Toronto-based identity security vendor 1Password, which makes a popular password manager, has released its 2025 Annual Report: The Access-Trust Gap. The findings reveal a growing Access-Trust Gap, the divide between the types of access that security and IT teams can control and the reality of how workers access sensitive data in practice, driven by the rapid adoption of SaaS and AI tools that exceed the reach of traditional identity tools.
“People will always avoid friction, creating their own solutions when support isn’t clear,” said Dave Lewis, Global Advisory CISO at 1Password. “Today that shows up in the complexity of SaaS and AI implementations. The issue isn’t the SaaS and AI tools enterprises use in their corporate environments; it’s our assumptions. Organizations are asking yesterday’s identity tools to govern a cloud-native, AI-accelerated workplace. That disconnect has caused the Access-Trust Gap. If organizations want resilience and speed, the industry must treat access as continuous, context-aware, and largely invisible, protecting every app, every tool, and every identity while letting employees get on with the work.”
The report finds that while knowledge workers are using AI tools to boost productivity, few organizations are equipped to manage that usage safely. Weak policy enforcement and poor oversight have fueled a rise in shadow AI, exposing organizations to compliance and security risks. Here are some of the data points from the annual report – most of them negative.
52% of employees have downloaded apps without IT approval.
73% of employees are encouraged to use AI, but 33% don’t always follow AI policies.
27% of employees have used unsanctioned IT tools.
Risky AI usage is widespread: 22% of employees have shared company data with AI to write a report or presentation, 24% have shared customer call notes, and 19% have shared employee data, such as performance reviews.
Shadow AI increases risk: 43% use AI apps to do work on personal devices, while 25% use unapproved AI apps at work.
Over one-third of employees (38%) have successfully accessed a prior employer’s account.
Passwords remain the weakest link: 66% of employees admit to poor password practices, and compromised credentials are the root cause of 53% of material breaches in the past three years.
“I know we’ve got data going into these LLMs that we don’t have control over – the best we can do is sign enterprise agreements that offer some legal protections,” said Nick Tripp, CISO of Duke University. “But if someone uses a tool we don’t have an agreement for, there’s no protection for us.”
The report also found that SSO wasn’t built for the modern workforce, and is falling short for SaaS access governance.
70% of IT and security professionals say SSO is not a complete solution to secure employee identities. At least one-third (34%) of SaaS apps are not protected by SSO.
Traditional tools like single sign-on (SSO) can no longer keep up with today’s fast-changing SaaS and AI environment. Employees are adopting new tools faster than IT can govern them, leading to unmonitored access, unmanaged apps, and offboarding security risks. SSO is not enough. The report found that 74% of security and IT professionals say SSO is not a complete solution for securing employee identities; 30% of apps are left outside SSO, and 34% of employees have accessed a prior employer’s account, data, or apps.
1Password’s global report finds the Access-Trust Gap extends far beyond North America. The data points to a universal challenge – legacy identity systems can’t scale to meet the demands of decentralized, SaaS- and AI-driven work.
Singapore leads in shadow IT: 55% of employees admit to downloading apps without IT approval, compared to Germany (46%), the U.S. (44%), the UK (43%), and France (33%).
Shadow AI is on the rise: 30% of Singapore employees report using unapproved AI tools, followed by the UK (28%), Germany (27%), France (27%), and the U.S. (25%).
Germany has a password problem: 44% of employees admit to poor practices, the highest globally.
“The need to balance security and productivity has never been more visceral for security leaders than it is now with the rapid proliferation of IT tools,” said Jacob dePriest, CISO and CIO at 1Password.
The 1Password 2025 Annual Report: The Access-Trust Gap is based on an online survey that included 5,200 desk-based knowledge workers across the U.S., Canada, the UK, Germany, France, and Singapore. The North American data cited in this press release reflects responses from 1,500 workers, including IT and security professionals.
