TL;DR: Most organisations can identify apps behind SSO, but far fewer can see the shared and sensitive logins teams use outside it, creating governance blind spots that complicate revocation, rotation, and auditability, according to 1Password. The underlying issue is that zero trust breaks down when credential-based access sits outside the control plane, not because the apps themselves are hard to secure.
At a glance
What this is: 1Password’s integrated EPM and SaaS Manager features aim to extend governance beyond SSO by surfacing shared and sensitive non-SSO logins, usage signals, and account risk.
Why it matters: IAM teams need a view of credential-based access because SSO coverage alone does not govern the shared logins, browser-stored credentials, and legacy app access that still carry real risk across NHI and human programmes.
Context
Most enterprise access governance still starts and ends with SSO, but that leaves a large slice of real-world access outside the review surface. Shared logins, browser-saved credentials, and credentials tied to individuals can persist even when the account lifecycle changes, which makes revocation and auditability harder than the control model suggests.
For NHI and human identity programmes alike, the problem is not only where a login is stored but whether it can be discovered, transferred, rotated, and revoked with defensible records. That is why zero trust for access needs to include credential-based paths, not just federated applications.
Key questions
Q: How should security teams govern credentials that sit outside SSO?
A: Treat them as part of the identity programme, not as informal exceptions. Build an inventory of direct-login apps, shared accounts, and browser-observed usage, then attach ownership, rotation, and offboarding rules to each one. If an account cannot be discovered, assigned, and revoked, it is not governable and should be treated as a control gap.
Q: Why do non-SSO logins create more governance risk than teams expect?
A: Because they often survive outside normal identity provider logs and review cycles. Shared credentials, individually owned app passwords, and browser-saved logins can remain active after a role change or departure, which creates revocation gaps and audit blind spots. The risk is not only exposure, but the inability to prove who had access when.
Q: How do you know if credential governance is actually working?
A: Look for evidence that every high-risk account has a clear owner, a defined rotation path, and a logged access-change record. If teams still search vaults, chase shared logins, or rely on manual follow-up after role changes, governance is still operationally brittle rather than controlled.
Q: Who should own non-SSO credentials when an employee changes roles or leaves?
A: The organisation should own them, not the individual who happened to use them last. Access transfer, revocation, and rotation need to happen through lifecycle workflows that preserve business continuity while removing unnecessary user control. If that handoff is unclear, the account remains a personal dependency instead of a governed asset.
How it works in practice
Governance beyond SSO depends on credential visibility
SSO centralises authentication for federated apps, but it does not eliminate direct credential use. Many organisations still rely on shared logins, individually owned app passwords, and credentials saved in vaults or browsers. The governance problem is discovery: if IT cannot see which accounts exist, who uses them, and whether they are tied to a business process, access review becomes incomplete. In practice, the control plane has to extend from identity provider records into password manager telemetry, browser usage, and app ownership context so teams can treat non-SSO access as governed access rather than shadow access.
Practical implication: map direct-credential applications into the same governance inventory as federated apps.
Account risk scoring links access paths to business exposure
Risk scoring for accounts usually combines several signals: access risk, data sensitivity, privilege level, and observed attack patterns. That matters because a credential is not equally risky just because it exists. A shared login into a low-value internal tool is different from a privileged account tied to sensitive SaaS data. The useful mechanism is not the score itself, but the way it creates a triage queue for rotation, ownership transfer, or tighter controls. Without that prioritisation, teams either overreact to low-value accounts or miss the ones that can expand blast radius quickly.
Practical implication: use risk-scored account queues to decide which non-SSO credentials need immediate governance attention.
Account governance depends on revocation without password exposure
The hardest operational step is not finding credentials; it is changing control of them safely. Account governance works when IT can transfer ownership, revoke access, and rotate secrets without forcing everyone to see the password. That preserves confidentiality while restoring auditability. It also aligns with zero trust because access should be reassessed continuously rather than assumed to remain valid after hiring, role changes, or offboarding. This is where lifecycle governance and secret management intersect: the account must remain usable to the business while becoming removable from the wrong user at the right time.
Practical implication: build transfer-and-revoke workflows that remove user control before role changes complete.
NHI Mgmt Group analysis
Zero trust fails when it stops at SSO. The article shows that many organisations can govern federated access while leaving direct credentials, browser logins, and shared app accounts outside the policy boundary. That is not a visibility nuance; it is a structural gap in how access governance is defined. The implication is that practitioners must treat non-SSO credentials as first-class identity assets, not exception handling.
