TL;DR: 52% of employees download work apps without IT approval, 37% do not always follow AI usage policies, and 70% of security leaders say SSO is insufficient for managing employee identities, according to 1Password’s annual report, underscoring how SaaS sprawl outpaces centralized governance. The access problem is no longer login alone, but discovery, lifecycle control, and policy enforcement across managed and unmanaged apps.
NHIMG editorial — based on content published by 1Password: the 2025 Annual Report on the access-trust gap and SaaS management
By the numbers:
- 52% of employees admit to downloading work apps without IT approval.
- 70% of security leaders say SSO is insufficient for managing employee identities.
- 38% of breached organizations linked incidents to unmanaged applications.
Questions worth separating out
Q: How should security teams govern SaaS apps that sit outside SSO?
A: Security teams should treat unfederated SaaS as part of the identity estate, not as a side channel.
Q: Why do shadow IT apps create identity risk even when users still have valid SSO access?
A: Because SSO only covers the apps behind the federation boundary.
Q: What breaks when JML processes are still manual in a SaaS-heavy environment?
A: Manual JML creates delays, missed revocations, and orphaned accounts.
Practitioner guidance
- Expand discovery beyond SSO coverage: inventory every application discovered through IdP logs, browser telemetry, HR records, and finance spend so the access estate includes both sanctioned and shadow SaaS.
- Automate JML across all account-holding apps: route joiner, mover, and leaver events into offboarding and license-reclamation workflows for every SaaS system that stores business data.
- Reconcile active accounts with actual usage: run periodic reviews that compare provisioned access, dormant accounts, and recent application activity so stale entitlements are removed before audit time.
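The three guidance items above (discovery beyond SSO, JML hygiene, and usage reconciliation) come together in a single review job. The script below is an added illustration written for this post; it is not code from 1Password or from the report. Every input is constructed (the app names, users, dates and the field layout of the IdP, HR and per-app exports are assumptions), but the logic is the one a practitioner would run: list observed apps that are not federated, then flag accounts whose owner has left or never existed in HR, and accounts with no activity inside the dormancy window.

```python
"""Reconcile SaaS accounts against HR, SSO coverage and usage (added example).

Not from 1Password or NHIMG. All data is constructed; the export field shapes
(IdP app list, HR roster, per-app account rows) are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable

# --- Constructed inputs --------------------------------------------------------

# Apps federated behind the IdP (what SSO actually covers).
SSO_APPS = {"crm", "wiki", "ticketing"}

# Apps seen outside the IdP, keyed to the signal that surfaced them.
OBSERVED_APPS = {
    "crm": "browser-telemetry",
    "wiki": "browser-telemetry",
    "designtool": "finance-spend",   # paid on a corporate card, never onboarded
    "notes-saas": "oauth-grant",     # third-party OAuth grant, no SSO
}

# HR roster: employment status per user (constructed).
HR_ROSTER = {
    "alice": {"status": "active", "terminated": None},
    "bob": {"status": "terminated", "terminated": date(2025, 1, 15)},
    "carol": {"status": "active", "terminated": None},
}

# Per-app account exports as (app, user, last_active) rows (constructed).
ACCOUNTS = [
    ("crm", "alice", date(2025, 3, 1)),
    ("crm", "bob", date(2025, 1, 10)),          # leaver still provisioned
    ("designtool", "carol", date(2024, 10, 1)), # shadow app, no recent use
    ("designtool", "dave", date(2025, 2, 20)),  # no HR record at all
    ("notes-saas", "alice", date(2025, 3, 2)),
]


@dataclass(frozen=True)
class Finding:
    app: str
    user: str
    issue: str          # "orphaned" or "dormant"
    detail: str
    sso_covered: bool   # False means the IdP cannot revoke this account


def discover_shadow_apps(observed: dict[str, str], sso_apps: set[str]) -> dict[str, str]:
    """Return observed apps that are not behind the IdP, with their discovery source."""
    return {app: src for app, src in observed.items() if app not in sso_apps}


def reconcile_accounts(
    accounts: Iterable[tuple[str, str, date]],
    roster: dict[str, dict],
    sso_apps: set[str],
    as_of: date,
    dormant_days: int = 90,
) -> list[Finding]:
    """Flag accounts whose owner has left or is unknown, and accounts idle past the window."""
    cutoff = as_of - timedelta(days=dormant_days)
    findings: list[Finding] = []
    for app, user, last_active in accounts:
        covered = app in sso_apps
        record = roster.get(user)
        if record is None:
            findings.append(Finding(app, user, "orphaned", "no HR record", covered))
        elif record["status"] != "active":
            findings.append(Finding(app, user, "orphaned",
                                    f"terminated {record['terminated']}", covered))
        elif last_active < cutoff:
            findings.append(Finding(app, user, "dormant",
                                    f"last active {last_active}", covered))
    return findings


def summarize(findings: Iterable[Finding]) -> dict[str, int]:
    """Count findings by issue type for the review report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    review_date = date(2025, 3, 10)
    print("Shadow apps:", discover_shadow_apps(OBSERVED_APPS, SSO_APPS))
    results = reconcile_accounts(ACCOUNTS, HR_ROSTER, SSO_APPS, review_date)
    for f in results:
        where = "SSO" if f.sso_covered else "OUTSIDE SSO"
        print(f"{f.issue:8} {f.app}/{f.user} ({f.detail}) [{where}]")
    print("Summary:", summarize(results))
```

The `sso_covered` flag is the point of the exercise: an orphaned account in a federated app can be closed from the IdP, while the same account in a shadow app needs the application owner to act, which is why discovery and JML automation have to reach every account-holding app rather than stopping at the federation boundary.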
What's in the full article
1Password's full report covers the operational detail this post intentionally leaves for the source:
- Browser, IdP, HR, and finance integration patterns used to uncover unsanctioned SaaS at scale
- Implementation examples for automating deprovisioning, license reclamation, and app ownership workflows
- Customer evidence showing how teams reduced manual offboarding effort and recovered unused licenses
- Audit and compliance use cases that connect SaaS visibility to SOC 2 and ISO 27001 evidence
👉 Read 1Password's analysis of the access-trust gap in SaaS governance →
SaaS sprawl and shadow IT: what IAM teams are missing now?
Explore further
Access-trust gap management is now a core identity discipline, not a procurement cleanup task. The article describes a world where apps appear faster than security can inventory them, and that changes the identity problem from authorization to governance. Once unmanaged SaaS becomes normal, the security team is no longer reviewing a complete access estate. Practitioners should treat continuous discovery as part of identity governance, not as a separate operations function.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when unsanctioned SaaS stores sensitive business data?
A: Accountability usually falls between IT, security, and the business team that adopted the application. That ambiguity is the problem. Organisations need named application owners, explicit offboarding responsibility, and policy enforcement that reaches outside the IdP so there is a clear owner for access, data handling, and retirement.
👉 Read our full editorial: SaaS sprawl is exposing the access-trust gap in enterprise IAM