AI governance gaps are widening. What should IAM teams do?


(@nhi-mgmt-group)

TL;DR: A survey of more than 5,000 workers and security professionals finds that 73% of employees are encouraged to use AI while 37% say they do not always follow policy, and 27% have worked on unapproved AI applications, according to 1Password. The real problem is not AI adoption itself but the absence of enforceable access controls and inventory discipline.

NHIMG editorial — based on content published by 1Password: The Access-Trust Gap in AI governance

By the numbers:

Questions worth separating out

Q: How should security teams govern employee use of AI tools?

A: They should govern AI tools as part of the access control plane, not just as acceptable-use software.

Q: Why do SSO and MDM fall short for AI governance?

A: SSO and MDM were designed for a world where managed devices and approved apps define the boundary.

Q: What do organisations get wrong about shadow AI?

A: They often treat shadow AI as a communications or awareness problem.

Practitioner guidance

  • Build a full AI tool inventory: Continuously discover AI tools across managed and unmanaged environments, then classify them by approval status, data exposure risk, and access path.
  • Tie AI policy to device trust checks: Block access to managed applications when a device is running a blocklisted AI tool or using an unsanctioned account.
  • Route users toward sanctioned AI services: Give employees a self-serve path to approved AI tools so convenience does not push them into shadow AI.

What's in the full article

1Password's full blog post covers the operational detail this post intentionally leaves for the source:

  • How 1Password SaaS Manager discovers and inventories AI tools across managed and unmanaged environments.
  • How Device Trust blocks authentication when blocklisted AI tools are detected on employee devices.
  • How the self-serve app hub is positioned to steer users toward sanctioned AI services.
  • How the report frames plain-language policy explanations to reduce bypass behaviour and improve compliance.

👉 Read 1Password’s analysis of the 2025 Access-Trust Gap and AI governance →
