AI governance gaps are widening. What should IAM teams do?


(@nhi-mgmt-group), Member Moderator, topic starter

TL;DR: A survey of more than 5,000 workers and security professionals finds that 73% of employees are encouraged to use AI while 37% say they do not always follow policy, and 27% have worked on unapproved AI applications, according to 1Password. The real problem is not AI adoption itself but the absence of enforceable access controls and inventory discipline.

NHIMG editorial — based on content published by 1Password: The Access-Trust Gap in AI governance

By the numbers:

Questions worth separating out

Q: How should security teams govern employee use of AI tools?

A: They should govern AI tools as part of the access control plane, not just as acceptable-use software.

Q: Why do SSO and MDM fall short for AI governance?

A: SSO and MDM were designed for a world where managed devices and approved apps define the boundary.

Q: What do organisations get wrong about shadow AI?

A: They often treat shadow AI as a communications or awareness problem.

Practitioner guidance

  • Build a full AI tool inventory: continuously discover AI tools across managed and unmanaged environments, then classify them by approval status, data exposure risk, and access path.
  • Tie AI policy to device trust checks: block access to managed applications when a device is running a blocklisted AI tool or using an unsanctioned account.
  • Route users toward sanctioned AI services: give employees a self-serve path to approved AI tools so convenience does not push them into shadow AI.

What's in the full article

1Password's full blog post covers the operational detail this post intentionally leaves for the source:

  • How 1Password SaaS Manager discovers and inventories AI tools across managed and unmanaged environments.
  • How Device Trust blocks authentication when blocklisted AI tools are detected on employee devices.
  • How the self-serve app hub is positioned to steer users toward sanctioned AI services.
  • How the report frames plain-language policy explanations to reduce bypass behaviour and improve compliance.

👉 Read 1Password’s analysis of the 2025 Access-Trust Gap and AI governance →

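The three practitioner steps in the post above (inventory and classification, device-trust gating, routing to a sanctioned alternative) combined into one policy evaluation. This is an added illustration, not code from 1Password or the post author: the discovery records, OAuth scope weights, blocklist, corporate domain and decision thresholds are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights: how much corporate data each OAuth scope exposes.
SCOPE_WEIGHTS = {
    "openid": 0, "email": 0, "profile": 0,
    "Calendars.Read": 1,
    "offline_access": 2,          # refresh token outlives the user session
    "Mail.Read": 3, "Files.Read.All": 3, "Mail.Send": 3,
    "Files.ReadWrite.All": 4,
}
UNKNOWN_SCOPE_WEIGHT = 2          # fail closed: an unreviewed scope is never treated as harmless


@dataclass(frozen=True)
class DiscoveredApp:
    name: str
    source: str            # where discovery saw it: "sso", "oauth_grant", "browser_ext", "endpoint"
    scopes: tuple          # OAuth scopes granted to the tool
    account_domain: str    # domain of the identity used to sign in
    approved: bool         # on the sanctioned list


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool
    processes: tuple       # process names reported by the endpoint agent


def exposure_score(app):
    return sum(SCOPE_WEIGHTS.get(s, UNKNOWN_SCOPE_WEIGHT) for s in app.scopes)


def exposure_tier(score):
    if score == 0:
        return "none"
    if score <= 2:
        return "low"
    if score <= 5:
        return "medium"
    return "high"


def classify(app, corp_domains):
    """Inventory entry: approval status, data exposure tier and access path."""
    corp_account = app.account_domain.lower() in corp_domains
    if app.approved and corp_account:
        status = "sanctioned"
    elif app.approved:
        status = "sanctioned-app-unsanctioned-account"
    else:
        status = "shadow"
    return {"name": app.name, "status": status,
            "exposure": exposure_tier(exposure_score(app)),
            "access_path": "sso" if app.source == "sso" else "direct"}


def access_decision(app, device, corp_domains, blocklist):
    """Gate managed-app access on device posture plus the tool's inventory entry.

    Returns (decision, reason); decision is "allow", "redirect" or "block".
    """
    entry = classify(app, corp_domains)
    running = sorted({p.lower() for p in device.processes} & blocklist)
    if not device.managed:
        return "block", "unmanaged device"
    if running:
        return "block", "blocklisted AI tool running: " + ", ".join(running)
    if entry["status"] == "sanctioned-app-unsanctioned-account":
        return "block", "sanctioned app reached with an unsanctioned account"
    if entry["status"] == "shadow" and entry["exposure"] in ("medium", "high"):
        return "block", "shadow AI tool with %s data exposure" % entry["exposure"]
    if entry["status"] == "shadow":
        return "redirect", "route user to the sanctioned alternative"
    return "allow", "sanctioned tool with a corporate account"


# Constructed sample: what one discovery pass might report for a single user.
CORP_DOMAINS = {"example.com"}
BLOCKLIST = {"pastebot.exe", "freegpt-helper"}
SAMPLE_APPS = (
    DiscoveredApp("CorpAssist", "sso", ("openid", "email", "Files.Read.All"), "example.com", True),
    DiscoveredApp("CorpAssist", "sso", ("openid", "email", "Files.Read.All"), "gmail.com", True),
    DiscoveredApp("PasteBot", "browser_ext",
                  ("openid", "Mail.Read", "Files.ReadWrite.All", "offline_access"), "gmail.com", False),
    DiscoveredApp("NoteSummarizer", "oauth_grant", ("openid", "Calendars.Read"), "example.com", False),
)


def evaluate(device):
    """Run every discovered app against one device; returns [(name, account, decision, reason)]."""
    return [(app.name, app.account_domain) + access_decision(app, device, CORP_DOMAINS, BLOCKLIST)
            for app in SAMPLE_APPS]


if __name__ == "__main__":
    clean = DevicePosture("LAPTOP-01", True, ("outlook.exe", "chrome.exe"))
    dirty = DevicePosture("LAPTOP-02", True, ("chrome.exe", "PasteBot.exe"))
    for dev in (clean, dirty):
        print(dev.device_id)
        for name, domain, decision, reason in evaluate(dev):
            print(f"  {name:<15}{domain:<14}{decision:<9}{reason}")
```

Two design points matter more than the specific weights. Unreviewed scopes score above zero, so a newly granted permission the team has not yet classified cannot silently land a tool in the "none" tier. The device check runs before the per-app logic, so a blocklisted process blocks even the sanctioned tool with a corporate account, which is what the "tie AI policy to device trust" item asks for; a sanctioned app reached with a personal account is blocked rather than redirected because the problem is the identity, not the tool.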

(@mr-nhi), Member Moderator

AI governance has become an access-control discipline, not a policy memo. The report shows that employees are already using AI in ways the organisation cannot consistently approve or observe. That means the control problem is no longer awareness alone. Practitioners need to treat AI usage as a governed access path with discovery, approval, and enforcement requirements, not as a side policy for end users.

A few things that frame the scale:

  • 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
  • Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.

A question worth separating out:

Q: Who is accountable when employees use unapproved AI tools?

A: Accountability sits with the organisation’s governance model, not with the individual control alone. Security, IAM, and platform teams need clear ownership for discovery, policy enforcement, and exception handling so that unsanctioned AI use is addressed before sensitive data leaves approved boundaries.

👉 Read our full editorial: Access-trust gaps in AI governance are widening fast
