Shadow SaaS Is Not an IT Problem. It’s an Identity Problem.

Shadow SaaS isn’t just unsanctioned software.

It’s unmanaged identity.

And that’s why traditional IT controls fail to contain it.

We’ve Been Framing Shadow SaaS Wrong

Shadow SaaS is usually described as:

  • Employees adopting tools without IT approval

  • Departments bypassing procurement

  • Unsanctioned cloud usage


That framing makes it sound like a governance issue.

Or worse — a user behavior issue.

It’s neither.


Shadow SaaS is fundamentally an identity control failure.


Apps Don’t Create Risk. Access Does.

An unknown SaaS app sitting unused creates no exposure.

Risk begins the moment:

  • An employee signs up with a corporate email

  • OAuth access is granted to files or inboxes

  • A service account connects to a CRM

  • A contractor provisions an admin account


Shadow SaaS becomes dangerous when identity connects to data.

That’s not an IT procurement problem.

That’s a perimeter problem.


The Data Makes This Clear

According to Waldo Security’s 2025 SaaS & Cloud Discovery Report:

  • 97% of SaaS applications are unknown to IT

  • 100% of organizations have unauthorized AWS, Azure, or GCP accounts

  • Less than 1% of SaaS accounts enforce MFA


That means the vast majority of identity-based access is happening outside centralized enforcement.

The real issue isn’t that IT doesn’t know about every app.

It’s that identities are operating beyond governance.


Read the full findings in the 2025 SaaS & Cloud Discovery Report: https://www.waldosecurity.com/2025-saas-and-cloud-discovery-report


Why IT-Centric Controls Don’t Work

Traditional controls focus on:

  • Vendor reviews

  • Network filtering

  • CASB alerts

  • Procurement approvals


But modern SaaS adoption bypasses all of them.

Employees don’t deploy infrastructure anymore.

They authenticate.

And authentication is controlled by identity systems — not IT ticket queues.


This is why the CISA Zero Trust Maturity Model places identity at the center of modern security architecture: https://www.cisa.gov/zero-trust-maturity-model


If identity is the control plane, Shadow SaaS is an identity visibility failure.


OAuth Turned Shadow SaaS Into Infrastructure

OAuth made SaaS frictionless.

With one click, users grant:

  • File system access

  • Inbox access

  • Calendar permissions

  • CRM data visibility

Often permanently.


CISA’s Secure Cloud Business Applications (SCuBA) guidance explicitly warns that unmanaged OAuth permissions create persistent access paths that survive offboarding and evade traditional monitoring.

That’s not Shadow IT.

That’s Shadow Identity.


Compliance Already Treats This as an Identity Issue

Modern frameworks don’t ask:

“Was this app approved?”

They ask:

  • Who has access?

  • Can you prove it’s appropriate?

  • Can you revoke it everywhere?


The NIST Privacy Framework and ISO/IEC 27001 require accountability and traceability across systems — not just sanctioned ones.

If you can’t enumerate identities across SaaS, you can’t demonstrate compliance — regardless of procurement policy.


Why Shadow SaaS Keeps Growing

Because identity is frictionless.

Users:

  • Reuse corporate emails

  • Grant OAuth access casually

  • Sync data across tools

  • Adopt AI platforms instantly


SaaS spreads at the speed of authentication.

IT reviews can’t keep up.

Identity visibility must.


Reframing the Solution

If Shadow SaaS were purely an IT problem, the solution would be tighter procurement controls.

But since it’s an identity problem, the solution is different:

  • Continuous discovery of SaaS usage

  • Visibility into identity and OAuth access

  • Enforcement of SSO and MFA coverage

  • Lifecycle alignment for humans and integrations

  • Governance of non-human identities


The perimeter is no longer the network.

It’s every authenticated access path.
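The access paths described in the OAuth section and the lifecycle and SSO-coverage controls listed above, as an added example that is not part of the original post or of Waldo Security's product: a small Python audit that correlates a constructed OAuth grant export with a constructed identity directory and flags grants whose owner has been offboarded, consents made outside SSO, and broad mailbox or file scopes. The app names, scope labels and the `sso_login` field are assumptions for illustration.

```python
from dataclasses import dataclass

# Scope labels treated as high impact. Constructed labels, not any vendor's real scope names.
BROAD_SCOPES = {"mail.read", "mail.readwrite", "files.readwrite", "directory.readwrite"}
# Constructed identity directory: active flag and whether the identity is federated to SSO.
DIRECTORY = {
    "alice@example.com": {"active": True, "sso": True},
    "bob@example.com": {"active": False, "sso": True},     # offboarded, grant never revoked
    "svc-crm@example.com": {"active": True, "sso": False},  # non-human identity
}

# Constructed OAuth grant export; "sso_login" is an assumed field: consent via IdP or direct password.
GRANTS = [
    {"app": "notes-app", "user": "alice@example.com", "scopes": ["openid", "email"], "sso_login": True},
    {"app": "mail-helper", "user": "bob@example.com", "scopes": ["mail.read"], "sso_login": True},
    {"app": "crm-sync", "user": "svc-crm@example.com", "scopes": ["files.readwrite"], "sso_login": False},
    {"app": "ai-assistant", "user": "carol@example.com", "scopes": ["mail.readwrite", "openid"], "sso_login": False},
]

@dataclass
class Finding:
    app: str
    user: str
    reasons: list

def audit_grants(grants, directory):
    """Return one Finding per grant that is an unmanaged identity access path."""
    findings = []
    for g in grants:
        reasons = []
        identity = directory.get(g["user"])
        if identity is None:
            reasons.append("identity not in directory")          # unknown or personal account
        elif not identity["active"]:
            reasons.append("owner offboarded, grant still live")  # survives offboarding
        if not g["sso_login"]:
            reasons.append("consent bypassed SSO")                # outside central enforcement
        reasons += [f"broad scope: {s}" for s in g["scopes"] if s in BROAD_SCOPES]
        if reasons:
            findings.append(Finding(g["app"], g["user"], reasons))
    return findings

def sso_coverage(grants):
    """Fraction of grants whose consent went through SSO: the coverage gap the report measures."""
    return sum(1 for g in grants if g["sso_login"]) / len(grants) if grants else 0.0

if __name__ == "__main__":
    for f in audit_grants(GRANTS, DIRECTORY):
        print(f"{f.app:<13} {f.user:<22} {'; '.join(f.reasons)}")
    print(f"SSO coverage: {sso_coverage(GRANTS):.0%}")
```

Feeding a real grant export and directory into the same two functions gives the per-grant findings list and the SSO coverage figure the post argues should be measured continuously.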


Why Discovery Comes First

You can’t govern identities in apps you don’t know exist.

Waldo Security’s SaaS & Cloud Discovery Engine helps organizations:

  • Discover known and unknown SaaS apps

  • Identify identities bypassing SSO

  • Surface OAuth tokens and delegated access

  • Detect Shadow CSP environments

  • Map identity exposure to compliance frameworks


This shifts Shadow SaaS from an unknown problem to a measurable perimeter.


Conclusion: Stop Blaming Users. Start Governing Identity.

Shadow SaaS isn’t rebellion.

It isn’t carelessness.

It isn’t an IT failure.

It’s what happens when identity governance doesn’t extend far enough.

Apps don’t create exposure. Identities do.

If identity is the new perimeter, then Shadow SaaS is simply the part of that perimeter you haven’t mapped yet.

See how organizations are uncovering Shadow SaaS and identity blind spots in the 2025 SaaS & Cloud Discovery Report: https://www.waldosecurity.com/2025-saas-and-cloud-discovery-report


About Waldo Security

Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By exposing unmanaged identities, OAuth risk, and Shadow IT, Waldo enables security teams to defend the identity perimeter with clarity and continuous evidence.
