
The Identity Supply Chain Nobody Is Securing

Third-party apps, OAuth integrations, and service accounts form an invisible identity supply chain. Most organizations don’t inventory it — and attackers know it.



We Secured the Software Supply Chain. Then We Stopped.

After years of breaches traced to vulnerable dependencies, organizations learned to scrutinize their software supply chain. Packages are scanned. Builds are signed. Dependencies are tracked.

But while attention shifted left, a new supply chain quietly expanded — one almost no one is securing:

the identity supply chain.

It’s not made of libraries or containers. It’s made of access.

What the Identity Supply Chain Actually Is

The identity supply chain is every external or indirect way access is granted to your systems and data, including:

  • OAuth applications and delegated permissions

  • SaaS-to-SaaS integrations

  • Service accounts and API keys

  • Contractors, agencies, and partners

  • AI assistants and automation tools


None of these look like “users.” All of them can act like insiders.

And most of them are invisible to traditional IAM reviews.


Why This Supply Chain Is So Hard to See

Identity governance tooling grew up around the employee lifecycle: joiner, mover, leaver, each step keyed to an HR record. Modern environments grant much of their access to parties that never pass through that lifecycle at all.


According to Waldo Security’s 2025 SaaS & Cloud Discovery Report:

  • 97% of SaaS applications are unknown to IT

  • 1% of SaaS apps use OAuth, with <0.2% requesting high-risk scopes

  • 100% of organizations have unauthorized cloud accounts


Every unknown app and integration represents a supplier in your identity chain — one granting access without centralized oversight.


OAuth Is the New Trusted Vendor

OAuth is often framed as a convenience feature. In reality, it is a supplier relationship: the application becomes a party that acts on the user’s behalf, with the user’s permissions, whether or not the user is still around.


When a user clicks “Allow,” they are granting:

  • Persistent access: if the app asked for offline_access (the OpenID Connect scope that yields a refresh token), it can mint fresh access tokens indefinitely without the user being present

  • Often broad scopes: “read and write your mail” or “all files you have access to” is routinely accepted because the consent prompt is designed to be clicked through

  • No expiration by default: the grant is not tied to a project, a contract, or a renewal date; it lasts until someone revokes it or the refresh token lapses through long inactivity

  • No further MFA: the user’s MFA was satisfied once, at consent; every later token refresh is app-to-API and prompts nobody


CISA’s Secure Cloud Business Applications (SCuBA) baselines address this at the source: the Microsoft 365 baseline directs that only administrators be allowed to register applications and to consent to them, with an admin consent workflow so that user requests are reviewed rather than self-approved. The reason is the one above: a consent grant is a long-lived access path that is easy to create and easy to forget, and nothing in routine monitoring flags an app quietly using a token it was legitimately given. One caveat for anyone counting on offboarding to clean this up: a delegated grant rides on the consenting user’s refresh tokens and should die when that account is disabled and its sessions revoked, but application permissions consented to by an administrator are tied to no user at all and outlive everyone. https://www.cisa.gov/secure-cloud-business-applications-scuba


Once granted, that access becomes infrastructure — rarely revisited, rarely revoked.
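A concrete check for the tenant-side setting SCuBA is talking about, added here as an example; it is not from the article and not Waldo Security’s code. It reads the defaultUserRolePermissions block of a Microsoft Entra authorizationPolicy export (the shape Microsoft Graph returns) and reports whether ordinary users can create this kind of supplier relationship on their own, and whether they can register apps of their own. The two sample documents are constructed; the policy-ID strings and the contents of Microsoft’s low-impact scope set are stated as I know them and should be treated as an assumption to verify against your own export.

```python
"""Evaluate whether a tenant lets ordinary users grant OAuth consent unreviewed.

Added example, not part of the original article and not Waldo Security's code.
Document shape follows Microsoft Graph's authorizationPolicy resource
(defaultUserRolePermissions.permissionGrantPoliciesAssigned, allowedToCreateApps).
Sample documents are constructed; the policy-ID constants are an assumption to
check against your own tenant export.
"""
from __future__ import annotations

# Built-in Entra permission-grant policies that can be assigned to the default user role.
# Assumption: IDs as used by Entra; verify against GET /policies/authorizationPolicy.
CONSENT_ALL = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"  # any app, any delegated scope
CONSENT_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"  # verified publisher, low-impact scopes
SELF_CONSENT_PREFIX = "ManagePermissionGrantsForSelf."

# Constructed sample exports: the permissive default and a hardened tenant.
WEAK_POLICY = {
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssigned": [CONSENT_ALL],
    },
}
HARDENED_POLICY = {
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": False,
        "permissionGrantPoliciesAssigned": [],
    },
}


def evaluate_user_consent(policy: dict, admin_consent_workflow_enabled: bool) -> dict:
    """Return the consent posture plus (severity, message) findings.

    admin_consent_workflow_enabled mirrors adminConsentRequestPolicy.isEnabled,
    which lives in a separate Graph resource and is therefore passed in.
    """
    perms = policy.get("defaultUserRolePermissions", {})
    assigned = [
        p for p in perms.get("permissionGrantPoliciesAssigned", [])
        if p.startswith(SELF_CONSENT_PREFIX)
    ]
    findings: list[tuple[str, str]] = []

    if CONSENT_ALL in assigned:
        posture = "unrestricted"
        findings.append(("high", "Any user can consent to any application requesting any "
                                 "delegated scope; each click on Allow is an unreviewed grant."))
    elif assigned:
        posture = "limited"
        if CONSENT_LOW_RISK in assigned:
            findings.append(("medium", "Users may self-consent to Microsoft's low-impact scope set "
                                       "for verified publishers; that set includes offline_access, "
                                       "i.e. refresh-token persistence."))
        for custom in (p for p in assigned if p != CONSENT_LOW_RISK):
            findings.append(("info", f"Custom consent policy {custom}: review its conditions manually."))
    else:
        posture = "admin_only"

    if posture == "admin_only" and not admin_consent_workflow_enabled:
        findings.append(("medium", "User consent is blocked but no admin consent workflow exists; "
                                   "users who cannot request access tend to sign up outside the IdP."))
    if perms.get("allowedToCreateApps", False):
        findings.append(("high", "Any user may register applications; each registration is "
                                 "another credential-bearing identity outside review."))
    return {"posture": posture, "findings": findings}


if __name__ == "__main__":
    for name, doc, workflow in (("weak", WEAK_POLICY, False), ("hardened", HARDENED_POLICY, True)):
        result = evaluate_user_consent(doc, workflow)
        print(f"{name}: posture={result['posture']}")
        for severity, message in result["findings"]:
            print(f"  [{severity}] {message}")
```

Against the weak document the posture comes back “unrestricted” with two high-severity findings; against the hardened one with an admin consent workflow it comes back “admin_only” with nothing to report. The one hardening step that backfires is blocking consent without a request workflow: users who cannot ask for access sign up with a local account outside the IdP instead, which is exactly the pattern the partner section describes.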


The Partner and Agency Blind Spot

Marketing agencies. Payroll processors. Consultants. Temporary developers.


These identities often:

  • Use local SaaS accounts

  • Authenticate outside your IdP

  • Persist after contracts end

  • Access sensitive systems indirectly


They don’t appear in employee lifecycle workflows — but they’re part of your operational fabric.


If identity is the new perimeter, partners are part of the wall.


Compliance Already Assumes This Is a Risk

Modern frameworks don’t distinguish between “direct” and “delegated” access; a grant to an application is an access right like any other.

ISO/IEC 27001 (whose Annex A covers both access rights and supplier relationships) and the NIST Privacy Framework both expect:

  • Accountability for all access paths

  • Traceability across systems

  • Evidence of revocation


If you can’t enumerate OAuth apps, service accounts, and third-party identities, you can’t demonstrate control.


Auditors don’t care how access was granted — only that it exists.


Why Identity Supply Chain Attacks Work

Attackers don’t need to break authentication when they can inherit it.

Compromise a third-party app and you hold every token its users granted it. Abuse an over-privileged OAuth token and the API treats you as the consenting user. Reuse a forgotten service account and nothing notices, because that account was never expected to log in interactively.

These paths never traverse the controls the perimeter model relies on:

  • Firewalls: the request goes from the third party’s cloud to your SaaS tenant’s API over TLS and never enters your network

  • VPNs: the token authenticates an application, not a device, so there is no tunnel to demand

  • Endpoint security: none of your endpoints take part in the request at all


The CISA Zero Trust Maturity Model addresses this directly: trust must be continuously verified — including for applications and integrations, not just users. https://www.cisa.gov/zero-trust-maturity-model


What Securing the Identity Supply Chain Requires

This isn’t solved by tighter password policies.

It requires:

  1. Discovery — enumerate every identity, token, and integration

  2. Classification — understand scope, data reach, and ownership

  3. Governance — enforce least privilege and expiration

  4. Continuous review — identity supply chains change daily
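The four steps as working code, added here as an example; it is not from the article and not Waldo Security’s product. It takes a constructed inventory of OAuth grants whose field names follow a Microsoft Graph oauth2PermissionGrant export (clientId, consentType, principalId, scope), classifies each grant by scope risk and refresh-token persistence, checks it against the IdP’s active users and the sanctioned-app list, and decides revoke, review or keep. The displayName and lastUsed fields, the scope risk table, the 90-day staleness window and the sanctioned list are assumptions you would replace with your own data and policy.

```python
"""Inventory OAuth grants, classify them, and name revocation candidates.

Added example, not part of the original article and not Waldo Security's code.
Records are constructed; their field names follow a Microsoft Graph
oauth2PermissionGrant export (clientId, consentType, principalId, scope), with
displayName and lastUsed joined in from elsewhere as an assumption. The scope
risk table, the 90-day staleness window and the sanctioned-app list are policy
choices you would replace with your own.
"""
from __future__ import annotations

from datetime import date, timedelta

# Scope risk table (assumption: tune to your data classification). Names are Graph delegated permissions.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Sites.ReadWrite.All", "Directory.ReadWrite.All"}
MEDIUM_RISK_SCOPES = {"Mail.Read", "Files.Read.All", "Contacts.Read", "User.Read.All"}
PERSISTENCE_SCOPE = "offline_access"  # yields a refresh token: access continues without the user present
STALE_AFTER = timedelta(days=90)

# Constructed inventory inputs.
ACTIVE_USERS = {"u-alice", "u-bob"}   # from the IdP; u-carol has been offboarded
SANCTIONED_APPS = {"app-crm"}         # what procurement and security actually approved
GRANTS = [
    {"clientId": "app-crm", "displayName": "Sales CRM", "consentType": "Principal",
     "principalId": "u-alice", "scope": "openid profile User.Read offline_access Contacts.Read",
     "lastUsed": "2025-06-01"},
    {"clientId": "app-mailsync", "displayName": "Inbox Summarizer", "consentType": "Principal",
     "principalId": "u-carol", "scope": "Mail.ReadWrite Mail.Send offline_access",
     "lastUsed": "2025-01-15"},
    {"clientId": "app-agency", "displayName": "Agency Uploader", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Files.ReadWrite.All offline_access", "lastUsed": None},
    {"clientId": "app-bot", "displayName": "Legacy Bot", "consentType": "Principal",
     "principalId": "u-bob", "scope": "User.Read", "lastUsed": "2024-11-02"},
]


def classify_scopes(scope: str) -> tuple[str, bool]:
    """Map a space-separated scope string to (risk level, has refresh-token persistence)."""
    scopes = set(scope.split())
    if scopes & HIGH_RISK_SCOPES:
        level = "high"
    elif scopes & MEDIUM_RISK_SCOPES:
        level = "medium"
    else:
        level = "low"
    return level, PERSISTENCE_SCOPE in scopes


def audit_grants(grants: list[dict], active_users: set[str],
                 sanctioned_apps: set[str], today: date) -> list[dict]:
    """Discovery -> classification -> governance decision for each grant, highest risk first."""
    report = []
    for g in grants:
        risk, persistent = classify_scopes(g["scope"])
        flags = []
        if g["clientId"] not in sanctioned_apps:
            flags.append("unsanctioned_app")
        if g["consentType"] == "AllPrincipals":
            flags.append("tenant_wide_admin_consent")   # tied to no user; survives every offboarding
        elif g["principalId"] not in active_users:
            flags.append("orphaned_grant")              # consenting user is gone, the grant is not
        if persistent:
            flags.append("refresh_token_persistence")
        if g["lastUsed"] is None:
            flags.append("never_used")
        elif today - date.fromisoformat(g["lastUsed"]) > STALE_AFTER:
            flags.append("stale")

        if "orphaned_grant" in flags or (risk == "high" and {"stale", "never_used"} & set(flags)):
            action = "revoke"
        elif risk == "high" or "unsanctioned_app" in flags or "tenant_wide_admin_consent" in flags:
            action = "review"
        else:
            action = "keep"
        report.append({"clientId": g["clientId"], "displayName": g["displayName"],
                       "risk": risk, "flags": flags, "action": action})
    order = {"high": 0, "medium": 1, "low": 2}
    report.sort(key=lambda r: order[r["risk"]])  # stable sort keeps input order within a level
    return report


if __name__ == "__main__":
    for row in audit_grants(GRANTS, ACTIVE_USERS, SANCTIONED_APPS, date(2025, 7, 1)):
        print(f"{row['action']:6} {row['risk']:6} {row['displayName']:18} {', '.join(row['flags'])}")
```

Two of the four grants come out as revoke: the Inbox Summarizer because its consenting user was offboarded and the grant was not, and the Agency Uploader because it is a tenant-wide admin consent with a write-all scope that nothing has ever used. Neither would surface in a review that only walks user accounts, which is the point of putting discovery first.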


Security teams that skip step one end up governing a fraction of reality.


How Waldo Security Fits

Waldo Security’s SaaS & Cloud Discovery Engine focuses on the identity supply chain most tools miss by:

  • Discovering all SaaS and Shadow CSP accounts

  • Surfacing OAuth apps and delegated access

  • Mapping non-human identities and service connections

  • Providing continuous visibility for audits and Zero Trust programs


It doesn’t replace IAM — it gives IAM the map it’s been missing.


Conclusion: Trust Is Now Transitive

In modern environments, trust flows.

From users to apps. From apps to other apps. From vendors to your data.

If you don’t understand your identity supply chain, you don’t understand who you’re trusting.

And if identity is the new perimeter, the weakest supplier defines its strength.


👉 See how organizations are uncovering and securing their identity supply chain in the 2025 SaaS & Cloud Discovery Report.


About Waldo Security

Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By illuminating OAuth risk, third-party access, and unmanaged identities, Waldo enables security teams to defend the identity perimeter that actually exists.

