
Shadow SaaS governance: what should IAM teams do now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Shadow IT is not the core problem in 1Password’s analysis of SaaS Manager; the real issue is unmanaged SaaS adoption leaving 34% of applications outside SSO and creating compliance, data governance, and lifecycle blind spots. The practical lesson is that business-led IT only works when discovery, access review, and offboarding are treated as governance controls, not optional cleanup.

NHIMG editorial — based on content published by 1Password: business-led IT and shadow SaaS governance

By the numbers:

Questions worth separating out

Q: How should security teams govern shadow SaaS without blocking business productivity?

A: Security teams should treat shadow SaaS as a discovery and lifecycle problem, not a prohibition problem.

Q: Why do unmanaged SaaS apps create identity governance risk?

A: Unmanaged SaaS apps create risk because they sit outside central visibility, which means IT cannot consistently enforce SSO, review entitlements, or offboard access.

Q: What do IAM teams get wrong about business-led IT?

A: The common mistake is assuming business-led IT means losing control.

Practitioner guidance

  • Create a continuous SaaS discovery process: inventory applications across business units, then reconcile them against SSO coverage, approved app lists, and procurement records.
  • Assign lifecycle owners for every business-led app: require each application to have an accountable owner for onboarding, access review, renewal, and retirement.
  • Use SSO coverage to prioritise remediation: target applications outside SSO first, because they are the likeliest to have fragmented authentication, inconsistent offboarding, and weak auditability.

What's in the full article

1Password's full article covers the operational detail this post intentionally leaves for the source:

  • How 1Password SaaS Manager maps unmanaged apps into inventory and lifecycle workflows
  • The specific app discovery and access review steps used to move a tool from shadow status into governed status
  • Examples of how IT and business teams can standardise overlapping tools without stopping local productivity
  • The product framing around SaaS Manager's visibility and automated discovery features

👉 Read 1Password's analysis of business-led IT and shadow SaaS governance →
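The three practitioner steps above (discover, reconcile, assign owners, prioritise what sits outside SSO) as a small reconciliation script. This is an added example, not code from the 1Password article or the NHIMG post; the app names, the discovery, SSO, approval and procurement records, and the scoring weights are all constructed for illustration.

```python
# Added illustration, not code from the 1Password article or the NHIMG post;
# all records and the scoring weights below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
# Constructed discovery output: app -> business units observed using it.
DISCOVERED: Dict[str, Set[str]] = {
    "crm-suite": {"sales", "marketing"},
    "notes-app": {"engineering"},
    "design-tool": {"marketing", "product", "engineering"},
    "ticketing": {"support"},
    "file-share": {"finance", "legal"},
}
SSO_APPS = {"crm-suite", "ticketing"}                 # apps federated to the IdP
APPROVED = {"crm-suite", "ticketing", "design-tool"}  # sanctioned app list
PROCUREMENT = {"crm-suite": "alice", "design-tool": "bob", "ticketing": "carol"}  # owner of record
COMPANY_DATA = {"crm-suite", "design-tool", "file-share"}  # apps known to hold company data

@dataclass
class AppStatus:
    name: str
    in_sso: bool
    approved: bool
    owner: Optional[str]
    units: int          # number of business units using the app
    company_data: bool

    def gaps(self) -> List[str]:
        """Governance gaps the guidance above asks teams to close."""
        checks = [("outside_sso", not self.in_sso), ("unapproved", not self.approved),
                  ("no_owner", self.owner is None)]
        return [label for label, failed in checks if failed]

    def priority(self) -> int:
        # Outside-SSO apps rank first; data handling, multi-team use and no owner add weight.
        return ((3 if not self.in_sso else 0) + (2 if self.company_data else 0)
                + (1 if self.units > 1 else 0) + (1 if self.owner is None else 0))

def reconcile(discovered=DISCOVERED, sso=SSO_APPS, approved=APPROVED,
              procurement=PROCUREMENT, data_apps=COMPANY_DATA) -> List[AppStatus]:
    """Join discovery against SSO coverage, the approved list and procurement records."""
    return [AppStatus(a, a in sso, a in approved, procurement.get(a), len(u), a in data_apps)
            for a, u in discovered.items()]

def sso_coverage(statuses: List[AppStatus]) -> float:
    """Share of discovered apps behind SSO; the article's 34%-outside figure is 1 minus this."""
    return sum(s.in_sso for s in statuses) / len(statuses)

def remediation_queue(statuses: List[AppStatus]) -> List[str]:
    """Apps with at least one gap, highest priority first (ties broken by name)."""
    return [s.name for s in sorted(statuses, key=lambda s: (-s.priority(), s.name)) if s.gaps()]
```

On the constructed data, `remediation_queue(reconcile())` puts the multi-team, data-holding, ownerless app outside SSO first and leaves the two fully governed apps out of the queue.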


(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Shadow SaaS is an identity governance problem, not a behaviour problem. The article correctly moves away from treating business-led IT as employee defiance. The real issue is that identity and access workflows lose sight of applications once adoption happens outside central approval paths. That creates unmanaged access, incomplete reviews, and unclear ownership across the application lifecycle. Practitioners should treat shadow SaaS as a governance boundary failure, not a user-discipline issue.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.

A question worth separating out:

Q: How do organisations know when a SaaS app should be brought under formal governance?

A: A SaaS app should be brought under formal governance when it is used by multiple teams, handles company data, or sits outside SSO and access review processes. Those are the signals that a convenience tool has become part of the operating environment and needs lifecycle control.

👉 Read our full editorial: Business-led IT and shadow SaaS: governance gaps to close
