If IT Doesn’t Know About It, Attackers (and AI) Probably Do
- Martin Snyder

- 2 days ago
Unknown SaaS isn’t harmless.
If IT can’t see it, attackers — and AI systems — can still access it.
Visibility is the first control.

The Most Dangerous SaaS Apps Aren’t the Ones You Reviewed
Security teams often assume risk begins where policy fails.
In reality, risk begins where visibility fails.
If IT doesn’t know a SaaS application exists, that doesn’t mean:
- No one is using it
- No data is flowing into it
- No credentials are attached
- No integrations are connected
It simply means your governance model hasn’t caught up.
And when you can’t see something, you’re not the only one looking.
Attackers Don’t Need Your Inventory
Attackers do not rely on your SaaS inventory.
They rely on:
- Phished credentials
- OAuth token abuse
- Over-privileged service accounts
- Public integrations
- Misconfigured cloud tenants
If an employee signs up for a SaaS platform using corporate email, that platform becomes part of your attack surface — whether IT approved it or not.
According to Waldo Security’s 2025 SaaS & Cloud Discovery Report:
- 97% of SaaS applications are unknown to IT
- 100% of organizations have unauthorized cloud accounts
- Less than 1% of SaaS accounts enforce MFA
Unknown SaaS isn’t edge-case risk.
It is the default state.
AI Changes the Equation
If you are concerned about AI usage in your organization, the stakes are even higher.
Almost every modern SaaS platform now leverages AI:
- Embedded copilots
- Automated analytics
- AI-driven summarization
- Predictive workflows
- Data enrichment engines
Some services explicitly train on user-submitted data. Others analyze metadata or content patterns to improve models.
If you do not know which SaaS platforms are in use, you cannot:
- Evaluate AI data processing exposure
- Assess model training risk
- Control where sensitive information is analyzed
- Govern AI access to internal files
AI governance begins with SaaS visibility.
If IT doesn’t know the application exists, it cannot evaluate how AI within that application handles your data.
Unknown SaaS Is Still Connected to Identity
Shadow SaaS does not operate in isolation.
It connects through identity:
- Corporate email signups
- OAuth file access
- Calendar integrations
- CRM sync permissions
- Cloud API keys
CISA’s Secure Cloud Business Applications (SCuBA) guidance warns that unmanaged OAuth permissions create durable access paths that can survive offboarding and bypass traditional controls:
Attackers don’t need to break into systems if they can inherit identity-based access.
And AI systems don’t need to breach controls if they’re already authorized through delegated permissions.
The Visibility Gap Is the Real Risk
Security programs often focus on:
- Firewall controls
- Endpoint detection
- CASB alerts
- Vendor approval workflows
But none of these stop identity-based adoption.
The CISA Zero Trust Maturity Model emphasizes that visibility must precede trust decisions:
You cannot secure what you do not enumerate.
And you cannot govern AI risk without understanding where data flows.
Compliance Doesn’t Accept “We Didn’t Know”
Modern frameworks require accountability across all systems — sanctioned or not.
The NIST Privacy Framework and ISO/IEC 27001 both emphasize traceability and continuous control:
If sensitive data is processed by an unknown SaaS platform — especially one leveraging AI — lack of awareness does not eliminate responsibility.
Unknown access is still access.
Unknown processing is still processing.
Why This Problem Persists
SaaS spreads at the speed of authentication.
Employees adopt tools instantly.
They connect integrations casually.
They enable AI features by default.
No infrastructure deployment required.
Security review cycles cannot match that velocity unless identity visibility is continuous.
What Needs to Change
If IT doesn’t know about an application, that is not a user behavior issue.
It is a discovery gap.
Closing it requires:
- Continuous SaaS discovery
- Visibility into OAuth and delegated access
- Identification of non-SSO accounts
- Detection of Shadow CSP environments
- Mapping of SaaS usage to AI exposure risk
Discovery is not optional in an AI-enabled SaaS world.
It is foundational.
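As an added example (not code from this post or from Waldo Security), the script below applies the discovery checks listed above, and the identity paths described under "Unknown SaaS Is Still Connected to Identity", to a few constructed identity events: it flags apps outside the sanctioned inventory, OAuth grants carrying broad delegated scopes, sign-ins that bypass SSO, and accounts without MFA. The event format, scope names and sanctioned list are assumptions for illustration.

```python
from dataclasses import dataclass

# Delegated scopes that give an app durable file, mail or calendar access.
# Assumption: illustrative names, not any one identity provider's exact scope strings.
SENSITIVE_SCOPES = {"drive", "drive.readonly", "mail", "mail.read", "calendar", "contacts"}

@dataclass
class Finding:
    app: str
    kind: str        # unknown_app | sensitive_oauth | non_sso | no_mfa
    user: str
    detail: str = ""

def discover_shadow_saas(events, sanctioned):
    """Walk identity events (assumed format, see SAMPLE_EVENTS) and flag SaaS risk.

    An app is reported as unknown once; OAuth and sign-in checks run on every event,
    so a sanctioned app with an over-broad grant is still surfaced.
    """
    findings, seen_apps = [], set()
    for ev in events:
        app, user = ev["app"], ev["user"]
        if app not in sanctioned and app not in seen_apps:
            seen_apps.add(app)
            findings.append(Finding(app, "unknown_app", user))
        if ev["type"] == "oauth_consent":
            risky = sorted(set(ev.get("scopes", [])) & SENSITIVE_SCOPES)
            if risky:  # delegated access that can outlive the user's session or employment
                findings.append(Finding(app, "sensitive_oauth", user, ",".join(risky)))
        elif ev["type"] == "signin":
            if not ev.get("sso", False):   # local password account: outside IdP lifecycle
                findings.append(Finding(app, "non_sso", user))
            if not ev.get("mfa", False):
                findings.append(Finding(app, "no_mfa", user))
    return findings

def summarize(findings):
    """Group finding kinds per app so each app appears once in a review list."""
    out = {}
    for f in findings:
        out.setdefault(f.app, set()).add(f.kind)
    return {app: sorted(kinds) for app, kinds in out.items()}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real log data
    {"type": "signin", "app": "crm.example", "user": "alice@corp.example", "sso": True, "mfa": True},
    {"type": "oauth_consent", "app": "notes-ai.example", "user": "bob@corp.example", "scopes": ["drive.readonly", "profile"]},
    {"type": "signin", "app": "notes-ai.example", "user": "bob@corp.example", "sso": False, "mfa": False},
    {"type": "oauth_consent", "app": "crm.example", "user": "carol@corp.example", "scopes": ["calendar"]},
]
SANCTIONED = {"crm.example"}  # assumption: the apps IT has actually reviewed

if __name__ == "__main__":
    for app, kinds in summarize(discover_shadow_saas(SAMPLE_EVENTS, SANCTIONED)).items():
        print(app, kinds)
```

In the sample, the unreviewed AI note-taking app is flagged on all four checks, while the sanctioned CRM still surfaces because a user granted it calendar access outside any review.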
How Waldo Security Helps Close the Gap
Waldo Security’s SaaS & Cloud Discovery Engine enables organizations to:
- Discover known and unknown SaaS platforms
- Surface OAuth grants and delegated access
- Detect identities that bypass SSO
- Identify Shadow cloud environments
- Map SaaS usage to compliance and AI governance risk
Because almost every SaaS platform now leverages AI in some form, understanding your SaaS landscape is inseparable from understanding your AI exposure.
Security cannot govern what it cannot see.
Conclusion: Visibility Is the First Control
If IT doesn’t know about a SaaS application, it is not neutral.
It is:
- Part of your attack surface
- Part of your identity perimeter
- Potentially part of your AI processing chain
Attackers look for access.
AI systems analyze data wherever access allows.
The only sustainable defense is visibility.
Learn how organizations are uncovering unknown SaaS and AI-related exposure in the 2025 SaaS & Cloud Discovery Report:
About Waldo Security
Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By illuminating unmanaged identities, OAuth risk, Shadow IT, and AI-related exposure, Waldo enables security teams to defend the identity perimeter with continuous evidence.