TL;DR: Unapproved AI tools, shadow SaaS, and apps outside SSO create unmanaged access sprawl that manual onboarding and offboarding cannot keep up with, according to 1Password. The governance problem is not just visibility, but lifecycle control across discovery, access review, and license reclamation.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams govern shadow SaaS that appears outside SSO?
A: Start by treating shadow SaaS as an access governance problem, not just an inventory issue.
Q: Why do unmanaged apps outside SSO increase identity risk?
A: Because SSO is often the point where governance, logging, and lifecycle control become dependable.
Practitioner guidance
- Map unmanaged application exposure: compare discovered employee applications against the approved SSO catalogue, then assign an owner to every app that appears outside the current control set.
- Automate access review triggers: trigger SaaS access reviews from observed usage and app status changes, not from a fixed quarterly calendar or manual spreadsheet.
- Tie offboarding to app-level revocation: remove app access when users leave or move roles, and verify that offboarding covers applications outside SSO as well as those in the main directory.
What to expect at the briefing
1Password's full demo covers the operational detail this post intentionally leaves for the source:
- A walkthrough of how SaaS Manager surfaces approved and unapproved apps across employee usage patterns.
- A look at the workflow for discovery, onboarding, offboarding, access requests, access reviews, and license reclamation.
- The demo's framing for reclaiming unused licenses and reducing SaaS spend with employee usage data.
- How the platform positions a single integrated workflow for IT, Finance, and Security teams.
👉 Watch 1Password's demo of SaaS Manager for shadow app discovery and lifecycle control →
Shadow SaaS and unapproved AI tools: what IAM teams need to see
Explore further
Shadow SaaS is an identity governance failure before it becomes an inventory problem. When employees can adopt applications outside SSO, the organisation loses its authoritative view of who has access to what. That breaks recertification, offboarding, and accountability in the same move. The common practitioner mistake is treating discovery as a reporting exercise rather than as the front door to identity control. The implication is straightforward: unmanaged app adoption should be governed as an access lifecycle issue, not as a procurement exception.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure, according to the same research.
A question worth separating out:
Q: How do organisations reduce SaaS waste without creating access risk?
A: Use usage telemetry to identify dormant licenses, then confirm whether the account is still needed before reclaiming it. The safest programmes connect finance and security workflows so cost optimisation does not become accidental access removal. Reclamation should always follow evidence, not assumptions.
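The reconciliation the practitioner guidance above describes (discovered usage against the SSO catalogue, offboarding gaps, and dormant licenses queued for review rather than auto-removed), written as an added Python example; it is not 1Password's or SaaS Manager's code, and every app name, user, status and date in it is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inputs (hypothetical; not exported from any real tool).
SSO_CATALOGUE = {"okta-hr", "jira", "slack"}          # apps behind SSO
HR_DIRECTORY = {"alice": "active", "bob": "departed", "carol": "active"}


@dataclass(frozen=True)
class Usage:
    """One observed (user, app) relationship from discovery telemetry."""
    user: str
    app: str
    last_seen: date


DISCOVERED = [
    Usage("alice", "jira", date(2025, 6, 1)),
    Usage("bob", "slack", date(2025, 5, 20)),
    Usage("bob", "chatgpt-team", date(2025, 5, 25)),   # unapproved AI tool
    Usage("carol", "notion", date(2025, 2, 1)),        # outside SSO, idle
    Usage("carol", "jira", date(2025, 6, 2)),
]


def apps_outside_sso(usage, catalogue):
    """Apps seen in telemetry but absent from the SSO catalogue: each needs an owner."""
    return sorted({u.app for u in usage} - catalogue)


def offboarding_gaps(usage, directory):
    """(user, app) pairs where a non-active user still has observed access.

    Covers apps outside SSO too, since directory deprovisioning alone misses them.
    """
    return sorted((u.user, u.app) for u in usage
                  if directory.get(u.user) != "active")


def dormant_licenses(usage, today, days=60):
    """(user, app) pairs idle for `days`: review candidates, not automatic removals."""
    latest = {}
    for u in usage:  # keep the most recent sighting per (user, app)
        key = (u.user, u.app)
        latest[key] = max(latest.get(key, u.last_seen), u.last_seen)
    cutoff = today - timedelta(days=days)
    return sorted(k for k, seen in latest.items() if seen < cutoff)


if __name__ == "__main__":
    print("outside SSO:", apps_outside_sso(DISCOVERED, SSO_CATALOGUE))
    print("offboarding gaps:", offboarding_gaps(DISCOVERED, HR_DIRECTORY))
    print("dormant:", dormant_licenses(DISCOVERED, date(2025, 6, 10)))
```

The dormant list is deliberately separate from the offboarding list: the first feeds an access review, the second a revocation, which keeps cost reclamation from silently becoming access removal.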
👉 Read our full editorial: SaaS sprawl and shadow AI expose unmanaged access gaps