TL;DR: Shadow IT is no longer just an app sprawl problem: 52% of employees have downloaded apps without IT approval, and unmanaged SaaS and AI tools can create authenticated access paths that traditional IAM monitoring misses, according to 1Password. The governance issue is not discovery alone, but whether teams can see, review, and revoke non-SSO access before it becomes standing privilege.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- 52% of employees have downloaded apps without IT approval.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams govern SaaS and AI tools that sit outside SSO?
A: Start by inventorying every out-of-band access path, including OAuth grants, shared credentials, and vendor-specific admin accounts.
Q: Why do unmanaged SaaS apps create identity risk even when users sign in legitimately?
A: Because valid authentication does not equal valid governance: the sign-in proves who the user is, but nobody has reviewed what the app can do with the resulting token, who owns that grant, or whether it will be revoked when the user leaves.
Practitioner guidance
- Inventory unmanaged SaaS and AI access paths: Pull together OAuth grants, browser-extension sign-ins, shared vault credentials, and vendor-specific admin accounts into one reviewable list so you can see where access lives outside SSO and who owns each grant.
- Classify access by lifecycle state: Tag each discovered app or tool as approved, tolerated, or orphaned, then assign a named owner and retirement date so the access object can move through joiner-mover-leaver controls instead of remaining in limbo.
- Review OAuth scopes and token lifetime: Compare each third-party connection against actual business need, remove elevated scopes where possible, and shorten token lifetime where the tool does not require persistent access.
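The three steps above, inventory, lifecycle classification and scope/lifetime review, can be run as one triage pass over a grant export. The script below is an added example for this post, not 1Password's code or a feature of its products. The grant records, the active-employee set, the substrings used to mark a scope as elevated and the 90-day thresholds are all constructed assumptions; a real run would read the inventory from the identity provider or each vendor's admin console and take the employee list from the HR system of record.

```python
"""Triage an inventory of OAuth grants that live outside SSO.

Added example; not 1Password's code and not the NHIMG post's. Sample data,
scope markers and thresholds are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: substrings that mark a scope as elevated. Providers name scopes
# differently, so this is a starting list, not a standard.
ELEVATED_SCOPE_MARKERS = ("admin", "write", "full", "delete", "mail.send")
MAX_UNUSED_DAYS = 90          # unused longer than this -> revoke candidate
MAX_TOKEN_LIFETIME_DAYS = 90  # lifetime longer than this -> shorten


def ts(year: int, month: int, day: int) -> datetime:
    """Timezone-aware timestamp helper for the constructed sample data."""
    return datetime(year, month, day, tzinfo=timezone.utc)


NOW = ts(2025, 6, 1)  # fixed "now" so the triage result is deterministic


@dataclass
class Grant:
    app: str
    owner: str
    scopes: list[str]
    granted_at: datetime
    last_used: Optional[datetime]   # None = never used since grant
    expires_at: Optional[datetime]  # None = non-expiring token
    approved: bool = False          # True only after a documented review


# Constructed inventory: vendor-console OAuth grants plus an AI tool sign-in.
ACTIVE_EMPLOYEES = {"alice", "bob"}  # carol has left the company

SAMPLE_GRANTS = [
    Grant("Cursor", "alice", ["repo:read"], ts(2025, 5, 1), ts(2025, 5, 30),
          ts(2025, 6, 30), approved=True),
    Grant("LegacyCRM-sync", "carol", ["contacts.readwrite", "mail.send"],
          ts(2024, 1, 15), ts(2025, 5, 28), None),
    Grant("Slack-summarizer", "bob", ["channels:history", "chat:write"],
          ts(2024, 11, 1), ts(2025, 1, 10), ts(2025, 11, 1)),
    Grant("ChatGPT", "bob", ["openid", "email"], ts(2025, 4, 1),
          ts(2025, 5, 31), None),
]


def lifecycle_state(grant: Grant, active_users: set[str]) -> str:
    """Approved / tolerated / orphaned, as in the guidance above."""
    if grant.owner not in active_users:
        return "orphaned"  # owner is gone, so the leaver process never fired
    return "approved" if grant.approved else "tolerated"


def findings(grant: Grant, now: datetime = NOW) -> list[str]:
    """Scope, token-lifetime and usage checks for a single grant."""
    issues = []
    elevated = [s for s in grant.scopes
                if any(m in s.lower() for m in ELEVATED_SCOPE_MARKERS)]
    if elevated:
        issues.append("elevated scopes: " + ", ".join(elevated))
    if grant.expires_at is None:
        issues.append("non-expiring token")
    elif grant.expires_at - grant.granted_at > timedelta(days=MAX_TOKEN_LIFETIME_DAYS):
        days = (grant.expires_at - grant.granted_at).days
        issues.append(f"token lifetime {days} days exceeds {MAX_TOKEN_LIFETIME_DAYS}")
    if grant.last_used is None:
        issues.append("never used")
    elif now - grant.last_used > timedelta(days=MAX_UNUSED_DAYS):
        issues.append(f"unused for {(now - grant.last_used).days} days")
    return issues


def recommended_action(state: str, issues: list[str]) -> str:
    """revoke: standing access nobody needs; reduce: narrow scope or lifetime."""
    if state == "orphaned" or any(i.startswith(("unused", "never used")) for i in issues):
        return "revoke"
    return "reduce" if issues else "keep"


def triage(grants: list[Grant], active_users: set[str],
           now: datetime = NOW) -> list[dict]:
    """One row per grant, revocations first, so review starts at the top."""
    order = {"revoke": 0, "reduce": 1, "keep": 2}
    rows = []
    for g in grants:
        state = lifecycle_state(g, active_users)
        issues = findings(g, now)
        rows.append({"app": g.app, "owner": g.owner, "state": state,
                     "issues": issues, "action": recommended_action(state, issues)})
    return sorted(rows, key=lambda r: (order[r["action"]], r["app"]))


if __name__ == "__main__":
    for row in triage(SAMPLE_GRANTS, ACTIVE_EMPLOYEES):
        print(f"{row['action']:6} {row['state']:9} {row['app']:16} "
              f"{row['owner']:6} {'; '.join(row['issues']) or '-'}")
```

Two design points are worth keeping if you adapt this to a real export. First, orphaned status is decided purely from the HR roster, not from whether the token still works: the LegacyCRM-sync grant above is still being used daily by an automation, which is exactly the standing privilege the post warns about. Second, "reduce" and "revoke" are deliberately separate outcomes so that a long-lived but actively used, approved integration lands on a scope-narrowing ticket rather than being cut off.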
What to expect at the briefing
1Password's full webinar recap covers the operational detail this post intentionally leaves for the source:
- A live demo of Vault Insights and Browser Insights for discovering risky logins and unapproved app usage.
- The Account Risk Report workflow for prioritising discovered credentials by exposure level.
- Account Governance actions for taking over or remediating sensitive and shared accounts.
- The AI integration walkthrough covering ChatGPT, Claude, Cursor, and Google Gemini lifecycle administration.
👉 Read 1Password's webinar recap on governing SaaS apps and AI tools outside SSO →
Unmanaged SaaS and AI tools outside SSO: are controls keeping up?