
How to Discover Shadow SaaS Without Deploying Another Agent

You don’t need another endpoint agent to uncover Shadow SaaS.

Here’s how to use identity, OAuth, and access data to discover unknown apps fast.



The Myth: You Need More Software to Find Shadow SaaS

When Shadow SaaS comes up, the instinctive response is:

“We need another tool.”

Another agent.

Another scanner.

Another dashboard.

But most organizations already have the data they need.

The real issue isn’t tooling — it’s where you’re looking.

Shadow SaaS doesn’t hide in endpoints.

It hides in identity and authentication flows.


Shadow SaaS Leaves Identity Footprints

Every SaaS app that touches your organization does one of three things:

  1. Uses a corporate email address

  2. Requests OAuth permissions

  3. Authenticates through SSO (or bypasses it)

All three leave evidence in systems you already control.

According to Waldo Security’s 2025 SaaS & Cloud Discovery Report, 97% of SaaS apps are unknown to IT — yet they still rely on identity to function.


The apps are invisible.

The identities are not.


A 45-Minute Shadow SaaS Discovery Playbook

No agents. No disruption.


Step 1: Pull OAuth App Grants (15 Minutes)

Start with your identity provider:

  • Google Workspace → Security → API controls → App access

  • Microsoft 365 → Enterprise Applications → Permissions

Export:

  • All OAuth applications

  • Granted scopes

  • Associated users

You will immediately uncover:

  • File-sync tools

  • AI assistants

  • Automation platforms

  • CRM plug-ins

  • Browser extensions

CISA’s Secure Cloud Business Applications (SCuBA) guidance warns that unmanaged OAuth access creates persistent attack paths that bypass traditional controls: https://www.cisa.gov/secure-cloud-business-applications-scuba

Every OAuth grant is a SaaS footprint.


Step 2: Compare IdP App Integrations to Real Usage (10 Minutes)

Export your IdP-integrated apps list (Okta, Entra ID, etc.).

Now compare it against:

  • OAuth grants

  • Email-based signups

  • Expense system vendors

Anything in usage data that isn’t in your IdP catalog is Shadow SaaS by definition.

The CISA Zero Trust Maturity Model emphasizes visibility as a prerequisite to trust decisions: https://www.cisa.gov/zero-trust-maturity-model

You can’t trust what you haven’t discovered.


Step 3: Search for Non-SSO Logins (10 Minutes)

Ask each major SaaS admin console:

  • Are local credentials allowed?

  • Are there users not tied to SSO?

  • Are personal email domains registered?

You will almost always find:

  • Contractor accounts

  • Department-created admins

  • Legacy accounts predating SSO rollout

These are identity gaps — not IT gaps.


Step 4: Look for Shadow Cloud Accounts (10 Minutes)

Shadow SaaS often expands into Shadow CSP.

Check for:

  • AWS accounts outside central billing

  • Azure tenants not registered with security

  • GCP projects created via OAuth login

The Discovery Report found 100% of organizations had unauthorized cloud accounts.

These environments rarely show up in procurement records — but they always show up in identity logs.
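As an added example (not Waldo Security’s code or process), here is one way to reconcile the exports from Steps 1 to 3 in Python: OAuth grants against the IdP catalog, grants with broad scopes, and SaaS console users who bypass SSO or use personal domains. The CSV rows, column headers, corporate domain and the list of “broad” scopes are constructed assumptions; real exports come from the admin consoles named above.

```python
# Added example (not Waldo Security's code): reconcile the exports from Steps 1-3.
# All CSV rows, scope names and column headers below are constructed for illustration.
import csv
import io

CORPORATE_DOMAINS = {"example.com"}  # assumption: the org's own mail domains
BROAD_SCOPES = {"https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/gmail.readonly"}  # assumed "broad" scopes

OAUTH_GRANTS_CSV = """app,scopes,user
Slack,openid email,alice@example.com
DocSync Pro,https://www.googleapis.com/auth/drive,bob@example.com
ChatHelper AI,https://www.googleapis.com/auth/gmail.readonly,carol@example.com
Slack,openid email,dave@example.com
"""
IDP_CATALOG_CSV = """app
Slack
Salesforce
"""
SAAS_USERS_CSV = """email,auth_method
alice@example.com,sso
contractor@gmail.com,password
legacy-admin@example.com,password
"""

def parse(text):
    """Load a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def shadow_apps(grants_csv, catalog_csv):
    """Step 2: apps present in OAuth grants but absent from the IdP catalog."""
    catalog = {row["app"] for row in parse(catalog_csv)}
    return sorted({g["app"] for g in parse(grants_csv)} - catalog)

def broad_grants(grants_csv):
    """Step 1: (app, user) pairs whose granted scopes include broad data access."""
    return sorted((g["app"], g["user"]) for g in parse(grants_csv)
                  if BROAD_SCOPES & set(g["scopes"].split()))

def non_sso_users(users_csv, corporate_domains=CORPORATE_DOMAINS):
    """Step 3: local-credential logins and accounts on non-corporate domains."""
    findings = []
    for u in parse(users_csv):
        domain = u["email"].rsplit("@", 1)[-1].lower()
        if u["auth_method"].lower() != "sso":
            findings.append((u["email"], "local credentials"))
        if domain not in corporate_domains:
            findings.append((u["email"], "personal domain"))
    return findings
```

The same set-difference in `shadow_apps` applies to Step 4 by swapping the IdP catalog for the central billing or tenant registry and the grants export for cloud sign-in logs.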


Why This Works

Shadow SaaS spreads at the speed of authentication.

Users:

  • Sign up with corporate email

  • Click “Allow” on OAuth

  • Connect integrations across platforms

Identity becomes the infrastructure.

This is why compliance frameworks like the NIST Privacy Framework and ISO/IEC 27001 focus on accountability and traceability — not vendor lists: https://www.nist.gov/privacy-framework and https://www.iso.org/isoiec-27001-information-security.html

Discovery through identity aligns directly with compliance expectations.


What Most Teams Discover

After running this process, teams typically find:

  • Dozens of AI tools

  • Shadow CRM or marketing platforms

  • File-sharing apps bypassing SSO

  • Automation tools with broad OAuth scopes

  • Untracked cloud environments

And none required deploying a single endpoint agent.


Why Agents Miss the Bigger Problem

Agents see devices.

Identity sees access.

Shadow SaaS risk isn’t about installation.

It’s about authentication.

If identity is the new perimeter, discovery must start there.


From One-Time Discovery to Continuous Visibility

Manual discovery works once.

Modern SaaS environments change daily.

Waldo Security’s SaaS & Cloud Discovery Engine automates this process by:

  • Discovering all SaaS apps — known and unknown

  • Surfacing OAuth and delegated access

  • Identifying non-SSO identities

  • Detecting Shadow CSP environments

  • Mapping findings to compliance frameworks

No endpoint deployment required — because identity already tells the story.


Conclusion: Stop Looking at Devices. Start Looking at Identity.

Shadow SaaS doesn’t hide in laptops.

It hides in authentication.

You don’t need another agent.

You need to follow the identity trail.

If an app touches your data, identity knows about it.

👉 See how organizations are uncovering Shadow SaaS through identity visibility in the 2025 SaaS & Cloud Discovery Report:


About Waldo Security

Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By illuminating unmanaged identities, OAuth risk, and Shadow IT, Waldo enables security teams to defend the identity perimeter with continuous visibility.

