TL;DR: As SaaS adoption expands, visibility gaps make it harder to prove GDPR compliance, track shadow IT, and understand where data and elevated access are flowing, according to Zluri’s interview with Todd Dekkinga. The core issue is that modern identity governance now extends beyond users and devices to app inventory, integrations, and access paths that traditional controls never fully mapped.
NHIMG editorial — based on content published by Zluri: Navigating cybersecurity in the age of SaaS, insights from Todd Dekkinga, CISO
Questions worth separating out
Q: How should security teams govern SaaS sprawl in enterprise environments?
A: Start with discovery, then connect every known application to an owner, an access model, and a data flow record.
Q: Why do SaaS integrations make compliance harder to prove?
A: Because the compliance question is no longer just who logged in, but where data went after the application connected to other services.
Q: What breaks when shadow IT is not tracked in SaaS environments?
A: Untracked SaaS usage breaks entitlement review, offboarding, and privileged access control at the same time.
Practitioner guidance
- Build a live SaaS inventory: Use discovery tooling and departmental validation together so the inventory captures sanctioned apps, shadow IT, and duplicated tools.
- Review API and integration permissions: Inventory delegated access, service connections, and third-party app permissions for each major SaaS platform.
- Separate privileged SaaS roles from standard access: Maintain a distinct review process for administrative users, tenant owners, and integration managers.
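The three guidance points above, combined into one reconciliation pass as an added example (not code from Zluri or from the interview): discovery output is compared against the governed inventory to surface shadow IT, apps with no owner or data flow record, admin accounts that need their own review, and integrations granted scopes that can change data or settings. The inventory schema, scope markers, and sample apps are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class SaasApp:
    """One row of the live SaaS inventory (constructed schema for this example)."""
    name: str
    owner: Optional[str]                 # accountable owner; None means nobody signed off
    sanctioned: bool                     # went through procurement / IT intake
    data_flows: List[str]                # downstream services this app sends data to
    admin_accounts: List[str]            # tenant owners / admins needing separate review
    integration_scopes: Dict[str, List[str]] = field(default_factory=dict)  # 3rd-party app -> scopes

# Scope fragments (assumed convention) that mean an integration can change data or settings.
BROAD_SCOPE_MARKERS = ("write", "admin", "full_access")

def review_inventory(discovered: List[str], inventory: List[SaasApp]) -> dict:
    """Reconcile discovery output against the inventory and bucket findings for review."""
    known = {app.name for app in inventory}
    shadow_it = set(discovered) - known            # seen by discovery, never recorded
    shadow_it |= {app.name for app in inventory if not app.sanctioned}  # recorded, never approved
    broad = [
        (app.name, integration, scope)
        for app in inventory
        for integration, scopes in app.integration_scopes.items()
        for scope in scopes
        if any(marker in scope.lower() for marker in BROAD_SCOPE_MARKERS)
    ]
    return {
        "shadow_it": sorted(shadow_it),
        "unowned": [app.name for app in inventory if app.owner is None],
        "missing_data_flow_record": [app.name for app in inventory if not app.data_flows],
        "privileged_review": {app.name: app.admin_accounts for app in inventory if app.admin_accounts},
        "broad_integrations": broad,
    }

# Constructed sample data: what a discovery tool (SSO logs, expense reports) surfaced ...
DISCOVERED = ["Salesforce", "Slack", "Notion", "Trello", "Zapier"]
# ... and what the governed inventory currently records.
INVENTORY = [
    SaasApp("Salesforce", "Sales Ops", True, ["Snowflake"], ["alice@example.com"],
            {"Zapier": ["api", "refresh_token"]}),
    SaasApp("Slack", None, True, [], ["bob@example.com", "carol@example.com"],
            {"Trello bot": ["chat:write", "channels:read"]}),
    SaasApp("Notion", "Marketing", False, ["Google Drive"], []),
]

if __name__ == "__main__":
    for bucket, items in review_inventory(DISCOVERED, INVENTORY).items():
        print(f"{bucket}: {items}")
```

Each bucket maps to one of the review queues above: shadow IT and unowned apps go to the inventory owners, the privileged list to the separate admin review, and broad integrations to the API permission review.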
What's in the full article
Zluri's full interview covers the operational detail this post intentionally leaves for the source:
- Todd Dekkinga's direct commentary on why proving GDPR compliance becomes difficult once APIs and SaaS integrations multiply
- The full discussion of how a discovery tool surfaced 750 applications, including the practical implications of that inventory jump
- The interviewer's broader questions on CISO responsibility, security awareness, and keeping pace with cloud and SaaS change
- Todd's perspective on career development and how security leaders stay current through roundtables, Slack groups, and peer networks
👉 Read Zluri's interview on SaaS visibility, compliance, and shadow IT →
SaaS sprawl and shadow IT: what are IAM teams missing?
Explore further
SaaS sprawl is now an identity governance problem, not just an application-management problem. Once employees can create services without procurement, the control boundary moves outside the traditional IT intake process. That means identity teams are no longer only governing users and groups, but also the SaaS estates those users create and the permissions those services accumulate. The implication is that discovery, entitlement review, and lifecycle control must extend to application identities as well as human accounts.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: How do teams decide which SaaS accounts need the tightest review?
A: Prioritise administrative roles, tenant owners, integration managers, and any account that can alter security settings or data routing. Those identities have the highest blast radius because they can change the posture of the platform itself. Standard user access matters, but privileged SaaS access is where governance failure becomes operationally expensive.
👉 Read our full editorial: SaaS sprawl is widening the identity and compliance gap