TL;DR: SSO reduces login friction, but up to two-thirds of critical business applications still sit outside SSO coverage, leaving weak passwords, informal sharing, and unmanaged contractor access exposed, according to Bitwarden. The security problem is not authentication alone, but the credential layer that remains when SSO does not reach every app.
At a glance
What this is: This analysis shows that SSO simplifies authentication but still leaves a large credential gap across non-SSO applications, vendor access, emergency access, and contractor workflows.
Why it matters: IAM teams need to treat SSO as one control layer, not the full credential strategy, because the biggest exposure often sits in the apps and accounts SSO never touches.
By the numbers:
- 53% of IT decision-makers share passwords via email
- 55% of IT decision makers view third-party contractors and consultants among the highest at-risk groups of supply chain attacks
👉 Read Bitwarden's analysis of SSO blind spots and credential security gaps
Context
Single sign-on reduces password friction, but it does not remove the underlying credential problem across the full application estate. In many organisations, the real governance gap is not the SSO-covered core, but the legacy systems, vendor portals, personal accounts, and new SaaS tools that remain outside it.
That matters for IAM because control consistency breaks down as soon as an application falls outside the SSO boundary. Once access moves to shared passwords, informal vendor handoffs, or manual contractor onboarding, the organisation loses auditability, policy enforcement, and lifecycle control over the credential itself.
Key questions
Q: What breaks when organisations rely on SSO alone for all application access?
A: SSO alone leaves direct-login applications outside central policy, audit, and lifecycle control. Those gaps push users toward reused passwords, informal sharing, and unsafe storage, which means the organisation no longer has a single governance model for access. The result is a fragmented credential estate with inconsistent risk and weak revocation capability.
Q: Why do non-SSO applications increase identity risk in enterprises?
A: Non-SSO applications increase identity risk because they often rely on direct credentials that are harder to monitor, rotate, and revoke. Once access is handled outside the identity provider, controls become inconsistent and exceptions multiply. That makes the non-SSO estate the place where weak passwords and unmanaged access are most likely to persist.
Q: How should teams handle third-party access when SSO is not available?
A: Use a governed access model with auditable sharing, least-privilege scope, and explicit revocation steps. If a vendor or contractor needs access to a non-SSO app, the organisation should avoid ad hoc password sharing and instead tie access to a managed workflow that records ownership, duration, and removal.
Q: Who is accountable for credentials that sit outside SSO controls?
A: Accountability should stay with the application owner and the identity governance team together. The application owner defines the business need, while IAM sets the control standard for password storage, sharing, and revocation. If the credential is outside SSO, it is still inside the organisation's governance boundary and must be treated that way.
Technical breakdown
Why SSO coverage stops at the application boundary
SSO centralises authentication only when applications support federation or can be integrated into the identity provider. Legacy tools, supplier portals, and newly adopted SaaS products often sit outside that trust relationship, so users fall back to direct credentials. The result is a split control plane: one governed by SSO policies and another governed by whatever password practice the user or business unit can sustain. That split creates inconsistent assurance, especially when organisations assume the login layer equals full access governance.
Practical implication: inventory non-SSO apps separately and treat them as a distinct credential-risk population.
How shared passwords weaken vendor and contractor access
When external parties need access, organisations often bypass formal access flows and share credentials informally by email, chat, or conversation. That behaviour destroys accountability because the identity of the person using the credential is no longer tied to the credential itself, and revocation becomes unreliable. For third-party access, the problem is not only who has access, but how quickly access can be removed and how well the organisation can prove that it was removed. Password managers address this by keeping access controlled, auditable, and revocable.
Practical implication: replace informal sharing with auditable delegated access and revocation workflows.
Why password policy enforcement still matters outside SSO
SSO does not eliminate the need for password controls on accounts that remain outside federation. Those credentials still need uniqueness, complexity, storage protection, and lifecycle management. Without a central enforcement layer, users tend to reuse passwords or store them unsafely, which turns non-SSO applications into the weak link in an otherwise well-managed IAM programme. The key issue is not whether SSO exists, but whether every credential path is governed to the same standard.
Practical implication: apply password policy enforcement and secure storage to every direct-login application.
Threat narrative
Attacker objective: The attacker aims to gain persistent access through unmanaged credentials in applications that sit outside the organisation's SSO controls.
- Entry occurs when users or third parties rely on direct credentials for applications outside SSO coverage, creating a separate authentication path that is harder to govern.
- Credential abuse follows when shared, reused, or poorly stored passwords are exposed through email, chat, spreadsheets, or other informal handling channels.
- Impact emerges through unauthorized access to vendor portals, contractor systems, or business apps that were never brought under the same control and audit model as SSO.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SSO is a control plane, not a complete credential strategy. The article's core point is that authentication centralisation does not equal identity governance completeness. Applications outside federation still require password protection, auditability, and lifecycle control, which means IAM teams should stop treating SSO coverage as a proxy for overall security maturity.
