
Shadow IT and SaaS access gaps: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: 52% of employees have downloaded applications without IT approval and 34% of company apps are not protected by SSO, according to 1Password’s Access-Trust Gap research, highlighting how SaaS governance breaks down when discovery and lifecycle controls lag usage. The real issue is not just shadow IT, but unmanaged access across sanctioned and unsanctioned apps alike.

NHIMG editorial — based on content published by 1Password: Access-Trust Gap research on SaaS governance and lifecycle control

By the numbers:

Questions worth separating out

Q: How should security teams govern SaaS apps that sit outside SSO?

A: Security teams should treat non-SSO apps as governed assets, not exceptions.

Q: Why do unmanaged SaaS apps create access risk even when SSO is in place?

A: Because SSO only governs the apps it covers.

Q: What do teams get wrong about offboarding in SaaS environments?

A: They often assume disabling the primary account is enough.

Practitioner guidance

What's in the full article

1Password's full blog covers the operational detail this post intentionally leaves for the source:

  • How 1Password SaaS Manager discovers work-related apps across browser and local usage patterns.
  • The access review and onboarding/offboarding workflow details behind its SaaS governance model.
  • How risky OAuth tokens are identified and revoked when third-party app access is already in place.

👉 Read 1Password’s analysis of the Access-Trust Gap in SaaS governance →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4434
 

SaaS access governance fails when discovery is treated as optional. The article shows that employees can add applications faster than IT can inventory them, which means governance starts after exposure has already occurred. That is not a visibility nuisance; it is a control boundary failure. Practitioners should treat unmanaged app discovery as the prerequisite for every downstream access decision.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.

A question worth separating out:

Q: How do organisations know if SaaS governance is actually working?

A: They should look for high discovery coverage, low numbers of unmanaged apps, and complete revocation during offboarding. A working programme can show which apps are federated, which are not, and which third-party grants were removed. If those facts are unclear, governance exists on paper but not in practice.

👉 Read our full editorial: SaaS access governance is failing beyond SSO coverage
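As an added example (not 1Password's or NHIMG's code), the three checks named in the answer above, run as a small audit over a constructed SaaS inventory: SSO coverage, count of unmanaged apps, and the residual access a departed user keeps after only their IdP account is disabled. The app names, users and the inventory itself are made up; a real run would take them from a discovery tool and the IdP.

```python
from dataclasses import dataclass, field


@dataclass
class App:
    name: str
    sso_federated: bool               # login is brokered by the IdP (SSO)
    sanctioned: bool                  # known to IT before discovery found it
    local_accounts: set[str] = field(default_factory=set)  # direct, non-SSO logins
    oauth_grants: set[str] = field(default_factory=set)    # users who granted third-party access


# Constructed sample inventory, standing in for a discovery tool's output.
INVENTORY = [
    App("crm", True, True, oauth_grants={"alice"}),
    App("design-tool", False, True, local_accounts={"alice", "bob"}),
    App("notes-app", False, False, local_accounts={"alice"}, oauth_grants={"alice"}),
    App("chat", True, True),
]


def coverage_metrics(inventory):
    """Discovery coverage facts a working programme should be able to state."""
    total = len(inventory)
    federated = sum(1 for a in inventory if a.sso_federated)
    return {
        "apps": total,
        "sso_coverage_pct": round(100 * federated / total, 1) if total else 0.0,
        "unmanaged_apps": sum(1 for a in inventory if not a.sanctioned),
        "non_sso_apps": [a.name for a in inventory if not a.sso_federated],
    }


def offboarding_gaps(inventory, user):
    """Access that survives disabling the user's IdP account.

    Disabling the IdP login only cuts SSO-brokered sessions; a direct local
    account and any OAuth grant the user authorised must be revoked per app."""
    gaps = []
    for a in inventory:
        if user in a.local_accounts:
            gaps.append((a.name, "local account still active"))
        if user in a.oauth_grants:
            gaps.append((a.name, "oauth grant not revoked"))
    return gaps


def revoke_residual_access(inventory, user):
    """Remove the user's local accounts and OAuth grants; return how many were cut."""
    removed = 0
    for a in inventory:
        removed += int(user in a.local_accounts) + int(user in a.oauth_grants)
        a.local_accounts.discard(user)
        a.oauth_grants.discard(user)
    return removed
```

Running `offboarding_gaps` before and after `revoke_residual_access` gives the per-user proof of complete revocation the answer asks for; an empty result afterwards is the evidence, not the act of disabling the primary account.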
