TL;DR: SaaS oversight is becoming an identity lifecycle problem, not just an inventory problem. 1Password’s quarterly security spotlight says SaaS Manager is being used to control SaaS spend, automate provisioning and deprovisioning, and streamline access reviews across the employee lifecycle.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should teams govern SaaS access across the employee lifecycle?
A: They should bind SaaS access to joiner, mover, and leaver events, then automate provisioning, access reviews, and deprovisioning from the same identity record.
Q: Why do access reviews often fail in SaaS environments?
A: They fail when reviewers do not have enough context to judge whether access is still needed.
Practitioner guidance
- Map SaaS applications to lifecycle events: Tie every application to a joiner, mover, and leaver trigger so provisioning and removal follow the same authoritative identity record.
- Automate deprovisioning for offboarding and role changes: Remove access when employment status, contractor status, or job function changes rather than relying on manual cleanup after the fact.
- Require usage context in access reviews: Give reviewers app ownership, last-use data, and entitlement scope so they can decide whether access is still justified.
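One way to combine the three guidance points above is a reconciliation pass over SaaS entitlements, shown here as an added example that is not code from 1Password or the original post. The identity feed, the role-to-app baseline, the sample accounts and the 90-day staleness threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumptions, not from the original post).
IDENTITIES = {  # authoritative identity record, e.g. an HR feed
    "alice": {"status": "active", "role": "engineer"},
    "bob": {"status": "terminated", "role": "engineer"},
    "carol": {"status": "active", "role": "finance"},  # mover: was engineer
}
# Hypothetical baseline of which apps each role is entitled to.
ROLE_APPS = {"engineer": {"github", "jira"}, "finance": {"netsuite", "jira"}}
ENTITLEMENTS = [  # (user, app, scope, app owner, last use) per SaaS account
    ("alice", "github", "admin", "eng-platform", date(2024, 5, 28)),
    ("alice", "jira", "member", "it-ops", date(2024, 1, 2)),
    ("bob", "github", "member", "eng-platform", date(2024, 5, 30)),
    ("carol", "github", "member", "eng-platform", date(2024, 5, 1)),
    ("carol", "netsuite", "approver", "finance-ops", None),
    ("dave", "jira", "member", "it-ops", date(2024, 5, 20)),
]

def reconcile(identities, role_apps, entitlements, today, stale_days=90):
    """Return one decision per entitlement, with the context a reviewer needs."""
    decisions = []
    for user, app, scope, owner, last_used in entitlements:
        ident = identities.get(user)
        idle = (today - last_used).days if last_used else None
        if ident is None:
            # Account exists in the app but not in the identity source.
            action, reason = "deprovision", "no identity record"
        elif ident["status"] != "active":
            action, reason = "deprovision", "leaver"
        elif app not in role_apps.get(ident["role"], set()):
            action, reason = "deprovision", "mover: app not in current role"
        elif idle is None or idle > stale_days:
            # Still in role, so a human decides, with usage context attached.
            action, reason = "review", "stale or never used"
        else:
            action, reason = "keep", "in role and recently used"
        decisions.append({"user": user, "app": app, "action": action,
                          "reason": reason, "owner": owner, "scope": scope,
                          "idle_days": idle})
    return decisions

if __name__ == "__main__":
    for d in reconcile(IDENTITIES, ROLE_APPS, ENTITLEMENTS, date(2024, 6, 1)):
        print(d)
```

Leaver, mover and unmatched accounts are removed without waiting for a review cycle, while in-role but idle access goes to a reviewer together with owner, scope and idle time.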
What to expect at the briefing
1Password's full webinar covers the operational detail this post intentionally leaves for the source:
- The live walkthrough of how SaaS Manager is being used to automate provisioning and deprovisioning across the employee lifecycle.
- The discussion of how full SaaS visibility exposed unnecessary spend and access blind spots.
- The fireside chat format with Wendy Nather and Jordan Rickards, which adds implementation context beyond the summary here.
- The broader portfolio update section, which covers recent product changes not unpacked in this analysis.
SaaS Manager and access reviews: what this means for IAM teams
Explore further
SaaS visibility gaps are now lifecycle gaps, not just shadow IT gaps. When teams cannot see the full application estate, they also cannot reliably govern provisioning, access reviews, or deprovisioning. That is why the operational problem sits inside identity governance, not outside it. Practitioners should treat visibility as the prerequisite for every downstream control.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing that remediation delays are still a governance problem, not just a technical one.
A question worth separating out:
Q: What is the difference between access review and deprovisioning?
A: Access review decides whether access should continue, while deprovisioning removes access that is no longer justified. Reviews are governance decisions and deprovisioning is the enforcement step. Strong programmes need both, because review without removal leaves stale access in place.
👉 Read our full editorial: 1Password roadmap review shows SaaS governance moving into IAM