TL;DR: Credential sprawl now extends across SaaS apps, AI tools, and unmanaged accounts outside SSO, with 54% of organisations dissatisfied with their current secrets management solution because not all secrets are secured, according to Akeyless research. The control gap is no longer theoretical: departments are building access paths faster than security teams can govern them.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: What breaks when employees create accounts outside SSO and PAM coverage?
A: Accounts created outside SSO and PAM usually lack central ownership, lifecycle records, and consistent authentication controls.
Q: Why do unmanaged SaaS and AI tool logins increase IAM risk?
A: Unmanaged logins bypass the identity processes that give teams visibility into access, ownership, and offboarding.
Practitioner guidance
- Inventory unmanaged credentials across departments. Start with SaaS apps, AI tools, and business systems that allow account creation outside SSO.
- Extend governance beyond privileged access. Do not limit review cycles to PAM-scoped accounts.
- Create lifecycle ownership for shadow accounts. Assign accountable owners to any account that was created with a work email and never provisioned through the identity platform.
What to expect at the briefing
1Password's full webinar covers the operational detail this post intentionally leaves for the source:
- Department-by-department examples of where credential sprawl is forming outside SSO
- Walkthroughs of how 1Password EPM is positioned to close gaps left by SSO and PAM
- Live use cases showing how teams can govern credentials without changing day-to-day work
- Details on the alternate session for viewers in different time zones
Credential sprawl outside SSO: what IAM teams need to fix by June 30, 2026?
Explore further
Credential sprawl is a governance failure, not just an authentication problem. SSO and PAM solve different parts of the identity surface, but neither controls the long tail of accounts created directly by business users in SaaS or AI tools. That means the real exposure sits in identities that were never formally provisioned yet still hold operational access. Practitioners should treat unmanaged credential creation as an identity governance blind spot, not a user convenience issue.
A few things that frame the scale:
- 54% of organisations are dissatisfied with their current secrets management solution because not all secrets are secured, and 43% cite lack of central management, according to The 2024 State of Secrets Management Survey.
- 88% of security professionals are concerned about secrets sprawl, with 49% of those in larger organisations described as "very concerned".
A question worth separating out:
Q: Who should own the gap between SSO, PAM, and unmanaged credentials?
A: Ownership should sit with identity governance, but execution must be shared with application, department, and security teams. The key is to make every credential accountable to a named business and technical owner, because no single tool can close the gap if the organisation has not defined responsibility for it.
👉 Read our full editorial: Credential sprawl is outpacing SSO and PAM controls in 2026