Credential-based access still behaves like a lifecycle problem, not a tooling problem. The hard part is not storing passwords; it is knowing who owns them, when they should be rotated, and how control changes when a person changes roles or leaves. That makes revocation and transfer of control the real governance test. The implication is that lifecycle processes must cover direct logins with the same seriousness as provisioned accounts.
Account risk needs to be evaluated by exposure path, not by existence alone. A shared login tied to sensitive SaaS data has a different security meaning than a routine user credential hidden in a browser profile. The article’s account risk framing is useful because it pushes teams toward contextual governance rather than flat inventory. The implication is that practitioners should rank credentials by business use, privilege, and attack value, not just count them.
Browser insight turns unmanaged access into governable evidence. Seeing login activity from extensions or browser telemetry closes part of the shadow access gap that SSO logs cannot capture. That matters for both human IAM and NHI governance because hidden access paths often survive policy changes longer than expected. The implication is that discovery has to follow the actual path of use, not the assumed path of authentication.
From our research:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- Our research also found that 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits.
- For a broader lifecycle view, see NHI Lifecycle Management Guide for the provisioning, rotation, and offboarding controls that non-SSO access still depends on.
What this signals
Credential-based access is now the hard part of zero trust. As organisations extend controls beyond SSO, the governance challenge shifts from authentication into lifecycle control, ownership transfer, and revocation evidence. Teams that still rely on manual search for shared logins will keep finding that access review happens after exposure, not before it.
Shadow access becomes visible only when browser and vault telemetry are treated as governance inputs. That changes the operating model for both human and machine credentials because the real access path is often not the one recorded in the identity provider. Practitioners should expect more demand for continuous discovery across vaults, extensions, and shared credential stores, not just SSO logs.
Shared logins create identity debt. The more a business allows credentials to persist outside named ownership, the more offboarding becomes a cleanup exercise instead of a control. With 91% of former employee tokens still active after offboarding in our research, the signal is clear: lifecycle discipline, not one-time inventory, is what closes the gap.
For practitioners
- Expand governance inventory beyond SSO apps: Add direct-login applications, shared vault entries, and browser-observed logins to the same access inventory used for reviews and offboarding. That gives security and compliance teams a single view of credential-based access paths that would otherwise remain outside federation logs.
- Separate ownership from password visibility: Move sensitive accounts into workflows where IT can transfer control, revoke user access, and rotate credentials without exposing the secret to every operator. That preserves confidentiality while creating defensible evidence for audit and lifecycle changes.
- Prioritise accounts by business exposure: Score credentials using access risk, data sensitivity, privilege, and attack patterns before deciding which accounts to rotate first. That keeps teams focused on the login paths most likely to widen blast radius or undermine compliance evidence.
- Tie non-SSO access to offboarding triggers: Require role-change and leaver workflows to include direct credentials, shared logins, and browser-derived account usage so revocation does not depend on manual searching after the person has moved on.
Key takeaways
- Zero trust does not hold if governance stops at SSO and ignores direct credential paths.
- Credential visibility, ownership transfer, and revocation evidence are the controls that determine whether non-SSO access is actually governed.
- If offboarding and role-change workflows do not cover shared logins and browser-stored credentials, the organisation is carrying hidden access debt.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and revocation are central to the article's access-governance gap. |
| NIST CSF 2.0 | PR.AC-4 | The post focuses on least-privilege access and review of shared credentials. |
| NIST Zero Trust (SP 800-207) | PR.AC | The article extends zero trust beyond federated apps into direct credential paths. |
Apply zero-trust access checks to credential-based access, not only SSO-authenticated applications.
Key terms
- Non-SSO Access: Access that relies on shared logins, individual application passwords, browser-stored credentials, or other direct secrets rather than federated single sign-on. In governance terms, it often sits outside identity provider logs, so teams must discover it through vault, browser, and application telemetry.
- Account Governance: The process of assigning ownership, controlling use, and revoking access for a specific account or credential. In practice, it connects lifecycle events such as role changes and offboarding to transfer, rotation, and audit logging so access can be managed without exposing secrets.
- Credential-Based Access: Any access path that depends on a secret such as a password, token, API key, or certificate rather than a federated identity assertion. It remains governable only when the organisation can discover where the credential is used, who owns it, and how it can be revoked.
Deepen your knowledge
Non-SSO credential governance and lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are closing gaps around shared logins, revocation, and ownership transfer, it is worth exploring.
This post draws on content published by 1Password on extending governance beyond SSO and governing shared logins. Read the original.
Published by the NHIMG editorial team on 2026-03-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org