By NHI Mgmt Group Editorial Team
Published 2026-01-06
Domain: Governance & Risk
Source: Valence Security

TL;DR: SaaS attackers increasingly rely on valid credentials, stolen tokens, and weak identity monitoring to move undetected across apps, according to Valence Security. ITDR matters because traditional IAM controls authenticate users but often miss suspicious behavior after login, where the real abuse now happens.


At a glance

What this is: This analysis argues that SaaS security gaps increasingly sit between authentication and user action, where identity misuse can look legitimate.

Why it matters: For IAM and NHI practitioners, the lesson is that login controls alone cannot detect token abuse, privilege escalation, or persistent SaaS misuse.

👉 Read Valence Security's analysis of why ITDR matters for SaaS security


Context

SaaS security fails when trust in the login event is treated as proof of trust in the session. Once a valid credential, token, or OAuth grant is stolen, the attacker can often blend into normal activity and move across cloud apps without triggering traditional perimeter controls. That creates a direct NHI governance problem because service tokens, API keys, and integrations can behave like durable identities with broad access.

Identity threat detection and response is the missing control layer for environments where a successful authentication says little about how the resulting session is used. The article’s core claim is that SaaS adoption, remote work, and application sprawl have widened the gap between who authenticated and what that identity later did, and that this gap is now typical rather than exceptional for cloud-first enterprises.


Key questions

Q: How should security teams detect SaaS identity abuse after login?

A: Security teams should monitor identity behaviour continuously across sessions, apps, and integrations, not just authentication events. The goal is to detect unusual data access, privilege changes, token misuse, and persistence patterns that indicate a trusted identity has been hijacked. Post-login monitoring is essential because valid credentials can look normal at the entry point.

Q: What is the difference between ITDR and SaaS posture management?

A: ITDR detects suspicious identity behaviour after access has been granted, while SaaS posture management reduces the configuration and privilege weaknesses that make abuse easier in the first place. One is a runtime detection layer, the other is a preventive hygiene layer. Mature programmes need both because each covers a different stage of the attack path.

Q: Why do non-human identities create extra risk in SaaS environments?

A: Non-human identities often carry durable access, broad permissions, and weaker behavioural oversight than human users. In SaaS, that makes service accounts, API keys, and integration tokens attractive targets because attackers can abuse them without obvious login anomalies. The risk grows when these identities are poorly inventoried or rarely reviewed.

Q: Should organisations prioritise token rotation or behavioural detection first?

A: Organisations should do both, but token rotation comes first when long-lived credentials are present because it immediately shrinks exposure. Behavioural detection then covers the remaining gap by spotting misuse of still-valid access. If tokens stay active for too long, detection alone will not remove the attacker’s authority.


Technical breakdown

Why SaaS identity attacks evade traditional IAM controls

Traditional IAM tools are built to answer whether a user or token should be allowed in, not whether the resulting session is behaving safely. In SaaS environments, that distinction matters because attackers can reuse valid credentials, abuse OAuth tokens, or continue using stale sessions long after initial compromise. The result is a control gap between authentication, authorization, and runtime behaviour. ITDR closes that gap by correlating activity across logs, sessions, and app actions to identify misuse that looks legitimate at the login layer.

Practical implication: Teams should treat post-login monitoring as a separate control plane, not a logging afterthought.

How OAuth tokens and session persistence expand the attack surface

OAuth tokens, API keys, and active sessions can behave like standing authority if they are long-lived, over-scoped, or poorly governed. The attacker does not need to defeat the identity provider again once a token is issued. Instead, they inherit the trust baked into the session and can create new access paths, maintain persistence, or access data without reauthentication. This is especially dangerous in SaaS because integrations often outlive the human owner’s intent and visibility.

Practical implication: Inventory and age out long-lived tokens before adding more detection logic around them.
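As an added example (not code from the original article or from Valence Security), the following Python script shows what the inventory-and-age-out step looks like in practice: it reviews a constructed list of OAuth grants, API keys and sessions for age, idleness, orphaned ownership and high-risk scope, then decides whether each one is rotated or revoked. The record fields, the HIGH_RISK_SCOPES list and the 90-day and 30-day thresholds are assumptions chosen for illustration, not any vendor's schema or a recommended policy.

```python
"""Age out and rescope long-lived SaaS grants before layering detection on them.

Added example for this editorial; it is not Valence Security's or NHIMG's
code. Everything below is constructed: the grant records, the owner directory
and the HIGH_RISK_SCOPES list are illustrative and follow no vendor's schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2026, 1, 6, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Scopes that confer write or admin reach. A grant holding one of these is
# treated as over-scoped unless the inventory records a justification (assumed list).
HIGH_RISK_SCOPES = {"admin", "files.write", "users.manage", "mail.readwrite"}


@dataclass
class Grant:
    grant_id: str
    kind: str                   # "oauth", "api_key" or "session"
    owner: str                  # human who approved or created it
    scopes: set
    issued: datetime
    last_used: Optional[datetime]


@dataclass
class Finding:
    grant_id: str
    reasons: list = field(default_factory=list)
    action: str = "keep"        # "keep", "rotate" or "revoke"


def audit_grants(grants, active_users, max_age_days=90, idle_days=30):
    """Return a Finding for every grant that exceeds its intended use window.

    Flags: older than max_age_days, unused for idle_days, owner no longer in the
    directory, or carrying a high-risk scope. Orphaned or idle access has no
    legitimate consumer and is revoked; everything else is rotated so the secret
    changes while the integration keeps working.
    """
    findings = []
    for g in grants:
        f = Finding(g.grant_id)
        age = (NOW - g.issued).days
        if age > max_age_days:
            f.reasons.append(f"age {age}d > {max_age_days}d")
        if g.owner not in active_users:
            f.reasons.append(f"owner {g.owner} offboarded")
        if g.last_used is None or (NOW - g.last_used).days > idle_days:
            f.reasons.append("idle")
        risky = g.scopes & HIGH_RISK_SCOPES
        if risky:
            f.reasons.append("over-scoped: " + ",".join(sorted(risky)))
        if f.reasons:
            orphan_or_idle = any(r.startswith(("owner", "idle")) for r in f.reasons)
            f.action = "revoke" if orphan_or_idle else "rotate"
            findings.append(f)
    return findings


def run_sample():
    """Constructed inventory of four grants; bob has already been offboarded."""
    def days_ago(n):
        return NOW - timedelta(days=n)

    grants = [
        Grant("g-ci-deploy", "api_key", "alice", {"repo.read"}, days_ago(400), days_ago(1)),
        Grant("g-crm-sync", "oauth", "bob", {"contacts.read", "files.write"}, days_ago(20), days_ago(2)),
        Grant("g-slack-bot", "oauth", "alice", {"chat.write"}, days_ago(10), days_ago(1)),
        Grant("g-admin-session", "session", "carol", {"admin"}, days_ago(60), days_ago(45)),
    ]
    active_users = {"alice", "carol"}
    return {f.grant_id: (f.action, f.reasons) for f in audit_grants(grants, active_users)}


if __name__ == "__main__":
    for grant_id, (action, reasons) in run_sample().items():
        print(f"{grant_id}: {action} ({'; '.join(reasons)})")
```

Run it directly to print the decision per grant. The distinction between the two actions is the point: the orphaned CRM sync (owner offboarded) and the idle admin session are revoked outright because nobody legitimate is using them, while the 400-day CI key that is still in daily use is rotated rather than cut, so the pipeline keeps working under a fresh secret and the attacker's copy, if one exists, stops working.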

Identity behaviour analytics as a detection model for SaaS

ITDR works by building behavioural baselines for identities across applications, then flagging deviations such as unusual data pulls, activity at times the identity never operates, privilege jumps, or abnormal API use. In practice, that makes it closer to runtime identity monitoring than to classic identity governance. The technical value is not simply alerting on bad logins, but identifying actions that break an identity’s established pattern. For NHI governance, that distinction is critical because many machine identities never 'log in' in the human sense, so a login-centred control never sees them at all, yet they still expose operational risk.

Practical implication: Use behavioural detection to complement governance controls for service accounts, integrations, and SaaS automation.
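To make the baseline-and-deviation model concrete, here is an added Python example (not the article's or Valence Security's code) that learns per-identity patterns from a constructed window of SaaS audit events and then scores a second window for new app/action combinations, first-ever privilege changes, unseen networks and data-pull volume far above the identity's peak. It also illustrates the answer given under "Key questions" about detecting abuse after login. The event schema (identity, app, action, count, asn), the PRIVILEGE_ACTIONS list and the 5x volume factor are assumptions made for illustration.

```python
"""Behavioural baseline detection over SaaS audit events.

Added example for this editorial, not Valence Security's or NHIMG's code.
The event records are constructed and the field names (identity, app, action,
count, asn) are assumed; they follow no particular vendor's audit-log schema.
"""
from collections import defaultdict

# Actions that change an identity's own or someone else's authority. A first-ever
# occurrence for an identity is treated as a privilege jump (assumed list).
PRIVILEGE_ACTIONS = {"role.grant", "token.create", "app.authorize", "user.add_admin"}


def build_baseline(events):
    """Summarise a learning window per identity: which (app, action) pairs it
    performs, which networks (ASNs) it comes from, and its peak per-event read
    volume. Nothing here depends on login events."""
    base = defaultdict(lambda: {"pairs": set(), "asns": set(), "max_count": 0})
    for e in events:
        b = base[e["identity"]]
        b["pairs"].add((e["app"], e["action"]))
        b["asns"].add(e["asn"])
        b["max_count"] = max(b["max_count"], e.get("count", 0))
    return base


def detect(baseline, events, volume_factor=5):
    """Return (identity, reason) alerts for events in a detection window that
    break the identity's learned pattern. A token used by a service account that
    never 'logs in' is judged on what it does, not on how it entered."""
    alerts = []
    for e in events:
        ident = e["identity"]
        b = baseline.get(ident)
        if b is None:
            alerts.append((ident, "no baseline for this identity"))
            continue
        pair = (e["app"], e["action"])
        if pair not in b["pairs"]:
            if e["action"] in PRIVILEGE_ACTIONS:
                alerts.append((ident, f"privilege change never seen before: {e['action']} on {e['app']}"))
            else:
                alerts.append((ident, f"new activity: {e['action']} on {e['app']}"))
        if e["asn"] not in b["asns"]:
            alerts.append((ident, f"new network: AS{e['asn']}"))
        count = e.get("count", 0)
        if b["max_count"] and count > volume_factor * b["max_count"]:
            alerts.append((ident, f"volume {count} exceeds {volume_factor}x baseline peak {b['max_count']}"))
    return alerts


def run_sample():
    """Constructed learning and detection windows for one human (alice) and one
    service account (svc-backup) that only ever reads files through an API."""
    learning = [
        {"identity": "alice", "app": "crm", "action": "file.read", "count": 20, "asn": 100},
        {"identity": "alice", "app": "crm", "action": "file.read", "count": 35, "asn": 100},
        {"identity": "alice", "app": "chat", "action": "msg.post", "count": 1, "asn": 100},
        {"identity": "svc-backup", "app": "drive", "action": "file.read", "count": 500, "asn": 2000},
        {"identity": "svc-backup", "app": "drive", "action": "file.read", "count": 480, "asn": 2000},
    ]
    window = [
        {"identity": "alice", "app": "crm", "action": "file.read", "count": 40, "asn": 100},            # normal
        {"identity": "alice", "app": "crm", "action": "role.grant", "count": 0, "asn": 100},            # privilege jump
        {"identity": "svc-backup", "app": "drive", "action": "file.read", "count": 3000, "asn": 2000},  # bulk pull
        {"identity": "svc-backup", "app": "drive", "action": "file.read", "count": 120, "asn": 9999},   # new network
        {"identity": "svc-backup", "app": "mail", "action": "mail.export", "count": 10, "asn": 2000},   # new app/action
    ]
    return detect(build_baseline(learning), window)


if __name__ == "__main__":
    for ident, reason in run_sample():
        print(f"ALERT {ident}: {reason}")
```

Note that svc-backup produces three alerts without a single login event in either window: the bulk pull, the unfamiliar network and the first-ever mail export are all judged on behaviour alone, which is exactly the gap a login-centred control leaves for machine identities. In production the learning window would be rebuilt on a schedule and the thresholds tuned per identity class, but the shape of the logic does not change.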


Threat narrative

Attacker objective: The attacker’s objective is to operate as a trusted identity inside SaaS long enough to steal data, extend persistence, and avoid detection.

  1. Entry occurs when an attacker obtains valid SaaS credentials, steals an OAuth token, or reuses a session that still carries trust.
  2. Escalation follows when the attacker uses privileged access, legacy tokens, or weak MFA coverage to expand control without triggering obvious authentication failures.
  3. Impact is achieved when the attacker quietly exfiltrates data, maintains persistence, or abuses trusted integrations across multiple SaaS applications.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

ITDR is becoming the runtime control layer that IAM never was. Conventional IAM establishes access, but it does not reliably explain what an identity does after authentication. SaaS environments create a trust problem where action matters more than login success, and that makes behavioural detection a governance requirement rather than a luxury. Practitioners should treat ITDR as the layer that watches trust in motion.

Identity blast radius is now the most important SaaS risk variable. Once a token, session, or OAuth grant is over-privileged, the attacker’s reach can expand faster than most remediation workflows can respond. That is why visibility, session scope, and privilege boundaries matter more than isolated authentication events. Security teams should measure how far a single identity can move, then reduce that radius before adding more controls.

Ephemeral trust debt is the hidden NHI problem in SaaS. Short-lived sessions and temporary tokens still accumulate risk when they are issued broadly, monitored weakly, or left active longer than intended. The issue is not only duration, but the gap between issuance and oversight. NHI governance should focus on who can create and persist trust, not just who can request it.

SSPM and ITDR are complementary, not interchangeable. Posture management reduces misconfiguration and excess exposure before abuse begins, while ITDR detects suspicious use after trust has been granted. Treating one as a substitute for the other leaves a blind spot either at setup time or at runtime. Practitioners should build both controls into their SaaS operating model.

Service accounts and integrations need the same scrutiny as human users. The article’s emphasis on suspicious SaaS activity maps directly to non-human identity risk because API-driven access can carry durable privileges and weak behavioural oversight. When integrations outnumber human-admin review cycles, unmanaged machine access becomes an escalation path. Teams should place service identities inside the same detection and review model as high-risk users.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • For a deeper control model, NHI Lifecycle Management Guide maps how to govern provisioning, rotation, and offboarding before credentials become persistent attack paths.

What this signals

Identity monitoring is becoming a board-relevant control because SaaS abuse now hides inside normal logins, trusted tokens, and routine automation. That is especially true for NHI programmes, where a single over-scoped integration can behave like a persistent access path unless it is continuously reviewed and rotated.

Identity blast radius: the real question for SaaS governance is no longer whether an identity can authenticate, but how far it can move once trusted. If teams cannot answer that question for service accounts and OAuth grants, then their IAM model is still describing access at issuance time, not at risk time.

With 90% of IT leaders saying proper NHI management is essential to successful zero trust, the operational signal is clear: organisations should align identity detection, posture, and lifecycle controls around the same asset inventory. The most useful next step is pairing runtime visibility with the Top 10 NHI Issues and the NIST Cybersecurity Framework 2.0 so ownership, detection, and response move together.


For practitioners

  • Implement continuous SaaS identity monitoring: correlate login events, session behaviour, and app actions across major SaaS platforms so suspicious activity is detected after authentication, not just at entry.
  • Reduce long-lived token exposure: audit OAuth grants, API keys, and active sessions for scope, age, and owner visibility, then revoke or rotate anything that exceeds its intended use window.
  • Separate posture and runtime controls: use SaaS posture management to remove misconfigurations and ITDR to detect misuse that emerges after access is granted, especially in decentralized app estates.
  • Baseline non-human identity behaviour: treat service accounts, integrations, and automation tokens as monitored identities with expected patterns, unusual access thresholds, and reviewable exceptions.

Key takeaways

  • SaaS identity abuse often succeeds because valid credentials and trusted tokens make attackers look like normal users after login.
  • ITDR closes the post-authentication visibility gap that traditional IAM and posture tools leave behind in cloud-first environments.
  • Enterprises should govern non-human identities as runtime actors with measurable blast radius, not as static credentials hidden in integrations.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Tokens, sessions and integrations that outlive their owner are the standing access an attacker inherits and abuses without a fresh login.
NIST CSF 2.0 | PR.AA-02 (Identity Management, Authentication, and Access Control) | Continuous identity monitoring supports authentication and access assurance in SaaS.
NIST Zero Trust (SP 800-207) | Zero trust tenets (Section 2.1): per-session access, dynamic policy, continuous evaluation | Least-privilege and continuous verification are central to limiting token-driven abuse.

Operational thread across all three: correlate SaaS logs and identity events so anomalous access is detected after login, not just at entry.


Key terms

  • Identity Threat Detection And Response: Identity Threat Detection and Response is a monitoring and response approach focused on suspicious identity behaviour after access has been granted. It looks for misuse of credentials, tokens, sessions, and privileges across applications, then triggers investigation or containment when behaviour departs from expected patterns.
  • Identity Blast Radius: Identity blast radius is the amount of data, systems, and actions an identity can reach if it is abused. In SaaS and NHI governance, it is shaped by privilege scope, session lifetime, integration reach, and the quality of monitoring around the identity.
  • Ephemeral Trust Debt: Ephemeral trust debt is the risk that accumulates when short-lived sessions or temporary tokens are issued more broadly than they are governed. The access may be time-bound, but the oversight gap can persist, especially when renewal, logging, or revocation are weak.
  • Post-Authentication Visibility: Post-authentication visibility is the ability to observe what an identity does after it has successfully logged in or received a token. It is the difference between knowing access was granted and knowing whether that access is being used safely, unusually, or maliciously.

Deepen your knowledge

Identity threat detection, SaaS access risk, and non-human identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for SaaS environments with heavy token and integration usage, it is worth exploring.

This post draws on content published by Valence Security: Why ITDR is Essential for SaaS Security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org