AI, SaaS, and personal devices are changing how people get work done, but the tools that protect company systems have not kept up, according to 1Password. Tools like SSO, MDM, and IAM no longer align with how employees and AI agents access data.
The result is what researchers call the “access-trust gap,” a growing distance between what organizations think they can control and how employees and AI systems access company data. The survey tracks four areas where this gap is widening: AI governance, SaaS and shadow IT, credentials, and endpoint security. Each shows the same pattern of rapid adoption and limited oversight.
AI is everywhere, but policy awareness is not
73% of employees use AI for at least part of their job, but over a third admit they do not always follow company rules. Some are unsure what those rules even are. While few security teams believe their company lacks an AI policy, far more employees say they have never seen one.
Shadow AI compounds the issue. About 27% of employees have used AI tools that were not approved by their company. These tools are often browser-based and free, making them easy to adopt yet nearly invisible to IT. This lack of visibility creates risk when workers feed sensitive data into unvetted systems.
The report advises companies to move from blocking AI to monitoring and guiding it. Establishing discovery, communication, and oversight is a more practical approach than banning new tools outright.
SaaS sprawl and shadow IT evade control
Organizations now rely on hundreds of cloud apps, most outside IT’s visibility. Over half of employees admit they have downloaded work tools without permission, often because approved options are slower or lack needed features.
This behavior drives SaaS sprawl. 70% of security professionals say SSO tools are not a complete solution for securing identities. On average, only about two-thirds of enterprise apps sit behind SSO, leaving a large portion unmanaged.
Offboarding gaps make the problem worse. 38% of employees say they have accessed a former employer’s account or data after leaving the company. Inconsistent offboarding and fragmented access systems make these lapses common.
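The offboarding lapse described above is easy to detect if HR data is joined against each application's own user export rather than only the identity provider's view. The following is an added example, not code from the 1Password report; the roster, application inventory, account exports, field names and dates are all constructed for illustration. It flags accounts that are still active for terminated users, notes whether the app is behind SSO (an IdP-driven offboarding flow would never touch the ones that are not), and separately lists accounts that map to no HR identity at all.

```python
"""Offboarding reconciliation across SaaS account exports (added example).

Inputs are constructed; in practice the roster comes from the HR system and the
account lists from each application's admin export or SCIM/API.
"""
from datetime import date

# Constructed HR roster: user -> termination date (None = still employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2025, 1, 15),
    "carol": date(2024, 11, 30),
    "dave": None,
}

# Constructed app inventory: app -> True if federated to the IdP (SSO), else False.
APP_SSO = {"crm": True, "wiki": True, "notes-saas": False, "free-chatbot": False}

# Constructed account exports: (app, user, account_active, last_login).
ACCOUNT_EXPORTS = [
    ("crm", "alice", True, date(2025, 2, 1)),
    ("crm", "bob", False, date(2025, 1, 10)),           # disabled correctly at offboarding
    ("wiki", "bob", True, date(2025, 1, 20)),           # still active and used after leaving
    ("notes-saas", "carol", True, date(2024, 12, 5)),   # app not behind SSO, never disabled
    ("free-chatbot", "carol", True, date(2024, 10, 3)), # stale but still enabled
    ("notes-saas", "dave", True, date(2025, 2, 2)),
    ("crm", "eve", True, date(2025, 2, 3)),             # no matching HR identity
]


def reconcile_offboarding(roster, app_sso, exports, today):
    """Return (lingering, orphans).

    lingering: dicts describing active accounts of terminated users, ordered so
               that accounts used after termination come first, oldest first.
    orphans:   (app, user) pairs with no HR identity (shared, service or
               personal-email accounts that need an owner before they can be
               governed at all).
    """
    lingering, orphans = [], []
    for app, user, active, last_login in exports:
        if user not in roster:
            orphans.append((app, user))
            continue
        terminated = roster[user]
        if terminated is None or not active:
            continue  # current employee, or already deprovisioned
        lingering.append({
            "app": app,
            "user": user,
            "terminated": terminated,
            "behind_sso": app_sso.get(app, False),
            "used_after_termination": last_login > terminated,
            "days_lingering": (today - terminated).days,
        })
    lingering.sort(key=lambda f: (not f["used_after_termination"], -f["days_lingering"]))
    return lingering, orphans


if __name__ == "__main__":
    found, unknown = reconcile_offboarding(HR_ROSTER, APP_SSO, ACCOUNT_EXPORTS, date(2025, 2, 10))
    for f in found:
        print(f"{f['app']:12} {f['user']:6} sso={f['behind_sso']!s:5} "
              f"used_after_exit={f['used_after_termination']!s:5} lingering={f['days_lingering']}d")
    for app, user in unknown:
        print(f"{app:12} {user:6} no HR identity")
```

Running the reconciliation on a schedule, and treating an app that is absent from the export feed as a finding in itself, turns a one-time offboarding checklist into the kind of continuous access tracking the report recommends.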
The report recommends continuous discovery of both approved and unapproved apps, paired with automated governance that tracks who holds access over time. Visibility across all tools, not only those connected to SSO, is key to reducing hidden risk.
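The discovery step recommended here, and the shadow-AI discovery recommended earlier in the AI section, can start from data most organizations already have: web-proxy or DNS logs. The following is an added example rather than code from the report or from 1Password. It parses a few constructed proxy log lines in an assumed format, ignores internal hosts, and tallies external hosts by user, request count and upload-style requests (POST/PUT/PATCH, the ones that carry company data into the tool). Hosts absent from the approved-app inventory are reported as shadow tools, and approved hosts not federated to SSO are reported separately. All domains, users and the inventory are assumptions.

```python
"""Shadow AI / SaaS discovery from proxy logs (added example).

Assumed log format, one request per line:
    <iso-time> <user> <method> <scheme>://<host>[:port]<path> <status>
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<scheme>https?)://(?P<host>[^/\s:]+)(?::\d+)?(?P<path>\S*) (?P<status>\d{3})$"
)

# Constructed approved-app inventory: host -> True if behind SSO, False if not.
APPROVED_APPS = {
    "approved-ai.example": True,
    "crm.example": True,
    "notes-saas.example": False,   # sanctioned, but not federated to the IdP
}

# Hosts under these suffixes are internal and not SaaS (assumption).
INTERNAL_SUFFIXES = (".corp.example",)

# Constructed sample log, including one malformed line that must be skipped.
SAMPLE_LOG = """\
2025-02-03T09:01:12Z alice GET https://approved-ai.example/v1/chat 200
2025-02-03T09:02:40Z bob POST https://free-chatbot.example/api/complete 200
2025-02-03T09:03:01Z alice GET https://intranet.corp.example/home 200
2025-02-03T09:05:55Z carol POST https://free-chatbot.example/api/complete 200
2025-02-03T09:06:10Z bob POST https://pastebin-ai.example/summarize 200
2025-02-03T09:07:30Z dave GET https://notes-saas.example/doc/42 200
this line is garbage and must be skipped
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def discover(events):
    """Aggregate external hosts: who used them, how often, how many uploads."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "uploads": 0})
    for e in events:
        host = e["host"].lower()
        if host.endswith(INTERNAL_SUFFIXES):
            continue
        entry = usage[host]
        entry["users"].add(e["user"])
        entry["requests"] += 1
        if e["method"] in ("POST", "PUT", "PATCH"):
            entry["uploads"] += 1
    return dict(usage)


def shadow_report(text, approved=APPROVED_APPS):
    """Return (unapproved_hosts, approved_but_outside_sso), each host -> usage."""
    usage = discover(parse_log(text))
    unapproved = {h: u for h, u in usage.items() if h not in approved}
    outside_sso = {h: u for h, u in usage.items() if h in approved and not approved[h]}
    return unapproved, outside_sso


if __name__ == "__main__":
    unapproved, outside_sso = shadow_report(SAMPLE_LOG)
    # Rank by uploads first: data leaving the company matters more than page views.
    for host, u in sorted(unapproved.items(), key=lambda kv: (-kv[1]["uploads"], -kv[1]["requests"])):
        print(f"UNAPPROVED   {host:24} users={sorted(u['users'])} uploads={u['uploads']}")
    for host, u in outside_sso.items():
        print(f"NOT-IN-SSO   {host:24} users={sorted(u['users'])}")
```

The output is a ranked list to review and follow up on, not a block list; that fits the report's advice to monitor and guide rather than ban, and the same tally shows which approved tools should be moved behind SSO next.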
Passwords remain the weak link
Password reuse and sharing are still widespread, even among security staff. Two-thirds of employees admit to unsafe practices such as reusing or sharing passwords, relying on defaults, or sending credentials over email or messaging apps.
Weak credentials remain a leading factor in breaches. Nearly half of respondents say employees using weak or compromised passwords is their top challenge. Among those who experienced a material breach in the past three years, stolen credentials were the second most common cause, after software vulnerabilities.
Organizations are turning to passkeys. 89% of security leaders say their companies are encouraging or planning to encourage their use. A passkey replaces the password with a device-bound public-key credential, unlocked locally by a biometric or device PIN, that is tied to the legitimate site's origin, so a lookalike phishing page cannot obtain a login that works on the real site; that property also helps meet regulatory expectations for phishing-resistant authentication.
“I’m not surprised by the enthusiasm for passkeys, because the companies pushing passkeys are making it so easy to convert to them—one click and it’s done,” said Brian Morris, CISO, Gray Media.
Passwords will coexist with new systems for years, so the realistic goal is to reduce how often users handle raw credentials rather than to remove passwords entirely overnight.
Devices multiply faster than MDM can manage
Hybrid and remote work have made device management more complex. Nearly three-quarters of employees use personal devices for work at least occasionally, and over half do so weekly.
Mobile Device Management remains the default control for company hardware, but security leaders see its limits: many say MDM tools do not adequately safeguard even managed devices or ensure compliance. MDM was built for company-owned machines, not for environments where people move between personal and corporate devices that connect directly to cloud services.
Personal devices are often used for convenience, but they lack the protections found on corporate machines. Even when companies prohibit BYOD practices, enforcement is uneven. Employees still access corporate data from their phones or personal laptops.