Why Your Security Team Is Chasing Ghosts—and How to Catch Up

By Tim Freestone, Chief Strategy Officer at Kiteworks

Your employees aren’t trying to outsmart your security team—they’re just trying to get work done. And in many cases, they’re winning.

Someone is pasting proprietary data into ChatGPT. Another employee just downloaded a new project management app because Jira takes forever to load. A former colleague from three months ago still has access to Slack. And your security team? They’re celebrating because the latest SaaS app finally integrates with SSO—a system no one even uses anymore.

This is the access-trust gap, and no patch can fix it.

The Illusion of Control

Security teams love to believe they have visibility. We have SSO, MDM, IAM, policies, training, quarterly reviews—we must be covered, right?

Wrong.

According to 1Password’s 2025 Access-Trust Gap report, only about two-thirds of enterprise applications are actually behind SSO. That leaves a third of your app ecosystem completely invisible. Over half of employees admit to downloading work tools without approval. And more than a third of former employees still access their old accounts. The digital office still has keys hanging on the wall, long after someone has left.

The systems we rely on were built for a different world: one where employees used company laptops, accessed a managed network, and asked IT before installing anything. That world vanished around 2020. Security architecture hasn’t caught up.

The AI Wildcard

AI adoption has exploded: 73% of employees now use AI tools at work, and 27% have used tools their company never approved. These aren’t sophisticated attacks—they’re just browser tabs solving everyday problems: summarizing documents, drafting emails, debugging code.

The problem is that these free AI tools often prioritize growth over privacy. Employees don’t care—they need results fast. Meanwhile, security policies exist somewhere in SharePoint while work happens in Slack and Zoom.

Anaconda surveyed 300 AI practitioners and found 39% cited security concerns as the top risk in AI development. Two-thirds face deployment delays because of these concerns, and nearly a third have no way to detect when models drift or degrade. Most organizations are working with fragmented AI toolchains, where inconsistent security controls and visibility gaps are the norm. Teams bypass controls because the tools get in the way—and they will keep doing it.

Passwords: The Never-Ending Problem

Passwords still fail us. Two-thirds of employees reuse passwords, share them, email them to themselves, or scribble them on Post-its. Security professionals aren’t immune.

The reason is simple: managing dozens or hundreds of complex passwords is a cognitive impossibility. Stolen credentials are the second leading cause of breaches after software vulnerabilities. Despite training, complexity rules, and rotation policies, nothing has stopped the problem.

Passkeys offer hope: device- or biometric-based authentication resists phishing and reduces friction. But passwords aren’t going away overnight. Legacy systems, third-party integrations, and gradual migrations mean we must coexist with them—and reduce harm while we do.

Devices Everywhere, Control Nowhere

Three-quarters of employees use personal devices for work, often daily. They check email on phones, edit documents on laptops, and join video calls from tablets.

MDM was supposed to help but fails when devices are personal. These gadgets lack enterprise protection, centralized encryption, or guaranteed patching. Some companies try to ban BYOD. Employees ignore the ban. Blocking access kills productivity; allowing it invites risk. Most companies quietly accept the risk.

What Actually Works

More rules won’t solve this. The problem isn’t employees—it’s controls that don’t match modern work. Organizations closing the access-trust gap do three things differently:

  1. Prioritize visibility over control. You can’t secure what you can’t see. Continuous discovery of approved and unapproved tools must be automatic, not a quarterly audit.
  2. Embed security into workflows. Compliance happens naturally when tools are integrated, not bolted on. Fingerprint authentication beats complex passwords because it makes secure behavior easier than insecure behavior.
  3. Accept reality. Hybrid work, AI adoption, and SaaS sprawl are permanent. Security architectures must assume distributed access, unmanaged devices, and rapid tool adoption as baseline conditions. This means zero-trust architectures, automated governance across all apps, and phased credential modernization.

The Real Fight

The access-trust gap exists because work evolved faster than security could adapt. Employees aren’t enemies—they’re solving problems with effective tools. Security teams aren’t failing—they’re using outdated weapons.

Organizations that succeed will stop trying to control everything and start trying to see everything. They will guide instead of block, automate instead of audit, and make secure behavior the path of least resistance.

Your employees will continue finding ways around controls that don’t work. You can fight reality, or you can design for it. Only one approach actually works.

Tim Freestone is Chief Strategy Officer at Kiteworks. With over 18 years of experience in marketing, brand strategy, and process optimization, he helps organizations modernize content governance, compliance, and protection frameworks. Contact him at [email protected].
