Shadow CSP: The Cloud Accounts Security Doesn’t Know About

Unauthorized AWS, Azure, and GCP accounts are more common than most organizations realize.

Shadow cloud accounts expand your attack surface beyond governance and visibility.


You’re Probably Securing the Wrong Cloud Accounts

Most organizations believe they know their cloud footprint.

They can list:

  • Production AWS accounts

  • Azure subscriptions

  • GCP projects

  • Centralized billing structures

  • Approved DevOps environments


Dashboards are monitored. Guardrails are configured. Policies are applied.

But those are the cloud accounts you know about.

The more dangerous ones are the ones you don’t.


Shadow CSP Is Not a Rare Edge Case

According to Waldo Security’s 2025 SaaS & Cloud Discovery Report:

  • 100% of organizations had unauthorized AWS, Azure, or GCP accounts

  • 97% of SaaS applications were unknown to IT


Shadow CSP environments are not anomalies.

They are the default condition in SaaS-driven organizations.

If identity can create a cloud tenant, identity can expand your attack surface without a ticket, without approval, and without security awareness.


How Shadow Cloud Accounts Appear

Shadow CSP environments often originate from:

  • Developers creating personal AWS accounts tied to corporate email

  • Departments provisioning Azure tenants for pilots

  • SaaS platforms spinning up cloud instances behind the scenes

  • Contractors creating GCP projects for short-term initiatives

  • AI experimentation environments launched outside governance


Cloud adoption is frictionless.

Identity is enough to provision.

No infrastructure request required.


Identity Is the Creation Mechanism

Shadow cloud accounts are identity events.

An employee authenticates.

A tenant is created.

An API key is generated.

A service account is provisioned.


The CISA Zero Trust Maturity Model (https://www.cisa.gov/zero-trust-maturity-model) emphasizes identity as the central control plane in modern security architectures.

If identity creates infrastructure, identity visibility must extend to cloud account creation.

Otherwise, governance begins too late.


AI Accelerates Shadow CSP Growth

Almost every SaaS platform now leverages AI, and many organizations are experimenting with:

  • AI model training

  • Cloud-based inference pipelines

  • AI-powered development environments

  • Data science sandboxes


If you are concerned about AI in your organization, understanding which cloud environments exist is critical.

AI experimentation frequently occurs in:

  • Separate cloud tenants

  • Unmonitored projects

  • Short-lived environments

  • Personal or departmental subscriptions


Shadow CSP is increasingly AI-driven.

If you cannot enumerate cloud accounts, you cannot govern AI infrastructure.


Why Shadow CSP Is High Risk

Unauthorized cloud accounts typically lack:

  • Centralized logging

  • MFA enforcement

  • Access reviews

  • Guardrails and policies

  • Compliance alignment


They may contain:

  • Production data copies

  • Customer datasets

  • API keys

  • AI training datasets

  • Unpatched workloads


CISA’s Secure Cloud Business Applications (SCuBA) guidance emphasizes the risks associated with unmanaged cloud environments and delegated access.


Shadow cloud accounts combine identity exposure with infrastructure exposure.

That makes them compounding risks.


Compliance Scope Extends to All Cloud Accounts

Frameworks such as the NIST Privacy Framework and ISO/IEC 27001 require accountability for data processing systems.

If regulated data is processed in an unauthorized cloud account:

  • It is still in scope

  • It is still auditable

  • It is still your responsibility

Approval status does not limit compliance scope.

Reality defines scope.


The Governance Blind Spot

Many organizations believe:

“We would know if a new cloud account was created.”

But identity-based provisioning changes that assumption.

Corporate email domains allow:

  • Trial account creation

  • Subscription-based cloud onboarding

  • API-based tenant provisioning


Security teams often discover Shadow CSP only after:

  • Incident response

  • Billing anomalies

  • Third-party disclosure

  • Data leakage

Discovery should not be reactive.


How to Identify Shadow CSP

A practical approach includes:

  • Enumerating cloud accounts tied to corporate domains

  • Reviewing identity provider logs for tenant creation events

  • Auditing OAuth grants linked to cloud platforms

  • Checking billing domains across providers

  • Mapping SaaS platforms that provision cloud infrastructure
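
The first three steps above can be turned into a simple detection job: pull sign-in and OAuth-consent events from the identity provider, keep only those that target a cloud-provider application, and flag every account, tenant or project a corporate identity touched that is absent from the approved inventory. The script below is an added example, not Waldo Security's code or any IdP's API; the event shape, the application display names, the inventory and the log lines are all constructed for illustration.

```python
"""Flag cloud accounts touched by corporate identities that are not in the approved inventory.

Added example. The event records below mimic what an identity provider's
sign-in and consent logs contain, but the field names are assumptions,
not a real IdP schema.
"""
from collections import defaultdict

# Hypothetical approved inventory: (provider, account/tenant/project identifier)
# pairs that the landing zone or CSPM already governs.
APPROVED_ACCOUNTS = {
    ("aws", "111111111111"),
    ("azure", "0f2e9a5c-1111-2222-3333-444444444444"),
    ("gcp", "corp-prod-analytics"),
}

CORPORATE_DOMAIN = "example.com"

# IdP application display names mapped to the provider they front (assumed names).
PROVIDER_BY_APP = {
    "AWS Management Console": "aws",
    "Azure Portal": "azure",
    "Google Cloud Platform": "gcp",
}

# Constructed sample events: a mix of approved accounts, an unknown AWS account,
# an OAuth consent to an unknown GCP project, a guest user, and a non-cloud app.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:12:00Z", "type": "signin", "user": "dev1@example.com",
     "app": "AWS Management Console", "target": "111111111111"},
    {"ts": "2025-03-01T10:03:00Z", "type": "signin", "user": "dev2@example.com",
     "app": "AWS Management Console", "target": "222222222222"},
    {"ts": "2025-03-02T14:40:00Z", "type": "oauth_consent", "user": "pm@example.com",
     "app": "Google Cloud Platform", "target": "pilot-ml-sandbox"},
    {"ts": "2025-03-02T15:00:00Z", "type": "signin", "user": "dev2@example.com",
     "app": "AWS Management Console", "target": "222222222222"},
    {"ts": "2025-03-03T08:00:00Z", "type": "signin", "user": "ops@example.com",
     "app": "Azure Portal", "target": "0f2e9a5c-1111-2222-3333-444444444444"},
    {"ts": "2025-03-03T08:30:00Z", "type": "signin", "user": "guest@partner.org",
     "app": "Azure Portal", "target": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
    {"ts": "2025-03-03T09:00:00Z", "type": "signin", "user": "dev1@example.com",
     "app": "Slack", "target": "T012345"},
]


def find_shadow_cloud(events, approved=APPROVED_ACCOUNTS, domain=CORPORATE_DOMAIN):
    """Return {(provider, target): summary} for every unapproved cloud account
    that an identity in the corporate domain signed in to or granted OAuth access to."""
    findings = defaultdict(lambda: {"users": set(), "event_types": set(), "first_seen": None})
    for ev in events:
        provider = PROVIDER_BY_APP.get(ev["app"])
        if provider is None:
            continue  # not a cloud-provider application; out of scope here
        if not ev["user"].lower().endswith("@" + domain):
            continue  # guest/partner identity: governed through B2B review, not this check
        key = (provider, ev["target"])
        if key in approved:
            continue  # already in the inventory
        entry = findings[key]
        entry["users"].add(ev["user"])
        entry["event_types"].add(ev["type"])
        # ISO-8601 UTC strings of equal format compare correctly as text.
        if entry["first_seen"] is None or ev["ts"] < entry["first_seen"]:
            entry["first_seen"] = ev["ts"]
    return {
        key: {"users": sorted(v["users"]),
              "event_types": sorted(v["event_types"]),
              "first_seen": v["first_seen"]}
        for key, v in findings.items()
    }


if __name__ == "__main__":
    for (provider, target), summary in sorted(find_shadow_cloud(SAMPLE_EVENTS).items()):
        print(f"[{provider}] {target}: first seen {summary['first_seen']}, "
              f"users={summary['users']}, via={summary['event_types']}")
```

Run against the constructed events, the job reports two unapproved accounts: the AWS account `222222222222` (console sign-ins by one developer) and the GCP project `pilot-ml-sandbox` (reached through an OAuth consent rather than a sign-in, which is why consent logs belong in the same feed). Approved accounts, the Slack sign-in and the partner guest are not reported. In practice the inventory would come from the organization management API of each provider and the events from the IdP's audit export, and the output would feed a ticket or a SIEM rule rather than stdout.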


Because nearly every SaaS platform now integrates AI features, understanding which SaaS services create or connect to cloud accounts is critical.

SaaS discovery and cloud discovery are inseparable.


From Fragmented Cloud to Governed Cloud

Real cloud governance requires:

  • Continuous SaaS discovery

  • Visibility into identity-driven tenant creation

  • Detection of Shadow CSP environments

  • Enforcement of centralized MFA and SSO

  • Classification of AI-enabled cloud workloads


Shadow CSP is not a procurement gap.

It is an identity governance gap.


How Waldo Security Surfaces Shadow CSP

Waldo Security’s SaaS & Cloud Discovery Engine enables organizations to:

  • Detect unauthorized AWS, Azure, and GCP accounts

  • Identify SaaS platforms provisioning cloud resources

  • Surface identity and OAuth connections to cloud tenants

  • Map cloud usage to compliance and AI governance frameworks


Because almost every SaaS service now leverages AI — and AI experimentation often requires cloud infrastructure — cloud discovery is foundational to AI governance.

You cannot govern AI infrastructure if you cannot see where it exists.


Conclusion: If Identity Can Create It, Governance Must See It

Shadow CSP does not appear because security is careless.

It appears because identity is powerful.

And powerful identity without visibility expands infrastructure silently.

If you are serious about:

  • SaaS governance

  • AI risk management

  • Compliance accountability

  • Identity-centric security


You must treat cloud account discovery as continuous — not optional.

Learn how organizations are uncovering Shadow SaaS, Shadow CSP, and AI-related exposure in the 2025 SaaS & Cloud Discovery Report.


About Waldo Security

Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By illuminating unmanaged identities, OAuth risk, Shadow IT, and Shadow CSP exposure, Waldo enables security teams to defend the identity perimeter with continuous visibility and evidence.
