Bridging the Access-Trust Gap in Modern Security
The modern workplace operates at a speed that traditional security infrastructure was never designed to handle. Employees toggle between dozens of cloud applications, feed company data into AI tools, and access corporate systems from personal devices—often before security teams even know these tools exist. This disconnect has created what researchers now call the “access-trust gap”: the growing distance between what organizations believe they control and how work gets done.
Two recent studies paint a sobering picture of this challenge. Research from 1Password reveals that traditional security tools like single sign-on, mobile device management, and identity access management no longer align with how employees and AI agents access data. Meanwhile, an Anaconda survey of over 300 AI practitioners shows that even organizations with formal AI data governance frameworks struggle with security concerns, inconsistent monitoring, and fragmented toolchains. Together, these findings expose a dual crisis: enterprises face both rapid AI adoption that outpaces oversight and fundamental access control problems that make every new tool a potential vulnerability.
Key Takeaways
- Shadow AI Is Widespread and Largely Unmonitored. 73% of employees now use AI tools at work, but 27% have used unapproved applications their companies don't know about. These browser-based, free tools create visibility gaps when workers feed sensitive data into unvetted systems.
- Traditional Access Controls Can't Keep Up With SaaS Adoption. Only two-thirds of enterprise applications sit behind single sign-on, leaving a large portion of the software landscape unmanaged. Over half of employees admit to downloading work tools without IT approval because sanctioned options are too slow or lack needed features.
- Credential Theft Remains a Leading Breach Cause. Two-thirds of employees engage in risky password practices like reusing credentials or sharing them via email, and stolen credentials rank as the second most common cause of material breaches. 89% of security leaders are now encouraging passkey adoption to reduce reliance on traditional passwords.
- AI Model Governance Suffers From Fragmented Toolchains. Only 26% of organizations have highly unified AI development environments, while 30% lack formal monitoring to detect model drift in production. Security concerns delay AI deployments at nearly two-thirds of organizations, with teams spending substantial time troubleshooting dependency and vulnerability issues.
- Former Employees Still Access Company Systems. 38% of employees report accessing a former employer's accounts or data after leaving, revealing serious offboarding gaps. Inconsistent access revocation processes and fragmented identity management systems allow these security lapses to persist across hundreds of cloud applications.
Understanding the Access-Trust Gap
The access-trust gap describes a fundamental misalignment in modern enterprise security. Organizations have built their defenses around tools designed for a different era—one where employees worked from company-owned devices, accessed a limited set of approved applications, and connected through managed networks. That world no longer exists.
Today’s work environment is fluid and distributed. Employees switch between corporate laptops and personal phones. They adopt cloud services that never touch IT-managed infrastructure. They collaborate through platforms that security teams may not even know exist. Traditional controls like SSO assume that all important applications will be cataloged and integrated, but this assumption breaks down when employees can spin up new tools with a credit card and an email address.
The 1Password research identifies four critical areas where this gap is widening: AI governance, SaaS and shadow IT, credentials, and endpoint security. Each area shows the same pattern—rapid adoption of new tools and practices followed by limited or lagging oversight. The consequences range from minor inefficiencies to material security breaches, and the problem is accelerating as AI adds another layer of complexity to an already strained security model.
AI Governance Challenge: Two Sides of the Same Coin
AI has become embedded in daily work routines faster than almost any technology in recent memory. According to the 1Password study, 73 percent of employees now use AI for at least part of their job. Yet over a third admit they do not always follow company rules around AI usage—and some are unsure what those rules even are. This disconnect between adoption and governance creates immediate risk.
The problem extends beyond simple rule-breaking. Approximately 27 percent of employees have used AI tools that were never approved by their company. These shadow AI tools are typically browser-based and free, making them trivial to adopt but nearly impossible for IT teams to detect. When workers feed sensitive data into unvetted systems—whether to generate content, analyze information, or automate tasks—they create potential exposure points that bypass every security control the organization has implemented.
The issue is compounded by a communication failure. While few security teams believe their company lacks an AI policy, far more employees report they have never seen one. This suggests that policies exist on paper but fail to reach the people who need to follow them, creating a dangerous gap between intention and practice.
The technical side of AI governance faces equally serious challenges. The Anaconda survey found that security remains the most common AI development risk, cited by 39 percent of respondents. Almost two-thirds of organizations have experienced delays in AI deployments due to security concerns. Many teams report that time spent troubleshooting dependency issues—particularly in open-source Python packages—cuts directly into productivity.
Despite having processes to validate packages for security and compliance, current approaches struggle to keep pace with the scale and complexity of AI projects. Organizations use a mix of automated vulnerability scans, internal package registries, and manual reviews, but the frequency of security incidents suggests these methods are not sufficient. The problem is not a lack of awareness or effort; it is that the attack surface has grown faster than the tools designed to protect it.
The monitoring picture is similarly uneven. While 83 percent of organizations document the origins of foundation models and 81 percent keep records of model dependencies, not all documentation is comprehensive. Nearly one in five respondents have no formal documentation at all. Performance monitoring shows a parallel gap—70 percent have mechanisms to detect model drift or unexpected behaviors, but 30 percent have no formal monitoring in production environments.
These blind spots matter. Without consistent monitoring, organizations cannot detect when models degrade, behave unexpectedly, or expose sensitive information. As AI moves deeper into production systems—making decisions about customer service, financial transactions, or operational processes—the inability to track model behavior becomes a critical governance failure.
The fragmentation problem extends to toolchains as well. Only 26 percent of organizations report having a highly unified AI development toolchain. The majority work with partially unified or fragmented setups, with some describing their environments as highly fragmented. This fragmentation creates visibility gaps, duplicates effort, and introduces inconsistent security controls across different teams and projects.
Cultural factors add another layer of difficulty. A quarter of respondents identified resistance from data science teams to security measures as a key challenge. When governance processes are layered onto disparate systems, they become slow and cumbersome, which encourages teams to work around them. The result is more shadow IT, more unapproved tools, and a wider gap between policy and practice.
SaaS Sprawl and the Shadow IT Reality
The explosion of cloud applications has fundamentally changed how companies operate. Organizations now rely on hundreds of cloud apps, but most sit outside IT’s visibility and control. The 1Password research found that over half of employees admit they have downloaded work tools without permission, typically because approved options are slower or lack needed features.
This behavior drives what security professionals call SaaS sprawl—the uncontrolled proliferation of software-as-a-service applications across an organization. The numbers tell a concerning story. Seventy percent of security professionals say SSO tools are not a complete solution for securing identities. On average, only about two-thirds of enterprise apps sit behind SSO, leaving a substantial portion of the application landscape unmanaged and often unknown.
The reasons for this bypass behavior are straightforward. Employees face real workflow problems and need tools to solve them. When the approved procurement process takes weeks and the unapproved alternative takes minutes, many choose convenience over compliance. When the company-sanctioned tool is slower, less intuitive, or missing key features, workers find alternatives. This is not malicious behavior—it is people trying to do their jobs efficiently.
The offboarding gap reveals how deeply this problem runs. Thirty-eight percent of employees say they have accessed a former employer’s account or data after leaving the company. This statistic should alarm any security leader. It indicates that access revocation processes are inconsistent, that many accounts and tools fall outside the offboarding workflow, and that the organization lacks a complete inventory of where former employees might retain access.
Fragmented access systems make these lapses common rather than exceptional. When companies use dozens or hundreds of cloud services, each with its own access management, ensuring complete offboarding becomes extremely difficult. A single missed application can leave a door open for months or years after an employee departs.
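The inventory gap described above can be checked mechanically. The following added example (not from the 1Password or Anaconda research; the sample data, file layouts and field names are constructed assumptions) reconciles an HR roster against per-application account exports and lists enabled accounts that belong to departed employees, ranking apps outside SSO first because identity-provider deprovisioning will not reach them.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the article): HR roster, app inventory,
# and per-application account exports.
HR_ROSTER = """email,status,end_date
alice@example.com,active,
bob@example.com,terminated,2024-03-01
carol@example.com,terminated,2024-05-20
"""
APP_INVENTORY = {            # app name -> is it federated behind SSO?
    "crm": True,
    "design-tool": False,
    "ai-notes": False,
}
APP_ACCOUNTS = """app,account_email,enabled
crm,Alice@Example.com,true
crm,bob@example.com,false
design-tool,BOB@example.com,true
ai-notes,carol@example.com,true
ai-notes,contractor@partner.example,true
"""

def load_roster(text):
    """Map normalised email -> (status, end_date or None)."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        end = date.fromisoformat(row["end_date"]) if row["end_date"] else None
        roster[row["email"].strip().lower()] = (row["status"], end)
    return roster

def review_access(roster_text, accounts_text, inventory, today):
    """Return findings for enabled accounts that should not exist."""
    roster = load_roster(roster_text)
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing to revoke
        email = row["account_email"].strip().lower()
        app = row["app"]
        behind_sso = inventory.get(app, False)  # unknown apps count as unmanaged
        if email not in roster:
            findings.append({"app": app, "email": email, "issue": "no_hr_record",
                             "behind_sso": behind_sso, "days_open": None})
            continue
        status, end = roster[email]
        if status == "terminated":
            findings.append({"app": app, "email": email, "issue": "orphaned",
                             "behind_sso": behind_sso,
                             "days_open": (today - end).days if end else None})
    # Accounts outside SSO first (IdP deprovisioning will not reach them),
    # then longest-open first.
    findings.sort(key=lambda f: (f["behind_sso"], -(f["days_open"] or 0)))
    return findings

if __name__ == "__main__":
    for f in review_access(HR_ROSTER, APP_ACCOUNTS, APP_INVENTORY, date(2024, 6, 1)):
        print(f)
```

Accounts with no HR record are reported separately from orphaned ones, since they may be contractors or service accounts that need an owner rather than revocation.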
Credentials: The Persistent Weak Link
Despite years of security awareness training and increasingly sophisticated authentication technologies, password security remains a fundamental problem. The 1Password study found that two-thirds of employees admit to unsafe practices such as reusing passwords across multiple sites, sharing credentials with colleagues, relying on default passwords, or sending credentials over email or messaging apps.
These behaviors are not limited to less technical staff. Security professionals themselves engage in these same risky practices, suggesting the problem is less about awareness and more about the friction inherent in secure credential management. When people face dozens or hundreds of accounts, each requiring a unique, complex password, many resort to shortcuts that undermine security.
The consequences are measurable and severe. Nearly half of survey respondents identify employees using weak or compromised passwords as their top security challenge. Among organizations that experienced a material breach in the past three years, stolen credentials were the second most common cause, trailing only software vulnerabilities.
The pattern is clear: credentials remain an attractive and effective attack vector because they are both valuable and relatively easy to compromise. Phishing attacks, credential stuffing, and social engineering all target the weakest link in most security chains—the username and password.
Organizations are responding by moving toward passkeys and other passwordless authentication methods. Eighty-nine percent of security leaders say their companies are encouraging or planning to encourage passkey use. Passkeys replace traditional passwords with biometric or device-based authentication that resists phishing, reduces user friction, and supports regulatory compliance standards.
“I’m not surprised by the enthusiasm for passkeys, because the companies pushing passkeys are making it so easy to convert to them—one click and it’s done,” said Brian Morris, CISO at Gray Media, highlighting the practical appeal of newer authentication approaches.
However, the transition will not happen overnight. Passwords will coexist with new authentication systems for years as organizations manage legacy systems, third-party integrations, and gradual user migration. The realistic goal is not to eliminate passwords entirely in the near term, but to reduce how often users need to handle raw credentials and to layer additional protections around those that remain.
Device Management in the Hybrid Work Era
The shift to hybrid and remote work has made device management substantially more complex. Nearly three-quarters of employees use personal devices for work at least occasionally, and over half do so weekly. This represents a fundamental change in how people connect to corporate resources, but the security tools designed to manage that access have not kept pace.
Mobile device management remains the default control mechanism for company hardware, but security leaders increasingly recognize its limitations. MDM tools were built for an environment where companies owned the devices, controlled the operating system, and could enforce comprehensive policies. They were not designed for situations where employees move fluidly between personal and corporate devices, accessing cloud services that exist outside the traditional network perimeter.
The limitations show up in practice. Security leaders report that MDM does not adequately safeguard managed devices or ensure compliance, particularly in hybrid environments. Personal devices lack the protections found on corporate machines—no enterprise endpoint protection, no centrally managed encryption, no guaranteed patch management. Yet employees use these devices to access email, edit documents, join video calls, and interact with business applications.
Even when companies prohibit bring-your-own-device practices, enforcement is uneven at best. Employees still access corporate data from their phones during commutes or from personal laptops when working from home. The choice often comes down to blocking access entirely—which hurts productivity and frustrates workers—or allowing access and accepting the risk.
Practical Solutions and Recommendations
The access-trust gap and AI governance challenges require organizations to rethink their approach to security. Blanket prohibitions and rigid controls no longer work when employees can adopt new tools instantly and work from any device or location. The path forward requires visibility, guidance, and integrated controls rather than barriers and restrictions.
- AI Governance
  - Move from blocking AI to monitoring and guiding its use.
  - Implement continuous discovery mechanisms to identify both approved and unapproved tools in use.
  - Communicate AI policies clearly to all employees.
  - Embed governance directly into development workflows to reduce resistance and align innovation with oversight.
  - Invest in improved visibility into model components, comprehensive training, and automated monitoring for drift and anomalies.
- SaaS Sprawl and Shadow IT
  - Automate governance to track access over time across all tools, not just those connected to SSO.
  - Use network segmentation, endpoint visibility tools, and regular discovery processes to surface shadow IT.
  - Focus on comprehensive offboarding: create checklists, automate access revocation, and conduct periodic access reviews.
- Credential Security
  - Implement passkeys and passwordless authentication for high-risk applications first, then expand gradually.
  - Make password managers mandatory and extend SSO coverage.
  - Reduce the frequency with which users handle raw credentials.
- Device and Endpoint Security
  - Accept the hybrid reality and design controls accordingly.
  - Implement zero trust architecture that verifies every access request.
  - Provide company-owned devices for workers who access sensitive data, or use conditional access policies based on device posture and user behavior.
Throughout all these efforts, balance matters. Security controls that make it substantially harder for employees to do their jobs will be bypassed. The most effective security measures are those that align with how people work, providing protection without creating excessive friction.
Security Must Match the Speed of Work
The access-trust gap and AI governance challenges are not temporary problems that will resolve themselves as technologies mature. They represent a fundamental shift in how work happens—a shift toward distributed, flexible, AI-augmented workflows that traditional security tools were never designed to manage.
Organizations that close these gaps will gain competitive advantage through both better security and faster innovation. Those that ignore them will face escalating risks as the distance between policy and practice continues to widen. The solution requires adaptive, visibility-focused approaches that provide oversight without blocking progress.
Security teams must evolve from gatekeepers to enablers, from control-focused to visibility-focused, and from reactive to proactive. The workplace has changed permanently, and security practices must change with it.
Frequently Asked Questions
The access-trust gap describes the growing distance between what organizations think they control and how employees access company data. Traditional security tools like SSO, MDM, and IAM were designed for environments where employees used company-owned devices and approved applications, but today’s workers adopt cloud services, AI tools, and personal devices faster than security teams can track or manage them.
27% of employees have used AI tools that were not approved by their company, according to recent research from 1Password. While 73% of employees use AI for at least part of their job, over a third admit they don’t always follow company rules, and many are unsure what those rules even are. These unapproved tools are typically browser-based and free, making them easy to adopt but nearly invisible to IT departments.
Over half of employees download work tools without IT permission because approved options are slower, take weeks to procure, or lack features they need to do their jobs efficiently. This behavior drives SaaS sprawl, with organizations now managing hundreds of cloud applications—most outside IT visibility. On average, only two-thirds of enterprise apps sit behind SSO, leaving substantial portions of the application landscape unmanaged.
Security concerns top the list, with 39% of AI practitioners citing it as their primary risk and nearly two-thirds of organizations facing deployment delays due to security issues. Additional challenges include fragmented toolchains (only 26% have highly unified environments), inconsistent model monitoring (30% lack formal production monitoring), and cultural resistance from data science teams who view security measures as obstacles rather than enablers.
MDM tools show significant limitations in hybrid work settings, according to security leaders surveyed. Nearly 75% of employees use personal devices for work at least occasionally, but MDM was designed for company-owned hardware, not environments where people move between personal and corporate devices. Personal devices lack enterprise endpoint protection, centrally managed encryption, and guaranteed patch management, yet employees use them to access email, documents, and business applications.
38% of employees report accessing a former employer’s accounts or data after departure, revealing widespread offboarding failures. This happens because access revocation processes are inconsistent, many cloud applications fall outside standard offboarding workflows, and organizations lack complete inventories of where former employees might retain access. When companies use hundreds of cloud services with separate access management systems, ensuring complete offboarding becomes extremely difficult.