The Most Dangerous Apps in Your Environment Aren’t Sanctioned

Sanctioned SaaS apps get reviewed. Shadow apps don’t. That’s why the most dangerous applications in your environment are often the ones IT never approved.


You’re Securing the Wrong Applications

Security teams spend enormous effort reviewing sanctioned SaaS platforms:

  • Vendor questionnaires

  • Compliance reviews

  • SSO enforcement

  • MFA requirements

  • Access policies


Those applications are documented, assessed, and monitored.

The problem is not the apps you reviewed.

It’s the ones you didn’t.


Unknown Does Not Mean Low Risk

There is a dangerous assumption in many organizations:

“If it’s not approved, it must not matter.”

But in modern SaaS environments, apps do not need approval to gain access.

They need identity.

An employee signs up with a corporate email.

An OAuth grant connects the app to Google Drive.

An AI assistant syncs with Microsoft 365.

A contractor provisions a separate cloud tenant.

No procurement process is required.

According to Waldo Security’s 2025 SaaS & Cloud Discovery Report:

  • 97% of SaaS applications are unknown to IT

  • 100% of organizations have unauthorized cloud accounts

  • Less than 1% of SaaS accounts enforce MFA


If nearly all SaaS applications are unknown, then most of your attack surface is unsanctioned.


Sanctioned Apps Get Guardrails. Shadow Apps Don’t.

Approved SaaS platforms typically have:

  • SSO enforced

  • MFA required

  • Defined owners

  • Audit logging enabled

  • Periodic access reviews


Shadow apps often have:

  • Local credentials

  • Personal email logins

  • Broad OAuth scopes

  • No owner

  • No lifecycle governance


CISA’s Secure Cloud Business Applications (SCuBA) guidance highlights how delegated OAuth permissions create persistent access paths that bypass centralized controls: https://www.cisa.gov/secure-cloud-business-applications-scuba


Unreviewed apps frequently have the broadest access and the weakest enforcement.

That combination defines high risk.


AI Makes Shadow Apps Even More Dangerous

Almost every modern SaaS platform now leverages AI:

  • Content summarization

  • Predictive analytics

  • Automated decision support

  • AI copilots

  • Model-assisted workflows


If you are concerned about AI in your organization, understanding which SaaS platforms are operating inside your environment is critical.


Shadow apps may:

  • Analyze sensitive internal documents

  • Process customer information

  • Retain data for model improvement

  • Use AI features enabled by default


Without visibility into SaaS usage, you cannot evaluate AI exposure.

AI governance begins with SaaS discovery.


Attackers Prefer the Apps You Ignore

Attackers do not target the systems you hardened.

They look for:

  • Accounts without MFA

  • OAuth tokens with persistent access

  • SaaS platforms outside monitoring

  • Shadow cloud tenants

  • Admin accounts with no oversight


The CISA Zero Trust Maturity Model emphasizes continuous evaluation of identity and access — not just perimeter security: https://www.cisa.gov/zero-trust-maturity-model

Shadow apps are attractive because:

  • They are less monitored

  • Logging is inconsistent

  • Access reviews are absent

  • Ownership is unclear

They are soft targets inside a hardened environment.


Compliance Doesn’t Care If It Was Approved

Frameworks such as the NIST Privacy Framework and ISO/IEC 27001 emphasize accountability across all systems processing data, not only the ones that went through procurement.


If a Shadow SaaS platform processes regulated or sensitive data, the compliance obligation still applies.

Approval status does not reduce exposure.

Visibility determines control.


Why This Gap Keeps Growing

SaaS adoption is frictionless.

Employees:

  • Experiment with AI tools

  • Connect automation platforms

  • Sign up for niche productivity apps

  • Integrate services with OAuth

Because nearly every SaaS service now leverages AI, the speed of adoption is accelerating.

Shadow SaaS is not rebellion.

It is convenience.

And convenience outpaces governance.


The Real Question Isn’t “Is It Approved?”

The real questions are:

  • What data can it access?

  • How does it authenticate?

  • Does it enforce MFA?

  • Does it leverage AI to process content?

  • Can access be revoked centrally?

These are identity questions.

Not procurement questions.
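The guardrail comparison above and these identity questions can be turned into a repeatable triage of SaaS discovery output. The following Python is an added example, not Waldo Security’s code: the discovery records and the scoring weights are constructed for illustration, and only the Google OAuth scope URIs are real.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Google Workspace OAuth scopes that grant read or write access to ALL of a
# user's data (real scope URIs; treating them as "broad" is this example's call).
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive",           # read/write every Drive file
    "https://www.googleapis.com/auth/drive.readonly",  # read every Drive file
    "https://mail.google.com/",                        # full Gmail access
}
@dataclass
class DiscoveredApp:
    name: str
    auth: str                    # "sso", "oauth" or "local" (app-managed password)
    mfa: bool
    owner: Optional[str]         # accountable owner, or None
    scopes: Tuple[str, ...] = ()
    refresh_token: bool = False  # offline grant: access persists after the session ends
    ai_processing: bool = False  # vendor runs AI features over the content it can reach

def assess(app: DiscoveredApp) -> Tuple[str, List[str]]:
    """Answer the identity questions for one app; weights are this example's assumption."""
    reasons, score = [], 0
    if app.auth == "local":
        reasons.append("local credentials bypass SSO"); score += 2
    if not app.mfa:
        reasons.append("no MFA"); score += 2
    broad = sorted(s for s in app.scopes if s in BROAD_SCOPES)
    if broad:
        reasons.append("broad OAuth scopes: " + ", ".join(broad)); score += 2
    if app.refresh_token:
        reasons.append("persistent OAuth access (refresh token)"); score += 1
    if app.owner is None:
        reasons.append("no owner: nobody reviews or revokes access"); score += 1
    if app.ai_processing and (broad or app.auth == "local"):
        reasons.append("AI processing of data the app can reach"); score += 1
    level = "high" if score >= 5 else "medium" if score >= 3 else "low"
    return level, reasons

# Constructed discovery records, not real inventory data.
INVENTORY = [
    DiscoveredApp("corp-hr-suite", "sso", True, "hr-it@example.com"),
    DiscoveredApp("ai-notes-helper", "oauth", False, None,
                  ("https://www.googleapis.com/auth/drive", "openid"), True, True),
    DiscoveredApp("team-diagram-tool", "local", False, "design@example.com",
                  ("https://www.googleapis.com/auth/drive.file",)),
]

def triage(inventory=INVENTORY) -> dict:
    return {a.name: assess(a)[0] for a in inventory}
```

Note that the sanctioned SSO app scores low with no findings, while the unowned AI assistant holding a full-Drive refresh token is the high-risk item even though it never touched procurement.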


How Waldo Security Helps Surface the Real Risk

Waldo Security’s SaaS & Cloud Discovery Engine enables organizations to:

  • Discover known and unknown SaaS applications

  • Surface OAuth and delegated access

  • Identify non-SSO identities

  • Detect Shadow CSP environments

  • Classify AI-enabled SaaS exposure

  • Map findings to compliance frameworks


Because almost every SaaS platform now integrates AI, understanding your SaaS landscape is inseparable from understanding your AI risk.

The most dangerous apps are rarely the ones you reviewed.

They are the ones you never saw.


Conclusion: Visibility Is the Real Control

Sanctioned apps are not the problem.

Unknown apps are.

If identity touches it, it exists.

If it processes data, it matters.

If it leverages AI, it amplifies exposure.

The most dangerous apps in your environment are not the ones in your vendor list.

They are the ones outside it.


Learn how organizations are uncovering Shadow SaaS and AI-related exposure in the 2025 SaaS & Cloud Discovery Report: https://www.waldosecurity.com/2025-saas-and-cloud-discovery-report


About Waldo Security

Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By illuminating unmanaged identities, OAuth risk, Shadow IT, and AI-enabled SaaS exposure, Waldo enables security teams to defend the identity perimeter with continuous visibility and evidence.
