Identity is the next perimeter!? We have a problem!

If identity alone is the perimeter, today’s enterprises are defending a border they can’t even see. Password fallbacks, durable OAuth tokens, duplicate tenants, public links, and AI plug-ins create access that never touches your IdP. Waldo Security gives you the truth map: we discover every SaaS app, tenant, account, and OAuth grant in minutes, flag SSO/MFA bypasses and risky scopes, and export audit-ready evidence. Start with Instant SaaS Discovery, then keep proof current with the SaaS Compliance Overview.

Position: Identity controls are necessary—and wildly insufficient

  • Credential abuse still dominates. The 2025 Verizon DBIR shows ~88% of Basic Web App Attacks used stolen credentials. “Supports SSO” is not “enforces SSO on every path.” (Verizon)

  • Zero Trust expects controls at the resource (SaaS) plane. NIST SP 800-207 moves defenses from networks to users, assets, and resources—which means governing the app layer, not just the login page. (NIST Publications)

  • Public guidance puts inventory first. CISA’s Cloud Security Technical Reference Architecture starts with inventory → least privilege → logging; identity logs alone are a partial map. (CISA)


Five ways organizations miscount “the perimeter” (and get burned)

  1. Password side doors: Many “SSO-only” apps still accept local passwords through legacy endpoints or personal accounts. That’s the very path attackers choose. (See DBIR’s credential pattern.) (Verizon)

  2. Durable OAuth tokens: A single click can grant write scopes plus offline_access—minting refresh tokens that outlive password changes. Microsoft Entra explicitly recommends restricting end-user consent to verified publishers and selected permissions to stop this at the source. (Microsoft Learn)

  3. Duplicate tenants & shadow suites: Trials become production in separate tenants you don’t govern. CISA’s TRA underscores why discovery must precede posture. (CISA)

  4. Public links = anonymous identities: “Anyone with the link” behaves like a user with no audit trail; identity telemetry won’t catch it. (Zero Trust requires monitoring the resource.) (NIST Publications)

  5. AI plug-ins and extensions: Usage often runs under personal identities. IBM links lower breach costs to faster identification/containment—impossible if this access isn’t inventoried. (IBM)

The governance gap: IdP-centric ≠ SaaS-secure

Identity teams assume everyone walks through the IdP. SaaS says otherwise. To meet Zero Trust expectations and reduce incident costs, you need SaaS-layer controls that assert least privilege inside the apps and integrations themselves—and evidence that they’re operating. (IBM puts the global average breach at ~$4.44M, with cost reductions tied to speed of identification and containment.) (IBM)

What to add on top of SSO/MFA (SaaS-layer controls)

1) Consent guardrails

  • Entra: allow user consent only for verified publishers and selected, low-impact permissions; require admin approval for tenant-wide/write scopes; review offline_access grants quarterly. (Microsoft Learn)

2) Token hygiene

  • Enumerate and revoke stale refresh tokens and app grants; rotate PATs/keys; invalidate grants during offboarding (not just passwords). Microsoft documents revocation mechanics for delegated permissions. (Verizon)

3) Sharing & guests

  • Default-deny public links in sensitive spaces; time-box guest elevations; require an internal owner for every external identity. (Aligns with Zero Trust’s resource-focused verification.) (NIST Publications)

4) Continuous evidence

  • Stream SaaS audit logs to SIEM; ship a monthly packet: SSO coverage, admin changes, OAuth diffs, offboarding timestamps, public-link exceptions. (CISA TRA’s logging pillar + IBM’s cost driver.) (CISA)

Copy-paste detections (to prove you’re shrinking the gray area)

  • Apps with traffic but no IdP trail
    Sources: Proxy/DNS ⟂ IdP
    Logic: WHERE domain IN known_saas AND NOT EXISTS(idp_signin[domain])
    Why it matters: reveals shadow tenants and personal apps—pure scope risk (TRA “inventory first”). (CISA)

  • Password logins to SSO-catalog apps
    Sources: IdP
    Logic: WHERE app IN sso_catalog AND auth_method='password'
    Why it matters: turns up unmanaged identities in “managed” apps (DBIR credential pattern). (Verizon)

  • Persistent & privileged OAuth
    Sources: OAuth exports
    Logic: WHERE scopes ILIKE '%offline_access%' AND scopes ~ '(ReadWrite|mail.send|files.*write)'
    Why it matters: durable write access that bypasses your IdP after day one; Entra consent policy stops new ones. (Microsoft Learn)
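To show the three detections above actually running rather than as pseudo-SQL, here is an added example (not Waldo Security's code or a product query) that loads constructed proxy, IdP and OAuth-export rows into an in-memory SQLite database and runs each detection as a real query. The table and column names (proxy_log, idp_signin, oauth_grant, known_saas, sso_catalog, actor, auth_method, scopes) are assumptions standing in for whatever your own exports produce; the PostgreSQL-style ILIKE / ~ operators from the post are translated to SQLite's LIKE plus a registered REGEXP function.

```python
"""Runs the three copy-paste detections over constructed sample telemetry
in an in-memory SQLite database.  Added example, not Waldo Security's code:
table/column names are assumptions, and every row below is constructed."""
import re
import sqlite3

# Constructed reference lists: SaaS domains you know about, and the subset
# that is supposed to be SSO-only.
KNOWN_SAAS = ["figma.com", "notion.so", "slack.com", "dropbox.com"]
SSO_CATALOG = ["slack.com", "notion.so"]

# Constructed proxy/DNS observations: (actor, destination domain).
PROXY_LOG = [
    ("alice", "slack.com"), ("bob", "figma.com"), ("carol", "dropbox.com"),
    ("dave", "notion.so"), ("erin", "figma.com"),
]
# Constructed IdP sign-in events: (actor, app domain, auth_method).
IDP_SIGNINS = [
    ("alice", "slack.com", "sso"), ("carol", "slack.com", "sso"),
    ("dave", "notion.so", "password"),
]
# Constructed OAuth grant export: (app_name, principal, space-separated scopes).
OAUTH_GRANTS = [
    ("CalendarHelper", "alice", "Calendars.Read offline_access"),
    ("MailMerge", "bob", "Mail.Send offline_access"),
    ("DocSync", "carol", "Files.ReadWrite.All"),
    ("ChatBot", "dave", "Chat.ReadWrite offline_access"),
]


def _regexp(pattern, value):
    # SQLite has no built-in regex operator; `X REGEXP Y` calls regexp(Y, X),
    # so the pattern arrives first.  Case-insensitive so the post's lowercase
    # pattern still matches Graph-style scope names such as Mail.Send.
    return 1 if value is not None and re.search(pattern, value, re.IGNORECASE) else 0


def build_db():
    """Load the constructed telemetry into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.executescript("""
        CREATE TABLE known_saas(domain TEXT PRIMARY KEY);
        CREATE TABLE sso_catalog(app TEXT PRIMARY KEY);
        CREATE TABLE proxy_log(actor TEXT, domain TEXT);
        CREATE TABLE idp_signin(actor TEXT, app TEXT, auth_method TEXT);
        CREATE TABLE oauth_grant(app_name TEXT, principal TEXT, scopes TEXT);
    """)
    conn.executemany("INSERT INTO known_saas VALUES (?)", [(d,) for d in KNOWN_SAAS])
    conn.executemany("INSERT INTO sso_catalog VALUES (?)", [(a,) for a in SSO_CATALOG])
    conn.executemany("INSERT INTO proxy_log VALUES (?, ?)", PROXY_LOG)
    conn.executemany("INSERT INTO idp_signin VALUES (?, ?, ?)", IDP_SIGNINS)
    conn.executemany("INSERT INTO oauth_grant VALUES (?, ?, ?)", OAUTH_GRANTS)
    return conn


def apps_without_idp_trail(conn):
    """Detection 1: known SaaS domains seen at the proxy with no IdP sign-in at all."""
    rows = conn.execute("""
        SELECT DISTINCT p.domain FROM proxy_log p
        WHERE p.domain IN (SELECT domain FROM known_saas)
          AND NOT EXISTS (SELECT 1 FROM idp_signin s WHERE s.app = p.domain)
        ORDER BY p.domain
    """)
    return [r[0] for r in rows]


def password_logins_to_sso_apps(conn):
    """Detection 2: password authentication into apps that are supposed to be SSO-only."""
    rows = conn.execute("""
        SELECT actor, app FROM idp_signin
        WHERE app IN (SELECT app FROM sso_catalog) AND auth_method = 'password'
        ORDER BY actor, app
    """)
    return list(rows)


def persistent_privileged_oauth(conn):
    """Detection 3: grants that are both durable (offline_access) and write-capable."""
    # Note: '_' is a single-character wildcard in LIKE, so '%offline_access%'
    # is slightly looser than a literal match; harmless for scope strings.
    rows = conn.execute("""
        SELECT app_name, principal FROM oauth_grant
        WHERE scopes LIKE '%offline_access%'
          AND scopes REGEXP '(ReadWrite|mail.send|files.*write)'
        ORDER BY app_name
    """)
    return list(rows)


def run_all():
    """Return the findings of all three detections keyed by name."""
    conn = build_db()
    return {
        "no_idp_trail": apps_without_idp_trail(conn),
        "password_to_sso_app": password_logins_to_sso_apps(conn),
        "persistent_privileged_oauth": persistent_privileged_oauth(conn),
    }


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(f"{name}: {findings}")
```

On the constructed rows, detection 1 surfaces figma.com and dropbox.com (proxy traffic, no IdP sign-in), detection 2 flags dave's password login to notion.so even though notion.so is in the SSO catalog, and detection 3 flags the two grants that pair offline_access with a write or send scope while leaving the read-only CalendarHelper grant and the non-durable DocSync grant alone. Swapping the constructed lists for real exports is the only change needed to use the same queries against your own data.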

30–60–90: From identity-only to SaaS-secure

Days 1–30 — See: Correlate IdP sign-ins + suite/audit logs + DNS/proxy + spend into a deduped inventory of apps, tenants, accounts, and OAuth grants. Tag owner, SSO/MFA status, admin count, scopes, data sensitivity. (CISA TRA sequencing.) (CISA)

Days 31–60 — Enforce: Close password paths on high-risk apps; set Entra user-consent to verified publishers + selected permissions; require admin approval for high-privilege scopes; begin revoking idle offline_access. (Microsoft Learn)

Days 61–90 — Prove: Stream SaaS logs; export a monthly evidence pack (SSO coverage, admin changes, OAuth diffs, offboarding timestamps, link/guest exceptions). Tie metrics to breach-cost reduction (IBM). (IBM)

KPIs for leaders (identity + SaaS reality)

  • Unknown → Known: % of SaaS usage tied to inventoried apps/tenants (target +10 pts/quarter).

  • SSO reality: % of high-risk apps enforcing SSO/MFA; # of password logins to SSO-catalog apps (trend ↓). (Verizon)

  • OAuth health: # of grants with offline_access + write/tenant-wide scopes (trend ↓). (Microsoft Learn)

  • Evidence freshness: % of artifacts updated in last 30 days (TRA logging pillar). (CISA)

Bottom line

If identity is the perimeter, that perimeter is leaking—because access now lives inside SaaS. The fix is not another “identity feature,” it’s SaaS-layer governance: see every service and account, enforce least privilege on scopes/links/guests, and keep live evidence. Want the quick path? Map reality with Instant SaaS Discovery and ship continuous proof via SaaS Compliance Overview.
