By NHI Mgmt Group Editorial Team
Published 2025-10-30
Domain: Governance & Risk
Source: 1Password

TL;DR: Access now escapes the control surface of traditional identity tools, according to 1Password’s 2025 Annual Report, which says 52% of employees downloaded apps without IT approval, 73% were encouraged to use AI, and 74% of security and IT professionals said SSO is not enough. The real problem is not adoption itself but governance built for a slower, more visible workplace than the one employees actually use.


At a glance

What this is: A 1Password annual report argues that SaaS sprawl, shadow AI, and unmanaged access are widening the access-trust gap beyond what SSO and legacy identity controls can cover.

Why it matters: IAM, NHI, and workforce identity teams need to treat access as continuous and contextual because unmanaged apps and AI use now sit outside the control assumptions of classic programmes.

By the numbers:

  • 52% of employees downloaded apps without IT approval
  • 73% were encouraged to use AI
  • 74% of security and IT professionals said SSO is not enough
  • 30% of apps sit outside SSO

👉 Read 1Password’s annual report on the access-trust gap in the AI era


Context

The access-trust gap is the space between what identity teams believe they control and the reality of how employees reach applications, data, and AI tools. In practice, that gap grows when SaaS adoption and AI usage move faster than governance, leaving unmanaged access paths that sit outside conventional IAM visibility.

For practitioners, the issue is not whether SSO exists but whether it still represents the actual control plane for identity risk. When shadow IT, shadow AI, and unmanaged accounts proliferate, workforce IAM, NHI governance, and offboarding processes all have to account for access that never entered the approved lifecycle in the first place.

That makes this report relevant beyond workforce login hygiene. It is a signal that identity programmes need broader control coverage, especially where unmanaged apps, AI tools, and non-federated access create hidden privilege and review blind spots.


Key questions

Q: How should security teams close the access-trust gap in SaaS and AI environments?

A: Start by measuring where users actually work, not where the identity programme assumes they work. Security teams should inventory unmanaged apps, non-federated accounts, and AI tools, then apply policy, offboarding, and monitoring to the uncovered paths first. The goal is to make hidden access visible enough that governance can follow it.

Q: When does SSO stop being a complete identity control?

A: SSO stops being complete when it covers only part of the application estate. If workers can reach SaaS apps, local accounts, or AI tools outside federation, then authentication is centralised but governance is not. That is the point where identity risk shifts from login management to access discovery and lifecycle control.

Q: What do security teams get wrong about shadow AI governance?

A: They often treat shadow AI as an awareness issue when it is really a control issue. If employees can share sensitive data with unapproved AI tools from unmanaged devices, the organisation has lost policy enforcement, auditability, and data handling control. Governance needs to cover the tool, the device, and the data path together.

Q: Who is accountable when employees keep using former employer accounts or data?

A: Accountability sits with the organisation that failed to trace access across its lifecycle, not just with the worker who reused it. When a former employee can still reach data or accounts, the identity programme has not fully validated offboarding across SaaS and unmanaged access paths. That gap belongs in audit, access review, and lifecycle ownership.


Technical breakdown

Why SSO no longer covers the full access surface

Single sign-on centralises authentication for federated applications, but it does not automatically govern every account, session, or app a worker uses. When 30% of apps sit outside SSO, the identity system becomes partial rather than complete, and offboarding, policy enforcement, and session visibility all weaken. The technical issue is coverage, not just convenience: any access path that bypasses federation also bypasses the usual evidence trail for review and response.

Practical implication: Practitioners should inventory non-federated apps and treat them as governance gaps, not exceptions.

Shadow AI creates unreviewable data flows and policy drift

Shadow AI is not only a usage problem, it is a data control problem. When employees paste company information into unapproved tools or use AI on personal devices, the organisation loses enforceable context around where data goes, what is retained, and which policy applies. That breaks the assumption that access decisions are made inside a managed environment with observable authentication and audit records.

Practical implication: Teams should map AI tool use to data sensitivity and policy enforcement, not just user awareness.

Why offboarding now needs cross-app identity tracing

Offboarding fails when identity records and application access are not linked across managed and unmanaged environments. If employees retain access to a former employer’s account or data, the problem is not merely leftover credentials, it is broken lifecycle visibility across app estates. In identity terms, the lifecycle ended in HR, but access persisted in systems that were never fully federated or reviewed.

Practical implication: Security teams should verify post-employment access paths across SaaS, local accounts, and AI tools.



NHI Mgmt Group analysis

The access-trust gap is the clearest sign that identity control is now defined by coverage, not by login success. SSO remains useful, but it no longer describes the full control surface when 30% of apps are outside federation and workers continue to adopt tools without IT approval. The governance problem is not a lack of authentication, it is a lack of visibility into where identity actually lives. Practitioners should reframe identity assurance around complete access discovery, not just central sign-in.

Shadow AI is becoming an identity governance problem, not just a data-leak problem. The report shows employees sharing company and customer data into AI tools that security teams do not control, which means the access decision occurs outside the normal approval and monitoring chain. That erodes policy enforcement, auditability, and user accountability at the same time. Practitioners should treat AI usage as part of identity governance and data governance together.

Legacy identity tools were designed for managed endpoints and approved apps, not for workers who assemble their own access stack. The combination of SaaS sprawl, unapproved software, and personal-device AI use means identity assurance must follow the worker across more contexts than traditional IAM and IGA were built to observe. That does not make those controls obsolete, but it does mean they are now only one layer in a broader access governance model. Practitioners should expand control boundaries or accept blind spots.

Access-trust gap: the missing control is not another login layer, it is lifecycle-aware oversight of every place identity can operate. The report’s strongest signal is that control failure now comes from disconnected access paths, not isolated authentication weaknesses. That has implications for workforce IAM, NHI governance, and offboarding alike, because each depends on knowing where access exists before it can be governed. Practitioners should align control coverage to actual usage, not intended architecture.

Compromised assumptions matter more than individual policy violations in this market shift. The report illustrates that security teams are still asking static identity controls to govern dynamic behaviour across apps, devices, and AI tools. That assumption fails when access becomes fragmented and user-driven, because the programme can no longer depend on a single authoritative control plane. Practitioners should re-baseline identity governance against real usage patterns and not policy intent.

From our research:

What this signals

Access control programmes now need to measure uncovered pathways, not just managed coverage. A workforce can appear compliant while still relying on unapproved apps and AI tools, so the next maturity step is to quantify where identity governance does not reach. The control objective is less about perfect centralisation and more about knowing the residual risk with enough precision to act on it.

The strongest operational signal in this report is that identity, data, and AI governance are converging in the same failure zone. When employees can move from sanctioned systems into personal devices and unapproved tools without friction, the programme needs coordinated policy, discovery, and offboarding instead of separate control towers.

One useful concept here is the access-trust gap: the distance between authorised identity design and actual worker behaviour. The practical implication is that teams should build reporting around real application usage, unmanaged access, and post-employment traceability so the programme reflects the environment it is supposed to secure.


For practitioners

  • Map all non-federated access paths: Inventory applications, local accounts, and AI tools that sit outside SSO so you can see where identity governance stops and shadow access begins.
  • Extend offboarding checks beyond HR closure: Verify that former employees lose access to SaaS, personal accounts, and AI tools, then confirm the access trace is removed from every controlled environment.
  • Classify AI tool use by data sensitivity: Set policy for what employees may input into AI systems, especially customer, employee, and confidential business data, and tie it to enforcement rather than awareness alone.
  • Measure control coverage, not just sign-in success: Track the share of applications and workflows governed by SSO, and use the uncovered remainder as the priority list for remediation and policy expansion.
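The inventory, offboarding and coverage steps above can be reduced to one cross-reference job. The following is an added example, not code from the 1Password report or NHIMG: it joins an SSO catalogue, observed app usage, local accounts and an HR leaver list (all constructed sample data, hypothetical app names) and returns the non-federated share, leaver accounts still active outside SSO, and a remediation priority list.

```python
# Added example (not from the 1Password report or NHIMG): a coverage-gap report
# that cross-references an SSO catalogue, observed app usage, local accounts
# and the HR leaver list. All inventories below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalAccount:
    app: str      # application the account lives in
    user: str     # workforce identifier
    active: bool  # whether the account can still log in


# Constructed inventories (hypothetical app names).
SSO_APPS = {"crm", "hr-portal", "wiki"}                         # federated behind the IdP
OBSERVED_APPS = SSO_APPS | {"ai-chat", "design-saas", "notes"}  # seen in expense/CASB/DNS data
LOCAL_ACCOUNTS = [
    LocalAccount("ai-chat", "a.lee", True),
    LocalAccount("design-saas", "j.doe", True),  # j.doe has left; account still active
    LocalAccount("notes", "j.doe", False),
    LocalAccount("design-saas", "m.kay", True),
]
LEAVERS = {"j.doe"}  # HR says these people have left


def non_federated_apps(observed, sso):
    """Apps in use that never pass through the federation layer."""
    return sorted(observed - sso)


def sso_coverage(observed, sso):
    """Share of observed apps governed by SSO; the remainder is the gap."""
    return len(observed & sso) / len(observed) if observed else 1.0


def leaver_access_outside_sso(accounts, leavers, sso):
    """Active local accounts held by leavers in apps outside SSO: offboarding failures."""
    return sorted((a.app, a.user) for a in accounts
                  if a.active and a.user in leavers and a.app not in sso)


def build_report(observed=OBSERVED_APPS, sso=SSO_APPS, accounts=LOCAL_ACCOUNTS, leavers=LEAVERS):
    gap = non_federated_apps(observed, sso)
    return {
        "sso_coverage": round(sso_coverage(observed, sso), 3),
        "non_federated_apps": gap,
        "leaver_access_outside_sso": leaver_access_outside_sso(accounts, leavers, sso),
        # remediation priority: non-federated apps that still hold at least one active account
        "priority": sorted({a.app for a in accounts if a.active and a.app in gap}),
    }


if __name__ == "__main__":
    for key, value in build_report().items():
        print(f"{key}: {value}")
```

In practice the inventories would come from the IdP application catalogue, a CASB or expense export, each SaaS app's user list, and the HR system; the join logic stays the same.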

Key takeaways

  • The report’s core warning is that identity governance is only as strong as its least visible access path.
  • The scale is already measurable, with most organisations lacking full visibility into unmanaged app and AI use.
  • Practitioners should prioritise access discovery, lifecycle tracing, and policy enforcement across SaaS and AI environments.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

  • NIST CSF 2.0 (PR.AC-1): Centralised identity control is incomplete when apps sit outside SSO.
  • OWASP Non-Human Identity Top 10 (NHI-03): Unmanaged access paths increase secret and credential exposure risk.
  • NIST Zero Trust (SP 800-207): Continuous verification is required when access moves across apps and devices.

Apply zero trust principles to identity coverage, device context, and app-level access decisions.


Key terms

  • Access-trust gap: The distance between the access an organisation believes it controls and the access workers actually use. It appears when identity systems cover only part of the real application estate, leaving shadow IT, unmanaged accounts, and AI tools outside normal governance and audit.
  • Shadow AI: AI tools and workflows used without formal approval, visibility, or policy enforcement. In identity programmes, shadow AI matters because users can move sensitive data into systems that do not participate in normal access control, logging, or offboarding processes.
  • Non-federated access: Application or account access that does not pass through the organisation’s central identity federation layer. This creates governance gaps because authentication, policy enforcement, and evidence collection no longer happen in the same control path as the rest of the programme.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.

This post draws on content published by 1Password: 1Password’s Annual Report 2025 on the Access-Trust Gap. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org