TL;DR: According to 1Password's summary of an Omdia report, legacy IAM and MDM were built for a controlled device and app estate, but SaaS, BYOD, shadow IT, and AI have left unmanaged access outside the reach of traditional compliance and cyber insurance checks. The compliance problem is now an identity governance problem, because auditability collapses when access is not bound to managed devices, applications, or vendors.
NHIMG editorial — based on content published by 1Password: Omdia report summary on how extended access management closes security gaps
Questions worth separating out
Q: How should security teams handle unmanaged access when preparing for compliance audits?
A: They should first identify every application, device, contractor flow, and shadow AI path that can access sensitive data outside central IAM or MDM.
Q: Why do unmanaged devices and applications create cyber insurance risk?
A: Because insurers increasingly want proof that access is controlled, monitored, and explainable.
Q: What do IAM teams get wrong about compliance in BYOD and SaaS environments?
A: They often assume a written policy is enough.
Practitioner guidance
- Inventory unmanaged access paths: Identify every device, application, contractor flow, and shadow AI entry point that can reach sensitive data but does not pass through central IAM or MDM controls.
- Unify audit evidence collection: Require each sensitive access path to produce logs, device posture signals, and policy decisions that can be reviewed together during audit or insurance assessment.
- Map compliance controls to access sources: Tie RBAC, MFA, vendor access, and incident reporting to the specific systems that enforce them so no control depends on a manual explanation at audit time.
What's in the full article
1Password's full article covers the operational detail this post intentionally leaves for the source:
- The specific compliance mappings for ISO 27001, SOC 2, and GDPR that the vendor uses to frame extended access management.
- The platform-level reporting and audit-readiness mechanics that translate access data into evidence for assessors and insurers.
- The device trust and contextual access elements that support compliance claims in mixed managed and unmanaged environments.
- The operational examples of how access governance is presented to reduce audit friction and insurance uncertainty.