TL;DR: SaaS Manager is being used to surface blind spots, reduce unnecessary SaaS spend, and automate provisioning, deprovisioning, and access reviews across the employee lifecycle, according to 1Password. The real issue is not tooling breadth but whether lifecycle governance can keep pace with app sprawl and manual IT overhead.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should teams govern SaaS access across the employee lifecycle?
A: Teams should connect identity lifecycle events to SaaS provisioning, deprovisioning, and review workflows so access changes with role, transfer, and exit events.
Q: Why do hidden SaaS apps create access governance risk?
A: Hidden SaaS apps create risk because governance depends on knowing what exists, who owns it, and which accounts still have active access.
Practitioner guidance
- Map the full SaaS estate before cleaning up access Inventory sanctioned and unsanctioned applications, owners, and current entitlement paths so reviews and deprovisioning are based on complete scope rather than partial visibility.
- Tie joiner-mover-leaver events to SaaS entitlement changes Automate provisioning and deprovisioning triggers from HR or directory state so access removal happens when role or employment status changes, not after manual follow-up.
- Make access reviews produce removals, not just attestations Require approvers to confirm business need, usage, and ownership, then route revoked access directly into remediation workflows so the review has a measurable outcome.
What to expect at the briefing
1Password's full webinar covers the operational detail this post intentionally leaves for the source:
- How 1Password says SaaS Manager eliminates blind spots in the SaaS environment
- How the webinar describes provisioning and deprovisioning automation across the employee lifecycle
- What the fireside chat says about reducing unnecessary SaaS spend and manual IT overhead
- Which recent product portfolio updates may affect existing 1Password deployments
👉 Watch 1Password's quarterly security spotlight on SaaS visibility and lifecycle automation →
SaaS visibility and lifecycle access: what 1Password customers should watch?
Explore further
Lifecycle governance, not point tooling, is the real control plane in SaaS sprawl. The webinar points to a familiar problem: organisations often discover that access, spend, and ownership drift faster than manual processes can keep up. That is not just an IT efficiency issue, because untracked SaaS access creates hidden governance exposure across human identities and delegated administration. The practical conclusion is that lifecycle control must be treated as the operating model, not a periodic clean-up exercise.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when SaaS access is not revoked on time?
A: Accountability usually sits across identity operations, application owners, and the business manager who approved the access. If ownership is unclear, revoked access lingers and no one can prove who should have closed the loop. Governance works when every entitlement has a responsible owner and a revocation path.
👉 Read our full editorial: 1Password’s SaaS visibility push changes employee lifecycle access