TL;DR: Omdia says legacy IAM and MDM fall short when employees adopt unsanctioned apps, personal devices, and shadow AI, leaving organizations with fragmented visibility, compliance exposure, and audit gaps, according to 1Password’s summary of the report. The real issue is not tool sprawl alone but the access-trust gap that appears when governance cannot keep pace with unmanaged identities and applications.
NHIMG editorial — based on content published by 1Password: its analysis of shadow IT, shadow AI, and the access-trust gap
By the numbers:
- Through 2027, organizations that fail to centrally manage SaaS life cycles will remain five times more susceptible to a cyber incident or data loss due to incomplete visibility into SaaS usage and configuration.
- 72% of employees who regularly use GenAI were either using non-corporate emails as the identifiers of their accounts or were using corporate emails without integrated authentication systems in place.
Questions worth separating out
Q: How should security teams govern shadow IT that employees adopt outside central IAM?
A: Start with discovery, then apply lifecycle control.
Q: Why do unsanctioned apps create more risk than ordinary SaaS sprawl?
A: Unsanctioned apps are riskier because they often sit outside federated identity, logging standards, and offboarding workflows.
Q: What do security teams get wrong about shadow AI governance?
A: They treat shadow AI as a policy issue instead of an identity issue.
Practitioner guidance
- Build discovery around actual app usage: Inventory SaaS and AI tools from identity logs, browser telemetry, and access gateways rather than relying on procurement lists or SSO catalogs alone.
- Bind unsanctioned access to lifecycle controls: Require offboarding and access review coverage for accounts created outside the standard onboarding flow, including personal-email signups that touch corporate data.
- Separate corporate data from unmanaged tools: Restrict copy-and-paste, upload, and connector permissions where shadow AI or shadow SaaS cannot be brought under policy, logging, and retention rules.
What's in the full article
1Password's full article covers the operational detail this post intentionally leaves for the source:
- How 1Password Extended Access Management discovers unsanctioned apps and maps how they are accessed.
- The article’s explanation of automated provisioning and de-provisioning for apps that are not covered by SSO.
- The discussion of audit trails and actionable insights for incident response and SaaS rationalisation.
- The specific framing of the Access-Trust Gap and how the vendor positions it across shadow IT and shadow AI.
👉 Read 1Password’s analysis of shadow IT, shadow AI, and the access-trust gap →
Shadow IT and shadow AI: what it means for IAM teams
Explore further
Shadow AI is now a lifecycle problem, not just an acceptable-use problem. When employees can create AI accounts with non-corporate identities or with corporate email outside integrated authentication, the organisation loses the ability to tie usage to a governed identity lifecycle. That means offboarding, review, and policy enforcement no longer operate on the actual access path. The practitioner conclusion is straightforward: governance has to follow the account, not the corporate directory entry.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding from that report shows that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations.
A question worth separating out:
Q: How can organisations reduce exposure from unmanaged SaaS and AI tools?
A: Focus on the highest-risk applications first, especially those that handle sensitive data or bypass SSO. Then pair discovery with de-provisioning, logging, and review so access can be removed when the user changes role or leaves. Without that lifecycle discipline, inventory alone will not reduce exposure.
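As an added example (not code from 1Password or from this editorial), the following Python implements both the usage-based discovery bullet under Practitioner guidance and the prioritisation answer above: it builds an app inventory from constructed access-gateway log lines instead of the SSO catalog, flags the gaps the report counts (non-corporate identities, corporate email without integrated authentication, apps outside SSO), and ranks the result so apps that bypass SSO or handle sensitive data come first. The log format, app names, SSO catalog, data classes and weights are all assumptions.

```python
import re
from collections import defaultdict
# Constructed sample of access-gateway log lines (not real data).
SAMPLE_LOG = """\
2024-05-02T09:14:02Z app=genai-assistant user=alice@corp.example auth=password
2024-05-02T09:20:41Z app=genai-assistant user=alice.home@mail.example auth=password
2024-05-02T09:31:10Z app=crm user=bob@corp.example auth=saml
2024-05-02T10:07:19Z app=notes-saas user=dave@corp.example auth=password
2024-05-02T11:45:03Z app=file-share user=eve@corp.example auth=password
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) app=(?P<app>\S+) user=(?P<user>\S+) auth=(?P<auth>\S+)$")
FEDERATED = {"saml", "oidc"}  # auth methods that mean the session went through SSO
WEIGHTS = {"not_in_sso_catalog": 3, "handles_sensitive_data": 3,  # assumed weights; tune locally
           "non_corporate_identity": 2, "corporate_email_outside_sso": 2}

def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def build_inventory(lines, sso_catalog, corp_domains, sensitive_apps):
    """Inventory apps from observed usage, flag lifecycle gaps, rank highest-risk first."""
    apps = defaultdict(lambda: {"users": set(), "flags": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        entry = apps[ev["app"]]
        entry["users"].add(ev["user"])
        domain = ev["user"].rsplit("@", 1)[-1].lower()
        if domain not in corp_domains:
            entry["flags"].add("non_corporate_identity")  # not tied to a governed identity
        elif ev["auth"] not in FEDERATED:
            entry["flags"].add("corporate_email_outside_sso")  # corporate email, no integrated auth
    findings = []
    for app, entry in apps.items():
        flags = set(entry["flags"])
        if app not in sso_catalog:
            flags.add("not_in_sso_catalog")  # seen in usage only; no federated lifecycle
        if app in sensitive_apps:
            flags.add("handles_sensitive_data")
        findings.append({"app": app, "score": sum(WEIGHTS[f] for f in flags),
                         "flags": sorted(flags), "users": sorted(entry["users"])})
    return sorted(findings, key=lambda f: (-f["score"], f["app"]))

def run_sample():
    # Assumed SSO catalog and data classification for the constructed log.
    return build_inventory(SAMPLE_LOG, sso_catalog={"crm", "notes-saas", "file-share"},
                           corp_domains={"corp.example"}, sensitive_apps={"crm", "file-share"})
```

Each finding carries the users seen on that app, which is the list an access review or de-provisioning run needs once the app has been triaged.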
👉 Read our full editorial: Shadow IT and shadow AI expose the access-trust gap