SaaS Sprawl: More Extensive Than You Think
Nov 30, 2024
The pandemic reshaped the modern workforce in countless ways, but one of the most enduring shifts has been the mass adoption of SaaS applications. What began as a necessity during the rapid transition to remote work has since evolved into a common practice—employees across industries have taken it upon themselves to procure cloud-based SaaS tools outside the awareness of IT. This surge of SaaS adoption didn’t slow down as offices reopened; it accelerated, and organizations are now grappling with the consequences of unmanaged SaaS sprawl.
New research by Grip reveals that SaaS sprawl is more extensive than most organizations realize. The numbers paint a stark picture: SaaS adoption grew 62% in the first year of COVID lockdowns and another 28% the following year. Grip’s 2025 SaaS Security Risks Report states that today, the average large enterprise uses over 1,400 apps, and this growth is far from under control. In fact, most organizations are unaware of how deep their SaaS sprawl runs. And while expanding SaaS portfolios should symbolize progress, they are simultaneously becoming one of the most insidious security risks organizations face today.
The term "Shadow IT" is nothing new, but it is evolving in today’s SaaS-fueled landscape. Shadow IT refers to the hardware or software employees install without formal approval. With cloud subscriptions just a click away, SaaS tools are being acquired rapidly, often without the knowledge of entire functional teams, let alone IT and security teams. These apps, also known as “shadow SaaS,” may never pass through IT's hands, creating a sprawling web of unauthorized access points that expose organizations to invisible vulnerabilities. According to Grip’s research, 85-90% of SaaS applications are outside of IT oversight and control, and IT has no visibility into what these apps are or who is using them.
Grip’s research also found that only 10-15% of SaaS is centrally managed. Typically, the larger, “major” applications, like Microsoft and Salesforce, are managed more often than the smaller, niche applications. Alarmingly, applications containing financial data were found to be managed at a much lower rate (7%) than the average SaaS management rate (13%), which raises questions about compliance with regulatory standards like PCI-DSS, the Sarbanes-Oxley Act (SOX), HIPAA, and the NYDFS Cybersecurity Regulation, all of which require MFA for systems and applications accessing sensitive data.
The real risk isn’t just in the number of SaaS apps an organization uses—it’s in the identities attached to those apps. Applications with large user bases (like Microsoft, Adobe, and Salesforce) can have hundreds or thousands of identities. Niche applications and shadow SaaS have smaller user bases and fewer identities but present risks nonetheless.
Consider that each employee using these shadow tools creates an account—usually with just a username and password—and every account becomes an entry point for potential breaches, whether through weak or reused passwords or through abandoned accounts that are left active after the employee leaves the company. The result is a risk that the security team isn’t even aware of and that continues to grow silently.
While SaaS makes collaboration easier and improves employee productivity, it also means the number of identities tied to these tools has exploded, each with varying access and security oversight levels. The risk isn’t just that more people are using SaaS; it’s that IT teams often lack visibility into who is using what, when, and how securely—are employees bypassing SSO? Did someone start a new shadow SaaS app subscription because they didn’t like the sanctioned option? Should the tools employees are using be centrally managed?
For CISOs, this introduces a multidimensional problem. The complexity of managing identities in a decentralized SaaS environment is nuanced, and traditional means of securing digital environments haven’t kept pace with the changes in SaaS adoption and usage. For example,
Each identity can serve as a weak point if not carefully managed and governed—often before the security team realizes there’s an issue.
In this SaaS-driven era, CIOs and CISOs are being forced to rethink their roles. Traditionally seen as the gatekeepers of enterprise security, IT and security leaders no longer have full visibility or control over the apps their employees use. But that doesn’t mean they should throw in the towel—instead, they must adapt, transforming from gatekeepers into enablers of secure innovation.
The reality is that employees will continue to adopt SaaS tools, whether IT approves of them or not. Rather than attempting to block or stifle this behavior, CIOs and CISOs must focus on embedding security into the decentralized SaaS procurement process. This means fostering collaboration between IT, security, and business units to ensure that apps are being used securely without slowing down innovation.
This shift also requires a programmatic approach to SaaS risk management—one that extends beyond traditional security controls and focuses on ongoing visibility and risk mitigation. It’s not enough to simply identify what apps are in use; organizations must continuously audit accounts, track usage, and monitor for changes. Only by treating SaaS as a dynamic, ever-evolving ecosystem can CISOs regain control of their environments.
As organizations expand their reliance on SaaS, the complexity of managing identities, accounts, and licenses will continue to grow exponentially. This trend will not reverse—it’s the future of work. But the risks can be managed if companies take a proactive stance.
Many cybersecurity leaders have realized that SaaS growth is outpacing traditional security frameworks. The question is no longer whether to embrace SaaS but how to secure it. By prioritizing SaaS visibility and governance, organizations can mitigate the security and compliance risks associated with sprawling SaaS portfolios and identities while empowering employees to drive innovation.
In the end, SaaS may be a silent explosion, but its impact is anything but quiet. The organizations that succeed will be those that treat SaaS security as a critical, continuous priority—one that demands both agility and vigilance. After all, in a world of invisible risks, it's what you don’t see that can hurt you the most.
For deeper insights into the risks that shadow SaaS and sprawling identities pose, download the 2025 SaaS Security Risks Report.