Last updated on September 23, 2025

AI Agents Are Rewriting SaaS Security. Are You Ready?

Sophie Zhu

If cyberattackers are good at anything, it’s chasing opportunity. And right now, the biggest opportunity is SaaS. SaaS has been the bullseye for years now, largely for two reasons. 

First, it defies traditional security boundaries. It’s off-prem, accessible from everywhere, and stitched together with integrations that make lateral movement a breeze. The very traits that make it indispensable for businesses also make it irresistible for attackers.

Second, despite being mission critical (try running a day without Salesforce or Google Workspace), most organizations are still slow to secure it. That lag has opened the floodgates and attackers have pounced on the opportunity. 

You don’t have to scroll too far back to see proof of this. The ShinyHunters threat group (UNC6040) has been on a months-long rampage, breaching Salesforce tenants of industry giants like Google, Air France, Adidas, LVMH, and Allianz Life. Their playbook combined old-school voice phishing with malicious OAuth ‘connected apps’, snagging tokens that granted API access and enabled mass exfiltration of CRM data. The haul? Customer records—names, emails, phone numbers, account notes, even loyalty program details. While core systems weren’t directly compromised, the sheer scale of exposed customer and business data is staggering. 

And just last month, the UNC6395 threat group seemed to have discovered an even more impactful kind of attack: they went straight for the SaaS supply chain. Instead of going after one Salesforce account at a time, they focused on Salesloft—a SaaS vendor themselves—hitting a chatbot integration to pivot into its customer base. And the blast radius was massive, with 1.5 billion records stolen (including "Account", "Contact", "Case", "Opportunity", and "User" Salesforce object tables). That one compromised chatbot integration cascaded into unauthorized access across Salesforce and more downstream into Google Workspace, Slack, Amazon S3, and Azure. In a matter of days, the compromise snowballed into the largest breach of 2025, impacting more than 700 organizations and counting. This is the brutal efficiency of SaaS supply chain attacks: compromise one integration, and you don’t just breach a company—you breach an ecosystem.


After ShinyHunters’ initial breach, vendors like Salesforce were quick to clarify that the platforms aren’t inherently vulnerable, pointing instead to the shared responsibility model: they secure the infrastructure, but customers must secure their users, access and data. Yet too many organizations cling to a false sense of security that the vendors “have it covered”. That blind spot is exactly what attackers are exploiting. 

Now layer in the rise of AI agents, where autonomous agents act across SaaS apps, chaining workflows and touching sensitive data at scale. We’re not just facing more attacks; we’re facing a new class of risk. And that’s why securing SaaS has never mattered more than it does right now.  

From Chatbots to Autonomous Actors – The Rise of AI Agents 

We’re all familiar with Generative AI. After the introduction of ChatGPT, Gemini, Copilot, and Claude, among others, it felt like we all got a supercharged brainstorming buddy that was available 24/7. You asked, it answered. The simplicity was jaw-dropping. Need a report, meeting summaries, or even a witty email? Done. Fast. Impressive. 

But it stopped there. GenAI can “think”, but it can’t act.

Enter the AI agent. It’s more than a smarter chatbot: it’s your autonomous copilot with the ability to do. Where GenAI was the brain, Agentic AI adds the arms and legs that turn thought into action.

AI agents can navigate workflows, orchestrate data and execute tasks while you focus on higher-value decisions. Platforms like Microsoft Copilot Studio or n8n are showing us just how far this shift can go. We're no longer talking about tools that respond; we're talking about systems that perceive, reason and act on their own.

Here's the difference in action:

The pattern is clear: AI agents don’t create any value in a vacuum. They need context. SaaS delivers that. Every meaningful workflow runs through SaaS apps like Salesforce, Workday, M365, GitHub, and ServiceNow, which hold business-critical data like customer records, deals, financials, engineering tickets, code repos, and more. AI agents don’t just dip into these systems, they depend on them.

That’s where things get more complicated. The very traits that make AI agents a business game-changer also make them a security powder keg. Just like SaaS, the upside and downside come bundled together. And that brings us to the uncomfortable truth…

With Great Power Comes Great Risk

AI agents don't just speed up work, they rewrite the scale of it. Tasks that once required teams, context-switching, and days of effort now happen end-to-end in seconds. That’s the draw for business. But it’s also the danger. Because when agents act at machine speed, with broad default permissions, and without the same safeguards we apply to human users, the risks don’t just add up, they multiply. One weak link can ripple across an entire SaaS ecosystem in ways no human-driven attack ever could.

Over the last few months, we’ve partnered with many of our customers to deploy AI agent security controls over their SaaS environment. The insights have been eye-opening and in some cases, downright staggering. 

Agents move 16x more data than human users

Agents don’t just act faster, they operate at an entirely different order of magnitude. Running nonstop and chaining tasks across multiple SaaS apps, they push unprecedented amounts of data through enterprise systems.

In one case, a single Glean agent downloaded over 16 million files while every other user and app combined accounted for just one million.

The very integrations that make agents powerful are also what make them risky: they connect across multiple SaaS platforms, moving massive volumes of sensitive data at warp speed.  

Agents are routinely over-permissioned by 10x

Most SaaS platforms default to “read all files” when only a single folder is needed. It’s faster for users – no tedious least-privilege setup and manual configuration required. But it’s a disaster for security.

AI agents often inherit those same excessive privileges, which means they end up with way more access than they require. The result? They can see and touch far more data and systems than their function actually demands.

For attackers, it’s a jackpot. Compromise just one agent, and sensitive records, files, and applications – troves of data – can all be exposed in one fell swoop! 
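One way to check for both findings above (outsized data movement and over-permissioning) from an export of granted scopes and audit events. This is an added example, not code from the original post or from Obsidian's product; the scope names, identities, audit tuple layout and the 10x threshold are constructed assumptions.

```python
import posixpath
from collections import defaultdict

# Constructed sample data: hypothetical identities and scope names.
GRANTS = {
    "agent-helpdesk": {"files.read.all", "files.write.all", "crm.read", "mail.send"},
    "agent-search": {"files.read.all"},
    "alice@example.com": {"files.read.folder", "crm.read"},
}
# Audit events: (identity, scope exercised, resource path, files touched)
AUDIT = [
    ("agent-helpdesk", "files.read.all", "/support/kb/reset.md", 40),
    ("agent-helpdesk", "files.read.all", "/support/kb/vpn.md", 25),
    ("agent-helpdesk", "crm.read", "/crm/cases/1001", 5),
    ("agent-search", "files.read.all", "/finance/q3.xlsx", 900),
    ("agent-search", "files.read.all", "/hr/reviews.docx", 700),
    ("alice@example.com", "files.read.folder", "/sales/deck.pptx", 20),
    ("alice@example.com", "crm.read", "/crm/accounts/7", 10),
]

def unused_scopes(grants, audit):
    """Scopes an identity holds but never exercised in the audit window."""
    used = defaultdict(set)
    for ident, scope, _path, _n in audit:
        used[ident].add(scope)
    return {i: g - used[i] for i, g in grants.items() if g - used[i]}

def narrowable(grants, audit, broad_suffix=".all"):
    """Tenant-wide scopes whose observed accesses all sit under one folder."""
    paths = defaultdict(list)
    for ident, scope, path, _n in audit:
        if scope.endswith(broad_suffix) and scope in grants.get(ident, ()):
            paths[(ident, scope)].append(path)
    # A common prefix of "/" means the access really was tenant-wide.
    found = {k: posixpath.commonpath(p) for k, p in paths.items()}
    return {k: v for k, v in found.items() if v != "/"}

def volume_outliers(audit, ratio=10):
    """Identities that moved >= ratio times what all others moved combined."""
    totals = defaultdict(int)
    for ident, _scope, _path, n in audit:
        totals[ident] += n
    grand = sum(totals.values())
    return sorted(i for i, t in totals.items() if t >= ratio * (grand - t))
```

Unused scopes are candidates for revocation, narrowable scopes for replacement with a folder-level grant, and volume outliers for review against the agent's stated purpose.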

And on top of that, AI agents are spreading by the thousands, with zero oversight. Every organization is now on its AI journey. Some are just experimenting, others are automating workflows within specific business units, and many are sharing these agents for use at scale across the enterprise. We’ve seen super-powered agents that are created with no password requirements. Agents are spinning up unchecked, moving massive volumes of data, and operating with excessive permissions. The result is a gaping security hole – an attack surface that’s expanding at speed and capable of creating a blast radius unlike anything we’ve seen before.

Those risks might not be as severe if access to agents were airtight—MFA, passwords, biometrics if you’re really serious. But in reality, that’s rarely the case. That means that if anyone stumbles on the URL, whether it's a well-meaning intern, a negligent insider or, worst of all, an attacker, then they’ve got access to things like your Salesforce tables and a list of all your customers. No brute force required. 

The Salesloft incident offered a glimpse of what a SaaS supply chain compromise looks like. AI agents, wired into countless downstream applications and datasets, can trigger the same kind of domino effect, only faster and at far greater scale. It's a chilling preview of what's possible if these risks aren't addressed head-on.

So, the question becomes what can you do about it? At Obsidian, we've been building the answer, delivering SaaS AI agent security that makes it possible for you to embrace AI agent adoption at scale without sacrificing control or confidence. 


Closing the SaaS AI Agent Security Blind Spot 

While AI agents are new, SaaS isn’t. And that’s where Obsidian has always led. From day one, we’ve focused on the security of SaaS applications. Everything that touches SaaS. The integrations that connect them, the workflows they drive, the data inside these apps. Because if you don’t understand SaaS deeply, you can’t hope to secure the AI agents that run inside them. 

That’s why we’re excited to launch our AI agent security solution, the first of its kind and purpose-built to give enterprises visibility and control over how agents operate across SaaS.

And here’s what makes our solution different from anything else in the market:

Here’s what this looks like in practice:

Unmatched Visibility and Access Cleanup

Security starts with visibility, and by shining a light on every agent and connection, you build the foundation for effective control. With Obsidian, you can instantly inventory every AI agent, including its privileges, SaaS connections, and actions, so you can spot shadow agents, eliminate excessive or risky access and enable full lifecycle oversight. 

Continuous Observability and Compliance

Trace every agent’s access across SaaS and link it to the data touched, with correlated audit trails that tie entitlements directly to actions. This continuous monitoring ensures nothing operates in the dark, giving security teams the clarity they need to track every agent’s paths down to specific executions. 

Prevent Misuse and Privilege Escalation

Detect and block agents attempting to exploit trust chains, misuse access, or escalate privileges. Since AI agents sit high in the supply chain, one compromised agent can impact many downstream applications. Stop these issues at the source, before they ripple through ecosystems. 

In short, Obsidian is the ONLY solution built to secure your SaaS applications from rogue AI agents. While other tools can still try to bolt on coverage, we started with SaaS and that’s why we can protect what others can’t. 

Let Us Prove it to You 

We know – we’re making a bold claim. And in a market where every vendor is slapping “AI” on their pitch, it’s easy to dismiss this as more AI-washing. But here’s the difference. Securing SaaS has been our mission from the start and AI agents run through SaaS. We’ve done the hard work, we have the playbook and we’re ready to prove it. 
