Because SaaS often creates the identities, permissions, and delegation paths that later become the attack route. If a risk model scores the application but ignores the identities attached to it, it misses the main pathway from configuration drift to compromise. In practice, access scope and ownership determine the real risk.
Why This Matters for Security Teams
SaaS and identity belong in the same assessment model because the application is rarely the whole attack surface. In modern environments, SaaS defines who can act, what they can reach, and which delegated pathways persist after onboarding, offboarding, or a vendor change. If the assessment stops at application posture, it misses the identity layer where privilege actually accumulates. NIST’s Cybersecurity Framework 2.0 treats identity as part of governance and protection, not a separate checkbox.
That is why NHIs, OAuth grants, service accounts, and admin delegation need to be scored together with the SaaS platform they power. NHI Management Group’s Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which turns routine SaaS misconfiguration into a direct compromise path. The risk is not simply “is the app secure,” but “what identities, permissions, and secrets does the app make durable.” In practice, many security teams discover this only after an OAuth token, service account, or delegated integration has already been abused, rather than through intentional assessment design.
How It Works in Practice
A useful assessment model starts by mapping the SaaS application and the identities it creates or trusts. That means cataloging human admins, service accounts, API keys, OAuth grants, SCIM sync accounts, privileged connectors, and any delegated access into downstream systems. The question is not just whether the app is patched or configured correctly, but whether its identity relationships create a wider blast radius than the business intended.
The most effective models score both sides together:
- Application exposure, such as tenant settings, sharing rules, and external integrations.
- Identity strength, such as MFA, credential age, token scope, and secret storage location.
- Privilege shape, such as standing access versus just-in-time access and whether roles are overly broad.
- Delegation depth, including third-party apps that inherit access through OAuth or API permissions.
This is where NHI governance becomes operational. The Top 10 NHI Issues research shows how excessive privilege and weak rotation turn ordinary integrations into persistent risk. A SaaS app can look low risk on paper, yet still be high risk if it stores long-lived secrets, exposes broad scopes, or allows inherited access into sensitive data. That is why assessment teams increasingly pair SaaS reviews with identity lifecycle checks: creation, rotation, revocation, and offboarding.
Current guidance suggests treating identity evidence as a first-class control input, not a postscript. NIST CSF and identity-focused practices work best when scoring reflects both technical exposure and who can actually exercise the access. These controls tend to break down when SaaS sprawl creates undocumented service accounts and shadow OAuth grants because ownership is unclear and revocation is not tied to application review cycles.
Common Variations and Edge Cases
Tighter identity control often increases operational overhead, requiring organisations to balance reduced blast radius against integration complexity. That tradeoff matters because not every SaaS platform supports the same depth of identity telemetry, token controls, or revocation hooks. Where the ecosystem is mature, teams can enforce short-lived tokens, scoped permissions, and automated offboarding. Where it is not, best practice is evolving rather than settled.
Some environments still separate app risk and identity risk for convenience, especially during vendor procurement or annual review cycles. That can work for low-impact tools, but it breaks down quickly for platforms that hold customer data, connect to production systems, or expose administrative APIs. The same is true for outsourced admin models, where a SaaS vendor or implementation partner has delegated access that sits outside the internal IAM boundary. In those cases, the assessment must follow the access path, not just the application owner.
For deeper context on how access paths become breach paths, see 52 NHI Breaches Analysis and the Snowflake breach. The practical lesson is simple: if a SaaS platform can mint, inherit, or preserve identity privilege, it belongs in the same assessment model as the identity itself.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | SaaS risk is often identity-driven through exposed secrets and privileges. |
| NIST CSF 2.0 | PR.AC-4 | Identity access management is central to SaaS risk scoring. |
| NIST AI RMF | Governance should account for identity-linked operational and security impact. |
Use AI RMF governance principles to assign ownership, review access, and track identity risk.
Related resources from NHI Mgmt Group
- Why do access reviews belong in identity governance rather than SaaS management?
- Why do security audits often miss the most important identity risks?
- How should organisations govern SaaS licenses alongside identity access reviews?
- Why do identity platforms often look stronger than they are in practice?
