Why Most SSPM Tools Fail at the “Unknown Unknowns”
- Martin Snyder
- 2 days ago
- 4 min read

Short version: Posture tools can’t secure what they can’t see. The riskiest gaps live in apps and identities you don’t even know exist—duplicate tenants, “Sign in with …” OAuth clients, public links, AI plug-ins, and guest accounts that never touch your IdP. Waldo Security finds them first: we discover every SaaS app, tenant, account, and OAuth grant in minutes, flag SSO/MFA bypasses and risky tokens, and export audit-ready evidence your auditors will actually accept. Start with Instant SaaS Discovery and make proof painless with the SaaS Compliance Overview.
A 3-minute reality check (self-assessment)
1) Can you list all SaaS services your people use—tenants, plug-ins, and OAuth apps included?
If not, your SSPM is grading only the apps it knows about. CISA’s Cloud Security Technical Reference Architecture says the order is inventory → least privilege → logging; miss step one and the rest is theater. (CISA)
2) Do “SSO-only” apps still accept passwords or personal logins?
The Verizon DBIR 2025 again shows stolen credentials drive basic web-app breaches; anything outside enforced SSO/MFA is low-hanging fruit. (Verizon)
3) Who’s governing consent?
End-user OAuth clicks can grant broad scopes and offline_access refresh tokens (access persists after password resets). Microsoft’s Entra guidance: limit user consent to verified publishers and selected permissions; route the rest to admins. (Microsoft Learn)
4) Shadow AI usage?
Netskope’s 2025 data shows orgs use ~9.6 genAI apps on average—and track 317+ distinct genAI apps across customers. Those identities often sit outside your IdP. (Netskope)
If any answer is “not sure,” you’ve got “unknown unknowns.”
Case File: The Grant That Lived Too Long
A team tests a doc-automation app via “Sign in with …”. It asks for files.readwrite and offline_access. Weeks later the engineer leaves, HR disables the user, and… the sync continues. Why? The refresh token keeps minting new access tokens. Identity didn’t fail—the SaaS layer did, because consent wasn’t governed and tokens weren’t revoked. (Microsoft documents exactly how to restrict user consent and manage approvals.) (Microsoft Learn)
The Unknown-Unknowns Pattern (and why classic SSPM misses it)
1) Catalog bias
Traditional SSPM integrates with a short list of “known” suites. Shadow tenants, personal accounts, and OAuth apps never make the catalog, so posture checks never run. TRA’s sequencing explains the blind spot: without a living inventory, “posture” is partial. (CISA)
2) Identity ≠ enforcement
“Supports SSO” is not “enforces SSO.” Password fallbacks and guest/personal routes remain—exactly the routes attackers pick. DBIR’s credential stats keep proving it. (Verizon)
3) Persistence by design
OAuth + offline_access creates durable access; password changes don’t help. Only consent policy + grant revocation fix it. (See Microsoft’s Configure user consent and Manage consent requests.) (Microsoft Learn)
4) AI multiplies identities
Browser assistants, model plug-ins, and AI SaaS show up first in egress logs, not IdP logs. Your SSPM won’t flag what it can’t see. Netskope’s adoption curves make this trend clear. (Netskope)
Cost kicker: Faster identification/containment lowers breach cost; IBM’s 2025 study pegs the global average at about $4.44M and ties reductions to quicker discovery—impossible if half your estate is invisible. (IBM)
Detection Recipes (paste into your SIEM/warehouse)
1) Apps with traffic but no SSO
Sources: Proxy/DNS ⟂ IdP sign-ins
Query: WHERE domain IN known_saas AND NOT EXISTS(idp_signin[domain])
Why: services used entirely outside enterprise identity.
2) Password logins to SSO-catalog apps
Sources: IdP sign-ins
Query: WHERE app IN sso_catalog AND auth_method='password'
Why: turns up unmanaged identities in “managed” apps. (DBIR reality.) (Verizon)
3) Persistent & privileged OAuth
Sources: OAuth exports
Query: WHERE scopes ILIKE '%offline_access%' AND scopes ~ '(ReadWrite|mail.send|files.*write)'
Why: durable write access; require verified publisher + admin approval. (Microsoft Learn)
4) GenAI not tied to enterprise identity
Sources: Proxy ⟂ IdP
Query: WHERE domain IN genai_list AND NOT EXISTS(idp_signin[user])
Why: maps shadow AI identities. (Netskope adoption.) (Netskope)
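The four recipes above, rewritten as runnable SQL over constructed sample tables so the anti-join logic can be checked before it is pasted into a real warehouse. This is an added example, not Waldo’s code; the table and column names, the sample rows, and the SQLite stand-ins for ILIKE and the regex alternation are assumptions.

```python
import sqlite3

# Constructed sample telemetry (not real data): proxy/DNS hits, IdP sign-ins, OAuth grants
# and the reference lists the recipes need. Table and column names are assumptions.
PROXY = [("alice", "docs-automation.example"), ("bob", "chatbot-ai.example"), ("carol", "crm.example")]
IDP_SIGNINS = [("alice", "crm.example", "sso"), ("bob", "crm.example", "password"), ("carol", "crm.example", "sso")]
OAUTH_GRANTS = [("alice", "DocBot", "files.readwrite offline_access"), ("carol", "Viewer", "files.read")]
LISTS = {"known_saas": ["docs-automation.example", "crm.example", "chatbot-ai.example"],
         "sso_catalog": ["crm.example"], "genai_list": ["chatbot-ai.example"]}

def build_db():
    """Load the sample data into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE proxy(user TEXT, domain TEXT);
        CREATE TABLE idp_signin(user TEXT, app TEXT, auth_method TEXT);
        CREATE TABLE oauth_grant(user TEXT, client TEXT, scopes TEXT);
        CREATE TABLE known_saas(domain TEXT); CREATE TABLE sso_catalog(app TEXT);
        CREATE TABLE genai_list(domain TEXT);""")
    db.executemany("INSERT INTO proxy VALUES (?,?)", PROXY)
    db.executemany("INSERT INTO idp_signin VALUES (?,?,?)", IDP_SIGNINS)
    db.executemany("INSERT INTO oauth_grant VALUES (?,?,?)", OAUTH_GRANTS)
    for table, values in LISTS.items():
        db.executemany(f"INSERT INTO {table} VALUES (?)", [(v,) for v in values])
    return db

# The four recipes as real SQL. SQLite's LIKE is case-insensitive, so it stands in for
# ILIKE, and the regex alternation (ReadWrite|mail.send|files.*write) becomes three LIKEs.
RECIPES = {
    "apps_with_traffic_but_no_sso": """
        SELECT DISTINCT domain FROM proxy p WHERE domain IN (SELECT domain FROM known_saas)
          AND NOT EXISTS (SELECT 1 FROM idp_signin i WHERE i.app = p.domain)""",
    "password_logins_to_sso_apps": """
        SELECT user, app FROM idp_signin
        WHERE app IN (SELECT app FROM sso_catalog) AND auth_method = 'password'""",
    "persistent_privileged_oauth": """
        SELECT user, client FROM oauth_grant WHERE scopes LIKE '%offline_access%'
          AND (scopes LIKE '%readwrite%' OR scopes LIKE '%mail.send%' OR scopes LIKE '%files.%write%')""",
    "genai_outside_enterprise_identity": """
        SELECT DISTINCT user, domain FROM proxy p WHERE domain IN (SELECT domain FROM genai_list)
          AND NOT EXISTS (SELECT 1 FROM idp_signin i WHERE i.user = p.user AND i.app = p.domain)""",
}

def run_recipes(db=None):
    """Run every recipe; return {recipe_name: sorted list of matching rows}."""
    db = db or build_db()
    return {name: sorted(db.execute(sql).fetchall()) for name, sql in RECIPES.items()}
```

On the sample data the first recipe surfaces the doc-automation app and the GenAI domain, the second catches bob’s password login to the SSO-catalog app, the third flags alice’s offline_access + files.readwrite grant, and the fourth ties the GenAI domain to a user with no IdP sign-in for it.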
The Playbook Waldo Automates (Find → Fix → Prove)
FIND (inventory that lives):
Correlate IdP sign-ins, email/collab logs, DNS/proxy, browser extensions, and spend into a deduped list of apps, tenants, accounts, and OAuth grants. Tag auth method (SSO vs local), admin count, scopes, last use, and data sensitivity. (Directly aligned to the CISA TRA foundation.) (CISA)
FIX (least privilege in the SaaS layer):
Enforce SSO/MFA on high-impact apps; alert on password paths. (DBIR.) (Verizon)
Consent guardrails: Entra user-consent set to verified publishers + selected permissions; admin approval for write/tenant-wide scopes; bulk-revoke idle offline_access grants. (Microsoft Learn)
Egress controls: Default-deny public links in sensitive areas; expire guest elevations; watch AI/extension domains. (Netskope.) (Netskope)
PROVE (continuous evidence):
Monthly packet with SSO coverage, admin changes, OAuth diffs, offboarding timestamps, public-link exceptions—not screenshots. (Faster identification/containment tracks to lower cost—IBM.) (IBM)
Waldo bakes this in: discovery across identity + network + OAuth, one-click revocations, and exportable artifacts in the SaaS Compliance Overview.
KPIs that tell you the unseen is shrinking
Unknown → Known: % of traffic/spend tied to inventoried apps
SSO coverage: % of high-risk apps enforcing SSO/MFA
OAuth health: # of high-privilege grants with offline_access (trend ↓)
Guest hygiene: externals with admin/export roles (trend ↓)
Evidence freshness: % of artifacts updated in the last 30 days
Bottom line
Most SSPM fails at “unknown unknowns” because it starts at step two—posture without a map. Build the living inventory first, apply SaaS-layer least privilege, and prove it continuously. If you want the fast lane, get the truth map with Instant SaaS Discovery and ship proof on demand via the SaaS Compliance Overview.