In recent months, we've seen a significant shift in how major organizations approach SaaS security. This isn't just another cybersecurity trend—it's a fundamental recognition that the traditional security paradigm is failing to address modern threats.
The recent open letter to suppliers from JP Morgan’s CISO marks a watershed moment in enterprise security. The financial giant's CISO, Patrick Opet, didn't mince words, leveling these calls for change:
This concern isn't theoretical. Mandiant’s 2025 M-Trends report confirms what many defenders feel: SaaS is where business happens, and where attackers follow. In the report, Mandiant analysts note that almost every frontline engagement in 2024 contained a cloud or SaaS component, and that attackers increasingly pull sensitive files straight from SaaS storage and collaboration tools, bypassing outdated network exfiltration controls.
Data from the 2025 Data Breach Investigations Report (DBIR) from Verizon underscores these trends, finding:
The messages conveyed by these perspectives couldn't be clearer: understanding and securing your SaaS attack surface isn't just another checkbox on your security to-do list—it's becoming as fundamental as having a disaster recovery plan.
The complexity of modern SaaS environments is staggering. Organizations typically maintain twice as many SaaS applications as they have employees, with 90% of these apps adopted by teams and individuals outside of IT oversight. Each employee averages 35 SaaS accounts and creates 70 OAuth grants—11 of which are considered high risk (providing access to critical data such as email or files).
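As an added illustration, not code from the original post or from any of the cited reports, the following Python script shows how an OAuth grant inventory could be triaged against the "email or files" criterion above. The grant records, app names and user addresses are constructed; the scope strings are real Google Workspace and Microsoft Graph scope names, but the tier assignments are an assumed policy, and the approved-app list is a placeholder for whatever an organization actually sanctions.

```python
"""Triage an OAuth grant inventory by scope risk (added example, not vendor code).

Assumed policy: a grant is 'high' risk if any of its scopes reads or writes
mailbox or file contents, 'medium' if it reaches calendar, contacts or the
directory, and 'low' otherwise (sign-in only scopes such as openid/profile).
"""
from collections import Counter

# Real Google Workspace and Microsoft Graph scope identifiers; the grouping
# into tiers is this example's assumption, not a vendor standard.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
}
MEDIUM_RISK_SCOPES = {
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/contacts.readonly",
    "Calendars.Read", "Contacts.Read", "User.Read.All",
}


def risk_tier(scopes):
    """Return 'high', 'medium' or 'low' based on the most sensitive scope held."""
    scope_set = set(scopes)
    if scope_set & HIGH_RISK_SCOPES:
        return "high"
    if scope_set & MEDIUM_RISK_SCOPES:
        return "medium"
    return "low"


def summarize_grants(grants):
    """Count grants per tier and map each user to the apps holding high-risk grants."""
    tiers = Counter()
    high_risk_by_user = {}
    for grant in grants:
        tier = risk_tier(grant["scopes"])
        tiers[tier] += 1
        if tier == "high":
            high_risk_by_user.setdefault(grant["user"], []).append(grant["app"])
    return tiers, high_risk_by_user


def unsanctioned_high_risk(grants, approved_apps):
    """High-risk grants to apps outside the approved list: the shadow-SaaS cases
    a governance workflow would surface to the user and the app owner."""
    return [
        (g["user"], g["app"])
        for g in grants
        if risk_tier(g["scopes"]) == "high" and g["app"] not in approved_apps
    ]


# Constructed sample inventory: users, app names and grants are made up.
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "app": "SummarizerBot",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly", "openid", "email"]},
    {"user": "alice@example.com", "app": "SchedulerApp",
     "scopes": ["https://www.googleapis.com/auth/calendar", "openid"]},
    {"user": "bob@example.com", "app": "DocSearch",
     "scopes": ["Files.Read.All", "User.Read"]},
    {"user": "bob@example.com", "app": "LoginOnly",
     "scopes": ["openid", "profile", "email"]},
    {"user": "carol@example.com", "app": "ContactSync",
     "scopes": ["Contacts.Read"]},
]

# Placeholder approved list; a real deployment would pull this from its app catalog.
APPROVED_APPS = {"DocSearch", "SchedulerApp"}

if __name__ == "__main__":
    tiers, flagged = summarize_grants(SAMPLE_GRANTS)
    print("grants per tier:", dict(tiers))
    for user, apps in flagged.items():
        print(f"{user}: high-risk grants to {', '.join(apps)}")
    for user, app in unsanctioned_high_risk(SAMPLE_GRANTS, APPROVED_APPS):
        print(f"review needed: {user} granted mailbox/file access to unapproved app {app}")
```

Running this against a real export (Google Workspace token reports or Entra ID service principal assignments) would replace `SAMPLE_GRANTS`; the point of the example is that the tiering is driven by scope, not by whether the app is "known", so the same logic catches a risky grant to a brand-new GenAI tool as readily as one to an established vendor.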
This expansion isn't slowing down. The surge in AI tools alone has brought exponential growth, expanding from 75 to over 1,000 distinct apps in use in just two years. GenAI is now the most diverse category of apps that we track—even outstripping marketing tools. Each new application represents another potential source of identity risk, data security risk, and third-party risk.
Network-based technology governance and security approaches lose effectiveness as organizations' technology stacks and workforces become more decentralized and dynamic, creating ideal conditions for shadow SaaS to flourish. Often the goal is to separate the “good” internet from the “bad” internet, leading to a never-ending game of whack-a-mole. Organizations that practice this approach often look back at their policy and find as many exceptions as rules, creating a mess as they try to encode their technology policy in URL-filtering rules.
The common practice of making simple allow/block decisions fails to address the complex needs of modern business operations, and can often push use of unmanaged apps further into the shadows. In fact, a research study we conducted in collaboration with behavioral psychologists at Duke University showed that 67% of employees would look for workarounds when blocked from using a desired app. Research from Gartner substantiates this outcome, showing that 69% of employees will bypass blocking controls.
Ultimately, legacy approaches have failed to adapt to the new reality that employees are increasingly making daily, independent decisions about the technology they use—creating what we call the "Workforce Edge."
What if—rather than clinging to outdated approaches bent on centrally controlling all tech decisions—organizations could instead meet their employees where they are? What if organizations could tap into the Workforce Edge to regain visibility, automatically guide employees toward better technology decisions, and address risk and sprawl continuously?
The solution isn't more restrictive controls—it's smarter governance. Organizations need to:
The future of SaaS security lies not in building higher walls, but in creating smarter pathways that provide users secure choices while maintaining the agility that modern business demands.
As we move forward, organizations must recognize that SaaS security isn't just an IT problem—it's a business imperative. The goal isn't to prevent innovation but to enable it securely. By delivering the right guidance at the right time, organizations can maintain security while empowering employees to leverage the tools they need to drive business forward.