Dec 4, 2024
Dec 4, 2024
As SaaS adoption accelerates, so does the urgency for organizations to adapt their security strategies. Shadow SaaS and shadow AI are not problems to be eliminated but realities to be managed.
.png)
The SaaS security landscape is shifting faster than ever, and with it comes a cascade of challenges. Shadow SaaS, shadow AI, and the sheer pace of SaaS adoption are reshaping how organizations manage risk. While the benefits of SaaS applications are undeniable, their ungoverned appropriation introduces vulnerabilities that many companies are only beginning to understand.
As highlighted in Grip Security’s 2025 SaaS Security Risks Report, up to 90% of applications in use within organizations may be flying under the radar—posing a critical risk not only to data security but also to operational resilience. We sat down with Grip Security’s founders, Lior Yaari and Idan Fast to explore how organizations can regain control over their SaaS ecosystems in the year ahead. Listen in to the conversation now:
Shadow IT is no longer about rogue servers or unauthorized hardware. Instead, it has evolved into shadow SaaS and, more recently, shadow AI. These terms describe unmonitored applications and AI tools being adopted by employees and business units without IT or security oversight.
“Acquiring SaaS is now as simple as filling out a signup form,” explained Lior Yaari. “From niche apps to hyper-specialized AI tools, it’s easier than ever for business units to onboard new technology—often without the involvement of IT or security.”
The implications are far-reaching. Shadow SaaS applications often bypass key security measures like single sign-on (SSO) and multi-factor authentication (MFA), leaving sensitive data exposed. Shadow AI further compounds the issue by introducing risks related to data training, privacy breaches, and intellectual property leaks.
“AI tools are like the next-generation PDF converter problem, when you’d upload a document to a website and you never really knew where your data was going,” added Yaari. “With AI, employees upload sensitive data for processing, often unaware that their actions might enable vendors to train on that data or store it insecurely.”
SaaS portfolios grew by an average of 40% in 2024, driven by the need for hyper-specialized tools that cater to specific business needs. This expansion of applications—often adopted at the team or departmental level—has made it harder than ever for organizations to maintain visibility and control.
“SaaS applications have a way of spreading like wildfire,” noted Yaari. “What starts as a low-cost niche tool for one team can quickly grow into an integral part of the business. By the time security is aware of it, it’s often too late to implement proper controls as the business may already be deeply dependent on those workflows. SaaS identity risk management isn’t about saying 'no'; it’s about knowing early so you can build security in from the start.”
SaaS identity risk management isn’t about saying 'no'; it’s about knowing early so you can build security in from the start.
The result of the SaaS explosion introduces what Grip termed “SaaS risk creep.” Each new application might seem harmless in isolation, but collectively, they amplify vulnerabilities, from weak credential practices to identity risks to incomplete offboarding when the app is retired or the employee leaves. Because of the tremendous amount of SaaS tools, IT and security teams can’t keep up, and the risks grow and accumulate over time.
Many organizations rely on tools like CASBs (Cloud Access Security Brokers) or SSPMs (SaaS Security Posture Management), but these solutions often fail to address the complexities of shadow SaaS and AI. As Yaari explained, these tools were built for a different era, when SaaS portfolios were smaller, consumption could be controlled through the network using a proxy, and SaaS was less integrated into business processes.
“CASBs were designed over a decade ago for a much simpler SaaS environment,” said Yaari. “Today’s SaaS applications don’t follow the rules of the network—they’re accessible anywhere, anytime, with just a username and password.”
Blocking access to applications is no longer a viable strategy either. Instead, companies must balance accessibility with security. “Companies are realizing that users are trying to help the business by using SaaS applications. Blocking shadow SaaS usage isn’t acceptable or productive,” added Fast. “SaaS is driving businesses forward, and decentralized IT is the new rule of business operations—organizations need to adapt to stay competitive.”
Achieving balance between security and usability requires more than just awareness—it demands a strategic approach. As IT and security teams aim to provide the strongest tools and services for their users, they must also reduce barriers to adoption. "Companies that can remove friction for employees adopting effective tools will not only stay competitive but also maintain an edge in innovation," noted Fast. However, enabling adoption doesn’t mean compromising security.
Companies that can remove friction for employees adopting SaaS tools will not only stay competitive but also maintain an edge in innovation.
To de-risk SaaS usage, organizations must establish programs with well-designed guardrails—controls that are robust enough to mitigate risk but flexible enough to avoid stifling productivity. This "magic spot," as Fast describes it, ensures employees can easily access the tools they need while maintaining critical security oversight. “It’s not about stopping SaaS adoption; it’s about knowing when it’s happening and putting guardrails in place early,” said Yaari. “The earlier you interject in the SaaS lifecycle—whether during application intake or identity creation—the lower the cost and effort to secure it,” added Fast.
So, where do organizations go from here?
As SaaS adoption accelerates, so does the urgency for organizations to adapt their security strategies. Shadow SaaS and shadow AI are not problems to be eliminated but realities to be managed.
Successful SaaS security programs will embrace proactive management and strategic foresight. A robust SaaS identity risk management program is essential, one that begins with application intake to identity and account creation and continues throughout the SaaS (and user) lifecycle, to ensure secure (and comprehensive) offboarding. As Fast explained, “It’s about knowing the landscape and implementing scalable, low-friction controls that address identity and third-party risks without hindering adoption.” Early intervention not only minimizes risk but also ensures security aligns seamlessly with business objectives.
“The business is moving to SaaS whether IT allows it or not,” concluded Yaari. “The key is to build a strategy that supports innovation without compromising security.” With SaaS driving innovation and competitiveness, organizations must accept this shift and focus on creating a strategy to manage it effectively. By building programs that balance accessibility with oversight, companies can support innovation while staying secure in an increasingly SaaS-driven world.
Get started today: book time with the Grip team to discuss your SaaS security program, the challenges you’re facing, and how Grip can help reduce your SaaS risks, and save time and cut costs in the process. Book a demo now.
Download the 2025 SaaS Security Risks Report
Read how Believer contained Shadow AI without stifling innovation
Gain a complete view of your SaaS usage—including shadow SaaS and rogue cloud accounts—from an identity-centric viewpoint. See how Grip can improve the security of your enterprise.
Fill out the form and watch webinar's video.
