Access-trust gap in the AI era: what IAM teams need to know

TL;DR: Access now escapes the control surface of traditional identity tools, according to 1Password’s 2025 Annual Report, which says 52% of employees downloaded apps without IT approval, 73% were encouraged to use AI, and 74% of security and IT professionals said SSO is not enough. The real problem is not adoption itself but governance built for a slower, more visible workplace than the one employees actually use.

NHIMG editorial — based on content published by 1Password: 1Password’s Annual Report 2025 on the Access-Trust Gap

By the numbers:

• 52% of employees have downloaded apps without IT approval.
• 74% of security and IT professionals say SSO is not a complete solution for securing identities.
• 34% of employees have accessed a prior employer’s account, data, or apps.

Questions worth separating out

Q: How should security teams close the access-trust gap in SaaS and AI environments?

A: Start by measuring where users actually work, not where the identity programme assumes they work.

Q: When does SSO stop being a complete identity control?

A: SSO stops being complete when it covers only part of the application estate.

Q: What do security teams get wrong about shadow AI governance?

A: They often treat shadow AI as an awareness issue when it is really a control issue.

Practitioner guidance

• Map all non-federated access paths Inventory applications, local accounts, and AI tools that sit outside SSO so you can see where identity governance stops and shadow access begins.
• Extend offboarding checks beyond HR closure Verify that former employees lose access to SaaS, personal accounts, and AI tools, then confirm the access trace is removed from every controlled environment.
• Classify AI tool use by data sensitivity Set policy for what employees may input into AI systems, especially customer, employee, and confidential business data, and tie it to enforcement rather than awareness alone.

What's in the full report

1Password's full annual report covers the operational detail this post intentionally leaves for the source:

• Survey methodology across 5,200 desk-based knowledge workers and the regional breakdowns behind the headline figures
• Country-by-country comparisons for shadow IT, shadow AI, and password behaviour
• The report’s full access-trust gap framing and the supporting data tables behind each finding
• Additional context on how 1Password positions Extended Access Management in relation to unmanaged apps and AI tools

👉 Read 1Password’s annual report on the access-trust gap in the AI era →

Access-trust gap in the AI era: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →