Shadow SaaS governance: what should IAM teams do now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Shadow IT is not the core problem in 1Password’s analysis of SaaS Manager; the real issue is unmanaged SaaS adoption leaving 34% of applications outside SSO and creating compliance, data governance, and lifecycle blind spots. The practical lesson is that business-led IT only works when discovery, access review, and offboarding are treated as governance controls, not optional cleanup.

NHIMG editorial — based on content published by 1Password: business-led IT and shadow SaaS governance

By the numbers:

Questions worth separating out

Q: How should security teams govern shadow SaaS without blocking business productivity?

A: Security teams should treat shadow SaaS as a discovery and lifecycle problem, not a prohibition problem.

Q: Why do unmanaged SaaS apps create identity governance risk?

A: Unmanaged SaaS apps create risk because they sit outside central visibility, which means IT cannot consistently enforce SSO, review entitlements, or offboard access.

Q: What do IAM teams get wrong about business-led IT?

A: The common mistake is assuming business-led IT means losing control.

Practitioner guidance

  • Create a continuous SaaS discovery process: inventory applications across business units, then reconcile them against SSO coverage, approved app lists, and procurement records.
  • Assign lifecycle owners for every business-led app: require each application to have an accountable owner for onboarding, access review, renewal, and retirement.
  • Use SSO coverage to prioritise remediation: target applications outside SSO first, because they are the likeliest to have fragmented authentication, inconsistent offboarding, and weak auditability.
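The three guidance points above are one reconciliation procedure: merge what discovery finds, check each app against SSO coverage, the approved list, procurement records and owner assignments, and rank the gaps so the apps outside SSO come first. The script below is an added illustration of that procedure and is not code from 1Password, SaaS Manager or NHIMG; the inventory, SSO list, approved list, procurement records, owners and the gap weights are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Mapping, Set

# --- Constructed sample inputs (hypothetical; not real discovery output) ---
# Discovery sources typically include expense data, IdP sign-in logs and
# OAuth consent grants; the same app can surface in several business units.
DISCOVERED_APPS = [
    {"name": "Acme CRM", "business_unit": "Sales", "source": "expense", "users": 42},
    {"name": "Notely", "business_unit": "Marketing", "source": "idp_logs", "users": 7},
    {"name": "DataViz Pro", "business_unit": "Finance", "source": "expense", "users": 15},
    {"name": "ChatHub", "business_unit": "Engineering", "source": "oauth_grants", "users": 120},
    {"name": "Acme CRM", "business_unit": "Support", "source": "oauth_grants", "users": 12},
]
SSO_APPS: Set[str] = {"Acme CRM", "ChatHub"}                 # apps behind the IdP
APPROVED_APPS: Set[str] = {"Acme CRM", "ChatHub", "DataViz Pro"}
PROCUREMENT_RECORDS: Dict[str, str] = {"Acme CRM": "PO-1001", "DataViz Pro": "PO-1002"}
OWNERS: Dict[str, str] = {"Acme CRM": "sales-ops@example.com", "ChatHub": "it-platform@example.com"}

# Weights are an assumption for ranking only; SSO gaps dominate because they
# imply fragmented authentication and unreliable offboarding.
GAP_WEIGHTS = {"outside_sso": 40, "no_owner": 30, "unapproved": 20, "no_procurement_record": 10}


@dataclass
class Finding:
    app: str
    users: int
    business_units: List[str]
    gaps: List[str] = field(default_factory=list)
    score: int = 0


def reconcile(discovered: Iterable[Mapping], sso_apps: Set[str], approved_apps: Set[str],
              procurement: Mapping[str, str], owners: Mapping[str, str]) -> List[Finding]:
    """Merge discovery records per app, flag governance gaps, rank by severity."""
    merged: Dict[str, Finding] = {}
    for rec in discovered:
        f = merged.setdefault(rec["name"], Finding(app=rec["name"], users=0, business_units=[]))
        f.users += rec["users"]
        if rec["business_unit"] not in f.business_units:
            f.business_units.append(rec["business_unit"])  # overlapping adoption shows up here
    for f in merged.values():
        if f.app not in sso_apps:
            f.gaps.append("outside_sso")
        if f.app not in owners:
            f.gaps.append("no_owner")
        if f.app not in approved_apps:
            f.gaps.append("unapproved")
        if f.app not in procurement:
            f.gaps.append("no_procurement_record")
        f.score = sum(GAP_WEIGHTS[g] for g in f.gaps)
    # Highest score first; larger user base breaks ties; name keeps output stable.
    return sorted(merged.values(), key=lambda f: (-f.score, -f.users, f.app))


def sso_coverage_gap(findings: List[Finding]) -> float:
    """Fraction of inventoried apps that sit outside SSO (the headline metric)."""
    if not findings:
        return 0.0
    outside = sum(1 for f in findings if "outside_sso" in f.gaps)
    return outside / len(findings)


def render_report(findings: List[Finding]) -> str:
    lines = [f"Apps outside SSO: {sso_coverage_gap(findings):.0%}"]
    for f in findings:
        gaps = ", ".join(f.gaps) if f.gaps else "none"
        lines.append(f"{f.score:>3}  {f.app:<12} users={f.users:<4} units={'/'.join(f.business_units)}  gaps={gaps}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(reconcile(DISCOVERED_APPS, SSO_APPS, APPROVED_APPS, PROCUREMENT_RECORDS, OWNERS)))
```

Running it puts Notely (outside SSO, no owner, unapproved, no purchase record) at the top and the fully governed Acme CRM at the bottom, and shows that two of the four apps are outside SSO. In a real programme the discovery list would be fed from expense, IdP and OAuth-grant exports on a schedule, and the ranked output is the remediation queue the lifecycle owners work from.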

What's in the full article

1Password's full article covers the operational detail this post intentionally leaves for the source:

  • How 1Password SaaS Manager maps unmanaged apps into inventory and lifecycle workflows
  • The specific app discovery and access review steps used to move a tool from shadow status into governed status
  • Examples of how IT and business teams can standardise overlapping tools without stopping local productivity
  • The product framing around SaaS Manager's visibility and automated discovery features

👉 Read 1Password's analysis of business-led IT and shadow SaaS governance →
