Shadow SaaS sprawl: what IAM teams are missing in access governance


(@nhi-mgmt-group)
Member Moderator

TL;DR: Unsanctioned SaaS apps increasingly sit outside SSO, IAM, and standard deprovisioning, leaving sensitive data, wasted licenses, and compliance gaps behind, according to 1Password. The core problem is not just discovery, but the fact that traditional identity controls were designed for managed apps, not continuously changing shadow IT.

NHIMG editorial — based on content published by 1Password: Unsanctioned SaaS and shadow IT create hidden access and spend risk

Questions worth separating out

Q: What breaks when SaaS apps are used outside SSO and central IAM?

A: The main failure is lifecycle control: because the app is not connected to SSO or central IAM, standard provisioning and deprovisioning never reach it, so accounts and data access persist after the identity process thinks they are gone.

Q: Why do unsanctioned SaaS apps create both security and cost risk?

A: They create both risks because unmanaged apps can retain sensitive data access while also carrying duplicate or unused licenses.

Q: How do security teams know if SaaS governance is actually working?

A: Look for evidence that discovery is continuous, offboarding reaches unmanaged apps, and renewal decisions reflect live usage.

Practitioner guidance

  • Establish continuous SaaS discovery: inventory apps, users, and licenses on an ongoing basis so shadow IT does not depend on periodic manual audits.
  • Extend deprovisioning beyond SSO-connected apps: map every offboarding path to the apps where access can persist locally, then verify that revocation and license reclamation actually reach those tools.
  • Unify security and finance views of SaaS usage: use shared reporting for active accounts, redundant tools, and unused licenses so renewal decisions reflect both risk and spend.
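The three guidance points above reduce to a reconciliation job: join a discovery inventory against the HR leaver feed and license data, then report what the IdP cannot see. The script below is an added illustration of that job, not 1Password's code or a description of its product; the inventory rows, the offboarded user, the app and user names, the 60-day idle threshold and the `governance_report` function are all constructed for the example.

```python
"""Reconciliation checks for SaaS access governance.

Added illustration; not 1Password's code. Every app name, user name,
date and threshold below is a constructed sample value.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class SaasAccount:
    app: str            # SaaS application name
    category: str       # coarse function, used to spot redundant tools
    user: str           # account owner (employee id or e-mail local part)
    sso_managed: bool   # True if the login is federated through the IdP
    licensed: bool      # True if a paid seat is assigned to this account
    last_active: date   # last observed login or API activity


# Constructed inventory, shaped like the output of a discovery tool.
INVENTORY = [
    SaasAccount("TeamWiki",  "docs",     "a.chen",  True,  True,  date(2024, 6, 20)),
    SaasAccount("TeamWiki",  "docs",     "m.ortiz", True,  True,  date(2024, 4, 28)),
    SaasAccount("NoteBox",   "docs",     "m.ortiz", False, True,  date(2024, 5, 3)),   # local login, survived offboarding
    SaasAccount("NoteBox",   "docs",     "a.chen",  False, True,  date(2024, 3, 1)),   # paid seat, idle
    SaasAccount("DiagramIt", "diagrams", "r.patel", False, True,  date(2024, 6, 24)),
    SaasAccount("DiagramIt", "diagrams", "j.lee",   False, False, date(2024, 6, 25)),
    SaasAccount("ChartPad",  "diagrams", "r.patel", False, True,  date(2024, 6, 1)),
]

# Constructed HR leaver feed: user -> termination date.
OFFBOARDED = {"m.ortiz": date(2024, 5, 1)}

TODAY = date(2024, 6, 30)
INACTIVE_AFTER = timedelta(days=60)   # constructed idle threshold for seat reclamation


def unmanaged_apps(inventory):
    """Apps with at least one account that does not go through SSO."""
    return sorted({a.app for a in inventory if not a.sso_managed})


def orphaned_accounts(inventory, offboarded):
    """Accounts still present for users HR has offboarded.

    Accounts in non-SSO apps are flagged because the IdP cannot have
    revoked them; activity after the termination date shows the
    credential was still usable.
    """
    findings = []
    for a in inventory:
        term = offboarded.get(a.user)
        if term is None:
            continue
        findings.append({
            "app": a.app,
            "user": a.user,
            "outside_sso": not a.sso_managed,
            "active_after_termination": a.last_active > term,
        })
    return findings


def reclaimable_licenses(inventory, today, inactive_after):
    """Paid seats idle for longer than `inactive_after`."""
    return [(a.app, a.user) for a in inventory
            if a.licensed and today - a.last_active > inactive_after]


def redundant_tools(inventory):
    """Categories served by more than one app, with each app's user count."""
    apps_by_cat = defaultdict(lambda: defaultdict(set))
    for a in inventory:
        apps_by_cat[a.category][a.app].add(a.user)
    return {cat: {app: len(users) for app, users in apps.items()}
            for cat, apps in apps_by_cat.items() if len(apps) > 1}


def governance_report(inventory=INVENTORY, offboarded=OFFBOARDED, today=TODAY):
    """One shared view for security (access risk) and finance (spend)."""
    return {
        "unmanaged_apps": unmanaged_apps(inventory),
        "orphaned_accounts": orphaned_accounts(inventory, offboarded),
        "reclaimable_licenses": reclaimable_licenses(inventory, today, INACTIVE_AFTER),
        "redundant_tools": redundant_tools(inventory),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(governance_report(), indent=2, default=str))
```

Run as a script it prints the report as JSON; the useful signal in the sample data is the `NoteBox` row for the offboarded user, which is outside SSO and was active after the termination date, exactly the case SSO-only deprovisioning misses. In practice the inventory and leaver feed would come from the discovery tool and HR system rather than inline constants, and the idle threshold should match whatever the renewal cycle treats as "unused".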

What's in the full article

1Password's full post covers the operational detail this post intentionally leaves for the source:

  • How 1Password SaaS Manager continuously discovers unsanctioned apps across the business
  • How automated offboarding and license reclamation are handled for apps outside the IdP
  • How the product surfaces unused licenses and redundant tools for renewal decisions
  • How the workflow connects IT, security, and finance views of SaaS usage

👉 Read 1Password's analysis of unsanctioned SaaS and shadow IT governance →
