The SaaS Governance Gap
Oct 28, 2024
Oct 28, 2024
The increased adoption of SaaS has enabled businesses to scale and innovate faster than ever before. However, this rapid rise in SaaS use introduces an underestimated challenge: SaaS governance.
In just a few short years, SaaS adoption shifted from an IT-driven initiative to an explosion of employees-led SaaS; the days when a company could effectively manage a handful of cloud applications are long gone. According to Grip's 2025 SaaS Security Risks Report, in 2023, small companies average 411 SaaS applications, medium-sized companies 582, and large enterprises operate with a whopping 1,437 apps. This rapid growth—an astonishing 40% increase from 2022—has enabled businesses to scale and innovate faster than ever before. However, this rapid rise in SaaS use introduces an underestimated challenge: SaaS governance.
At first glance, adopting more SaaS tools seems like a clear win for productivity. But what’s lurking beneath the surface is a SaaS governance problem growing just as fast. SaaS governance is the processes and practices that organizations establish to identify, control, manage, and mitigate risks associated with subscription-based software and SaaS applications. It plays a crucial role in maintaining a comprehensive SaaS inventory and enforcing security standards across the organization. SaaS governance requires a distinct security mindset that recognizes both the advantages and unique challenges of cloud-based applications. Unlike traditional models, SaaS governance must navigate the specifics of a shared responsibility framework—similar to Infrastructure as a Service (IaaS) but tailored to the specific nuances of SaaS adoption and SaaS user behavior.
Effective governance for SaaS begins with a broad understanding of each application's intended use, its capabilities, the data it will handle, and which employees use it and how they access it. This top-down approach, assessing risk from general to granular, is essential for managing SaaS at scale and keeping security measures aligned with business objectives.
However, the ease with which employees can independently start subscriptions has left IT teams in a constant game of catch-up. Grip’s research reveals that securing SaaS environments has become an overwhelming challenge regardless of an organization's size. On average, 85-90% of SaaS tools are unmanaged, and only 10-15% are centrally governed.
This vast disparity between managed and unmanaged SaaS isn’t a case of negligence; it’s symptomatic of deeper systemic issues. Many organizations struggle to get a handle on which tools are in use, largely due to changes in SaaS adoption behavior, such as the rise in shadow SaaS. Technical debt, or the backlog of software and systems that have not been adequately managed, documented, or integrated over time, has long been thought to be the primary driver behind the high proportion of unmanaged SaaS. However, this is only one piece of the puzzle.
The data tells a consistent story across the board: 82-90% of new SaaS applications onboarded in 2023 were unmanaged at the point of discovery, highlighting that the problem isn’t just historical—it’s ongoing. The reasons for this vary, from understaffed IT departments to technical limitations in the traditional security tools organizations rely on. In many cases, the issue is simply one of awareness; if an IT team doesn’t know an app is in use, they can’t secure it. When SaaS is finally discovered, the gaps often persist due to technical limitations—many applications don’t support standards like SAML, or they impose prohibitively high costs for enabling it.
27% of SAML-supported apps do not have it enabled.
Even when SaaS governance measures are applied, they are often incomplete. Grip's data shows that 27% of unmanaged apps support SAML but don’t have it enabled, an open invitation for incidents like Microsoft’s Midnight Blizzard attack. Digging deeper into managed SaaS, 63% have semi-managed access, meaning a social login is used, while 53% use local app credentials or a user-defined login.
This data paints a striking picture: the sheer number of applications that aren’t federated and rely on employees following password best practices points to a critical gap in SaaS governance. Organizations are not just struggling with oversight—they’re grappling with the technical and structural challenges of managing hundreds or thousands of apps. Without a more comprehensive governance strategy, unmanaged SaaS tools will continue growing, creating a fertile ground for security vulnerabilities.
SaaS governance doesn’t play out uniformly across industries—each sector has its own pace of adoption, and with that comes varying levels of control. For instance, Grip’s research found that the construction industry manages just 4.2% of its SaaS applications. However, construction’s relatively low SaaS adoption rates suggest that the industry might not yet feel the urgency to address its governance shortfalls. In contrast, in sectors like insurance, where SaaS adoption is widespread, 21% of applications are actively managed.
The disparity between these industries points to a larger truth: organizations with regulatory obligations, such as insurance and financial services, are naturally inclined to invest more heavily in securing their SaaS environments. The stakes are higher, with potential fines and reputational damage tied to non-compliance. But even in these sectors, shadow SaaS is still a problem and most apps fly under the radar, making it difficult to implement comprehensive security measures and governance protocols.
The governance picture becomes even more fragmented when SaaS management is broken down by function. Grip’s report shows that IT, production, and security apps are better managed, with rates ranging from 16% to 22%, likely because these teams are more apt to follow formal procurement and security review processes. However, in departments like marketing, where niche applications are commonly adopted and the prevalence of shadow SaaS is high, only 5.8% of apps are managed. The low management rate stems from functional teams often bypassing established review protocols, either unaware of the risks or unwilling to wait for approvals.
It’s not just marketing tools that fall short—financial apps, which handle sensitive data, also show surprisingly low management rates, with only 7% centrally managed. This oversight is alarming, as it exposes critical vulnerabilities within a company’s most sensitive functions and jeopardizes compliance standards.
In short, a functional team’s autonomy in selecting tools, paired with IT’s limited visibility, has resulted in increased SaaS security risks, and the consequences could be severe if left unchecked.
The sheer scale of SaaS usage has fundamentally changed how organizations must approach security. Despite significant investments in traditional security measures, the persistent growth of unmanaged SaaS and shadow SaaS reveals a glaring problem: visibility is a challenge. Without a clear understanding of which apps are in use—and which of those present the most risk—attempts to secure the SaaS landscape fall short.
Organizations are now in a position where SaaS is essential for operations, and employees increasingly expect the freedom to choose their own tools. This shift, also known as “business-led IT,” calls for a more pragmatic approach to SaaS governance; the burden can no longer rest solely on IT and security teams. Instead, effective SaaS governance requires a collaborative effort involving the appropriate stakeholders, including business app owners and end users. As SaaS continues to grow, so must the strategies to protect it, ensuring that flexibility and innovation are balanced with robust security practices.
This article is an excerpt from the 2025 SaaS Security Risks Report. To read the report in its entirety, download your copy now.
Gain a complete view of your SaaS usage—including shadow SaaS and rogue cloud accounts—from an identity-centric viewpoint. See how Grip can improve the security of your enterprise.
Fill out the form and watch webinar's video.