
The unmanaged stack: Governing SaaS apps and AI tools outside SSO

by Rachel Sudbeck

May 29, 2026 - 6 min


In the constantly evolving world of enterprise tech, there’s one thing that IT and security teams have always been able to count on: users won’t follow policy if they think it’s standing in the way of their productivity. 

Case in point: 1Password’s most recent annual report found that 52% of employees have downloaded apps without IT approval. These shadow IT apps typically sit outside a company’s SSO provider, and introduce both unmanaged risk and cost. 

That governance gap has become more pressing with the growing adoption of AI tools and agents, which introduce new and worsening threats. This issue was the focus of 1Password’s recent webinar, “The unmanaged stack: Governing SaaS apps and AI tools outside SSO.”

What is the unmanaged stack? It refers to all of the SaaS apps and AI-based tools that can’t be managed by traditional IAM tools, whether that’s due to software constraints or the infamous “SSO tax.”

During the webinar, Evan Sandhu, 1Password Product Marketing Specialist, and Ethan Stoler, Senior Demo Engineer, explored how 1Password’s solutions can help IT and security teams secure and govern these unapproved or unmanaged access points.

Read on for an in-depth recap of the webinar’s key themes.

New integration features to manage high-risk SaaS and AI

IT and security teams need solutions to manage those apps that fall outside the purview of SSO. Thankfully, new integrations between 1Password Enterprise Password Manager (EPM) and 1Password SaaS Manager are able to do just that.

“With SaaS Manager integrating with EPM, you can now discover sensitive and shared accounts stored in EPM vaults, surface them for review, and let IT take ownership of them, moving them from end-user management to IT management.”

Evan Sandhu, The unmanaged stack: Governing SaaS apps and AI tools outside SSO

During the webinar, Evan Sandhu explored how these integration features work across three different categories:

  1. Discover: With Vault Insights, teams can discover sensitive or shared logins across an organization’s EPM vaults. And with Browser Insights (beta) teams can surface login activity from the 1Password browser extension to reveal unapproved app usage.

  2. Review: With an Account Risk Report, teams can review the surfaced accounts and credentials according to their risk level, enabling admins to prioritize remediation.

  3. Govern: With Account Governance, IT and security teams can take over management of any of the discovered high-risk logins for sensitive or shared accounts.

In a live demo of these features, Ethan Stoler showed in real time how quickly this integration can surface various credential risks for critical applications like GitHub, and how simple it is for admins to govern those risks.

How 1Password SaaS Manager helps prevent OAuth supply chain attacks

OAuth-based supply chain attacks are a growing concern for today’s companies. These attacks tend to play out like so:

  1. An employee connects a third-party tool using “sign in with Google” or “sign in with Microsoft.”

  2. Permissions are granted, then forgotten.

  3. That third-party tool gets compromised.

  4. The attacker walks into your systems with a valid key.

In this scenario, the attacker is making authenticated requests within the approved permission scopes; there are no failed logins, anomalies, or privilege escalation attempts that can be detected by a team’s SIEM provider, CASB, or anomaly detection tools. 

The key to managing this risk doesn’t lie in preventing every OAuth connection or blocking every third-party tool. Rather, as Sandhu put it during the webinar, “Prevention requires knowing which connections exist right now at this moment, and ensuring access is granted only when needed. This is exactly what 1Password SaaS Manager does.”

1Password SaaS Manager can help companies:

  • Discover risky OAuth connections: Teams can continuously surface OAuth connections and flag connections with elevated permission scopes.

  • Secure Access: Admins can revoke access with a single action, set policies to restrict OAuth, and reduce standing privilege exposure.

  • Audit Actions: Every access change is automatically logged, providing teams with defensible audit records for compliance standards like SOC 2, ISO 27001, and HIPAA.

These abilities mean that 1Password SaaS Manager is uniquely able to help teams manage risks related to OAuth supply chain attacks – and the other risks associated with a company’s unmanaged stack of shadow IT and AI.
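To make the "discover" step concrete, here is an added Python example (not 1Password's code, and not a description of how SaaS Manager is implemented) that reviews an OAuth grant inventory: it groups grants by third-party client, flags elevated scopes, and marks elevated grants that have gone unused. The inventory records, their field names, the scope policy, and the 90-day threshold are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import date

# Example policy (an assumption, tune to your tenant): scopes that give a
# third party standing access to mail or files.
ELEVATED = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "Mail.ReadWrite",
    "Files.ReadWrite.All",
}

# Constructed inventory; field names are hypothetical, not a vendor schema.
GRANTS = [
    {"user": "ana@example.com", "client_id": "app-notes", "app": "NoteSync",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive"],
     "last_used": date(2025, 11, 2)},
    {"user": "raj@example.com", "client_id": "app-notes", "app": "NoteSync",
     "scopes": ["openid", "https://mail.google.com/"],
     "last_used": date(2026, 5, 20)},
    {"user": "li@example.com", "client_id": "app-cal", "app": "CalHelper",
     "scopes": ["openid", "email"], "last_used": date(2026, 5, 1)},
    {"user": "sam@example.com", "client_id": "app-crm", "app": "CRMBridge",
     "scopes": ["Mail.ReadWrite", "offline_access"],
     "last_used": date(2026, 1, 10)},
]

def review_grants(grants, today, stale_days=90):
    """Group grants by third-party client and rank by exposure."""
    apps = defaultdict(lambda: {"users": set(), "elevated": set(), "stale": set()})
    for g in grants:
        entry = apps[g["client_id"]]
        entry["app"] = g["app"]
        entry["users"].add(g["user"])
        hits = ELEVATED.intersection(g["scopes"])
        entry["elevated"] |= hits
        # "Granted, then forgotten": elevated access nobody has used lately.
        if hits and (today - g["last_used"]).days > stale_days:
            entry["stale"].add(g["user"])
    findings = [
        {"client_id": cid, "app": e["app"], "users": sorted(e["users"]),
         "elevated": sorted(e["elevated"]), "revoke_first": sorted(e["stale"])}
        for cid, e in apps.items() if e["elevated"]
    ]
    # Widest blast radius first: users affected if this one client is compromised.
    findings.sort(key=lambda f: (-len(f["users"]), -len(f["elevated"]), f["app"]))
    return findings
```

Calling `review_grants(GRANTS, today=date(2026, 5, 29))` ranks NoteSync ahead of CRMBridge because two users have granted it elevated scopes, and omits CalHelper, which holds only identity scopes.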

New AI integrations to help you govern ChatGPT, Claude, Gemini, and Cursor

Unfortunately, even company-approved AI tools often can’t integrate cleanly or affordably with SSO. 

As Sandhu stated, “Let’s say someone needs access to an AI platform. You create accounts for them, and it’s done one by one for every tool. You as an IT admin are constantly context switching between every different admin console to check who’s using what, how many tokens they’re spending, and how much usage they’re getting.”

This is why the webinar also highlighted five new AI integrations within 1Password SaaS Manager, including:

  1. ChatGPT and OpenAI

  2. Claude

  3. Cursor

  4. Google Gemini

These integrations are built with full lifecycle governance, including onboarding and offboarding workflows, in mind. As Sandhu put it, “You can assign roles, whether to individuals or groups. You can log specific metrics like usage and token spend. And you have full deprovisioning and provisioning capabilities as well. All of this is done in 1Password SaaS Manager.”

Ethan Stoler’s demo showed how simple it is to discover and manage these unapproved AI tools, including setting up workflows that let teams automate and customize their management processes. 

What should teams do next?

To summarize the main points of the webinar: 

  1. 1Password EPM and 1Password SaaS Manager have new integration capabilities that enable them to discover and govern high-risk logins.

  2. 1Password SaaS Manager is able to help companies surface, secure, and audit the unsanctioned AI tools and agents that can put companies at risk.

  3. 1Password SaaS Manager has new integrations with major AI companies that provide admins with a central tool for full lifecycle governance over their AI applications.

These integrations and capabilities are already available for teams that currently use 1Password EPM and 1Password SaaS Manager. To learn more and to see the demos in action, watch the complete webinar recording.

Want to get started with 1Password SaaS Manager? Reach out to our team.