Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI and SaaS governance gaps are widening as adoption accelerates


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AI and SaaS adoption is widening governance gaps as employees use approved and unapproved tools, with 52% downloading apps without IT approval and 27% using unapproved AI-based applications, according to 1Password’s 2025 Annual Report: The Access Trust Gap. The practical issue is not just visibility, but whether access, auditability, and token governance still hold when users and agents operate outside SSO.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

Questions worth separating out

Q: How should security teams govern SaaS and AI tools that sit outside SSO?

A: Security teams should treat out-of-SSO apps as identity-governed assets, not informal productivity tools.

Q: Why do unapproved SaaS and AI apps create identity risk?

A: They create risk because access can be granted once and then continue operating outside normal identity controls.

Q: What breaks when SaaS governance is separated from identity governance?

A: What breaks is accountability.

Practitioner guidance

What's in the full announcement

1Password's full analysis covers the operational detail this post intentionally leaves for the source:

  • The 400-plus integration model used to discover AI and SaaS applications outside SSO.
  • The access governance workflow that includes self-service requests, automated approvals, audit trails, and OAuth token revocation.
  • The spend optimisation model that ties app usage to contracts and token consumption for IT and finance teams.
  • The lifecycle automation approach for removing stale access and reclaiming licenses across HR, identity, finance, and security systems.

👉 Read 1Password's analysis of AI and SaaS governance gaps in the Gartner Magic Quadrant context →

AI and SaaS governance gaps are widening as adoption accelerates?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Unified SaaS governance is now an identity problem, not a software inventory problem. The article shows that SaaS discovery, AI tool oversight, and access governance are converging into one control domain. Once applications and tokens sit outside SSO, the question is no longer how many apps exist, but which identity relationships were created without durable oversight. Practitioners should treat SaaS governance as an extension of identity governance, not a procurement dashboard.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: What should organisations do when employees adopt AI tools without approval?

A: They should classify the tool, determine whether it touches company data, and decide quickly whether to approve, restrict, or remove it. The key is to route the decision through identity and lifecycle controls, not leave it as an isolated policy violation with no technical follow-through.

👉 Read our full editorial: SaaS governance for AI tools and agents is becoming essential



   
ReplyQuote
Share: