TL;DR: Access now escapes the control surface of traditional identity tools, according to 1Password’s 2025 Annual Report, which says 52% of employees downloaded apps without IT approval, 73% were encouraged to use AI, and 74% of security and IT professionals said SSO is not enough. The real problem is not adoption itself but governance built for a slower, more visible workplace than the one employees actually use.
NHIMG editorial — based on content published by 1Password: 1Password’s Annual Report 2025 on the Access-Trust Gap
By the numbers:
- 52% of employees have downloaded apps without IT approval.
- 74% of security and IT professionals say SSO is not a complete solution for securing identities.
- 34% of employees have accessed a prior employer’s account, data, or apps.
Questions worth separating out
Q: How should security teams close the access-trust gap in SaaS and AI environments?
A: Start by measuring where users actually work, not where the identity programme assumes they work.
Q: When does SSO stop being a complete identity control?
A: SSO stops being complete when it covers only part of the application estate.
Q: What do security teams get wrong about shadow AI governance?
A: They often treat shadow AI as an awareness issue when it is really a control issue.
Practitioner guidance
- Map all non-federated access paths: Inventory applications, local accounts, and AI tools that sit outside SSO so you can see where identity governance stops and shadow access begins.
- Extend offboarding checks beyond HR closure: Verify that former employees lose access to SaaS, personal accounts, and AI tools, then confirm the access trace is removed from every controlled environment.
- Classify AI tool use by data sensitivity: Set policy for what employees may input into AI systems, especially customer, employee, and confidential business data, and tie it to enforcement rather than awareness alone.
What's in the full report
1Password's full annual report covers the operational detail this post intentionally leaves for the source:
- Survey methodology across 5,200 desk-based knowledge workers and the regional breakdowns behind the headline figures
- Country-by-country comparisons for shadow IT, shadow AI, and password behaviour
- The report’s full access-trust gap framing and the supporting data tables behind each finding
- Additional context on how 1Password positions Extended Access Management in relation to unmanaged apps and AI tools
Access-trust gap in the AI era: what IAM teams need to know?
Explore further
The access-trust gap is the clearest sign that identity control is now defined by coverage, not by login success. SSO remains useful, but it no longer describes the full control surface when 30% of apps are outside federation and workers continue to adopt tools without IT approval. The governance problem is not a lack of authentication; it is a lack of visibility into where identity actually lives. Practitioners should reframe identity assurance around complete access discovery, not just central sign-in.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who is accountable when employees keep using former employer accounts or data?
A: Accountability sits with the organisation that failed to trace access across its lifecycle, not just with the worker who reused it. When a former employee can still reach data or accounts, the identity programme has not fully validated offboarding across SaaS and unmanaged access paths. That gap belongs in audit, access review, and lifecycle ownership.