The 2025 SaaS Security Playbook: Find Shadow IT, Govern Access, Stay Audit-Ready
- Martin Snyder
- Aug 15
- 6 min read

If you’re tired of spreadsheet audits, surprise app discoveries, and hair-on-fire offboarding, you’re in the right place. Waldo Security helps you see every SaaS app and account in minutes, automate the messy parts of governance (like offboarding and report prep), and stay continuously audit-ready—without turning your IT team into hall monitors. Start with Instant SaaS Discovery to map what’s out there, then use our guided checks and reports to make compliance straightforward with our SaaS Compliance Overview.
Why SaaS risk looks different in 2025
SaaS made work fast. It also made risk…sneaky. A few realities to ground the conversation:
Credentials are still king for attackers. Verizon’s 2025 DBIR again spotlights stolen credentials among the most common footholds for breaches—particularly in web apps. (Verizon)
Breaches are costly—even when you respond faster. IBM’s 2025 report pegs the global average breach at $4.4M and flags an “AI oversight gap,” where ungoverned AI systems increase both breach likelihood and cost. (IBM)
Your SaaS estate is both consolidating and shifting. BetterCloud’s 2025 State of SaaS shows organizations still run ~106 different SaaS tools on average—fewer than last year, but still a sprawling estate. (BetterCloud)
GenAI is now part of your app mix—whether you planned for it or not. Netskope tracks hundreds of AI apps in enterprise traffic and finds the average organization now uses nearly six genAI apps, with top quartile orgs using 13+. (Netskope)
Put simply: attackers love your users’ logins, your estate is complex (even when you’re “consolidating”), and AI apps are multiplying at the edges. None of that is inherently bad—if you can see it, govern it, and offboard it.
The three blind spots driving SaaS risk
1) Unknown apps (aka Shadow IT, Shadow AI)
Teams adopt tools to move faster. Finance trials a forecasting tool. Design adds a plug-in. Support experiments with a no-code automation. Individually reasonable; collectively risky. Without discovery, you can’t apply controls, detect abnormal behavior, or prove compliance coverage. CISA’s cloud reference architecture underscores the need to inventory services, apply least-privilege, and integrate logging as you move deeper into cloud—and SaaS. (CISA)
What it looks like on Tuesday: a surprise bill, a new OAuth consent screen, or a data export you didn’t know existed.
2) Unmanaged identities & permissive OAuth
SaaS loves federation and API tokens. Your identity provider (IdP) covers many doors, but app-granted permissions can persist outside normal session controls: a grant that includes offline access comes with a refresh token minted by the app, so it keeps working after the user’s SSO session expires, and disabling the user in the IdP does not necessarily invalidate it. Over time, organizations accumulate stale service accounts, unused vendor connections, and “temporary” admin grants that never got revoked. That’s a recipe for silent lateral movement if credentials are stolen. Verizon’s findings on credential-based web-app attacks make this one worth fixing first. (Verizon)
3) Zombie access after role change or exit
Everyone knows offboarding matters. In practice, it’s where checklists go to die. Spreadsheets miss niche tools, app owners forget to remove guests, and centralized tickets don’t always hit every SaaS tenant. IBM’s data shows multi-environment breaches are among the most expensive—exactly the pattern you get when access lingers in one of many tools. (Bluefin)
A practical, human playbook (you can start this week)
You don’t need a six-month project plan to reduce risk. Here’s a sequence we’ve seen work—especially for lean teams.
Step 1: Inventory what’s real (not what’s on a slide)
Run discovery against identity, email, logs, and expense data. You want a unified, deduped list of apps and accounts.
Tag each item: owner (or best guess), department, data sensitivity, authentication method (SSO vs password), and whether it’s subject to frameworks like SOC 2 or HIPAA.
Flag anomalies: apps with high data sensitivity but no SSO; apps with many admins; apps with stale users.
Waldo’s SaaS Discovery does this in minutes—pulling from authoritative systems so you get a living inventory instead of a one-time snapshot.
Step 2: Classify risk by how data moves
A simple rubric beats a complex one you never use. Try this:
Low: No customer or employee PII, read-only integrations, SSO enforced, MFA enforced.
Medium: Internal data, light write privileges, bounded exports, SSO optional.
High: Customer/employee data, write/create privileges, API tokens with broad scopes, external sharing features.
Cross-reference with what the industry tells us: credential misuse and web-app abuse remain common breach routes—so SSO enforcement, MFA, and scope reviews punch above their weight. (Verizon)
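Steps 1 and 2 as code, an added example rather than Waldo’s product or the page’s own code: it merges constructed records from an IdP export, expense reports and OAuth audit logs into one deduped inventory, applies owner-supplied tags, scores each app with the rubric above and raises the anomaly flags from Step 1. The source records, tags, thresholds (90 idle days from the checklist, five admins as “many”) and the scope-name heuristics are all assumptions made for the example.

```python
"""Added example, not Waldo's code: merge discovery sources into one deduped
SaaS inventory, tag it, classify risk with the Step 2 rubric and raise the
Step 1 anomaly flags. Every record below is constructed sample data."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2025, 8, 15)               # assumed "now" for the sample data
STALE_DAYS = 90                         # idle threshold from the checklist (>90 days)
MANY_ADMINS = 5                         # assumed threshold for "many admins"
BROAD = ("*", ".all", "admin")          # assumed markers of a broad API scope
WRITE = ("write", "manage", "create")   # assumed markers of write privileges

# Constructed source records; each source spells the same vendor differently.
IDP_APPS = [{"app": "Salesforce", "sso": True, "mfa": True},
            {"app": "Slack", "sso": True, "mfa": True}]
EXPENSE_APPS = [{"vendor": "Salesforce.com, Inc.", "dept": "sales"},
                {"vendor": "Forecastly Inc", "dept": "finance"},
                {"vendor": "SLACK TECHNOLOGIES", "dept": "eng"}]
OAUTH_LOGS = [{"client": "forecastly", "scopes": ["drive.readonly", "offline_access"]},
              {"client": "designbot", "scopes": ["files.write"]}]
# Owner-supplied tags and last-login dates (constructed), keyed by canonical name.
TAGS = {"salesforce": {"sensitivity": "high", "admins": 7, "external_sharing": True},
        "slack": {"sensitivity": "medium", "admins": 2},
        "forecastly": {"sensitivity": "high", "admins": 1},
        "designbot": {"sensitivity": "low", "admins": 1}}
LAST_LOGIN = {"salesforce": {"alice": date(2025, 8, 1), "bob": date(2025, 3, 2)},
              "forecastly": {"carol": date(2025, 8, 10)}}

def normalize(name: str) -> str:
    """Canonical key: lowercase, strip TLDs, legal suffixes and punctuation."""
    n = name.lower()
    n = re.sub(r"\.(com|io|net)\b", "", n)
    n = re.sub(r"\b(inc|llc|ltd|corp|technologies)\b\.?", "", n)
    return re.sub(r"[^a-z0-9]", "", n)

@dataclass
class App:
    key: str
    name: str
    sources: set[str] = field(default_factory=set)
    dept: str | None = None
    sso: bool = False
    mfa: bool = False
    scopes: list[str] = field(default_factory=list)
    sensitivity: str = "unknown"        # stays "unknown" until an owner tags it
    admins: int = 0
    external_sharing: bool = False
    last_login: dict[str, date] = field(default_factory=dict)

def build_inventory() -> dict[str, App]:
    """Dedupe by canonical key and merge what each source knows about the app."""
    inv: dict[str, App] = {}

    def get(name: str) -> App:
        k = normalize(name)
        return inv.setdefault(k, App(key=k, name=name))

    for r in IDP_APPS:
        a = get(r["app"]); a.sources.add("idp"); a.sso, a.mfa = r["sso"], r["mfa"]
    for r in EXPENSE_APPS:
        a = get(r["vendor"]); a.sources.add("expense"); a.dept = a.dept or r["dept"]
    for r in OAUTH_LOGS:
        a = get(r["client"]); a.sources.add("oauth"); a.scopes += r["scopes"]
    for k, a in inv.items():
        t = TAGS.get(k, {})
        a.sensitivity = t.get("sensitivity", a.sensitivity)
        a.admins = t.get("admins", 0)
        a.external_sharing = t.get("external_sharing", False)
        a.last_login = LAST_LOGIN.get(k, {})
    return inv

def classify(a: App) -> str:
    """Step 2 rubric. Untagged sensitivity counts as high until someone tags it."""
    scopes = [s.lower() for s in a.scopes]
    broad = any(m in s for s in scopes for m in BROAD)
    writes = any(m in s for s in scopes for m in WRITE)
    if a.sensitivity in ("high", "unknown") or broad or a.external_sharing:
        return "high"
    if a.sensitivity == "medium" or writes or not a.sso:
        return "medium"
    return "low" if a.mfa else "medium"

def anomalies(a: App) -> list[str]:
    """Step 1 flags: shadow app, sensitive-but-no-SSO, many admins, stale users."""
    flags = []
    if "idp" not in a.sources:
        flags.append("not behind the IdP (shadow)")
    if a.sensitivity == "high" and not a.sso:
        flags.append("high sensitivity without SSO")
    if a.admins >= MANY_ADMINS:
        flags.append(f"{a.admins} admins")
    stale = sorted(u for u, d in a.last_login.items() if (TODAY - d).days > STALE_DAYS)
    if stale:
        flags.append("stale users: " + ", ".join(stale))
    return flags

def report() -> dict[str, dict]:
    return {k: {"risk": classify(a), "flags": anomalies(a), "sources": sorted(a.sources)}
            for k, a in build_inventory().items()}

if __name__ == "__main__":
    for k, r in report().items():
        print(f"{k:12} {r['risk']:6} {r['sources']} {r['flags']}")
```

The two points worth copying are the canonical key (three sources produce one `salesforce` row, not three) and the default for untagged apps: anything nobody has classified yet is treated as high risk, so the inventory pressures owners to tag rather than quietly hiding gaps as “low”.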
Step 3: Govern OAuth grants like they’re production changes
List all app-to-app connections: who authorized them, when, and with what scopes.
Right-size permissions: prefer least-privilege scopes; swap “all mailboxes” for “this shared mailbox,” “read” for “read.basic,” etc.
Rotate and revoke: treat aged tokens and unused connections like expired contractors.
Automate reviews: quarterly for high-risk scopes, semiannual for the rest.
This isn’t just hygiene. It’s how you close the door on silent persistence that often turns a small incident into a breach. IBM’s research shows faster identification and containment reduces cost; governance reduces the time to clarity. (IBM)
Step 4: Make offboarding automatic (so it actually happens)
Trigger on HRIS events (role change, termination) to revoke SaaS access everywhere—including long-tail tools outside SSO.
Deactivate API tokens and service accounts linked to the user.
Transfer data ownership (docs, repos, tickets) to teams—not to a single admin inbox that becomes a bottleneck.
Automation matters because your app list is long. Even in a consolidation year, the average org runs ~106 SaaS tools, and that’s before counting the AI plug-ins proliferating inside those apps. (BetterCloud, Netskope)
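Steps 3 and 4 as code, an added example rather than Waldo’s implementation: it reviews each OAuth grant (idle time against the 90-day rule, broad scopes to right-size, refresh tokens that outlive the SSO session, quarterly versus semiannual cadence) and turns an HR termination for one user into an ordered revocation plan that reaches accounts the IdP does not cover and reassigns service accounts the person owned instead of deleting them. The grants, accounts, scope names and the scope-narrowing table are constructed for illustration; real scope names are vendor-specific.

```python
"""Added example, not Waldo's code: review OAuth grants as Step 3 describes
(scopes, idle time, refresh tokens, review cadence) and turn an HR termination
into the Step 4 revocation plan. Grants, accounts and scope names are constructed;
the scope-narrowing table is illustrative, real scope names are vendor-specific."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2025, 8, 15)                # assumed "now"
IDLE_DAYS = 90                           # checklist rule: revoke idle tokens >90 days
BROAD_MARKERS = ("*", ":all", "admin")   # assumed markers of a broad scope
WRITE_MARKERS = ("write", "manage")
NARROWER = {                             # illustrative least-privilege swaps
    "mail:readwrite:all": "mail:read:<shared-mailbox>",
    "users:read": "users:read.basic",
}
RANK = ("low", "medium", "high")

@dataclass(frozen=True)
class Grant:
    id: str
    app: str
    principal: str           # user or service account that authorized it
    scopes: tuple[str, ...]
    granted: date
    last_used: date | None   # None: never used since it was granted
    offline: bool            # refresh token issued; outlives the SSO session

GRANTS = [  # constructed
    Grant("g1", "crm", "alice@example.com", ("mail:readwrite:all", "offline_access"),
          date(2024, 1, 10), date(2025, 8, 12), True),
    Grant("g2", "forecastly", "bob@example.com", ("files:read",),
          date(2024, 11, 1), date(2025, 4, 1), False),
    Grant("g3", "ci-bot", "svc-deploy", ("repos:write",), date(2023, 6, 1), None, True),
    Grant("g4", "chat", "bob@example.com", ("users:read",),
          date(2025, 5, 5), date(2025, 8, 14), False),
]
ACCOUNTS = {  # app -> {principal: behind SSO?}; constructed
    "crm": {"alice@example.com": True, "bob@example.com": True},
    "forecastly": {"bob@example.com": False},        # long-tail app outside SSO
    "chat": {"bob@example.com": True, "svc-deploy": False},
}
SERVICE_ACCOUNT_OWNER = {"svc-deploy": "bob@example.com"}   # constructed

def scope_risk(scope: str) -> str:
    s = scope.lower()
    if any(m in s for m in BROAD_MARKERS):
        return "high"
    return "medium" if any(m in s for m in WRITE_MARKERS) else "low"

def review(g: Grant, today: date = TODAY) -> dict:
    """Findings for one grant: revoke if idle, right-size broad scopes, set cadence."""
    idle = (today - (g.last_used or g.granted)).days
    risk = max((scope_risk(s) for s in g.scopes), key=RANK.index, default="low")
    findings = [f"right-size {s} -> {NARROWER[s]}" for s in g.scopes if s in NARROWER]
    if g.offline:
        findings.append("refresh token: not bounded by the SSO session")
    action = "revoke" if idle > IDLE_DAYS else "keep"
    if action == "revoke":
        findings.insert(0, f"idle {idle}d")
    cadence = 90 if risk == "high" else 180          # quarterly vs semiannual
    return {"grant": g.id, "principal": g.principal, "risk": risk, "action": action,
            "findings": findings, "next_review": today + timedelta(days=cadence)}

def offboarding_plan(user: str) -> list[dict]:
    """Everything to remove when HR reports that `user` left, most urgent first.
    Priorities: refresh tokens (0), accounts the IdP cannot reach (1), other
    tokens and service accounts the user owned (2), SSO accounts (3), data (4)."""
    plan = []
    for g in GRANTS:
        if g.principal == user:
            plan.append({"step": "revoke_token", "app": g.app, "target": g.id,
                         "priority": 0 if g.offline else 2})
    for app, members in ACCOUNTS.items():
        if user in members:
            plan.append({"step": "disable_account", "app": app, "target": user,
                         "priority": 1 if not members[user] else 3})
    for svc, owner in SERVICE_ACCOUNT_OWNER.items():   # reassign, never delete blindly
        if owner == user:
            plan.append({"step": "reassign_service_account", "app": "*",
                         "target": svc, "priority": 2})
    plan.append({"step": "transfer_ownership", "app": "*", "target": user, "priority": 4})
    return sorted(plan, key=lambda a: a["priority"])

if __name__ == "__main__":
    for g in GRANTS:
        print(review(g))
    for a in offboarding_plan("bob@example.com"):
        print(a)
```

Two design choices carry the security point. A grant that has never been used is aged from its grant date, so a forgotten integration is revoked rather than surviving forever with `last_used` empty. And the offboarding plan puts the account in the non-SSO app ahead of the SSO-governed ones, because deprovisioning in the IdP will not touch it; the service account the leaver owned is reassigned, not deleted, so the CI job it backs does not break in the middle of the offboarding.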
Step 5: Prove compliance continuously, not just at audit time
Map controls (access reviews, SSO enforcement, offboarding SLAs) to frameworks you care about: SOC 2, ISO 27001, HIPAA, GDPR.
Collect evidence automatically (policy states, user lists, timestamps) and keep it fresh.
Report on posture drift: what changed since last month? where did coverage improve? what failed and got remediated?
This is exactly where a living inventory plus automation turns into time savings at audit time—and fewer “we’ll get back to you” emails.
The people side: how to roll this out without the eye rolls
Security gets better when people stay on your side.
Lead with enablement. Tell teams, “We’re making it easier to adopt good tools safely,” not “We’re locking things down.”
Make requests easy. Create a one-pager and a short form that says, “Want a new tool? Here’s how to get it approved in ~24 hours.”
Use guardrails, not gates. Block obviously risky AI apps and high-risk categories (e.g., data exfiltration tools), but allow safe defaults. Netskope’s 2025 data shows orgs commonly block a small set of genAI apps by policy; start there and adapt. (Netskope)
Share wins. “We offboarded 9 users across 31 apps in 4 minutes and reclaimed $X in licenses.” Nothing builds support like saved money.
Metrics that matter to GRC, IT, and Security
Pick numbers that reliably move when you do the right work:
Unknown → known apps: percentage of traffic tied to inventoried apps.
SSO coverage: % of high-risk apps with enforced SSO + MFA.
OAuth sprawl: number of high-privilege tokens; % reduced quarter-over-quarter.
Offboarding SLA: median time from HR event to all SaaS access revoked.
Evidence freshness: % of control evidence updated within 30 days.
Incident clarity time: time from alert to “who/what/which app” is fully identified.
Correlate these with external risk indicators—the DBIR’s emphasis on credential misuse and web-app abuse can justify SSO/MFA mandates and tighter OAuth scopes. (Verizon)
A one-page checklist you can copy
Run a discovery sweep (IdP, email, logs, finance) → build a single, deduped inventory.
Tag owners, data sensitivity, auth method, framework scope (SOC 2/ISO/HIPAA/GDPR).
Enforce SSO+MFA on high-risk apps; document exceptions with deadlines.
Inventory OAuth grants; right-size scopes; revoke idle tokens >90 days.
Automate offboarding from HR events; include API/service accounts.
Capture continuous evidence for access reviews and offboarding SLAs.
Publish a “New App” quick-start for employees; promise fast approvals.
Review metrics monthly; share wins and lessons learned.
Where Waldo fits (and why teams pick us)
You can build all of this yourself—or you can use Waldo and get there faster with fewer moving parts.
Instant visibility: Map sanctioned and unsanctioned SaaS (including genAI tools) in minutes with SaaS Discovery.
Govern identities & scopes: See every user, service account, and OAuth grant in one place, with opinionated guidance to right-size permissions.
Automated offboarding & drift control: Trigger full-stack removals from HR changes and keep long-tail tools in check—not just the big suites.
Compliance made boring (in a good way): Exportable, framework-aligned evidence and reports from our SaaS Compliance Overview.
Time back to teams: Less chasing, more building.
Bottom line: the threats are real, but so are the wins. When you can see every app, right-size access, and remove it just as easily, you shrink both the attack surface and the audit stress. Start by turning unknowns into knowns—everything else gets easier.
Sources & further reading
Verizon 2025 Data Breach Investigations Report — web app attacks and stolen credentials remain leading patterns. (Verizon)
IBM Cost of a Data Breach 2025 — global average cost $4.4M; insights on the “AI oversight gap.” (IBM)
BetterCloud 2025 State of SaaS — average org uses ~106 SaaS apps; consolidation trend. (BetterCloud)
Netskope Cloud & Threat Report (GenAI 2025) — average org uses nearly six genAI apps; top quartile uses 13+. (Netskope)
CISA Cloud Security Technical Reference Architecture — practical guidance for cloud and SaaS governance and zero-trust alignment. (CISA)