TL;DR: AI and SaaS adoption is widening governance gaps as employees use approved and unapproved tools, with 52% downloading apps without IT approval and 27% using unapproved AI-based applications, according to 1Password’s 2025 Annual Report: The Access Trust Gap. The practical issue is not just visibility, but whether access, auditability, and token governance still hold when users and agents operate outside SSO.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- 52% of employees have downloaded apps without IT approval.
- 27% have worked on AI-based applications their employer did not approve.
Questions worth separating out
Q: How should security teams govern SaaS and AI tools that sit outside SSO?
A: Security teams should treat out-of-SSO apps as identity-governed assets, not informal productivity tools.
Q: Why do unapproved SaaS and AI apps create identity risk?
A: They create risk because access can be granted once and then continue operating outside normal identity controls.
Q: What breaks when SaaS governance is separated from identity governance?
A: What breaks is accountability.
Practitioner guidance
- Map app discovery across all identity sources Combine identity provider, browser, device, finance, and vault data to identify applications that never passed through SSO.
- Review OAuth consent as a lifecycle event Add consent review, token scope checks, and revocation triggers to the same workflow used for access removal.
- Tie SaaS governance to offboarding and role change When an employee changes team, cost centre, or employment status, verify whether connected SaaS apps and AI tools are still justified.
What's in the full announcement
1Password's full analysis covers the operational detail this post intentionally leaves for the source:
- The 400-plus integration model used to discover AI and SaaS applications outside SSO.
- The access governance workflow that includes self-service requests, automated approvals, audit trails, and OAuth token revocation.
- The spend optimisation model that ties app usage to contracts and token consumption for IT and finance teams.
- The lifecycle automation approach for removing stale access and reclaiming licenses across HR, identity, finance, and security systems.
👉 Read 1Password's analysis of AI and SaaS governance gaps in the Gartner Magic Quadrant context →
AI and SaaS governance gaps are widening as adoption accelerates?
Explore further
Unified SaaS governance is now an identity problem, not a software inventory problem. The article shows that SaaS discovery, AI tool oversight, and access governance are converging into one control domain. Once applications and tokens sit outside SSO, the question is no longer how many apps exist, but which identity relationships were created without durable oversight. Practitioners should treat SaaS governance as an extension of identity governance, not a procurement dashboard.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: What should organisations do when employees adopt AI tools without approval?
A: They should classify the tool, determine whether it touches company data, and decide quickly whether to approve, restrict, or remove it. The key is to route the decision through identity and lifecycle controls, not leave it as an isolated policy violation with no technical follow-through.
👉 Read our full editorial: SaaS governance for AI tools and agents is becoming essential