Blind spot management is now a first-class IAM problem. The biggest exposure is often not the application covered by the identity provider, but the systems left behind in onboarding queues, supplier ecosystems, and legacy estates. That is where informal credential handling, exception-based access, and weak revocation practices accumulate. The practitioner conclusion is simple: unmanaged access paths deserve the same governance attention as the SSO core.
Vendor and contractor access exposes the weakest link in access governance. The article shows how third-party collaboration becomes risky when access is shared outside a formal delegation model. This maps directly to the governance gap described in the OWASP Non-Human Identity Top 10 and the NIST Cybersecurity Framework 2.0 access and oversight functions. The implication for teams is to govern external access as a lifecycle process, not as an ad hoc exception.
Emergency access proves why recovery design must be built into identity architecture. SSO does not provide a complete fallback path when a critical user is unavailable, so organisations that rely on it alone leave continuity dependent on manual workarounds. That is an identity governance failure, not just an operations inconvenience, and it should be treated as part of access resilience planning.
Strong password management closes the governance gap SSO leaves open. The article is effectively describing a split between authentication control and credential stewardship. For IAM and security teams, the practical conclusion is that SSO and password management must be designed together so that every direct-login application still inherits policy, sharing controls, and traceability.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how quickly governance breaks once identity control moves beyond the human user boundary.
- For a deeper baseline on lifecycle and control gaps, read NHI Lifecycle Management Guide for the governance steps that close direct-access blind spots.
What this signals
Credential governance will increasingly be measured by coverage, not convenience. If SSO only protects part of the estate, the next maturity step is proving that non-SSO applications, contractor accounts, and vendor portals are governed to the same standard. The organisations that do this well will be the ones that can show complete credential visibility rather than just good authentication hygiene.
The operational signal to watch is whether access reviews, revocation, and password policy enforcement reach every direct-login path. Where they do not, the IAM programme is carrying hidden risk in exactly the places users, suppliers, and temporary workers are most likely to rely on manual workarounds.
For practitioners
- Map every application outside SSO coverage Build and maintain a separate inventory of legacy tools, vendor portals, personal business accounts, and unintegrated SaaS so they can be governed as a distinct risk class.
- Replace informal password sharing channels Eliminate email, chat, and verbal credential handoffs for vendors and contractors, and move external access to controlled, auditable sharing and delegation workflows.
- Enforce password policy on direct-login systems Apply unique-password generation, secure storage, and policy enforcement to every application that cannot participate in SSO, including legacy and specialist tools.
- Tie contractor access to lifecycle controls Require provisioning and deprovisioning checkpoints for temporary vendors and consultants so access does not outlive the business need or the contract term.
Key takeaways
- SSO reduces authentication friction, but it does not cover the full credential problem across modern enterprises.
- The largest security gaps appear in non-SSO applications, informal vendor sharing, and temporary access workflows that lack consistent governance.
- IAM teams should manage SSO and password controls together so that every direct-login application still inherits policy, auditability, and revocation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Direct-login systems and unmanaged credentials map to credential rotation and storage risk. |
| NIST CSF 2.0 | PR.AC-1 | SSO gaps are an access control governance issue across the identity estate. |
| NIST Zero Trust (SP 800-207) | The article highlights trust boundaries that must be continuously verified outside SSO. |
Extend access control policy to direct-login apps, third parties, and temporary access paths.
Key terms
- Single Sign-On: A federated authentication pattern that lets a user sign in once and access multiple connected applications. It simplifies login and centralises authentication policy, but it does not automatically govern every application or eliminate the need to secure direct-login accounts outside the federation boundary.
- Direct-Login Application: An application that users access with its own local credentials rather than through a federated identity provider. These systems create separate control paths for password policy, sharing, rotation, and revocation, which is why they often become blind spots in otherwise mature identity programmes.
- Credential Stewardship: The governance discipline that covers how credentials are created, stored, shared, rotated, and revoked. In practice, it is the control layer that keeps passwords and other secrets from becoming unmanaged access tokens, especially in non-SSO environments and third-party workflows.
- Third-Party Access Lifecycle: The joiner-mover-leaver process applied to vendors, consultants, and other external identities. It ensures access is provisioned for a defined business need, monitored while active, and revoked when the relationship or task ends, regardless of whether the system is federated.
What's in the full article
Bitwarden's full article covers the operational detail this post intentionally leaves for the source:
- Examples of the specific application classes that typically fall outside SSO onboarding
- The survey findings behind password sharing behaviour across email, chat, and conversation
- How password managers support emergency access, contractor access, and secure sharing workflows
- The practical distinction between SSO coverage and credential policy enforcement in day-to-day operations
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
Published by the NHIMG editorial team on 2025-10-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org