It matters because IAM, PAM, and lifecycle teams need visibility and automated offboarding across sanctioned and unsanctioned apps, not just stronger login controls.

By the numbers:

👉 Read 1Password's analysis of the access-trust gap in SaaS governance


Context

SaaS sprawl is a governance problem before it is a tooling problem. When employees can add apps outside SSO, IAM can authenticate what it sees but it cannot govern what it never discovers, which leaves access, data handling, and offboarding fragmented across shadow IT, team-managed tools, and AI usage outside policy.

The primary identity issue here is not whether users can sign in. It is whether security teams can maintain a current inventory of applications, accounts, and data paths across managed and unmanaged SaaS. That is why SaaS management has become part of the identity stack, especially where Joiner, Mover, Leaver processes now span human users, business-owned apps, and unsanctioned services.


Key questions

Q: How should security teams govern SaaS apps that sit outside SSO?

A: Security teams should treat unfederated SaaS as part of the identity estate, not as a side channel. That means continuous discovery, app ownership assignment, lifecycle automation, and periodic access review. If an application can store data or credentials, it needs the same governance discipline as a managed app, even when users created the account themselves.

Q: Why do shadow IT apps create identity risk even when users still have valid SSO access?

A: Because SSO only covers the apps behind the federation boundary. Users can still create local accounts, keep old subscriptions active, and retain access after role changes or exits. The risk is not that authentication fails, but that identity governance never reached the systems where the data and accounts actually live.

Q: What breaks when JML processes are still manual in a SaaS-heavy environment?

A: Manual JML creates delays, missed revocations, and orphaned accounts. In SaaS-heavy environments, those failures leave former employees and business teams with active access long after it should have ended. The practical consequence is not just higher breach exposure, but weaker auditability and unnecessary license spend.

Q: Who is accountable when unsanctioned SaaS stores sensitive business data?

A: Accountability usually falls between IT, security, and the business team that adopted the application. That ambiguity is the problem. Organisations need named application owners, explicit offboarding responsibility, and policy enforcement that reaches outside the IdP so there is a clear owner for access, data handling, and retirement.


Technical breakdown

Why SSO stops at the login screen

Single sign-on authenticates a user and can revoke a federated session, but it does not govern the full lifecycle of every application account. Unfederated SaaS, locally created accounts, and browser-installed tools sit outside that boundary. That creates a split between identity control and application reality. In practice, IAM confirms who entered the front door, while SaaS discovery determines what doors were opened elsewhere. The governance gap is visibility, not just authentication.

Practical implication: map every app beyond the IdP boundary so access decisions are tied to actual usage, not only federated login records.
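The mapping step above is a set reconciliation: anything observed in browser or finance telemetry that is not in the IdP's application catalogue is, by definition, an app beyond the boundary that federated login records will never show. The following is an added example written for this post (not code from 1Password or NHI Mgmt Group); the IdP catalogue, browser events, spend records, hostnames and user names are all constructed, and the AI-tool list is a hypothetical policy input.

```python
"""Surface SaaS apps that live outside the IdP boundary.

Added example, not code from 1Password or NHI Mgmt Group. All inputs are
constructed: an IdP application catalogue, browser telemetry from managed
devices, and finance card-spend records. Hostnames and users are hypothetical.
"""
from collections import defaultdict

# --- constructed sample inputs -------------------------------------------
IDP_APPS = {"github.com", "slack.com", "salesforce.com"}  # federated via SSO

# Browser telemetry: (user, hostname) pairs seen with a work login
BROWSER_EVENTS = [
    ("alice", "github.com"),
    ("alice", "notion.so"),
    ("bob", "notion.so"),
    ("bob", "chat.example-ai.com"),
    ("carol", "trello.com"),
]

# Finance: vendor hostname -> monthly spend on corporate cards
FINANCE_SPEND = {"notion.so": 240.0, "trello.com": 60.0, "slack.com": 1200.0}

# Vendors the AI usage policy classifies as AI tools (constructed list)
AI_TOOL_DOMAINS = {"chat.example-ai.com"}


def observed_apps(browser_events, finance_spend):
    """Merge every app surfaced by any telemetry source into one inventory."""
    inventory = defaultdict(
        lambda: {"sources": set(), "users": set(), "spend": 0.0}
    )
    for user, host in browser_events:
        inventory[host]["sources"].add("browser")
        inventory[host]["users"].add(user)
    for host, amount in finance_spend.items():
        inventory[host]["sources"].add("finance")
        inventory[host]["spend"] += amount
    return dict(inventory)


def discover_shadow_saas(idp_apps, browser_events, finance_spend, ai_domains):
    """Return {hostname: info} for apps seen in telemetry but absent from the IdP.

    Each entry records which sources surfaced it, the distinct users seen,
    known spend, whether it is an AI tool under policy, and an empty owner
    slot that the governance process must fill.
    """
    shadow = {}
    for host, info in observed_apps(browser_events, finance_spend).items():
        if host in idp_apps:
            continue  # federated: login records already give visibility
        shadow[host] = {
            "sources": sorted(info["sources"]),
            "users": sorted(info["users"]),
            "spend": info["spend"],
            "ai_tool": host in ai_domains,
            "owner": None,  # to be assigned during review
        }
    return shadow


def federation_coverage(idp_apps, browser_events, finance_spend):
    """Share of observed apps that sit behind SSO (1.0 = everything federated)."""
    seen = observed_apps(browser_events, finance_spend)
    if not seen:
        return 1.0
    return len([h for h in seen if h in idp_apps]) / len(seen)


if __name__ == "__main__":
    found = discover_shadow_saas(IDP_APPS, BROWSER_EVENTS, FINANCE_SPEND,
                                 AI_TOOL_DOMAINS)
    for host, info in sorted(found.items()):
        flag = " [AI tool]" if info["ai_tool"] else ""
        print(f"{host}: sources={info['sources']} users={info['users']} "
              f"spend={info['spend']:.2f}{flag}")
    coverage = federation_coverage(IDP_APPS, BROWSER_EVENTS, FINANCE_SPEND)
    print(f"federation coverage: {coverage:.0%}")
```

The coverage ratio is the number the post argues against using as a maturity proxy: on the constructed data only two of five observed apps are federated, and the three that are not include one that finance is already paying for and one AI tool with no owner. Each shadow entry leaves `owner` unset on purpose, so the output doubles as the worklist for ownership assignment.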

How shadow IT turns lifecycle management into risk

Shadow IT is not merely unsanctioned software. It is a parallel identity estate with its own accounts, permissions, and data retention behavior. When joiner, mover, and leaver workflows are manual, orphaned accounts and stale access persist after role changes or departures. That persistence creates audit gaps and increases the likelihood that former users can still reach business data. The core issue is lifecycle inconsistency across systems that were never brought under one governance model.

Practical implication: extend JML processes to every SaaS application that can hold business data, not only the ones under central IT control.

Why SaaS management is becoming identity infrastructure

A SaaS management platform functions as a control plane for discovery, offboarding, license reclamation, and policy enforcement across apps that IAM alone cannot continuously manage. By connecting identity data with HR, finance, browser, and app telemetry, it creates a usable inventory of access and cost. That matters because governance failures now show up as security risk, compliance drift, and wasted spend at the same time. The architecture is less about replacing IAM than about extending its reach into the application layer.

Practical implication: treat SaaS management as an extension of identity governance and integrate it with HR, finance, and access review workflows.


Threat narrative

Attacker objective: The objective is persistence in ungoverned access paths that allow data exposure, policy bypass, and weak accountability across SaaS estates.

  1. Entry happens when employees create or download work apps outside IT approval, bypassing central visibility and control.
  2. Escalation occurs when unsanctioned apps and unmanaged accounts accumulate privileges, retain stale access, or store sensitive data without consistent oversight.
  3. Impact follows when orphaned accounts, missed deprovisioning, and inaccessible audit trails create breach exposure, compliance failure, and unnecessary software spend.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Access-trust gap management is now a core identity discipline, not a procurement cleanup task. The article describes a world where apps appear faster than security can inventory them, and that changes the identity problem from authorization to governance. Once unmanaged SaaS becomes normal, the security team is no longer reviewing a complete access estate. Practitioners should treat continuous discovery as part of identity governance, not as a separate operations function.

Shadow SaaS creates an orphaned-account problem that IAM cannot see on its own. Manual lifecycle processes leave active accounts behind after role changes and exits, especially when apps live outside SSO. That failure mode is not lack of policy on paper, it is lack of enforcement across the actual application surface. The practical conclusion is that JML coverage must extend beyond federated apps to every account-holding service.

Visibility is the new control boundary for SaaS governance. The article’s strongest point is that security teams cannot reclaim what they do not know exists, whether the asset is an app, a license, or an AI tool. That shifts identity governance toward continuous inventory, policy-driven offboarding, and audit-ready proof of who accessed what. Practitioners should build for discovery first and enforcement second.

SaaS management is converging with identity, compliance, and spend governance into one operating model. The report links access control, auditability, and license efficiency because the same unmanaged app can create all three problems at once. That means identity programs can no longer be measured only by authentication coverage or directory hygiene. Teams should evaluate whether their governance model can handle unsanctioned apps, not just sanctioned ones.

The access-trust gap is a programme design issue, not an employee discipline issue. When 37% of employees say they do not always follow AI usage policies, the control failure sits in the operating model, not only in user behaviour. The lesson is that policy alone does not scale without discovery, enforcement, and lifecycle automation. Security leaders should reframe SaaS governance as a continuous control system.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
  • That visibility problem is why the NHI Lifecycle Management Guide matters: discovery, rotation, and offboarding only work when the estate is visible first.

What this signals

Access-trust gaps will keep widening unless identity teams shift from directory control to estate control. The practical signal for programmes is that SSO coverage can no longer be treated as a proxy for governance maturity. Teams should expect more demand for continuous discovery, ownership mapping, and offboarding automation across SaaS and AI tools, especially where browser-driven adoption bypasses central approval.

Shadow SaaS is becoming a lifecycle issue as much as a security issue. The organisations that cope best will be the ones that connect access reviews to real application inventories and tie them into HR and finance signals. That creates a cleaner path for deprovisioning, audit evidence, and cost control in one workflow.

SaaS governance is moving toward a unified control model that links identity, compliance, and spend. For practitioners, that means prioritising systems that can surface unmanaged apps and prove who can access them, rather than relying on spreadsheets and one-time clean-up projects. The category is increasingly about operational control, not just visibility for its own sake.


For practitioners

  • Expand discovery beyond SSO coverage: Inventory every application discovered through IdP logs, browser telemetry, HR records, and finance spend so the access estate includes both sanctioned and shadow SaaS.
  • Automate JML across all account-holding apps: Route joiner, mover, and leaver events into offboarding and license-reclamation workflows for every SaaS system that stores business data.
  • Reconcile active accounts with actual usage: Run periodic reviews that compare provisioned access, dormant accounts, and recent application activity so stale entitlements are removed before audit time.
  • Tie AI usage policy to application controls: Block or monitor unsanctioned AI tools with the same governance pipeline used for other shadow SaaS so policy violations become visible and actionable.
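The lifecycle failure described under "How shadow IT turns lifecycle management into risk" and the last three practitioner items above are one reconciliation loop: every discovered account, federated or not, is compared against HR status and recent activity, and the same pass flags unsanctioned AI tools. The following is an added example written for this post (not code from 1Password or NHI Mgmt Group). The HR roster, account inventory, sanctioned-app list, AI-tool list, dates and the 90-day dormancy threshold are all constructed or hypothetical inputs.

```python
"""Reconcile every account-holding SaaS app against HR status and activity.

Added example, not code from 1Password or NHI Mgmt Group. The HR roster, the
account inventory, the sanctioned-app list and the AI-tool list are all
constructed; apps, users and dates are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    app: str
    user: str
    last_active: Optional[date]  # None = never seen active
    licensed: bool               # paid seat that can be reclaimed


@dataclass(frozen=True)
class Finding:
    app: str
    user: str
    action: str   # revoke | orphaned | review_dormant | policy_violation
    reason: str


# --- constructed sample inputs -------------------------------------------
TODAY = date(2025, 11, 20)  # review date, fixed so the example is reproducible
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "left", "left_on": date(2025, 9, 30)},
    "carol": {"status": "active"},
}
# Accounts discovered across sanctioned and shadow apps alike
ACCOUNTS = [
    Account("github.com", "alice", date(2025, 11, 18), True),
    Account("notion.so", "bob", date(2025, 10, 2), True),     # used after leaving
    Account("notion.so", "alice", date(2025, 6, 1), True),    # long idle
    Account("trello.com", "carol", date(2025, 11, 15), True),
    Account("trello.com", "dave", None, False),               # nobody in HR
    Account("chat.example-ai.com", "carol", date(2025, 11, 19), False),
]
SANCTIONED_APPS = {"github.com", "slack.com", "notion.so"}
AI_TOOLS = {"chat.example-ai.com"}


def reconcile(accounts, hr_roster, sanctioned, ai_tools, today, dormant_days=90):
    """Produce lifecycle findings for each account, regardless of IdP coverage."""
    findings = []
    for acct in accounts:
        person = hr_roster.get(acct.user)
        if person is None:
            findings.append(Finding(acct.app, acct.user, "orphaned",
                                    "no matching HR record"))
        elif person["status"] == "left":
            reason = f"left on {person['left_on']}"
            if acct.last_active and acct.last_active > person["left_on"]:
                reason += f"; active on {acct.last_active} after departure"
            findings.append(Finding(acct.app, acct.user, "revoke", reason))
        elif acct.last_active is None or (today - acct.last_active).days > dormant_days:
            findings.append(Finding(acct.app, acct.user, "review_dormant",
                                    f"no activity in {dormant_days} days"))
        # AI policy rides on the same pipeline as the rest of shadow SaaS
        if acct.app in ai_tools and acct.app not in sanctioned:
            findings.append(Finding(acct.app, acct.user, "policy_violation",
                                    "unsanctioned AI tool"))
    return findings


def reclaimable_licenses(accounts, findings):
    """Count paid seats freed if revoke/orphaned/dormant findings are actioned."""
    to_free = {(f.app, f.user) for f in findings
               if f.action in ("revoke", "orphaned", "review_dormant")}
    return sum(1 for a in accounts if a.licensed and (a.app, a.user) in to_free)


if __name__ == "__main__":
    found = reconcile(ACCOUNTS, HR_ROSTER, SANCTIONED_APPS, AI_TOOLS, TODAY)
    for f in found:
        print(f"{f.action:17} {f.app:22} {f.user:6} {f.reason}")
    print("reclaimable licences:", reclaimable_licenses(ACCOUNTS, found))
```

Two details carry the post's argument. The revoke finding records activity after the HR leave date, which is the audit evidence a manual JML process never produces; and the orphaned finding comes from a shadow app where the user has no HR record at all, so nothing driven by the IdP would ever have noticed it. The licence count ties the same findings to spend, which is why the post treats access, auditability and cost as one problem.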

Key takeaways

  • SaaS sprawl creates an identity governance gap that SSO alone cannot close.
  • Manual lifecycle processes leave orphaned access, weaker auditability, and avoidable risk across unmanaged applications.
  • Continuous discovery and automated offboarding are now core requirements for governing SaaS, shadow IT, and AI tool adoption.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                          Control / Reference   Relevance
NIST CSF 2.0                       PR.AC-4               SaaS sprawl expands access paths beyond central identity control.
NIST Zero Trust (SP 800-207)       SP 800-207            Zero trust requires continuous verification across apps, not just SSO sign-in.
OWASP Non-Human Identity Top 10    NHI-03                Unmanaged SaaS accounts and tokens are non-human identities that need lifecycle control.

Extend continuous verification to SaaS discovery, offboarding, and policy enforcement outside the IdP.


Key terms

  • Shadow SaaS: Shadow SaaS is any application used for work that security and IT have not formally approved or inventoried. These tools often sit outside single sign-on and standard lifecycle processes, which makes account ownership, data handling, and offboarding harder to govern.
  • Access-trust gap: The access-trust gap is the mismatch between who can access tools in practice and what the identity programme believes it controls. It appears when users adopt apps outside central visibility, so authentication, auditability, and lifecycle management no longer cover the full working environment.
  • Joiner, mover, leaver process: A joiner, mover, leaver process governs how access is created, changed, and removed as people enter, change roles, or leave an organisation. In SaaS-heavy environments it must reach every application account, not just directory-managed systems, or stale access and orphaned accounts will remain.
  • SaaS management platform: A SaaS management platform is a control layer that discovers applications, tracks ownership, and automates onboarding, offboarding, and licensing across the software estate. Its value is not just cost control; it extends identity governance into applications that standard IAM cannot continuously manage.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Password: the 2025 Annual Report on the access-trust gap and SaaS management. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org