
Shadow IT discovery gaps: what IAM teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Visibility gaps in SaaS environments are letting employees adopt applications outside IT control, with JumpCloud citing 38% of admins who cannot discover all apps in use. The real issue is not just app sprawl, but unmanaged access paths, unreviewed OAuth grants, and weak accountability across identity-linked SaaS usage.

NHIMG editorial — based on content published by JumpCloud: SaaS discovery methods for modern IT visibility and governance

By the numbers:

Questions worth separating out

Q: How should security teams govern shadow IT discovered in SaaS environments?

A: Start by turning discovery into a governance workflow.

Q: Why does SaaS visibility matter for identity governance?

A: Because access control depends on knowing which applications, identities, and delegated permissions actually exist.

Q: What do security teams get wrong about SaaS discovery tools?

A: They often treat discovery as a reporting function instead of a control function.

Practitioner guidance

  • Establish a governed SaaS baseline: classify SSO-connected applications as approved and compare them against browser-discovered tools every review cycle.
  • Review OAuth consents as access entitlements: treat delegated permissions in Google Workspace and similar identity platforms as standing access that must be reviewed, not one-time user convenience.
  • Use connector data to find shadow accounts: pull user inventories and activity logs from key SaaS platforms, then reconcile them against your identity source to find accounts that exist without current ownership or offboarding status.

What's in the full article

JumpCloud's full how-to covers the operational detail this post intentionally leaves for the source:

  • Step-by-step setup for the JumpCloud Go browser extension and SaaS discovery workflow.
  • Connector-specific visibility details for Google Workspace, Microsoft Entra ID, Slack, Zendesk, and Salesforce.
  • How JumpCloud distinguishes approved SSO-connected apps from shadow IT in the discovery view.
  • Examples of the user, app, and access data surfaced by each discovery method.

👉 Read JumpCloud's how-to on discovering SaaS apps and shadow IT →




(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Shadow IT is now an identity control problem, not an app discovery problem. The article shows that users can adopt SaaS tools faster than central teams can inventory them, which means traditional approval and onboarding workflows are bypassed. Once that happens, the organisation loses sight of who authorised what, where data moved, and whether access was ever assessed. The practical conclusion is that discovery must feed governance, not just reporting.

A few things that frame the scale:

  • The 2026 Infrastructure Identity Survey found that 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: How do organisations know whether SaaS governance is working?

A: Look for a shrinking gap between discovered apps and approved apps, fewer unowned OAuth consents, and faster closure of shadow-account findings. If discovery reports keep growing without corresponding remediation, the programme is producing visibility but not control.

👉 Read our full editorial: SaaS discovery gaps are turning shadow IT into access risk

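Added example for this thread, covering the practitioner guidance in the first post (approved-vs-discovered baseline, OAuth consents treated as entitlements, connector inventories reconciled against the identity source) and the "is governance working" check in the second post. This is illustration code written for the thread, not JumpCloud's tooling or the output of any real connector. Every inventory below is constructed sample data, and the field names (`user`, `scopes`, `app`) and the `DIRECTORY` status values are assumptions made for the example.

```python
"""Reconcile SaaS discovery data against the identity source of record.

All inputs are constructed sample data for illustration; field names and
status values are assumptions, not any vendor's schema.
"""

# Identity source of record: who exists and whether they are still active.
DIRECTORY = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "offboarded",   # left the company, should hold nothing
}

# Applications connected to SSO: the governed, approved baseline.
SSO_APPS = {"Slack", "Salesforce", "Zendesk"}

# Applications seen by browser discovery (app -> users observed using it).
DISCOVERED_APPS = {
    "Slack": {"alice@example.com", "bob@example.com"},
    "Notion": {"alice@example.com"},
    "Trello": {"bob@example.com", "dave@example.com"},
}

# Delegated OAuth consents pulled from the identity platform.
OAUTH_GRANTS = [
    {"app": "Notion", "user": "alice@example.com", "scopes": ["drive.readonly"]},
    {"app": "Calendly", "user": "carol@example.com", "scopes": ["calendar"]},
    {"app": "MailMerge", "user": "dave@example.com", "scopes": ["gmail.readonly"]},
]

# User inventories pulled from SaaS connector APIs (app -> accounts present).
CONNECTOR_USERS = {
    "Slack": ["alice@example.com", "bob@example.com", "carol@example.com"],
    "Salesforce": ["bob@example.com", "svc-reporting@example.com"],
}


def shadow_apps(sso_apps, discovered):
    """Apps observed in browsers but not behind SSO: the discovery gap."""
    return sorted(set(discovered) - set(sso_apps))


def unowned_grants(grants, directory):
    """Consents whose grantor is missing from the directory or no longer active.

    These are standing access paths with nobody accountable for them.
    """
    return [g for g in grants if directory.get(g["user"]) != "active"]


def shadow_accounts(connector_users, directory):
    """Accounts present in a SaaS tenant without an active owner in the directory.

    Returns (app, account, directory_status); 'unknown' means the account
    has no identity record at all (e.g. a service account nobody registered).
    """
    findings = []
    for app, users in connector_users.items():
        for user in users:
            status = directory.get(user, "unknown")
            if status != "active":
                findings.append((app, user, status))
    return findings


def governance_metrics(sso_apps, discovered, grants, connector_users, directory):
    """One review cycle's numbers: what is approved, and how big each gap is."""
    return {
        "discovered": len(discovered),
        "approved": len(set(discovered) & set(sso_apps)),
        "shadow_apps": len(shadow_apps(sso_apps, discovered)),
        "unowned_grants": len(unowned_grants(grants, directory)),
        "shadow_accounts": len(shadow_accounts(connector_users, directory)),
    }


def is_improving(previous, current):
    """Governance is producing control, not just reports, when no gap grows
    between cycles and at least one shrinks."""
    gaps = ("shadow_apps", "unowned_grants", "shadow_accounts")
    no_regression = all(current[k] <= previous[k] for k in gaps)
    some_closure = any(current[k] < previous[k] for k in gaps)
    return no_regression and some_closure


if __name__ == "__main__":
    cycle1 = governance_metrics(SSO_APPS, DISCOVERED_APPS, OAUTH_GRANTS,
                                CONNECTOR_USERS, DIRECTORY)
    print("cycle 1:", cycle1)
    print("shadow apps:", shadow_apps(SSO_APPS, DISCOVERED_APPS))
    print("unowned grants:", [g["app"] for g in unowned_grants(OAUTH_GRANTS, DIRECTORY)])
    print("shadow accounts:", shadow_accounts(CONNECTOR_USERS, DIRECTORY))

    # Simulated remediation before cycle 2: Notion moved behind SSO, and the
    # consents held by offboarded/unknown users revoked.
    cycle2 = governance_metrics(SSO_APPS | {"Notion"}, DISCOVERED_APPS,
                                OAUTH_GRANTS[:1], CONNECTOR_USERS, DIRECTORY)
    print("cycle 2:", cycle2)
    print("improving:", is_improving(cycle1, cycle2))
```

The point of `is_improving` is the one the second post makes: a discovery report that grows cycle over cycle without the shadow-app, unowned-grant and shadow-account counts falling is visibility without control. In a real deployment the three inventories come from the SSO catalogue, the browser discovery feed and the connector APIs respectively, and the directory status comes from the HR-driven identity source, but the reconciliation logic is the same.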