Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SaaS sprawl and shadow AI: what identity teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: Enterprises now average more than 1,000 SaaS apps, up 26% in two years, while 80% of employees admit to using unauthorized SaaS or AI apps that contribute to about 35% of data breaches, according to SentinelOne. The governance gap is not just app sprawl, but loss of visibility into identities, data flows, and third-party access boundaries.

NHIMG editorial — based on content published by SentinelOne

By the numbers:

  • On average, organizations now deploy over 1,000 SaaS apps, a number that has surged 26% in just two years.
  • 80% of employees admit to using unauthorized SaaS or AI apps, which contribute to roughly 35% of data breaches.

Questions worth separating out

Q: What breaks when SaaS sprawl is not governed as an identity problem?

A: When SaaS sprawl is not governed as an identity problem, organisations lose track of who can access what, through which apps, and by which delegated permissions.

Q: Why do shadow AI tools create access risk for IAM and PAM teams?

A: Shadow AI tools create access risk because they often authenticate with tokens, service accounts, or OAuth grants that sit outside normal review cycles.

Q: How can security teams tell if SaaS access governance is keeping up?

A: Security teams can tell governance is keeping up when every material SaaS app has an owner, a documented data scope, and a reviewable access path.

Practitioner guidance

  • Build a continuous SaaS discovery process Correlate application discovery with identity ownership, OAuth grants, and third-party integrations so new tools cannot remain invisible after procurement or self-service adoption.
  • Classify shadow AI as governed access Require inventory and review of AI tools that hold tokens, API keys, or delegated permissions, and treat them as identities with scope, owner, and expiry.
  • Review delegated app-to-app trust paths Identify SaaS-to-SaaS connections that can move data or permissions without a human checkpoint, then remove or narrow the grants that create lateral access.

What's in the full article

SentinelOne's full analysis covers the operational detail this post intentionally leaves for the source:

  • How its graph-based SaaS mapping models users, data, apps, and third-party connections at runtime
  • What its AppFactory approach means for onboarding new SaaS services in 3 to 5 days
  • How the platform flags toxic SaaS-to-SaaS integrations, misconfigurations, and compromised accounts
  • Why agentless API coverage changes the deployment burden for security teams

👉 Read SentinelOne's analysis of SaaS sprawl, shadow AI, and identity risk →

SaaS sprawl and shadow AI: what identity teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

SaaS sprawl has become an identity governance problem, not just an application inventory problem. Once business teams can onboard apps and AI tools outside IT oversight, the control question shifts from software approval to access lifecycle ownership. IAM and IGA models that depend on stable application registries no longer match the pace of adoption. Practitioners should treat discovery coverage as a prerequisite for governance, not a reporting feature.

A question worth separating out:

Q: Who is accountable when an unauthorized SaaS or AI app exposes data?

A: Accountability usually sits across security, identity, and the business function that approved or introduced the app. The practical test is whether the organisation can identify the owner, the data scope, and the revocation path before exposure occurs. Frameworks such as NIST CSF and NIST SP 800-53 both expect clear access governance and monitoring.

👉 Read our full editorial: SaaS sprawl and shadow AI are exposing enterprise identity gaps



   
ReplyQuote
Share: