
SaaS sprawl and shadow IT: where identity governance breaks down


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: SaaS sprawl starts with fast self-service adoption and ends with hidden access, unused licenses, and audit gaps, according to 1Password. The governance problem is not discovery alone, but the lack of repeatable lifecycle controls for onboarding, offboarding, access reviews, and renewals across unmanaged apps.

NHIMG editorial — based on content published by 1Password: a guide to SaaS management tips and advice

By the numbers:

Questions worth separating out

Q: How should security teams govern SaaS sprawl across the full identity lifecycle?

A: Security teams should treat SaaS sprawl as a lifecycle governance issue, not just a discovery problem.

Q: Why does SSO not solve SaaS access governance on its own?

A: SSO centralises authentication, but it does not eliminate app-local licenses, OAuth tokens, file ownership, or external sharing links.

Q: What breaks when SaaS access reviews rely on spreadsheets?

A: Spreadsheets freeze access data in time, so reviewers work from stale exports while roles, teams, and app usage keep changing.

Practitioner guidance

  • Implement continuous SaaS discovery workflows: Move discovery out of spreadsheet mode and into a workflow that captures new apps, assigns ownership, records business purpose, and routes each app into review before it becomes normalised.
  • Treat offboarding as end-to-end deprovisioning: Remove SSO access, revoke app-local tokens, reclaim licenses, and transfer ownership of shared files and calendars so the leaver motion closes every downstream access path.
  • Automate access reviews with usage context: Combine role, department, risk, and actual login or activity data so reviewers can revoke or adjust access directly instead of working from static exports.
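As an added example (not code from 1Password's guide or from this post), a small Python access-review check over a constructed SaaS inventory: it assumes each app account record carries SSO linkage, app-local token, license, owned-file and last-activity fields, and it emits the actions an SSO-only offboarding would leave undone, plus dormant paid seats for active users.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class SaasAccount:
    app: str
    user: str
    sso_linked: bool           # login is brokered by the IdP
    app_local_token: bool      # OAuth/API token issued by the app itself
    license_assigned: bool
    owned_shared_files: int    # files or calendars this user owns in the app
    last_activity: Optional[date]

def review_findings(accounts, leavers, today, dormant_days=90):
    """Return (app, user, action) triples a reviewer can act on directly."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for a in accounts:
        if a.user in leavers:
            # Leaver: removing SSO alone leaves each of these paths open.
            if not a.sso_linked:
                findings.append((a.app, a.user, "disable app-local account"))
            if a.app_local_token:
                findings.append((a.app, a.user, "revoke app-local token"))
            if a.license_assigned:
                findings.append((a.app, a.user, "reclaim license"))
            if a.owned_shared_files:
                findings.append((a.app, a.user, "transfer file ownership"))
            continue
        # Active user: a paid seat with no recent activity goes to review.
        if a.license_assigned and (a.last_activity is None or a.last_activity < cutoff):
            findings.append((a.app, a.user, "review dormant license"))
    return findings

# Constructed sample inventory (hypothetical apps and users).
TODAY = date(2024, 6, 1)
LEAVERS = {"alice"}
ACCOUNTS = [
    SaasAccount("design-tool", "alice", True, True, True, 12, date(2024, 5, 20)),
    SaasAccount("crm", "alice", False, False, True, 0, date(2024, 1, 3)),
    SaasAccount("crm", "bob", True, False, True, 3, date(2024, 1, 15)),
    SaasAccount("design-tool", "carol", True, False, True, 0, date(2024, 5, 30)),
]

if __name__ == "__main__":
    for app, user, action in review_findings(ACCOUNTS, LEAVERS, TODAY):
        print(f"{app:12} {user:8} {action}")
```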

What's in the full article

1Password's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step workflow patterns for automating SaaS discovery and routing new apps into review.
  • Detailed offboarding motion for reclaiming licenses, transferring ownership, and notifying managers.
  • Operational examples for replacing spreadsheets with repeatable access review workflows.
  • Renewal workflow detail for aligning IT, procurement, and finance on the same SaaS data set.

👉 Read 1Password's guide to SaaS discovery, offboarding, and access reviews →
