Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI token sprawl and SaaS access gaps: what teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: 27% of knowledge workers are using unapproved AI applications, while 52% have created new AI or SaaS accounts without IT approval and 34% of company apps sit outside SSO, leaving access, spend, and offboarding gaps unresolved, according to 1Password. The governance problem is no longer just shadow IT, but unmanaged AI usage, unfederated access, and token-based spend that traditional IAM cannot fully see or control.

NHIMG editorial — based on content published by 1Password: 1Password’s analysis of SaaS Manager, AI token visibility, and access governance

By the numbers:

Questions worth separating out

Q: How should security teams govern AI and SaaS access that sits outside SSO?

A: Security teams should treat unfederated apps as separate governance objects, not as extensions of the identity provider.

Q: Why do unmanaged AI tools create IAM and finance risk at the same time?

A: Unmanaged AI tools combine access sprawl with consumption-based spend, so identity teams can lose visibility at the same moment finance loses cost predictability.

Q: What breaks when offboarding only disables the identity provider account?

A: Directory disablement alone fails when apps are outside SSO, tokens remain valid, or vendor-side provisioning is incomplete.

Practitioner guidance

  • Inventory access outside SSO Build a separate register of apps reached through browser sign-ins, OAuth grants, and local credentials so unfederated access is visible alongside directory-managed access.
  • Reconcile AI usage with identity and finance data Join app discovery, user identity, and cost centre data so token overages, unmanaged tools, and dormant spend can be tied to accountable owners.
  • Prove offboarding reaches the application layer Require evidence that access was removed from the app itself, not just the directory, before closing leaver and mover records.

What's in the full article

1Password's full research covers the operational detail this post intentionally leaves for the source:

  • The exact SaaS Manager discovery signals across identity providers, finance systems, browser extensions, and vaults.
  • The workflow mechanics for reclaiming unused licenses and deprovisioning access through the platform.
  • The AI token burn-rate and contract extraction features that support spend forecasting and renewal decisions.
  • The vendor's examples of how the MCP Server exposes AI agent access events for governance workflows.

👉 Read 1Password’s analysis of AI token sprawl and SaaS access governance →

AI token sprawl and SaaS access gaps: what teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Unapproved AI and SaaS adoption is now an access governance problem, not a shadow IT side note. When employees connect tools through browser logins and OAuth grants, the identity provider no longer has the full picture of who can reach what. That changes the governance boundary from directory management to application-state management. Practitioners should treat every out-of-SSO application as a live control gap, not a procurement exception.

A few things that frame the scale:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
  • 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, showing how AI tooling can introduce fresh credential exposure at protocol boundaries.

A question worth separating out:

Q: Who should own governance for AI token usage and SaaS sprawl?

A: Ownership should be shared across IAM, security, and finance, because the problem crosses entitlement control, data exposure, and budget management. IAM can define and revoke access, security can evaluate risk and shadow AI, and finance can monitor consumption and renewal exposure. No single team can close the gap on its own.

👉 Read our full editorial: 1Password’s SaaS governance gap analysis for AI and access



   
ReplyQuote
Share: