Knowledge Base Article

2. SaaS discovery and shadow IT

The potential costs of shadow IT

Teams naturally pick the tools that best fit their needs and workflows. Designers experiment with new creative apps, financial analysts try new reporting tools, and software developers might tinker with AI-assisted code editors that help them move faster. It’s the way work gets done today, and even if IT wasn’t involved in picking out a new SaaS or AI tool, they’re still responsible for its risk. 

Apps that employees sign up for without IT’s approval, also known as shadow SaaS or shadow IT, are easy to ignore and might seem harmless. But turning a blind eye to unsanctioned software has consequences. These tools limit IT and security teams’ visibility into where data is stored, how it’s protected, and whether the company is paying for overlapping or redundant tools.

Data exposure
Unvetted apps may not meet your company’s internal security standards. A personal cloud storage account or messaging app can leave sensitive data unprotected and outside company oversight.

Compliance gaps
When employees use tools that don’t meet the requirements of critical frameworks like SOC2, SOX, and ISO 27001, organizational compliance becomes difficult to prove and costly to fix.

SaaS waste
Different teams may buy their own versions of the same app or adopt functionally similar apps, leaving the company to pay for overlapping or unused subscriptions.

Loss of visibility
If you don’t know which apps have access to company data, you can’t assess risk, enforce policies, or respond quickly to incidents.

How 1Password SaaS Manager uncovers SaaS apps

Before you can secure or optimize anything, you need to know what’s being used in the first place. 1Password SaaS Manager gives you a clear view of every app in use, approved or not, so you can spot risks early and determine the next right step for each tool.

Discover every app in use

1Password SaaS Manager provides a complete, user-centric view of SaaS usage by connecting to your organization’s HR systems for employee data and aligning it with app data from five key discovery sources:

  • Identity providers and SSO – Integrate with Okta, Google Workspace, Microsoft Entra ID, and more to see who is signing into which managed apps and how often.
  • Finance and contract management systems – Connect platforms like NetSuite, Sage Intacct, and Expensify to spot software purchases that never passed through IT.
  • Device management tools – Connect Mobile Device Management (MDM), Endpoint Detection and Response (EDR), and Unified Endpoint Management (UEM) tools to see device details and installed software alongside your SaaS activity.
  • SaaS Manager browser extension – An optional extension, separate from the 1Password browser extension that your team may already be using, captures apps accessed directly through the browser, even if they’re not tied to SSO.

1Password SaaS Manager gives every app a type, category, and security profile based on a library of more than 40,000 pre-populated app profiles. The result: a clean, continuously updated inventory of every app in use, approved or otherwise.

Assess and act on risk

Visibility is only useful if you can act on it. The app dashboard highlights tools that are likely to be high-risk and lets you check details like access levels, permissions, and usage. 

  • Identify apps that request excessive permissions or handle sensitive data.
  • Surface new or risky OAuth connections, highlight who authorized them, and provide the context you need to block or revoke access in your admin console.
  • Revoke risky OAuth tokens – tokens that let an app access a user’s data. Removing them helps limit unnecessary data sharing and potential exposure.

With all these controls available from a single dashboard, it’s easier to balance secure access with ensuring teams have all the tools they need.

Stay compliant without extra work

  • All SaaS activity is logged in one place, making it easy to demonstrate the controls required for frameworks like SOC2, SOX, and ISO 27001. Each discovered app includes security report details, helping you interpret what’s been found and decide where additional review is needed.
  • 1Password SaaS Manager gives you a complete, auditable record of users, apps, and access – evidence that supports access control and asset management requirements. 

From discovery to management

Shadow SaaS is easier to handle once you can see it. With a complete inventory of applications and clear insight into usage and risk, your IT teams can start reclaiming unused licenses, guiding tool consolidation, and setting policies that make sense for everyone.

After identifying which apps are in use, the next step is managing who has access to those apps.

In Chapter 3, you’ll learn how 1Password SaaS Manager automates onboarding and offboarding. Streamlined workflows ensure every employee gets the right access to the tools at the right time and no account gets left behind when someone leaves.

Updated 7 days ago