
Cyber Essentials 2026 and SaaS MFA gaps: are your controls ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9063
Topic starter  

TL;DR: Cyber Essentials 2026 will widen compliance scope to any cloud service accessed with a business email or account, and require MFA to be enforced wherever it is available, according to Push Security. The shift exposes shadow apps, ghost logins, and incomplete app visibility as governance failures, not just audit issues.

NHIMG editorial — based on content published by Push Security: Cyber Essentials 2026 changes and what they mean for cloud access governance

Questions worth separating out

Q: How should security teams handle SaaS apps that users access outside SSO?

A: Treat them as in-scope identity assets, not exceptions.

Q: Why do ghost logins create risk even when SSO is protected by MFA?

A: Because the secure SSO route does not eliminate the weaker local route.

Q: What breaks when auditors find an app you did not know existed?

A: Your attestation evidence breaks first, because you can no longer prove the full in-scope population.

Practitioner guidance

  • Map real SaaS usage against the certification boundary: capture browser-observed app usage, then reconcile it with your declared in-scope cloud list.
  • Eliminate duplicate login paths where SSO is mandatory: identify accounts that still allow local passwords alongside federated access, then remove the weaker path or force the stronger one.
  • Validate MFA at the application layer, not just the IdP: check whether each SaaS service enforces MFA for every user, every subscription tier, and every login method.

What's in the full article

Push Security's full article covers the operational detail this post intentionally leaves for the source:

  • Browser-based discovery logic for finding self-adopted SaaS apps and hidden login paths
  • How Push identifies MFA status at both the IdP and local application level
  • What its browser agent checks for weak, breached, and reused passwords
  • How contractor deployment works in a dedicated browser profile without managed endpoints

👉 Read Push Security's analysis of Cyber Essentials 2026 identity and MFA changes →

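The three guidance steps in the post above (map observed usage against the certification boundary, find duplicate login paths where SSO is mandatory, validate MFA per application) carried through as one worked reconciliation. This is an added illustration, not code from Push Security, NHIMG, or the article the post summarises; the app names, users, login events and the event field layout are constructed assumptions.

```python
"""Reconcile browser-observed SaaS logins against a declared Cyber Essentials scope.

Constructed example: the app names, users and login events below are made up
for illustration, and the event layout is an assumption rather than any
vendor's export format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    app: str     # SaaS application the browser saw a login to
    user: str    # account used (business email)
    method: str  # "sso" (federated via the IdP) or "password" (local app login)
    mfa: bool    # a second factor was enforced on this login (IdP for SSO, app for local)


# Declared in-scope cloud services (what the certification paperwork says).
DECLARED_IN_SCOPE = {"crm.example", "docs.example", "tickets.example"}

# Apps where policy says SSO is the only permitted login path.
SSO_MANDATORY = {"crm.example", "docs.example"}

# Browser-observed logins over the review window (constructed sample data).
OBSERVED = [
    LoginEvent("crm.example", "alice@example.com", "sso", True),
    LoginEvent("crm.example", "bob@example.com", "password", False),      # ghost login, no MFA
    LoginEvent("docs.example", "alice@example.com", "sso", True),
    LoginEvent("tickets.example", "carol@example.com", "password", True),
    LoginEvent("tickets.example", "dave@example.com", "password", False),  # MFA gap
    LoginEvent("notes.example", "bob@example.com", "password", False),     # shadow app + MFA gap
    LoginEvent("notes.example", "erin@contractor.example", "password", True),  # shadow app
]


def find_shadow_apps(events, declared):
    """Step 1: apps seen in the browser but absent from the declared in-scope list."""
    return sorted({e.app for e in events} - set(declared))


def find_ghost_logins(events, sso_mandatory):
    """Step 2: (app, user) pairs that reached an SSO-mandatory app by a local password."""
    return sorted({(e.app, e.user) for e in events
                   if e.app in sso_mandatory and e.method == "password"})


def find_mfa_gaps(events):
    """Step 3: per app, users whose observed login completed without a second factor."""
    gaps = defaultdict(set)
    for e in events:
        if not e.mfa:
            gaps[e.app].add(e.user)
    return {app: sorted(users) for app, users in sorted(gaps.items())}


def reconcile(events, declared, sso_mandatory):
    """Combine the three checks into one evidence record for the scope review."""
    report = {
        "shadow_apps": find_shadow_apps(events, declared),
        "ghost_logins": find_ghost_logins(events, sso_mandatory),
        "mfa_gaps": find_mfa_gaps(events),
    }
    # The declared scope is only defensible when nothing was observed outside it.
    report["scope_complete"] = not report["shadow_apps"]
    return report


if __name__ == "__main__":
    for key, value in reconcile(OBSERVED, DECLARED_IN_SCOPE, SSO_MANDATORY).items():
        print(f"{key}: {value}")
```

On the constructed data the report flags `notes.example` as a shadow app (observed, never declared), Bob's password login to `crm.example` as a ghost login bypassing mandatory SSO, and MFA gaps on three apps; `scope_complete` stays false until every observed app is either declared or removed. Feeding real browser telemetry in place of the sample list is the only change needed to run the same checks for an actual review.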
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8499
 

Shadow SaaS is now a governance problem, not an inventory problem: Cyber Essentials 2026 turns undiscovered applications into compliance failures because the test is based on actual access and actual MFA enforcement. The old assumption that the sanctioned app list represents the real identity surface no longer holds. Practitioners should treat shadow app discovery as part of access governance, not just app rationalisation.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when a contractor uses a shadow SaaS app without MFA?

A: The owning security and identity teams remain accountable if they cannot see, govern, and review that access path. In practice, the control failure sits at the boundary between access governance and application discovery, so contractor accounts must be covered by the same lifecycle checks as employees.

👉 Read our full editorial: Cyber Essentials 2026 expands the identity gap in SaaS access



   
ReplyQuote
Share: