By NHI Mgmt Group Editorial Team
Published 2026-01-15
Domain: Best Practices
Source: Valence Security

TL;DR: SaaS-first operating models are expanding attack surfaces faster than manual audits and point-in-time tools can track, with Valence Security citing a 58% SaaS security incident rate in the past year as organizations struggle to manage decentralized ownership, shadow SaaS, and NHI sprawl. Continuous discovery and identity-centric remediation now matter more than periodic posture checks.


At a glance

What this is: A SaaS security analysis arguing that decentralized ownership, shadow SaaS, and NHI sprawl make point-in-time posture tools insufficient.

Why it matters: IAM and NHI teams need continuous discovery, identity governance, and remediation workflows to keep pace with SaaS-driven access drift.



Context

SaaS-first enterprises have outgrown the control model that assumed a small set of centrally managed applications and a stable perimeter. In practice, ownership is distributed, settings change daily, and non-human identities accumulate across integrations, service accounts, and OAuth tokens, which turns SaaS security into an identity governance problem as much as a configuration problem.

The article treats continuous discovery and posture management as the answer to that drift, but the broader lesson is that NHI governance has to extend into every application layer where access is delegated. That is a typical starting position for modern enterprises, not an edge case, because decentralized SaaS adoption is now the norm rather than the exception.


Key questions

Q: How should security teams govern non-human identities in SaaS environments?

A: They should treat service accounts, integrations, and OAuth tokens as first-class identities with ownership, lifecycle controls, and periodic access review. The goal is to remove standing privilege, reduce orphaned access, and tie each machine identity to a business purpose and expiration date. Without those controls, SaaS sprawl becomes identity sprawl.

Q: Why do point-in-time SaaS security tools leave gaps?

A: Because SaaS changes continuously as users create apps, add integrations, and grant access outside central processes. A snapshot cannot reliably capture drift, shadow SaaS, or the full set of identities that can reach sensitive data. Continuous discovery is the minimum requirement for credible assurance.

Q: What is the difference between SaaS posture management and NHI governance?

A: SaaS posture management focuses on application configuration and exposure settings, while NHI governance focuses on who or what can access data and how that access is granted, retained, and revoked. In practice, the two overlap, but identity governance is the deeper control layer because it addresses the actors behind the configuration.

Q: Should organisations prioritise remediation or discovery first in SaaS security?

A: They need both, but discovery comes first if they do not know where their access paths are. Once the inventory is accurate, remediation should be tightly automated so stale sharing, excessive privilege, and forgotten integrations are removed quickly. Otherwise, the programme becomes a reporting exercise.


Technical breakdown

Why point-in-time SaaS posture checks fail

Point-in-time checks capture a snapshot of configuration, but SaaS environments change as users share files, add integrations, and grant access outside central IT workflows. That means the security state you review in the morning can be materially different by afternoon. This is especially weak for NHI governance because service accounts, API tokens, and app-to-app connections often escape the manual review cycle entirely. Continuous discovery closes part of the gap, but only if it covers sanctioned and unsanctioned applications, not just the inventory the security team already knows about.

Practical implication: replace quarterly reviews with continuous discovery and drift monitoring across every SaaS tenant.

How identity and privilege sprawl expands the SaaS attack surface

Identity sprawl in SaaS includes dormant employee accounts, guest users with excessive privileges, third-party integrations, and machine identities that keep working long after the original business need has changed. Privilege sprawl then magnifies the problem by preserving access that no longer matches role or risk. In NHI terms, the issue is not only how many identities exist, but how many retain standing access and how many can reach sensitive data without strong review or expiration controls. That combination creates persistent exposure even when application settings look healthy.

Practical implication: inventory all human and non-human identities together, then enforce expiration and privilege review on both.

What continuous remediation changes in SaaS security

Discovery without remediation only produces more alerts. The operational value comes when posture findings connect to workflows that can revoke file sharing, remove excessive permissions, and disable stale integrations quickly enough to reduce exposure. This is where SaaS security becomes adjacent to IAM and PAM, because the fastest risk reduction often comes from removing standing access rather than tuning policies alone. For NHI governance, auto-remediation matters because many machine identities are created for convenience and then forgotten, which makes them ideal candidates for long-lived risk.

Practical implication: link SaaS posture findings to automated deprovisioning, permission reduction, and SIEM-triggered response.


Threat narrative

Attacker objective: The attacker wants durable access to business data and connected SaaS workflows without triggering the controls built for centrally managed accounts.

  1. Entry occurs through decentralized SaaS adoption, where employees create or authorize tools outside central visibility and introduce hidden access paths.
  2. Escalation follows when dormant accounts, guest users, or over-permissioned integrations retain access to sensitive data and are reused or abused.
  3. Impact is achieved when attackers exploit those identities to exfiltrate data, expand access, or move through connected SaaS applications.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Continuous discovery is now a baseline NHI control, not a maturity feature. SaaS environments change too quickly for snapshot-based assessments to provide reliable security assurance. When non-human identities are embedded in integrations, tokens, and service accounts, discovery must be ongoing and comprehensive. Practitioners should treat blind spots in SaaS inventory as an access-control failure, not a reporting issue.

Identity blast radius is the right lens for SaaS security. The central question is not how many applications exist, but how far an identity can travel across data and workflows once it has access. Excessive privileges, dormant accounts, and delegated integrations enlarge that blast radius faster than most posture tools can reduce it. Teams should measure exposure by reachable data and action scope, not by application count alone.

SaaS security and NHI governance are converging into one operational problem. The article correctly points to the need to secure both human and non-human identities, because the distinction matters less than the privileges they carry. A service account with broad file access can be as consequential as an over-permissioned user, especially when remediation is slow. Security leaders should align SaaS controls with identity lifecycle governance instead of managing them as separate programs.

Auto-remediation will separate noise reduction from actual risk reduction. Visibility without action creates more dashboards, not better security. The organisations that make progress will be the ones that can revoke access, reduce sharing, and disable stale integrations quickly enough to change outcomes. Practitioners should focus on remediation pathways that shorten exposure windows rather than on detection volume alone.

From our research:

  • Only 5.7% of organizations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • In the same research, 71% of NHIs are not rotated within recommended time frames, which helps explain why discovery without lifecycle control leaves exposure in place.
  • For the lifecycle angle, see the NHI Lifecycle Management Guide for a practical view of provisioning, rotation, and offboarding.

What this signals

Identity blast radius will become the operational metric that matters most in SaaS programmes. As decentralized ownership spreads and shadow SaaS persists, teams need a way to rank which identities can do the most harm if abused. With 96% of organisations storing secrets outside of secrets managers in vulnerable locations, per the Ultimate Guide to NHIs, the control problem is already broader than most SaaS dashboards suggest.

Security programmes that still separate SaaS posture, IAM, and NHI oversight will keep missing the same exposure paths. The useful change is to treat access, sharing, and integration governance as one workflow, then connect it to revocation and lifecycle management. That is the only way to compress the time between discovering risk and actually removing it.

For practitioners, the next planning question is whether the current stack can see unsanctioned tools and respond to them fast enough to matter. If it cannot, the programme is not under-governed because of weak policy language. It is under-governed because the operational path from discovery to action is too slow.


For practitioners

  • Implement continuous SaaS discovery: Track sanctioned and unsanctioned applications together, and refresh the inventory often enough to catch new tools, integrations, and shadow SaaS before they become blind spots.
  • Inventory human and non-human identities together: Build one access register for employees, contractors, guests, service accounts, integrations, and OAuth tokens so privilege reviews cover the full SaaS trust chain.
  • Tie posture findings to remediation workflows: Route excessive privileges, stale accounts, and risky sharing settings into automated revocation or approval workflows instead of leaving them as open findings.
  • Measure SaaS risk by identity blast radius: Prioritise identities that can reach sensitive data, perform mass downloads, or modify sharing settings, because those paths drive the largest loss scenarios.
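The four practitioner steps above, worked through in one place as an added example (not code from the article or from Valence Security): a single access register covering humans, guests, service accounts and OAuth apps, a blast-radius score based on reachable sensitive data and action scope, lifecycle findings (dormant, unrotated, orphaned), and a ranked remediation plan. The action weights, the 90-day dormancy and rotation thresholds, and the sample identities are constructed assumptions, not figures from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Identity:
    name: str
    kind: str                   # "user", "guest", "service_account" or "oauth_app"
    scopes: set                 # actions the identity can perform
    sensitive_resources: set    # data stores it can reach
    last_used: date
    credential_age_days: int    # days since the secret or token was last rotated
    owner: str = ""             # empty string: nobody owns this identity

# Assumed weights: mass download or external sharing counts far more than a read.
ACTION_WEIGHT = {"read": 1, "download_all": 3, "share_external": 3, "admin": 5}
DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold
ROTATE_WITHIN_DAYS = 90              # assumed rotation window for NHI credentials

def blast_radius(i: Identity) -> int:
    """Reachable sensitive data times action scope, not application count."""
    return len(i.sensitive_resources) * sum(ACTION_WEIGHT.get(s, 1) for s in i.scopes)

def findings(i: Identity, today: date) -> list:
    """Lifecycle findings that a point-in-time configuration check would not show."""
    out = []
    if today - i.last_used > DORMANT_AFTER:
        out.append("dormant")
    if i.kind in ("service_account", "oauth_app") and i.credential_age_days > ROTATE_WITHIN_DAYS:
        out.append("unrotated")
    if not i.owner:
        out.append("orphaned")
    return out

def remediation_plan(inventory: list, today: date) -> list:
    """Rank identities with findings by blast radius; standing access is removed, not tuned."""
    plan = []
    for i in sorted(inventory, key=blast_radius, reverse=True):
        f = findings(i, today)
        if f:
            action = "disable and revoke tokens" if {"dormant", "orphaned"} & set(f) else "rotate credential"
            plan.append((i.name, blast_radius(i), action))
    return plan

# Constructed sample register (not real data); "today" is fixed so results are reproducible.
TODAY = date(2026, 1, 15)
INVENTORY = [
    Identity("alice", "user", {"read"}, {"hr_drive"}, TODAY - timedelta(days=2), 10, "alice"),
    Identity("contractor_guest", "guest", {"read", "download_all"}, {"finance_share", "hr_drive"}, TODAY - timedelta(days=120), 5),
    Identity("backup_svc", "service_account", {"read", "download_all", "admin"}, {"finance_share", "hr_drive", "crm"}, TODAY - timedelta(days=1), 400, "it-ops"),
    Identity("slack_oauth", "oauth_app", {"read", "share_external"}, {"hr_drive"}, TODAY - timedelta(days=200), 200),
]
```

Running `remediation_plan(INVENTORY, TODAY)` puts the rotated-but-over-privileged service account first because its blast radius (27) dwarfs the dormant guest (8) and the forgotten OAuth app (4), while the active, owned human user produces no finding at all.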

Key takeaways

  • SaaS sprawl turns NHI governance into a continuous control problem because integrations, tokens, and service accounts expand access outside central oversight.
  • Point-in-time posture tools cannot keep pace with daily SaaS drift, so visibility has to be paired with lifecycle controls and automated remediation.
  • Security teams should measure SaaS risk by identity blast radius and revocation speed, not by the number of apps they can enumerate.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Continuous rotation and lifecycle control are needed for SaaS service accounts and tokens.
NIST CSF 2.0 | PR.AC-4 | Least-privilege access and entitlement review fit the article's identity sprawl problem.
NIST Zero Trust (SP 800-207) |  | Continuous verification is needed when SaaS and shadow tools expand the trust boundary.

Apply zero trust principles to SaaS access paths and re-evaluate trust after every access change.


Key terms

  • Shadow SaaS: Shadow SaaS is any cloud application adopted or connected without formal security oversight. It often arrives through business-led purchases or employee self-service, creating untracked access paths, unmanaged data sharing, and hidden integration risk that traditional inventories miss.
  • Non-Human Identity: A non-human identity is a credentialed entity used by software rather than a person, such as a service account, API token, certificate, or AI agent. These identities often outnumber humans and require ownership, rotation, and offboarding just like employee accounts.
  • Identity Blast Radius: Identity blast radius is the amount of data, systems, and actions an identity can reach if it is misused or compromised. In SaaS environments, it is shaped by privileges, delegated integrations, sharing settings, and the speed at which access can be revoked.

Deepen your knowledge

SaaS discovery, identity sprawl, and non-human identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for a SaaS-first environment, it is worth exploring.

This post draws on content published by Valence Security: Taming the Beast: The 5 Essential Pillars of SaaS Security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org