
Shadow IT and shadow AI: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Omdia says legacy IAM and MDM fall short when employees adopt unsanctioned apps, personal devices, and shadow AI, leaving organizations with fragmented visibility, compliance exposure, and audit gaps, according to 1Password’s summary of the report. The real issue is not tool sprawl alone but the access-trust gap that appears when governance cannot keep pace with unmanaged identities and applications.

NHIMG editorial — based on content published by 1Password: its analysis of shadow IT, shadow AI, and the access-trust gap

By the numbers:

  • Through 2027, organizations that fail to centrally manage SaaS life cycles will remain five times more susceptible to a cyber incident or data loss due to incomplete visibility into SaaS usage and configuration.
  • 72% of employees who regularly use GenAI were either using non-corporate emails as the identifiers of their accounts or were using corporate emails without integrated authentication systems in place.

Questions worth separating out

Q: How should security teams govern shadow IT that employees adopt outside central IAM?

A: Start with discovery, then apply lifecycle control.

Q: Why do unsanctioned apps create more risk than ordinary SaaS sprawl?

A: Unsanctioned apps are riskier because they often sit outside federated identity, logging standards, and offboarding workflows.

Q: What do security teams get wrong about shadow AI governance?

A: They treat shadow AI as a policy issue instead of an identity issue.

Practitioner guidance

  • Build discovery around actual app usage: inventory SaaS and AI tools from identity logs, browser telemetry, and access gateways rather than relying on procurement lists or SSO catalogs alone.
  • Bind unsanctioned access to lifecycle controls: require offboarding and access review coverage for accounts created outside the standard onboarding flow, including personal-email signups that touch corporate data.
  • Separate corporate data from unmanaged tools: restrict copy-and-paste, upload, and connector permissions where shadow AI or shadow SaaS cannot be brought under policy, logging, and retention rules.
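Added illustration of the discovery and lifecycle points above, not code from 1Password's article or from this post: it builds a shadow SaaS/AI inventory from access-gateway log lines instead of the SSO catalog, flagging apps outside SSO, SSO bypass on catalog apps, and personal-email identities. The corporate domain, the SSO catalog, the log format and the log lines are all constructed assumptions.

```python
# Added example, not 1Password's or NHIMG's code: build a shadow SaaS/AI inventory
# from identity/gateway logs. Domain, catalog and log lines are constructed.
import re
from collections import defaultdict

CORP_DOMAIN = "example.com"                   # assumed corporate email domain
SSO_CATALOG = {"crm.example", "chat.example"}  # assumed apps federated via SSO
FEDERATED = {"saml", "oidc"}                  # auth methods routed through the IdP

# Constructed access-gateway log: timestamp, identity used, app reached, auth method.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice@example.com app=crm.example auth=saml
2024-05-01T09:14:11Z user=alice.h@gmail.com app=genai.example auth=password
2024-05-01T09:20:45Z user=bob@example.com app=notes.example auth=password
2024-05-01T10:02:10Z user=carol@example.com app=genai.example auth=password
2024-05-01T10:30:00Z user=dave@example.com app=chat.example auth=password
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) auth=(?P<auth>\S+)$")

def classify(user, app, auth):
    """Governance gaps revealed by a single access event."""
    flags = set()
    if app not in SSO_CATALOG:
        flags.add("outside_sso")        # app never onboarded into IAM at all
    elif auth not in FEDERATED:
        flags.add("sso_bypass")         # catalog app reached with a local password
    if not user.lower().endswith("@" + CORP_DOMAIN):
        flags.add("personal_identity")  # non-corporate identifier touching the app
    return flags

def build_inventory(log_text):
    """Per app: identities seen, gaps found, and whether the IdP alone can
    offboard it (only true when every observed access was federated)."""
    inv = defaultdict(lambda: {"users": set(), "flags": set(), "idp_covered": True})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip lines the parser does not recognise
        user, app, auth = m["user"], m["app"], m["auth"]
        entry = inv[app]
        entry["users"].add(user)
        entry["flags"] |= classify(user, app, auth)
        entry["idp_covered"] = entry["idp_covered"] and auth in FEDERATED
    return dict(inv)

def lifecycle_gaps(inv):
    """Apps whose accounts need manual offboarding and access-review coverage."""
    return sorted(app for app, e in inv.items() if not e["idp_covered"])
```

Apps returned by `lifecycle_gaps` are the ones the IdP cannot deprovision on its own, which is where the access-review requirement in the second bullet applies.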

What's in the full article

1Password's full article covers the operational detail this post intentionally leaves for the source:

  • How 1Password Extended Access Management discovers unsanctioned apps and maps how they are accessed.
  • The article’s explanation of automated provisioning and de-provisioning for apps that are not covered by SSO.
  • The discussion of audit trails and actionable insights for incident response and SaaS rationalisation.
  • The specific framing of the Access-Trust Gap and how the vendor positions it across shadow IT and shadow AI.

👉 Read 1Password’s analysis of shadow IT, shadow AI, and the access-trust gap →

