Getting Visibility and Control over SaaS Sprawl with 1Password Extended Access Management

SaaS sprawl creates a number of serious issues for companies: wasted budget, the exposure of sensitive data via unsanctioned apps, and disjointed access management for apps outside SSO. Jason Meller walks through how 1Password helps our customers discover, manage, and secure their entire SaaS ecosystem – even non-SSO apps – via 1Password Device Trust and Trelica by 1Password. This problem has exploded as employees have gained more autonomy to choose their own tools, creating a significant visibility challenge for IT and security teams. 1Password addresses this by using its Device Trust agent to discover the full scope of application usage across an organization. The agent provides deep visibility by identifying browser visits, desktop apps, browser extensions, and even IDE plugins across Windows, macOS, and Linux, all while providing users with a privacy center to understand what data is being collected. This is particularly effective for discovering modern AI tools, which often have multiple components; for example, the agent can detect not only the ChatGPT website but also its native desktop app and VS Code extension.

Once these applications are discovered, 1Password provides nuanced control that goes beyond simple blocking. For a tool like ChatGPT, an administrator can create a policy that doesn’t just ban it but instead ensures employees are using the sanctioned corporate workspace. If a user is detected using a personal account, Device Trust can block them from accessing sensitive company resources until they switch to the approved account, educating the user on the policy in real time. This discovery and control capability is further enhanced by Trelica by 1Password, a SaaS management platform that acts as a single pane of glass for app governance. Trelica integrates with IDPs, financial systems, and its own browser extension to discover shadow IT, manage licenses, and automate complex onboarding and offboarding workflows across hundreds of integrated applications.

Ultimately, these components come together in the 1Password App Launcher, which provides a unified and seamless sign-in experience for end users. The launcher presents all of a user’s applications, whether they are federated through an IDP or require a username and password. When a user clicks an icon, 1Password handles the authentication details in the background—either navigating the SSO flow or autofilling credentials and TOTP codes—while transparently enforcing device trust checks. This creates “experiential uniformity” for the user, allowing IT and security teams to improve security behind the scenes, such as upgrading an app from password-based login to federated SSO, without disrupting the user’s workflow. This holistic approach is central to 1Password’s mission to secure every sign-in to every app from every device.