SaaS sprawl and shadow IT: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: As SaaS adoption expands, visibility gaps make it harder to prove GDPR compliance, track shadow IT, and understand where data and elevated access are flowing, according to Zluri’s interview with Todd Dekkinga. The core issue is that modern identity governance now extends beyond users and devices to app inventory, integrations, and access paths that traditional controls never fully mapped.

NHIMG editorial — based on content published by Zluri: Navigating cybersecurity in the age of SaaS, insights from Todd Dekkinga, CISO

Questions worth separating out

Q: How should security teams govern SaaS sprawl in enterprise environments?

A: Start with discovery, then connect every known application to an owner, an access model, and a data flow record.

Q: Why do SaaS integrations make compliance harder to prove?

A: Because the compliance question is no longer just who logged in, but where data went after the application connected to other services.

Q: What breaks when shadow IT is not tracked in SaaS environments?

A: Untracked SaaS usage breaks entitlement review, offboarding, and privileged access control at the same time.

Practitioner guidance

  • Build a live SaaS inventory: use discovery tooling and departmental validation together so the inventory captures sanctioned apps, shadow IT, and duplicated tools.
  • Review API and integration permissions: inventory delegated access, service connections, and third-party app permissions for each major SaaS platform.
  • Separate privileged SaaS roles from standard access: maintain a distinct review process for administrative users, tenant owners, and integration managers.
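The three guidance points above are one procedure: merge discovery sources into a single inventory, attach an owner and a data flow record to each application, then pull integration grants and privileged role assignments into their own review queues. The script below is an added example written for this post; it is not Zluri's tooling or anything from the interview. All inputs (the IdP app list, expense-report apps, department survey owners, OAuth grants, and role assignments) are constructed sample data, and the role and scope names used to classify privileged access are assumptions a team would replace with its own platform's values.

```python
"""Reconcile SaaS discovery sources into one owned inventory and list the gaps.

Added example for this post (not the article's or Zluri's code). All inputs
below are constructed sample data; role and scope names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# --- Constructed sample discovery inputs -----------------------------------
SSO_APPS = {"Salesforce", "Slack", "Notion"}        # apps seen in IdP sign-in logs
EXPENSE_APPS = {"Notion", "Figma", "Airtable"}      # apps found via expense reports
DEPT_OWNERS = {"Salesforce": "Sales", "Slack": "IT", "Figma": "Design"}  # survey
DATA_FLOWS = {"Salesforce", "Slack"}                # apps with a data flow record

OAUTH_GRANTS = [  # delegated access held by third-party integrations
    {"app": "Slack", "grantee": "ticket-bot", "scopes": ["channels:read"]},
    {"app": "Salesforce", "grantee": "marketing-sync", "scopes": ["api", "full"]},
]
ROLE_ASSIGNMENTS = [
    {"app": "Slack", "user": "alice", "role": "workspace_owner"},
    {"app": "Slack", "user": "bob", "role": "member"},
    {"app": "Notion", "user": "carol", "role": "admin"},
]

# Assumed classification values; a real review maps each platform's own roles/scopes.
PRIVILEGED_ROLES = {"workspace_owner", "admin", "tenant_owner", "integration_manager"}
BROAD_SCOPES = {"full", "*", "admin"}


@dataclass
class AppRecord:
    name: str
    sources: set = field(default_factory=set)       # which discovery sources saw it
    owner: Optional[str] = None                     # accountable department, if any
    has_data_flow_record: bool = False
    integrations: list = field(default_factory=list)
    privileged_users: list = field(default_factory=list)


def build_inventory(sso, expense, owners, data_flows, grants, roles):
    """Merge every discovery source into exactly one record per application."""
    inv = {}
    for src, names in (("sso", sso), ("expense", expense), ("survey", owners)):
        for name in names:
            inv.setdefault(name, AppRecord(name)).sources.add(src)
    for g in grants:   # an integration grant is evidence the app exists too
        inv.setdefault(g["app"], AppRecord(g["app"])).sources.add("oauth")
        inv[g["app"]].integrations.append(g)
    for r in roles:
        inv.setdefault(r["app"], AppRecord(r["app"])).sources.add("roles")
        if r["role"] in PRIVILEGED_ROLES:
            inv[r["app"]].privileged_users.append(r["user"])
    for name, rec in inv.items():
        rec.owner = owners.get(name)
        rec.has_data_flow_record = name in data_flows
    return inv


def review(inv):
    """Return the gaps an IAM team would need to close, keyed by check."""
    return {
        # seen by some source but not behind the IdP: shadow IT or unmanaged login
        "shadow_it": sorted(n for n, r in inv.items() if "sso" not in r.sources),
        "no_owner": sorted(n for n, r in inv.items() if r.owner is None),
        "no_data_flow_record": sorted(
            n for n, r in inv.items() if not r.has_data_flow_record),
        # integrations whose delegated scopes are broader than a single capability
        "broad_integration_scopes": sorted(
            f'{g["app"]}:{g["grantee"]}' for r in inv.values()
            for g in r.integrations if BROAD_SCOPES & set(g["scopes"])),
        # administrative identities that belong in the separate privileged review
        "privileged_review_queue": sorted(
            f"{n}:{u}" for n, r in inv.items() for u in r.privileged_users),
    }


def run_review():
    inv = build_inventory(SSO_APPS, EXPENSE_APPS, DEPT_OWNERS,
                          DATA_FLOWS, OAUTH_GRANTS, ROLE_ASSIGNMENTS)
    return review(inv)


if __name__ == "__main__":
    for check, items in run_review().items():
        print(f"{check}: {', '.join(items) or '-'}")
```

The useful output is the per-check queues rather than the inventory itself: apps missing from the IdP are the shadow IT candidates, apps with no owner or no data flow record are the ones that cannot support a compliance answer, and the privileged and broad-scope lists are the populations that need their own review cadence.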

What's in the full article

Zluri's full interview covers the operational detail this post intentionally leaves for the source:

  • Todd Dekkinga's direct commentary on why proving GDPR compliance becomes difficult once APIs and SaaS integrations multiply
  • The full discussion of how a discovery tool surfaced 750 applications, including the practical implications of that inventory jump
  • The interviewer's broader questions on CISO responsibility, security awareness, and keeping pace with cloud and SaaS change
  • Todd's perspective on career development and how security leaders stay current through roundtables, Slack groups, and peer networks

Read Zluri's interview on SaaS visibility, compliance, and shadow IT.
