TL;DR: Most organisations can identify apps behind SSO, but far fewer can see the shared and sensitive logins teams use outside it, creating governance blind spots that complicate revocation, rotation, and auditability, according to 1Password. The underlying issue is that zero trust breaks down when credential-based access sits outside the control plane, not because the apps themselves are hard to secure.
NHIMG editorial — what this means for IAM teams
Questions worth separating out
Q: How should security teams govern credentials that sit outside SSO?
A: Treat them as part of the identity programme, not as informal exceptions.
Q: Why do non-SSO logins create more governance risk than teams expect?
A: Because they often survive outside normal identity provider logs and review cycles.
Q: How do you know if credential governance is actually working?
A: Look for evidence that every high-risk account has a clear owner, a defined rotation path, and a logged access-change record.
Practitioner guidance
- Expand governance inventory beyond SSO apps: add direct-login applications, shared vault entries, and browser-observed logins to the same access inventory used for reviews and offboarding.
- Separate ownership from password visibility: move sensitive accounts into workflows where IT can transfer control, revoke user access, and rotate credentials without exposing the secret to every operator.
- Prioritise accounts by business exposure: score credentials using access risk, data sensitivity, privilege, and attack patterns before deciding which accounts to rotate first.
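As an added worked example (not code from 1Password or from this editorial), the following Python merges SSO apps, vault entries and browser-observed logins into one inventory, applies the three evidence checks from the Q&A above (clear owner, rotation path, logged access change), and ranks the accounts that fail them. The app names, the sample records and the scoring weights are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Account:
    """One credential-backed login, whether or not it sits behind SSO."""
    app: str
    sources: Set[str]                    # seen via "sso", "vault" and/or "browser"
    owner: Optional[str] = None          # accountable team, not whoever used it last
    rotation_path: Optional[str] = None  # runbook or automation that rotates it
    access_log: List[str] = field(default_factory=list)  # logged access changes
    sensitivity: int = 1                 # data sensitivity, 1 (low) .. 3 (high)
    privilege: int = 1                   # 1 (user) .. 3 (admin/root)
    shared: bool = False                 # used by more than one person

def build_inventory(sso_apps, vault_entries, browser_logins):
    """Merge SSO apps, vault entries and browser-observed logins into one inventory."""
    inv = {}
    for src, apps in (("sso", sso_apps), ("vault", vault_entries), ("browser", browser_logins)):
        for app in apps:
            inv.setdefault(app, Account(app, set())).sources.add(src)
    return inv

def governance_gaps(acct):
    """The three evidence checks: clear owner, rotation path, access-change record."""
    checks = {"no owner": acct.owner is None, "no rotation path": acct.rotation_path is None,
              "no access-change log": not acct.access_log}
    return [label for label, failed in checks.items() if failed]

def risk_score(acct):
    score = acct.sensitivity * acct.privilege          # weights here are an assumption
    score += 3 if "sso" not in acct.sources else 0     # outside the identity control plane
    score += 2 if acct.shared else 0                   # shared: no single accountable user
    return score

def prioritise(inventory):
    """Accounts failing at least one check, highest risk first, then by name."""
    rows = [(risk_score(a), a.app, governance_gaps(a)) for a in inventory.values()]
    return sorted((r for r in rows if r[2]), key=lambda r: (-r[0], r[1]))

def sample_inventory():
    """Constructed sample data, not taken from the article."""
    inv = build_inventory({"crm"}, {"payroll-admin", "brand-social"}, {"aws-root", "crm", "brand-social"})
    inv["aws-root"].sensitivity, inv["aws-root"].privilege, inv["aws-root"].shared = 3, 3, True
    inv["payroll-admin"].owner, inv["payroll-admin"].rotation_path = "finance-it", "RB-12"
    inv["payroll-admin"].access_log.append("2025-01-02 control transferred to finance-it")
    inv["brand-social"].owner, inv["brand-social"].shared = "marketing", True
    inv["crm"].owner, inv["crm"].rotation_path = "sales-ops", "idp-managed"   # federated, governed
    inv["crm"].access_log.append("2025-01-05 reviewed in quarterly access review")
    return inv
```

Running `prioritise(sample_inventory())` surfaces the browser-only root account and the shared social login, while the vault-held payroll account passes all three checks despite sitting outside SSO.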
What's in the full announcement
1Password's full article covers the operational detail this post intentionally leaves for the source:
- How the integrated vault insights and browser insights are expected to surface non-SSO application usage.
- What the account risk report weighs when ranking sensitive accounts for governance action.
- How account governance is intended to transfer control to IT without exposing passwords to users.
- Which compliance use cases the vendor associates with logged access changes and credential rotation.
👉 Read 1Password’s article on extending governance beyond SSO →
Beyond SSO: what credential governance gaps still need fixing?
Explore further
Zero trust fails when it stops at SSO. The article shows that many organisations can govern federated access while leaving direct credentials, browser logins, and shared app accounts outside the policy boundary. That is not a visibility nuance; it is a structural gap in how access governance is defined. The implication is that practitioners must treat non-SSO credentials as first-class identity assets, not as exception handling.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- Our research also found that 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits.
A question worth separating out:
Q: Who should own non-SSO credentials when an employee changes roles or leaves?
A: The organisation should own them, not the individual who happened to use them last. Access transfer, revocation, and rotation need to happen through lifecycle workflows that preserve business continuity while removing unnecessary user control. If that handoff is unclear, the account remains a personal dependency instead of a governed asset.
👉 Read our full editorial: Zero trust beyond SSO exposes the real credential governance gap