TL;DR: The highest-risk exposures found were driven by inherited, stale, and indirect access paths, not data misplacement, with gaps such as nested groups, residual vendor access, and link-based sharing evading traditional DSPM, according to Cyera Research Labs. The real control problem is identity-data correlation, because location-based posture tools cannot enforce least privilege or prove access governance when SaaS and AI tooling extend entitlements.
NHIMG editorial — based on content published by Cyera: Access Is the New Exposure, Why Knowing Who Can Reach Your Data Matters More Than Where It Lives
Questions worth separating out
Q: How should security teams govern access to sensitive data in SaaS environments?
A: They should govern effective access, not only storage location or classification.
Q: Why do traditional DSPM tools miss the real exposure path?
A: Traditional DSPM is usually object-centric, so it can show where data lives but not how identities inherit access to it.
Q: What do security teams get wrong about AI assistants and data access?
A: They often assume the assistant creates a new risk category when the bigger issue is inherited privilege.
Practitioner guidance
- Map effective access paths, not just data locations. Correlate identities, nested groups, OAuth scopes, shared links, and data objects so you can see who can actually reach sensitive files across SaaS and cloud platforms.
- Audit inherited and dormant permissions as active exposure. Prioritise nested Azure AD groups, old vendor access, deactivated user accounts, and stale shared-mailbox permissions because they often remain reachable long after the business need has ended.
- Reassess AI-connected access against original user scope. Review where AI assistants or copilots inherit human entitlements, then narrow the underlying access before machine-speed search and summarisation can surface buried content.
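The three points above describe one computation: resolve every path from a sensitive object back to a human or machine identity, then flag the paths that are inherited, dormant, or indirect. The script below is an added example written for this post, not Cyera's code or the access graph from their research. It works over a small constructed dataset (the users, groups, and file name are hypothetical): a finance group that nests a contractors group, a deactivated employee still in a group, a vendor service account that has not logged in for months, an "anyone with the link" share, and an AI assistant acting under a user's delegated OAuth context.

```python
"""Effective-access resolver over a constructed identity-to-data graph.

Added example, not Cyera's code. Models the exposure paths described above:
nested group membership, a deactivated user, a stale vendor account,
link-based sharing, and an AI assistant inheriting a user's entitlements.
All identities, groups, and object names below are hypothetical sample data.
"""

# Constructed sample identities. 'copilot' acts under alice's delegated
# OAuth context, so whatever alice can reach, it can reach at machine speed.
USERS = {
    "alice":      {"active": True,  "type": "employee"},
    "bob":        {"active": False, "type": "employee"},          # deactivated, still a member
    "vendor-svc": {"active": True,  "type": "vendor", "last_login_days": 210},
    "copilot":    {"active": True,  "type": "ai_assistant", "acts_as": "alice"},
}

# group -> direct members (users or other groups). Nesting is what makes
# a single grant on an object fan out into transitive access.
GROUPS = {
    "finance-all":   ["finance-leads", "bob"],
    "finance-leads": ["alice", "contractors"],
    "contractors":   ["vendor-svc"],
}

# object -> grants as (principal, source). A link grant has no principal.
OBJECTS = {
    "Q3-board-deck.xlsx": [
        ("finance-all", "group"),
        (None, "link"),            # "anyone with the link" share
    ],
}

STALE_VENDOR_DAYS = 90   # assumed review threshold for vendor accounts


def resolve_group(group, groups, users, path=()):
    """Return {user: [group, subgroup, ...]} for every user reachable
    through nested membership of `group`. Cycles are cut by checking
    whether a subgroup already appears on the current path."""
    path = path + (group,)
    reachable = {}
    for member in groups.get(group, []):
        if member in groups:
            if member in path:          # membership cycle, do not recurse
                continue
            for user, via in resolve_group(member, groups, users, path).items():
                reachable.setdefault(user, via)
        elif member in users:
            reachable.setdefault(member, list(path))
    return reachable


def describe(user, via, users):
    """Build a finding for one user and attach the exposure flags."""
    attrs = users[user]
    flags = []
    if len(via) > 1:
        flags.append("nested-group")
    if not attrs["active"]:
        flags.append("deactivated-user")
    if attrs["type"] == "vendor" and attrs.get("last_login_days", 0) > STALE_VENDOR_DAYS:
        flags.append("stale-vendor")
    return {"who": user, "via": via or ["direct"], "flags": flags}


def effective_access(obj, objects, groups, users):
    """Every identity that can reach `obj`, the path it uses, and why it matters."""
    findings = []
    for principal, source in objects[obj]:
        if source == "link":
            findings.append({"who": "anyone with the link", "via": ["link"],
                             "flags": ["link-sharing"]})
        elif principal in groups:
            for user, via in resolve_group(principal, groups, users).items():
                findings.append(describe(user, via, users))
        elif principal in users:
            findings.append(describe(principal, [], users))

    # AI assistants inherit the full reach of the user they act as, so
    # each of that user's paths becomes a second, machine-driven path.
    for name, attrs in users.items():
        if attrs["type"] != "ai_assistant":
            continue
        inherited = [f for f in findings if f["who"] == attrs["acts_as"]]
        for f in inherited:
            findings.append({"who": name,
                             "via": f["via"] + ["inherited-from:" + attrs["acts_as"]],
                             "flags": f["flags"] + ["ai-inherited"]})
    return findings


def exposures(obj, objects=OBJECTS, groups=GROUPS, users=USERS):
    """Only the findings a reviewer should act on (anything with a flag)."""
    return [f for f in effective_access(obj, objects, groups, users) if f["flags"]]


if __name__ == "__main__":
    for f in effective_access("Q3-board-deck.xlsx", OBJECTS, GROUPS, USERS):
        print(f"{f['who']:22} via {' > '.join(f['via']):55} {', '.join(f['flags']) or 'ok'}")
```

Run against a real estate, the inputs would come from the directory (group membership), the SaaS platform's sharing API (grants and links), and the OAuth consent records (which assistant acts as whom); the resolver and the flags stay the same. Note that the only grant on the file is a single group, yet the resolver surfaces a deactivated user, a dormant vendor account, a public link, and an assistant, none of which a location-only inventory of the file would show.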
What's in the full article
Cyera's full research covers the operational detail this post intentionally leaves for the source:
- Detailed examples of how nested Azure AD groups create transitive access paths across SaaS estates.
- The access graph and remediation workflow used to correlate identities, entitlements, and data.
- Specific AI-assistant exposure patterns, including inherited OAuth context and recursive content retrieval.
- Operational guidance for revoking stale vendor access without breaking legitimate collaboration.
Read Cyera's research on identity-driven data exposure in SaaS and AI systems.