by arghwhat
1001 days ago
Even without SSO, a Bitwarden team subscription lets you administratively revoke organization access at negligible business cost. Note that revocation is insufficient to protect current passwords: the user may have made a copy. For that you need password rotation and second factors like a hardware token. Regardless, shared credentials should be reserved for when no other solution is technically possible. At the very least, when shared credentials cannot be avoided, try to split them into multiple domains - read-only vs "production open heart surgery", devs vs prod admins, automation vs humans, etc. For automation, always make new tokens for each use - and never store them, as you can always make more. Consider only issuing credentials to people upon request, and revoking them after the fact. There are many mechanisms to reduce risk.