Unmanaged Identity Sprawl by Department: A Breakdown
Martin Snyder, Oct 22

You can’t govern what you don’t see. In most companies, each department quietly multiplies identities and services far beyond what IT or GRC expects. Waldo Security gives you the ground truth—we discover every SaaS app, tenant, account, and OAuth grant in minutes, flag SSO/MFA gaps and risky tokens, and export audit-ready evidence your auditors actually accept. Start with Instant SaaS Discovery, then turn findings into clean proof with the SaaS Compliance Overview.
Why identity sprawl is worse than you think (fast context)
The average company now runs ~101 apps—the first time the global average crossed 100. Your spreadsheet inventory is already behind. (Okta)
Credentials remain the easiest way in: about 88% of Basic Web App Attacks involved stolen creds in the latest DBIR. Enforced SSO/MFA coverage matters more than ever. (Verizon)
GenAI use is mainstream: the average org uses ~9.6 genAI apps, with top quartile using 24+. Many ride on personal identities and browser add-ons. (Netskope)
The Departmental Scorecards (what goes unmanaged, how to spot it, what to fix)
1) Engineering / Product
What goes unmanaged
Personal GitHub/GitLab identities, long-lived PATs/SSH keys, side tenants for CI/CD, API dashboards.
OAuth apps with broad write scopes (files.readwrite*) and offline_access that persist after a password reset.
How to spot it
Compare repo/CI users to IdP; flag PAT/SSH not tied to SSO. GitHub requires explicit SSO authorization for PATs/SSH—use it and report exceptions. (GitHub Docs)
What to fix
Enforce SSO/MFA on code and pipeline systems; rotate tokens; require verified publisher + selected permissions for dev OAuth apps (Microsoft Entra). (Microsoft Learn)
2) Sales / Marketing (GTM)
What goes unmanaged
Trial CRM instances, webinar tools, adtech connectors, AI writing assistants using personal emails.
How to spot it
Proxy/DNS vs. IdP diff: domains with traffic but no IdP sign-ins. Your “catalog” won’t list half of these tools.
What to fix
Enforce SSO on systems touching customer data; restrict end-user consent to verified publishers and only the permissions you select (Entra policy). (Microsoft Learn)
3) Finance
What goes unmanaged
Expense and billing portals with local passwords, one-off vendor dashboards from POCs that became production.
How to spot it
Spend without sign-ins: join card/expense data to IdP events; any charge with zero enterprise logins is shadow SaaS.
What to fix
Put finance apps behind enforced SSO/MFA; inventory and revoke old OAuth grants with persistent tokens (offline_access). (Microsoft Learn)
4) HR / People Ops
What goes unmanaged
Recruiting/job-board accounts on personal emails, onboarding tools outside SSO, doc-automation add-ons with org-wide Drive access.
How to spot it
Pull OAuth grants from your suites; search for high-privilege scopes (e.g., Drive read/write + offline_access). Google Admin’s App access control lets you limit or block by scope. (Google Help)
What to fix
Scope-limit or block unverified apps; ensure automated offboarding removes app grants and refresh tokens, not just passwords.
5) Legal / Compliance
What goes unmanaged
E-signature and contract plug-ins authorized via user consent, cross-tenant guest access left with editor roles, public links in “legal-hold” areas.
How to spot it
Monthly “public link” and “guest with admin/export” reports; flag any legal workspace with world-readable links.
What to fix
Default-deny public links in sensitive spaces; time-box guest elevations; route high-privilege consents for admin approval (Entra consent workflow). (Microsoft Learn)
6) Data / Analytics
What goes unmanaged
BI connectors installed by analysts, personal cloud DB accounts, schedule-based data movers with durable OAuth tokens.
How to spot it
Inventory scheduled jobs and their app identities; compare to IdP; anything issuing tokens without enterprise sign-ins is unmanaged.
What to fix
Replace local service credentials with IdP-bound service principals; re-authorize connectors with least-privilege scopes.
7) Everyone (thanks, AI)
What goes unmanaged
GenAI/chat apps and browser extensions that scrape tickets, chats, code, or documents—often under personal accounts.
How to spot it
Track genAI domains in egress and bind usage to enterprise identities; Netskope shows orgs already average ~9.6 genAI apps. (Netskope)
What to fix
Allowlist trusted genAI vendors; educate with in-line coaching; require SSO where possible and disable copy-out in sensitive spaces.
Copy-paste detections (adapt to your SIEM/warehouse)
Apps with traffic but no enterprise identity
SELECT DISTINCT domain FROM proxy_logs WHERE domain IN (SELECT domain FROM known_saas) EXCEPT SELECT domain FROM idp_signins;
Password paths to SSO-catalog apps (DBIR’s favorite failure)
SELECT user, app FROM idp_signins WHERE app IN (SELECT app FROM sso_catalog) AND auth_method = 'password'; (Verizon)
Persistent & privileged OAuth
SELECT app, user, scopes FROM oauth_grants WHERE scopes ILIKE '%offline_access%' AND scopes ~* '(ReadWrite|mail\.send|files\..*write)';
Next step: require verified publishers and selected permissions; admin-approve write/tenant-wide scopes. (Microsoft Learn)
PAT/SSH not SSO-authorized (engineering)
Use GitHub’s SSO-authorization status for PATs/SSH; alert where missing. (GitHub Docs)
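The three SQL detections above, together with the high-privilege OAuth scope search from the HR scorecard, run end to end in this added example (not code from the post or from Waldo): it loads constructed sample tables into an in-memory SQLite database, emulates the Postgres-only ILIKE and ~ operators, and returns each set of findings. Table and column names are assumptions that mirror the queries above; user is renamed username because it is a reserved word in many dialects.

```python
import re
import sqlite3
# Constructed sample rows (not from the post); tables mirror the ones the detections
# assume. "user" is renamed "username" since it is reserved in many SQL dialects.
SAMPLE = {
    "proxy_logs(domain)": [("app.hubspot.com",), ("webinar-tool.example",), ("github.com",), ("cdn.example",)],
    "known_saas(domain)": [("app.hubspot.com",), ("webinar-tool.example",), ("github.com",)],
    "idp_signins(username, domain, app, auth_method)": [
        ("alice", "app.hubspot.com", "HubSpot", "sso"),
        ("bob", "github.com", "GitHub", "password"),
        ("carol", "app.hubspot.com", "HubSpot", "password")],
    "sso_catalog(app)": [("HubSpot",), ("GitHub",)],
    "oauth_grants(app, username, scopes)": [
        ("DocBot", "dave", "User.Read offline_access Files.ReadWrite.All"),
        ("MailMerge", "erin", "Mail.Send offline_access"),
        ("CalView", "frank", "Calendars.Read offline_access"),  # persistent but read-only
        ("Cleaner", "grace", "Files.ReadWrite")],               # write scope but no refresh token
}

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    # sqlite lacks ILIKE and ~: LIKE is already case-insensitive for ASCII, and REGEXP
    # is routed to this user function, which sqlite calls as regexp(pattern, value).
    conn.create_function("regexp", 2, lambda pat, val: re.search(pat, val or "", re.IGNORECASE) is not None)
    for table, rows in SAMPLE.items():
        conn.execute(f"CREATE TABLE {table}")
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table.split('(')[0]} VALUES ({marks})", rows)
    return conn

def shadow_saas(conn):
    """Known SaaS domains with egress traffic but no enterprise (IdP) sign-in."""
    return [r[0] for r in conn.execute("""
        SELECT DISTINCT domain FROM proxy_logs WHERE domain IN (SELECT domain FROM known_saas)
        EXCEPT SELECT domain FROM idp_signins""")]

def password_paths(conn):
    """Users reaching SSO-catalog apps with a local password instead of SSO."""
    return conn.execute("""
        SELECT username, app FROM idp_signins
        WHERE app IN (SELECT app FROM sso_catalog) AND auth_method = 'password'
        ORDER BY username""").fetchall()

def persistent_privileged_grants(conn):
    """OAuth grants that both persist (offline_access) and carry write scopes."""
    return conn.execute(r"""
        SELECT app, username, scopes FROM oauth_grants
        WHERE scopes LIKE '%offline_access%'
          AND scopes REGEXP '(ReadWrite|mail\.send|files\.\S*write)'
        ORDER BY app""").fetchall()
```

Point the same three functions at exports of your real proxy, IdP and OAuth-grant tables and the only change needed is the loader.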
What “under control” looks like (cross-department)
Living inventory: apps, tenants, accounts, OAuth clients; owners, data class, SSO/MFA status, admin count, risky scopes. (Okta’s >100-app reality makes this non-negotiable.) (Okta)
Identity guardrails: SSO/MFA enforced on high-impact apps; password paths alerted; PAT/SSH tied to SSO. (GitHub Docs)
Consent policy: users can consent only to verified publishers and selected permissions; admin approval for write/tenant-wide scopes. (Microsoft Learn)
Suite controls: Google App access control set to limit/block risky apps by scope. (Google Help)
Continuous evidence: monthly export of SSO coverage, admin changes, OAuth diffs, offboarding timestamps, public-link/guest exceptions.
Waldo automates the loop—discover everything, fix SSO/consent/token gaps, and prove it with one-click exports in the SaaS Compliance Overview.
Bottom line
Identity sprawl isn’t one problem—it’s seven departmental problems that look different but rhyme. Solve them by governing usage: multi-signal discovery, enforced SSO/MFA, consent guardrails, token hygiene, and continuous evidence. Kick it off by seeing your real estate with Instant SaaS Discovery—and keep every department honest with exports from SaaS Compliance Overview.