Beyond SSO: what credential governance gaps still need fixing?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Most organisations can identify apps behind SSO, but far fewer can see the shared and sensitive logins teams use outside it, creating governance blind spots that complicate revocation, rotation, and auditability, according to 1Password. The underlying issue is that zero trust breaks down when credential-based access sits outside the control plane, not because the apps themselves are hard to secure.

NHIMG editorial — what this means for IAM teams

Questions worth separating out

Q: How should security teams govern credentials that sit outside SSO?

A: Treat them as part of the identity programme, not as informal exceptions.

Q: Why do non-SSO logins create more governance risk than teams expect?

A: Because they often survive outside normal identity provider logs and review cycles.

Q: How do you know if credential governance is actually working?

A: Look for evidence that every high-risk account has a clear owner, a defined rotation path, and a logged access-change record.

Practitioner guidance

  • Expand governance inventory beyond SSO apps: Add direct-login applications, shared vault entries, and browser-observed logins to the same access inventory used for reviews and offboarding.
  • Separate ownership from password visibility: Move sensitive accounts into workflows where IT can transfer control, revoke user access, and rotate credentials without exposing the secret to every operator.
  • Prioritise accounts by business exposure: Score credentials using access risk, data sensitivity, privilege, and attack patterns before deciding which accounts to rotate first.
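As an added illustration (not code from the original post or from 1Password), a small Python reconciliation of the three steps above: it unions a hypothetical SSO app list, a vault export and browser-observed logins, flags every non-SSO account that lacks an owner, a rotation path or a logged access-change record, and ranks the rest by a constructed exposure score. All inventories, field names and weights are assumed sample data.

```python
# Constructed sample inventories (hypothetical data, not a real export).
SSO_APPS = {"salesforce", "github", "okta-admin"}
VAULT_ENTRIES = {
    # name -> governance attributes a credential manager might export
    "aws-root": {"owner": None, "rotation_days": None, "shared": True,
                 "privilege": 3, "sensitivity": 3, "change_logged": False},
    "github": {"owner": "platform-team", "rotation_days": 90, "shared": False,
               "privilege": 2, "sensitivity": 2, "change_logged": True},
    "twitter-corp": {"owner": "marketing", "rotation_days": None, "shared": True,
                     "privilege": 1, "sensitivity": 2, "change_logged": False},
}
BROWSER_LOGINS = {"legacy-crm", "twitter-corp", "salesforce"}


def governance_gaps(sso, vault, browser):
    """Return {account: [gaps]} for every login that sits outside SSO."""
    inventory = set(vault) | set(browser)   # one inventory, not three
    outside_sso = inventory - sso
    report = {}
    for name in sorted(outside_sso):
        attrs = vault.get(name)
        gaps = []
        if attrs is None:
            # Seen in the browser but never vaulted: nobody can revoke or rotate it
            gaps.append("not in vault (seen only in browser)")
        else:
            if not attrs["owner"]:
                gaps.append("no owner")
            if attrs["rotation_days"] is None:
                gaps.append("no rotation path")
            if not attrs["change_logged"]:
                gaps.append("access changes not logged")
        report[name] = gaps
    return report


def exposure_score(attrs):
    """Additive score (assumed weights): privilege + sensitivity + sharing + staleness."""
    score = attrs["privilege"] + attrs["sensitivity"]
    if attrs["shared"]:
        score += 2
    if attrs["rotation_days"] is None:
        score += 2
    return score


def rotation_priority(vault, sso):
    """Non-SSO vault entries ordered by descending exposure score, then name."""
    ranked = [(exposure_score(a), n) for n, a in vault.items() if n not in sso]
    return [n for _, n in sorted(ranked, key=lambda t: (-t[0], t[1]))]
```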

What's in the full announcement

1Password's full article covers the operational detail this post intentionally leaves for the source:

  • How the integrated vault insights and browser insights are expected to surface non-SSO application usage.
  • What the account risk report weighs when ranking sensitive accounts for governance action.
  • How account governance is intended to transfer control to IT without exposing passwords to users.
  • Which compliance use cases the vendor associates with logged access changes and credential rotation.

👉 Read 1Password’s article on extending governance beyond SSO →
