
Credential sprawl beyond SSO and PAM on June 18


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9063
Topic starter  

TL;DR: Credential sprawl is spreading across departments, SaaS apps, and AI tools outside SSO, leaving unmanaged accounts and reused passwords in the gaps between SSO and PAM, according to 1Password. The practical issue is not tool absence but governance blind spots across provisioned and unprovisioned identities.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams govern accounts created outside SSO?

A: Security teams should treat every externally created business account as an identity asset with an owner, a purpose, and a retirement trigger.

Q: Why do SSO and PAM still leave credential sprawl risk behind?

A: SSO covers federated applications and PAM covers elevated access, but credential sprawl lives in the unmanaged middle.

Practitioner guidance

  • Inventory all business-used accounts outside SSO: build a department-level register of SaaS apps, AI tools, and external services that employees access with work email but without federated sign-in.
  • Separate privileged governance from everyday credential governance: keep PAM focused on elevated access, but add a parallel control set for non-privileged credentials created by users in SaaS and AI tools.
  • Tie offboarding to account creation provenance: require every externally created account to have an internal owner and a defined retirement trigger, such as role change, project end, or vendor removal.

What to expect at the briefing

1Password's live demo covers the operational detail this post intentionally leaves for the source:

  • Department-by-department use cases showing where credential sprawl is growing fastest across AI tools and SaaS apps
  • Live walkthrough of the control gaps that remain when SSO and PAM are the only governance layers in place
  • Practical examples of how wall-to-wall credential management can be applied without disrupting day-to-day work
  • Alternate session registration for teams that need a time-zone-friendly briefing

👉 Register for 1Password's live demo on credential sprawl and secret leakage →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8499
 

Credential sprawl is an identity governance problem, not a password hygiene problem. The article shows that exposure is concentrated in the gap between SSO-covered apps and privileged accounts managed by PAM. That gap is where employees create business-critical access that no one inventories, certifies, or retires on schedule. Practitioners should treat it as a lifecycle failure across NHI and human identity programmes.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: Who should be accountable for unmanaged business accounts?

A: Accountability should sit with the business owner, but operational control belongs with IAM and security. If no owner is assigned, the account will drift outside lifecycle management and become difficult to retire. Governance only works when ownership, technical enforcement, and offboarding are linked.

👉 Read our full editorial: Credential sprawl is exposing gaps beyond SSO and PAM on June 18

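Added example, not code from either post, from 1Password or from the reports cited: a small Python reconciliation of the account register the practitioner guidance describes (owner, purpose, retirement trigger) against SSO and PAM coverage, which also flags the ownerless accounts the second post says will drift out of lifecycle management. All app names, people, projects and vendors are constructed sample data.

```python
# Added example (not from the posts or from 1Password): reconcile a constructed register of
# externally created accounts against SSO/PAM coverage, the HR roster and retirement triggers.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    app: str
    user: str                       # work e-mail (or service identity) that signed up
    owner: Optional[str]            # internal owner accountable for the account
    purpose: str
    retire_on: str                  # "role_change" | "project_end" | "vendor_removal"
    role: Optional[str] = None      # user's role when the account was created
    project: Optional[str] = None
    vendor: Optional[str] = None

# Constructed sample data (hypothetical apps, people, projects and vendors).
SSO_APPS = {"salesforce"}                          # federated sign-in
PAM_ACCOUNTS = {("prod-db", "svc-backup")}         # privileged, vaulted
ACTIVE_STAFF = {"ana@corp.example": "analyst", "ben@corp.example": "engineer"}
ENDED_PROJECTS = {"migration-q1"}
REMOVED_VENDORS = {"oldvendor"}

REGISTER = [
    Account("salesforce", "ana@corp.example", "ana@corp.example", "CRM", "role_change", role="analyst"),
    Account("ai-notes", "ana@corp.example", None, "meeting summaries", "role_change", role="intern"),
    Account("designtool", "ben@corp.example", "ben@corp.example", "mockups", "project_end", project="migration-q1"),
    Account("vendor-portal", "cy@corp.example", "ben@corp.example", "invoices", "vendor_removal", vendor="oldvendor"),
    Account("prod-db", "svc-backup", "ben@corp.example", "backups", "role_change"),
]

def classify(acct, roster=ACTIVE_STAFF, ended=ENDED_PROJECTS, removed=REMOVED_VENDORS):
    # Returns findings for one account; an empty list means it is already governed.
    if acct.app in SSO_APPS or (acct.app, acct.user) in PAM_ACCOUNTS:
        return []                           # covered by a federated or privileged control
    findings = ["outside_sso_and_pam"]      # the unmanaged middle between SSO and PAM
    if acct.owner is None:
        findings.append("no_owner")         # will drift out of lifecycle management
    elif acct.owner not in roster:
        findings.append("owner_departed")
    if acct.user not in roster:
        findings.append("user_departed")
    if acct.retire_on == "role_change" and roster.get(acct.user) != acct.role:
        findings.append("retire:role_change")
    if acct.retire_on == "project_end" and acct.project in ended:
        findings.append("retire:project_end")
    if acct.retire_on == "vendor_removal" and acct.vendor in removed:
        findings.append("retire:vendor_removal")
    return findings
```

Run `classify` over the register and route every non-empty result to the account's owner (or to IAM when there is none); the SSO- and PAM-covered entries come back empty, the rest are the gap the posts describe.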