The Growth of Shadow IT in 2025: Waldo Security’s Mid-Year Report
- Martin Snyder 

Teams keep shipping; governance keeps guessing. Shadow IT isn’t a rebellion—it’s the default state of modern work. Waldo Security gives you the truth map first: we discover every SaaS app, tenant, account, and OAuth grant in minutes, flag SSO/MFA bypasses and risky consents, and export audit-ready evidence your auditors will actually accept. Get reality now with Instant SaaS Discovery, then keep clean proof flowing via the SaaS Compliance Overview.
Mid-Year Scorecard (Q1–Q2 2025)
1) App counts crossed the psychological 100 mark—everywhere
Okta’s latest Businesses at Work shows the global average finally broke 101 apps per company. If your catalog lists 30–40, you’re operating from a partial map. (Okta)
2) Credential paths still drive incidents
In the 2025 Verizon DBIR, about 88% of Basic Web Application Attacks involved stolen credentials—a stark reminder that “supports SSO” isn’t the same as “enforces SSO on every path.” (Verizon)
3) GenAI adoption = identity multiplication
Netskope’s January 2025 report shows the average org uses 9.6 genAI apps, with the top quartile using 24+. These often run via personal accounts or extensions—outside your IdP. (Netskope)
4) Breach economics reward speed
IBM’s 2025 study continues to peg breach costs in the multi-million range, with lower losses tied to faster identification and containment—i.e., live inventory + streaming SaaS logs, not screenshot marathons. (IBM)
Three Blind Spots Driving 80% of the Surprises
A) Traffic without identity (unknown services)
Egress shows active SaaS domains; your IdP shows zero sign-ins. This is where trial tenants, personal workspaces, and browser plug-ins live. CISA’s Cloud Security TRA says the sequence is inventory → least privilege → logging; if you skip step one, the rest is theater. (CISA)
B) Persistent OAuth access (offline_access)
One consent can mint refresh tokens that outlive a password change. In Microsoft Entra, you can limit end-user consent to verified publishers and selected permissions so high-privilege or tenant-wide scopes require admin approval. Do it. (Microsoft Learn)
C) Ungoverned third-party access in Google Workspace
If App access control isn’t set, users can authorize risky scopes to third-party apps that never pass through centralized review. Allowlist by scope; block the rest. (Google Help)
What Changed Since January (and why it matters)
- From sprawl to sprawl-with-AI. You already had >100 apps; now dozens of genAI tools layer on top, often as extensions. That’s more identities, more tokens, and more places for data to flow. (Netskope) 
- Framework expectations hardened. Agencies continue to emphasize the TRA playbook—visibility first. Auditors are increasingly asking for continuous evidence instead of point-in-time screenshots. (CISA) 
- Vendors nudged defaults. Entra’s “verified publishers + selected permissions” model is now the recommended baseline; ignoring it effectively opts you into durable token risk. (Microsoft Learn) 
Field Notes From 10,000+ Discoveries (Patterns we keep seeing)
- Duplicate tenants with local passwords—pilots that quietly became production. 
- Password paths into “SSO-only” apps via legacy endpoints or personal emails (DBIR’s favorite failure mode). (Verizon) 
- World-readable links in sensitive spaces—public URLs acting like anonymous identities. 
- External guests accumulating editor/admin roles with no internal owner. 
- Spend without sign-ins—card charges revealing services completely outside your IdP. 
The 30-Minute Mid-Year Health Check (copy/paste)
1) Find apps with traffic but no identity
-- Domains in the SaaS catalog that show up in egress traffic but never in IdP sign-ins
SELECT domain
FROM proxy_logs
WHERE domain IN (SELECT domain FROM known_saas)
EXCEPT
SELECT domain FROM idp_signins;
Outcome: top 10 unknown services to pull under SSO or retire. (TRA: inventory before posture.) (CISA)
2) Catch password logins to SSO-catalog apps
-- Users reaching an app in the SSO catalog via a password rather than the IdP
SELECT user, app
FROM idp_signins
WHERE app IN (SELECT app FROM sso_catalog)
  AND auth_method = 'password';
Outcome: enforce SSO/MFA; close legacy endpoints. (DBIR shows this closes the most abused door.) (Verizon)
3) List durable & privileged OAuth grants
-- Grants that combine refresh-token capability (offline_access) with write/privileged scopes.
-- ILIKE and ~* are PostgreSQL; ~* is case-insensitive so Mail.Send / Files.ReadWrite.All still match.
SELECT app, user, scopes
FROM oauth_grants
WHERE scopes ILIKE '%offline_access%'
  AND scopes ~* '(ReadWrite|mail.send|files.*write)';
Outcome: revoke or down-scope; in Entra, restrict end-user consent to verified publishers + selected permissions and require admin approval for the rest. (Microsoft Learn)
4) Fence Google third-party access
Review App access control; block unapproved apps touching Drive/Gmail and allowlist only by needed scopes. (Google Help)
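As an added, runnable version of checks 1–3 above (example code, not Waldo's tooling), this loads constructed sample tables into in-memory SQLite and runs the same queries; the table and column names are assumptions taken from the checklist, and a regexp() function is registered because SQLite has no built-in regex operator.

```python
import re
import sqlite3

# Constructed sample data standing in for the tables named in the checklist.
PROXY_LOGS = [("alice", "notion.so"), ("bob", "trello.com"),
              ("carol", "slack.com"), ("dave", "chatgpt.com")]
KNOWN_SAAS = ["notion.so", "trello.com", "slack.com", "chatgpt.com", "box.com"]
IDP_SIGNINS = [  # (user, app, domain, auth_method)
    ("alice", "Notion", "notion.so", "sso"),
    ("bob", "Trello", "trello.com", "password"),
    ("carol", "Slack", "slack.com", "sso"),
]
SSO_CATALOG = ["Notion", "Trello", "Slack"]
OAUTH_GRANTS = [  # (app, user, scopes)
    ("MailMerge Pro", "bob", "openid offline_access Mail.Send"),
    ("Calendar Sync", "alice", "openid offline_access Calendars.Read"),
    ("Drive Backup", "dave", "openid Files.ReadWrite.All"),
]

def load_db():
    conn = sqlite3.connect(":memory:")
    # SQLite calls regexp(pattern, value) for "value REGEXP pattern".
    conn.create_function("regexp", 2, lambda pat, s: 1 if re.search(pat, s or "") else 0)
    conn.executescript("""
        CREATE TABLE proxy_logs(user TEXT, domain TEXT);
        CREATE TABLE known_saas(domain TEXT);
        CREATE TABLE idp_signins(user TEXT, app TEXT, domain TEXT, auth_method TEXT);
        CREATE TABLE sso_catalog(app TEXT);
        CREATE TABLE oauth_grants(app TEXT, user TEXT, scopes TEXT);""")
    conn.executemany("INSERT INTO proxy_logs VALUES (?,?)", PROXY_LOGS)
    conn.executemany("INSERT INTO known_saas VALUES (?)", [(d,) for d in KNOWN_SAAS])
    conn.executemany("INSERT INTO idp_signins VALUES (?,?,?,?)", IDP_SIGNINS)
    conn.executemany("INSERT INTO sso_catalog VALUES (?)", [(a,) for a in SSO_CATALOG])
    conn.executemany("INSERT INTO oauth_grants VALUES (?,?,?)", OAUTH_GRANTS)
    return conn

def traffic_without_identity(conn):
    """Check 1: known SaaS domains seen in egress but never in IdP sign-ins."""
    return sorted(r[0] for r in conn.execute("""
        SELECT domain FROM proxy_logs WHERE domain IN (SELECT domain FROM known_saas)
        EXCEPT SELECT domain FROM idp_signins"""))

def password_logins_to_sso_apps(conn):
    """Check 2: password auth into apps that are supposed to be SSO-only."""
    return sorted(conn.execute("""
        SELECT user, app FROM idp_signins
        WHERE app IN (SELECT app FROM sso_catalog) AND auth_method = 'password'"""))

def durable_privileged_grants(conn):
    """Check 3: offline_access combined with write/privileged scopes (case-insensitive)."""
    return sorted(conn.execute("""
        SELECT app, user, scopes FROM oauth_grants WHERE scopes LIKE '%offline_access%'
          AND scopes REGEXP '(?i)(ReadWrite|mail.send|files.*write)'"""))
```

With the constructed data, check 1 surfaces chatgpt.com (traffic, no IdP identity), check 2 surfaces bob's password login to Trello, and check 3 surfaces the MailMerge Pro grant while ignoring the read-only offline grant and the write grant without offline_access.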
What Good Looks Like by September
- Unknown → Known: +10 points in the % of SaaS usage tied to inventoried apps/tenants. 
- SSO reality: Password logins to SSO-catalog apps trending down double digits (DBIR alignment). (Verizon) 
- OAuth health: Fewer grants combining offline_access with write/tenant-wide scopes; new requests flow through verified-publisher + selected-permission rules. (Microsoft Learn) 
- Evidence freshness: Monthly packet with SSO coverage, admin changes, OAuth diffs, offboarding timestamps, and link/guest exceptions—directly tied to faster detection/containment and lower breach cost. (IBM) 
If you want the no-glue version
You can wire the joins and exports yourself—or let Waldo do it. We correlate identity, collaboration, network, and OAuth data; flag SSO bypasses and risky consents; bulk-revoke the worst offenders; and export proof in one click. Start the second half of 2025 with a real map via Instant SaaS Discovery and keep auditors, customers, and your board confident with SaaS Compliance Overview.
Sources: Okta Businesses at Work 2025 (101 apps avg); Verizon DBIR 2025 (88% credential use in Basic Web App Attacks); Netskope Cloud & Threat Report 2025 (9.6 genAI apps); IBM Cost of a Data Breach 2025 (cost + containment); CISA Cloud Security TRA (inventory → least privilege → logging); Microsoft Entra consent settings; Google Workspace App access control. (Okta)