TL;DR: Unsanctioned SaaS apps increasingly sit outside SSO, IAM, and standard deprovisioning, leaving sensitive data, wasted licenses, and compliance gaps behind, according to 1Password. The core problem is not just discovery, but the fact that traditional identity controls were designed for managed apps, not continuously changing shadow IT.
At a glance
What this is: This is an analysis of how unsanctioned SaaS expands identity risk by operating outside standard provisioning, deprovisioning, and visibility controls.
Why it matters: It matters because IAM, IGA, and security teams need a governance model that can find, revoke, and reclaim access even when apps are never enrolled in SSO or central IT workflows.
👉 Read 1Password's analysis of unsanctioned SaaS and shadow IT governance
Context
Unsanctioned SaaS is software adopted outside central IT approval, usually by a team or employee who can sign up in minutes. The governance gap is that these apps often never enter the systems that normally manage identities, access reviews, or offboarding, which leaves security and finance working from incomplete records.
For identity programmes, the issue is broader than shadow IT detection. When applications are outside SSO and standard joiner-leaver processes, access persistence, license sprawl, and audit blind spots become the default condition. That is why SaaS governance now belongs in the same conversation as NHI lifecycle control and identity visibility.
Key questions
Q: What breaks when SaaS apps are used outside SSO and central IAM?
A: The main failure is lifecycle control. If an app is not tied to SSO or the identity provider, offboarding, recertification, and access logging may never reach it. That leaves active accounts, orphaned licenses, and audit gaps even when the business believes access was removed.
Q: Why do unsanctioned SaaS apps create both security and cost risk?
A: They create both risks because unmanaged apps can retain sensitive data access while also carrying duplicate or unused licenses. Security teams lose visibility into who can access the app, and finance loses the ability to see whether the software is still needed.
Q: How do security teams know if SaaS governance is actually working?
A: Look for evidence that discovery is continuous, offboarding reaches unmanaged apps, and renewal decisions reflect live usage. If point-in-time audits, spreadsheets, or manual follow-up are still carrying the process, governance is lagging behind adoption.
Q: What should organisations do first when shadow SaaS keeps appearing?
A: Start with discovery and ownership. Identify which business units are introducing tools, confirm how those apps are provisioned and deprovisioned, and then close the gap between application usage, access removal, and license recovery.
Technical breakdown
Why unsanctioned SaaS escapes IAM and SSO controls
IAM and SSO work well when an application is known, onboarded, and tied to a central identity provider. Unsanctioned SaaS breaks that model because the app was never enrolled in the control plane, so there is no federated policy path, no standard entitlement record, and often no deprovisioning hook. In practice, that means the identity system can only govern what it can see, while the business is using a separate stack of tools invisible to security operations.
Practical implication: build discovery outside the SSO directory so governance starts with visibility, not just access enforcement.
How access persistence turns shadow SaaS into exposure
The risk is not only that a team adopted an unsanctioned app, but that access can remain active after the employee leaves or changes role. When offboarding depends on HRIS or IdP triggers, any app outside that path keeps its own local accounts, licenses, and session access. That creates a separate lifecycle with no authoritative termination event. The result is a standing access problem disguised as a productivity tool problem.
Practical implication: treat every unsanctioned app as a separate lifecycle domain until you can prove revocation reaches it.
Why license sprawl is an identity governance issue
SaaS sprawl is often discussed as a cost problem, but it is also an identity problem because unused licenses usually reflect unmanaged accounts and duplicated access paths. When finance sees spend and security sees risk, neither function gets a full entitlement picture. That fragmentation makes recertification, audit response, and least-privilege enforcement less reliable. Governance fails when the organisation cannot connect usage, ownership, and revocation across departments.
Practical implication: combine access governance with license intelligence so entitlement cleanup and spend control happen together.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Shadow SaaS creates an identity perimeter that the enterprise did not design for. The article shows that modern app adoption now happens faster than traditional provisioning and deprovisioning can follow. That means the governance boundary has moved from the managed application estate to the unmanaged purchase path, where access control, auditing, and ownership are all weaker. Practitioners should treat unsanctioned SaaS as a first-class identity surface, not as a side issue for IT hygiene.
Access that is never enrolled cannot be cleanly revoked. This is the central control gap the article exposes. If an application is outside SSO, HRIS-triggered deprovisioning, and standard access review, then the organisation has no authoritative lifecycle event to remove accounts or reclaim licenses. The implication is not just better tooling, but a rethink of where identity governance begins and ends across the SaaS estate.
License waste and security exposure are the same governance failure expressed differently. The article connects redundant tools, unused spend, and lingering access, which are usually managed in separate workflows. That separation is what lets shadow SaaS persist: finance sees renewal pressure, security sees unknown access, and IT sees only fragments. Practitioners should unify entitlement visibility so duplicate software, dormant access, and offboarding gaps are handled together.
Continuous discovery is now a baseline requirement for modern SaaS governance. Point-in-time audits go stale as soon as employees can create accounts in minutes. The practical lesson is that annual review cycles are too slow for a work environment where applications appear weekly and ownership is decentralised. Security and identity teams need a live inventory model that can support revocation, recertification, and license recovery at the speed of adoption.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- For a deeper operational lens, the NHI Lifecycle Management Guide helps teams connect discovery, provisioning, rotation, and offboarding into one governance model.
What this signals
Shadow SaaS is converging with broader identity sprawl, which is why teams need a single view of apps, accounts, and entitlements rather than separate reporting streams for security, finance, and operations. With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, the same visibility problem is already familiar in adjacent identity domains.
Identity perimeter drift: this is the practical pattern behind unsanctioned SaaS adoption. The perimeter is no longer a network boundary, but a set of join, use, and revoke events that happen outside IT's default workflow. Teams that do not model that drift will keep finding access problems only after renewal, offboarding, or audit pressure forces the issue.
For practitioners
- Establish continuous SaaS discovery: Inventory apps, users, and licenses on an ongoing basis so shadow IT does not depend on periodic manual audits. Prioritise discovery sources that reveal apps adopted outside the IdP and outside formal procurement.
- Extend deprovisioning beyond SSO-connected apps: Map every offboarding path to the apps where access can persist locally, then verify revocation and license reclamation actually reach those tools. HRIS and IdP triggers alone are not enough when the app is unmanaged.
- Unify security and finance views of SaaS usage: Use shared reporting for active accounts, redundant tools, and unused licenses so renewal decisions reflect both risk and spend. This reduces the chance that duplicate software survives simply because no team sees the full picture.
- Treat unsanctioned apps as separate lifecycle domains: Require each business unit or application owner to prove how joiner, mover, and leaver events are handled for software outside central IT control. If there is no offboarding evidence, assume access persists.
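The four practices above come together in one reconciliation step: join the user exports pulled from each SaaS admin console against the HRIS roster (the authoritative leaver source) and the SSO catalogue (what the IdP can actually revoke). The script below is an added example written for this post; it is not code from 1Password or NHI Mgmt Group. The data shapes (an HRIS map of status and leave date, an SSO app set, per-app export rows), the app and account names, and the 90-day dormancy threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# --- Constructed sample inputs (illustrative, not from the article) ---

# HRIS roster as the authoritative lifecycle source: email -> (status, leave date)
HRIS = {
    "ana@example.com": ("active", None),
    "ben@example.com": ("terminated", date(2025, 11, 14)),
    "cy@example.com": ("active", None),
}

# Applications enrolled in SSO / the IdP control plane (what IAM can see and revoke)
SSO_APPS = {"crm-suite", "docs-cloud"}

# User exports pulled from each SaaS admin console, including apps IT never onboarded:
# (app, account email, last login, paid seat?)
APP_EXPORTS = [
    ("crm-suite",   "ana@example.com",              date(2026, 1, 28), True),
    ("crm-suite",   "ben@example.com",              date(2025, 11, 10), True),
    ("designboard", "ana@example.com",              date(2026, 1, 30), True),
    ("designboard", "ben@example.com",              date(2025, 12, 2), True),
    ("designboard", "shared-marketing@example.com", date(2026, 1, 15), True),
    ("notes-app",   "cy@example.com",               date(2025, 9, 1), True),
]

TODAY = date(2026, 2, 2)   # reconciliation date for the sample (assumed)
DORMANT_DAYS = 90          # assumed threshold for an unused paid seat


@dataclass
class Finding:
    kind: str          # orphaned_access | post_termination_login | unmanaged_app | dormant_seat | unknown_identity
    app: str
    subject: str
    revoke_path: str   # "idp" if SSO can revoke it, else "local-admin" (must be done inside the app)
    paid_seat: bool = False
    detail: str = ""


@dataclass
class Report:
    findings: list = field(default_factory=list)

    def by_kind(self, kind):
        return [f for f in self.findings if f.kind == kind]

    def reclaimable_seats(self):
        # Seats finance can recover: orphaned leaver accounts plus dormant paid seats
        return sum(1 for f in self.findings
                   if f.paid_seat and f.kind in ("orphaned_access", "dormant_seat"))


def reconcile(hris, sso_apps, exports, today, dormant_days=DORMANT_DAYS):
    """Join app-level user exports against the HRIS roster and the SSO catalogue."""
    report = Report()

    # Discovery: any app present in an export but absent from SSO has no deprovisioning hook
    for app in sorted({row[0] for row in exports}):
        if app not in sso_apps:
            report.findings.append(Finding("unmanaged_app", app, app, "local-admin",
                                           detail="not enrolled in SSO/IdP"))

    for app, email, last_login, paid_seat in exports:
        path = "idp" if app in sso_apps else "local-admin"
        record = hris.get(email)
        if record is None:
            # No HRIS owner: shared, contractor or external account with no leaver trigger
            report.findings.append(Finding("unknown_identity", app, email, path, paid_seat,
                                           "no HRIS owner; assign an owner or disable"))
            continue
        status, left_on = record
        if status == "terminated":
            # Leaver event never reached this app: access persisted past offboarding
            report.findings.append(Finding("orphaned_access", app, email, path, paid_seat,
                                           f"leaver since {left_on}, account still enabled"))
            if last_login > left_on:
                # Strongest signal: the account was actually used after the leave date
                report.findings.append(Finding("post_termination_login", app, email, path, paid_seat,
                                               f"last login {last_login} is after {left_on}"))
        elif paid_seat and (today - last_login).days > dormant_days:
            idle = (today - last_login).days
            report.findings.append(Finding("dormant_seat", app, email, path, paid_seat,
                                           f"no login for {idle} days; candidate for reclamation"))
    return report


def run_example():
    return reconcile(HRIS, SSO_APPS, APP_EXPORTS, TODAY)


if __name__ == "__main__":
    rpt = run_example()
    for f in rpt.findings:
        print(f"{f.kind:<22} {f.app:<12} {f.subject:<32} via {f.revoke_path}: {f.detail}")
    print("reclaimable seats:", rpt.reclaimable_seats())
```

The point of the `revoke_path` field is the "separate lifecycle domain" idea: an orphaned account in an SSO-enrolled app can be closed from the IdP, while the same finding in an unmanaged app has to be actioned by whoever holds the app's local admin console, so the report should route the two differently. Running this on a schedule against fresh exports, rather than once a year, is what turns a point-in-time audit into the continuous discovery the post calls for.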
Key takeaways
- Unsanctioned SaaS is an identity governance problem because access can exist outside the systems that normally revoke it.
- The article's core evidence is operational, not theoretical: shadow apps create lingering access, duplicate spend, and compliance gaps at the same time.
- Teams need continuous discovery and offboarding coverage for unmanaged apps, or central IAM will keep missing the actual control point.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Unmanaged SaaS access often persists because credentials are not rotated or revoked cleanly. |
| NIST CSF 2.0 | PR.AC-4 | The article centers on controlling and revoking access across unknown SaaS tools. |
| NIST Zero Trust (SP 800-207) | | Continuous verification is undermined when apps sit outside the identity control plane. |
Extend zero-trust verification to discovered SaaS apps before they become shadow dependencies.
Key terms
- Unsanctioned SaaS: Software adopted and used outside the organisation's approved procurement or identity governance process. It matters because access, data handling, and offboarding often happen locally instead of through central controls, leaving security and compliance teams blind to active accounts and lingering entitlements.
- Shadow IT: Technology used without formal approval or visibility from central IT and security teams. In identity terms, it creates a parallel access environment where accounts, licenses, and permissions may exist outside standard lifecycle management, making governance incomplete even when official systems look clean.
- Access Reclamation: The process of removing access and recovering licenses or entitlements when an account is no longer needed. For unmanaged SaaS, reclamation is often the missing control because the app is not connected to standard deprovisioning paths, so access can outlive employment or need.
Deepen your knowledge
SaaS governance, shadow IT discovery, and offboarding coverage are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your environment is already dealing with unmanaged applications and fragmented lifecycle control, it is a practical place to start.
This post draws on content published by 1Password: Unsanctioned SaaS and shadow IT create hidden access and spend risk. Read the original.
Published by the NHIMG editorial team on 2026-02-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org