TL;DR: Dropbox’s path from viral consumer adoption to 18M paying customers shows how products become enterprise infrastructure before IT approval, with shared billing, SSO, audit logs, and authentication emerging only after shadow use took hold, according to WorkOS. The governance lesson is that identity controls must catch up to user-led deployment before access, visibility, and accountability become fragmented.
NHIMG editorial — based on content published by WorkOS: When PLG Meets Enterprise, Drew Houston on Building Dropbox from Viral Growth to $2.5B in Revenue
Questions worth separating out
Q: How should security teams govern self-serve applications that spread before approval?
A: Security teams should treat widely adopted self-serve applications as governed systems once business use is visible.
Q: Why do PLG products create identity governance problems for enterprises?
A: PLG products create governance problems because users establish access and collaboration patterns before IT defines policy.
Q: What breaks when audit logs and SSO arrive after users have already adopted a tool?
A: When auditability and SSO arrive late, the enterprise loses the ability to reconstruct ownership, distinguish sanctioned from informal use, and enforce clean offboarding.
Practitioner guidance
- Identify self-serve tools that have become business dependencies: inventory applications adopted without central approval, then rank them by internal usage, data sensitivity, and the number of distinct corporate identities involved.
- Bind enterprise controls to real adoption signals: trigger SSO, audit logging, ownership assignment, and access review when usage crosses an internal threshold, not when procurement finalises the contract.
- Treat billing consolidation as a governance checkpoint: when teams ask for shared billing, use that moment to verify account ownership, admin privileges, and offboarding responsibilities.
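The three steps above (inventory, threshold-triggered controls, billing as a checkpoint) can be expressed as a small triage routine. The following is an added example written for this post, not code from WorkOS or Dropbox. The event records, sensitivity scale, thresholds and control names are assumptions; in practice the events would be assembled from IdP sign-in logs, expense or billing exports, email-domain sign-up discovery, or SaaS-discovery tooling.

```python
"""Triage shadow-SaaS adoption signals into governance actions.

Added example, not from the WorkOS article or the NHIMG post. Records,
thresholds and control names below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Ordinal sensitivity so the most sensitive observed data class wins.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Assumed thresholds (not from the source): tune per organisation.
MIN_USERS_FOR_GOVERNANCE = 5
MIN_TEAMS_FOR_GOVERNANCE = 2


@dataclass
class AppSignals:
    users: set = field(default_factory=set)      # distinct corporate identities
    teams: set = field(default_factory=set)      # cross-team spread
    max_sensitivity: int = 0
    billing_request: bool = False
    admin_request: bool = False


def aggregate(events):
    """Collapse per-user discovery events into per-app adoption signals."""
    apps = defaultdict(AppSignals)
    for e in events:
        s = apps[e["app"]]
        s.users.add(e["user"].lower())  # normalise so one person counts once
        s.teams.add(e["team"])
        s.max_sensitivity = max(s.max_sensitivity,
                                SENSITIVITY[e.get("data_class", "public")])
        s.billing_request |= e.get("billing_request", False)
        s.admin_request |= e.get("admin_request", False)
    return apps


def required_controls(s: AppSignals):
    """Map adoption signals to the controls to bind to the app.

    Governance triggers on adoption crossing a threshold or on an explicit
    signal (billing or admin-visibility request), not on a signed contract.
    """
    broad = (len(s.users) >= MIN_USERS_FOR_GOVERNANCE
             or len(s.teams) >= MIN_TEAMS_FOR_GOVERNANCE)
    sensitive = s.max_sensitivity >= SENSITIVITY["confidential"]
    controls = []
    if broad or sensitive or s.billing_request or s.admin_request:
        controls.append("assign_owner")
    if broad or sensitive:
        controls += ["sso", "audit_log"]
    if sensitive:
        controls.append("access_review")
    if s.billing_request:  # billing consolidation is the checkpoint
        controls.append("verify_admins_and_offboarding")
    return controls


def score(s: AppSignals):
    """Rank by usage breadth weighted by sensitivity, plus identity spread."""
    return (len(s.users) * (1 + s.max_sensitivity)
            + 3 * len(s.teams)
            + (5 if s.billing_request else 0))


def triage(events):
    """Return apps ordered by governance priority with the controls to apply."""
    apps = aggregate(events)
    ranked = sorted(apps.items(), key=lambda kv: score(kv[1]), reverse=True)
    return [{"app": name, "score": score(s), "users": len(s.users),
             "teams": len(s.teams), "controls": required_controls(s)}
            for name, s in ranked]


# Constructed sample events (hypothetical apps and identities).
SAMPLE_EVENTS = [
    {"app": "fileshare-x", "user": "a@corp.example", "team": "sales", "data_class": "confidential"},
    {"app": "fileshare-x", "user": "A@corp.example", "team": "sales"},  # same identity, different case
    {"app": "fileshare-x", "user": "b@corp.example", "team": "eng", "data_class": "internal"},
    {"app": "fileshare-x", "user": "c@corp.example", "team": "eng", "billing_request": True},
    {"app": "whiteboard-y", "user": "d@corp.example", "team": "design"},
    {"app": "whiteboard-y", "user": "e@corp.example", "team": "design"},
    {"app": "notes-z", "user": "f@corp.example", "team": "legal", "data_class": "restricted"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Two design choices matter here. Identity normalisation before counting stops one person with mixed-case logins from inflating the adoption count, and the "assign_owner" control is emitted before SSO or audit logging because, as the post argues, late auditability without an owner still leaves nobody accountable for offboarding.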
What's in the full article
WorkOS's full article covers the operational detail this post intentionally leaves for the source:
- The ERC 2025 conversation between Drew Houston and Michael Grinich, including the founder perspective behind Dropbox's enterprise transition.
- The specific growth mechanics behind referral loops, onboarding optimisation, and why the team measured friction across the sign-up funnel.
- The CEO-level lessons on company scaling, founder development, and how Dropbox approached the shift from consumer adoption to business controls.
- The AI-era context that connects Dropbox Dash, search, and context management to the next phase of work software.
👉 Read WorkOS's recap of Dropbox's PLG-to-enterprise transition →
PLG-to-enterprise transitions: what should IAM teams rethink?
Explore further
PLG-to-enterprise adoption creates an identity governance lag, not just a buying motion. The article shows that users can establish operational dependence before IT ever formalises control, which means governance arrives after behaviour hardens. That is a structural problem for IAM because the organisation is no longer deciding whether to adopt the system, only how to govern what is already in use. Practitioners should treat this as a lifecycle timing failure, not a change-management inconvenience.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
A question worth separating out:
Q: How do enterprise teams decide when a popular self-serve app needs formal governance?
A: Teams should formalise governance when adoption is no longer isolated to a few users and the application begins to support business workflows. Signals include shared billing requests, repeated cross-team use, data movement into the app, and requests for admin visibility or centralised authentication.
👉 Read our full editorial: Dropbox’s PLG-to-enterprise shift shows where IAM breaks