TL;DR: AI and SaaS adoption is widening governance gaps as employees use approved and unapproved tools, with 52% downloading apps without IT approval and 27% using unapproved AI-based applications, according to 1Password’s 2025 Annual Report: The Access Trust Gap. The practical issue is not just visibility, but whether access, auditability, and token governance still hold when users and agents operate outside SSO.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- 52% of employees have downloaded apps without IT approval.
- 27% have worked on AI-based applications their employer did not approve.
Questions worth separating out
Q: How should security teams govern SaaS and AI tools that sit outside SSO?
A: Security teams should treat out-of-SSO apps as identity-governed assets, not informal productivity tools.
Q: Why do unapproved SaaS and AI apps create identity risk?
A: They create risk because access can be granted once and then continue operating outside normal identity controls.
Q: What breaks when SaaS governance is separated from identity governance?
A: Accountability. Once access is granted outside SSO, there is no longer a single owner for whether that access is still justified, auditable, and revocable.
Practitioner guidance
- Map app discovery across all identity sources: combine identity provider, browser, device, finance, and vault data to identify applications that never passed through SSO.
- Review OAuth consent as a lifecycle event: add consent review, token scope checks, and revocation triggers to the same workflow used for access removal.
- Tie SaaS governance to offboarding and role change: when an employee changes team, cost centre, or employment status, verify whether connected SaaS apps and AI tools are still justified.
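The three steps above form one workflow: discover apps the IdP never saw, then treat each OAuth consent as something that has to be re-justified when the user's status or role changes. The script below is an added example of that workflow, not 1Password's code or anything from the report. All inputs (the federated app list, per-source discovery results, the HR snapshot, the grant records and the `BROAD_SCOPES` list) are constructed sample data; in practice they would be exports from the identity provider, browser extension, MDM inventory, finance system and vault.

```python
"""Reconcile app discovery across identity sources, then review OAuth
grants as lifecycle events. Added example with constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# --- Constructed sample data (not from the report) -----------------------

# Applications federated through the identity provider (behind SSO).
SSO_APPS: Set[str] = {"workspace-suite", "ticketing"}

# Applications observed by each non-IdP source. Real sources would be a
# browser extension, device inventory, expense exports and vault entries.
DISCOVERED: Dict[str, Set[str]] = {
    "browser": {"workspace-suite", "ai-notes", "diagram-tool"},
    "device": {"ticketing", "ai-notes"},
    "finance": {"diagram-tool", "ai-notes", "design-cloud"},
    "vault": {"design-cloud", "ticketing"},
}

# Current HR snapshot: user -> (employment status, team).
HR: Dict[str, Tuple[str, str]] = {
    "alice": ("active", "eng"),
    "bob": ("terminated", "sales"),
    "carol": ("active", "finance"),
    "dave": ("active", "eng"),
}

# Scopes treated as broad. This set is an assumption; tune it per tenant.
BROAD_SCOPES: FrozenSet[str] = frozenset(
    {"mail.read", "files.readwrite.all", "directory.read.all"}
)


@dataclass(frozen=True)
class OAuthGrant:
    user: str
    app: str
    scopes: FrozenSet[str]
    team_at_consent: str  # team the user belonged to when consent was recorded


# Constructed OAuth consent records, as an IdP or audit export might list them.
GRANTS: List[OAuthGrant] = [
    OAuthGrant("alice", "ai-notes", frozenset({"files.readwrite.all", "offline_access"}), "eng"),
    OAuthGrant("bob", "workspace-suite", frozenset({"openid", "profile"}), "sales"),
    OAuthGrant("carol", "ticketing", frozenset({"openid"}), "support"),
    OAuthGrant("dave", "workspace-suite", frozenset({"openid", "email"}), "eng"),
]


def apps_outside_sso(sso: Set[str], discovered: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Union every discovery source and keep the apps the IdP never federated.

    Returns {app: [sources that saw it]} so each finding carries its evidence.
    """
    seen: Dict[str, Set[str]] = {}
    for source, apps in discovered.items():
        for app in apps:
            seen.setdefault(app, set()).add(source)
    return {app: sorted(src) for app, src in sorted(seen.items()) if app not in sso}


def review_grants(grants: List[OAuthGrant], hr: Dict[str, Tuple[str, str]],
                  sso: Set[str], broad: FrozenSet[str] = BROAD_SCOPES) -> List[dict]:
    """Treat each OAuth consent as a lifecycle event and decide an action.

    revoke : the grant's owner is no longer an active employee (or unknown to HR)
    review : the app is outside SSO, the scopes are broad, or the owner changed role
    ok     : none of the above
    """
    findings = []
    for g in grants:
        status, team = hr.get(g.user, ("unknown", ""))
        reasons: List[str] = []
        if status != "active":
            reasons.append(f"user is {status}")
            action = "revoke"
        else:
            if g.app not in sso:
                reasons.append("app outside SSO")
            broad_hits = sorted(g.scopes & broad)
            if broad_hits:
                reasons.append("broad scopes: " + ", ".join(broad_hits))
            if team != g.team_at_consent:
                reasons.append(f"role changed {g.team_at_consent} -> {team}")
            action = "review" if reasons else "ok"
        findings.append({"user": g.user, "app": g.app, "action": action, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for app, sources in apps_outside_sso(SSO_APPS, DISCOVERED).items():
        print(f"outside SSO: {app:15} seen by {', '.join(sources)}")
    for f in review_grants(GRANTS, HR, SSO_APPS):
        print(f"{f['action']:6} {f['user']:6} {f['app']:15} {'; '.join(f['reasons'])}")
```

The join is deliberately by app name across sources so that a tool paid for through expenses but absent from the IdP surfaces with the evidence of where it was seen. Recording the team at consent time is what lets a role change become a review trigger rather than something discovered only at offboarding.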
What's in the full announcement
1Password's full analysis covers the operational detail this post intentionally leaves for the source:
- The 400-plus integration model used to discover AI and SaaS applications outside SSO.
- The access governance workflow that includes self-service requests, automated approvals, audit trails, and OAuth token revocation.
- The spend optimisation model that ties app usage to contracts and token consumption for IT and finance teams.
- The lifecycle automation approach for removing stale access and reclaiming licenses across HR, identity, finance, and security systems.
Read 1Password's analysis of AI and SaaS governance gaps in the Gartner Magic Quadrant context.