Last updated on July 23, 2025

Solving Insider Risk in the Age of SaaS and AI

Farah Iyer

At Obsidian, we often talk about how the SaaS model has introduced new security risks and flipped the security playbook on its head. Attackers aren’t “hacking in” anymore — they’re logging in with credentials. 

But what about insiders? The people who already have authorized access, such as employees, contractors, vendors, or even former employees who still retain access?

Insider threats aren’t some edge-case scenario. They’re real, evolving, and increasingly difficult to detect in a world where SaaS and AI tools are everywhere.

The root of this problem lies in the architectural shift: these platforms no longer live in data centers controlled by the business. Instead, they’re running in distributed environments owned by third parties, which strips away the traditional security boundaries that once helped determine whether activity was normal or suspicious. 

Without full control of the infrastructure, it’s incredibly difficult to determine what’s normal, risky, or outright malicious. It’s even harder to do so when insiders are using valid credentials and sanctioned tools to carry out their activity. 

As companies double down on SaaS and adopt AI at scale, the surface area for insider risk is expanding fast. And this risk isn’t limited to highly regulated industries like financial services and healthcare. Any business that relies on SaaS or AI tools is exposed. Data is now distributed across sprawling networks of employees, contractors, vendors, and service accounts — all with varying levels of access, often unmanaged or over-privileged.

Unlike traditional breaches that originate from outside, insider incidents come from within, often using valid credentials and going undetected for far too long.

Rippling vs Deel: 2025’s Most Talked About Case of SaaS Insider Threat

One of the most talked-about insider risk incidents of 2025 involved Rippling accusing a Dublin-based employee of spying for Deel. The insider allegedly accessed and exfiltrated more than 6,000 internal files, including customer conversations and competitive intelligence. According to Rippling, the activity was uncovered through Slack monitoring and unusual search behavior.

Some reports suggest a honeypot Slack channel may have played a role, but that detail hasn’t been confirmed. What is clear: the insider operated undetected for months inside a highly digitized, cloud-native company. This case highlights how insider risk plays out in modern SaaS environments, where real-time collaboration can mask malicious activity.

(It’s worth noting: Deel has denied the allegations and filed a countersuit, accusing Rippling of similar tactics. The case remains unresolved. Regardless of the outcome, the incident highlights a broader issue: insider threats are real, active, and uniquely challenging in SaaS environments.)

How SaaS’s Open Access Model Fuels Insider Risk

SaaS is built for speed and open collaboration, but that openness comes at a cost. Over-permissioned users, sprawling integrations, and rarely revoked access leave organizations dangerously exposed. This risk is especially high in SaaS-native businesses and industries like financial services and healthcare, where broad, cross-functional access is often necessary but poorly governed.

Insiders, whether acting unintentionally or with malicious intent, can access your most sensitive data:

Access in SaaS environments tends to accumulate over time as employees shift roles and integrations multiply. Without identity-centric security, it’s difficult to monitor access and enforce least privilege effectively. And it’s not just users. Service accounts and automated tools often hold excessive permissions with little oversight.

As JPMorgan Chase CISO Patrick Opet outlined in his public letter, this shift isn’t just operational. It’s architectural. “SaaS models are fundamentally reshaping how companies integrate services and data, a subtle yet profound shift eroding decades of carefully architected security boundaries.” In the past, security frameworks enforced strict segmentation between internal systems and the external world using layered access controls, protocol termination, and logical isolation. But in today’s SaaS model, that segmentation breaks down. Modern identity protocols like OAuth enable direct, often unmonitored connections between third-party tools and core internal resources.

This breakdown of traditional boundaries, combined with broad, persistent access, creates the perfect storm for insider risk. And it’s a challenge traditional security tools weren’t designed to address.

How AI Supercharges Insider Risk: Lower Barriers, Bigger Blasts

AI and autonomous workflows are rapidly increasing insider risks, even if large-scale AI-driven breaches are not yet in the headlines. Today, anyone, regardless of technical skill, can cause serious damage by simply prompting AI to do the heavy lifting:

At the same time, organizations face the challenge of defining and enforcing policies around what data is appropriate to include in AI prompts. No CISO wants to get in the way of productivity or be seen as a blocker for the business, yet without clear guidance, employees risk feeding sensitive data into AI models inappropriately, opening new avenues for data leakage.

How to Manage Insider Risk in SaaS

In a SaaS-first world where identity is the new perimeter, insider risk spans employees, contractors, service accounts, AI agents, and automated workflows. To ensure continuous identity governance, security teams need to ask:

If the answer to any of these questions is no—or uncertain—it may be time to rethink your insider risk strategy. Legacy tools fall short in SaaS-first environments. What’s needed is continuous identity and access governance, purpose-built for the complexity of modern collaboration.

How Obsidian Can Help

With Obsidian, you gain SaaS-native, identity-centric security built to help you quickly and effectively manage insider risk. Our platform:

Want to learn more? Get in touch with us today.
