At Obsidian, we often talk about how the SaaS model has introduced new security risks and flipped the security playbook on its head. Attackers aren’t “hacking in” anymore — they’re logging in with credentials.
But what about insiders: the people who already have authorized access, such as employees, contractors, vendors, or even former employees who still retain it?
Insider threats aren’t some edge-case scenario. They’re real, evolving, and increasingly difficult to detect in a world where SaaS and AI tools are everywhere.
The root of this problem lies in the architectural shift: these platforms no longer live in data centers controlled by the business. Instead, they’re running in distributed environments owned by third parties, which strips away the traditional security boundaries that once helped determine whether activity was normal or suspicious.
Without full control of the infrastructure, it’s incredibly difficult to determine what’s normal, risky, or outright malicious. It’s even harder to do so when insiders are using valid credentials and sanctioned tools to carry out their activity.
As companies double down on SaaS and adopt AI at scale, the surface area for insider risk is expanding fast. And this risk isn’t limited to highly regulated industries like financial services and healthcare. Any business that relies on SaaS or AI tools is exposed. Data is now distributed across sprawling networks of employees, contractors, vendors, and service accounts — all with varying levels of access, often unmanaged or over-privileged.
Unlike traditional breaches that originate from outside, insider incidents come from within, often using valid credentials and going undetected for far too long.
Rippling vs Deel: 2025’s Most Talked-About Case of SaaS Insider Threat
One of the most talked-about insider risk incidents of 2025 involved Rippling accusing a Dublin-based employee of spying for Deel. The insider allegedly accessed and exfiltrated more than 6,000 internal files, including customer conversations and competitive intelligence. According to Rippling, the activity was uncovered through Slack monitoring and unusual search behavior.
Some reports suggest a honeypot Slack channel may have played a role, but that detail hasn’t been confirmed. What is clear: the insider operated undetected for months inside a highly digitized, cloud-native company. This case highlights how insider risk plays out in modern SaaS environments, where real-time collaboration can mask malicious activity.
(It’s worth noting: Deel has denied the allegations and filed a countersuit, accusing Rippling of similar tactics. The case remains unresolved. Regardless of the outcome, the incident highlights a broader issue: insider threats are real, active, and uniquely challenging in SaaS environments.)
How SaaS’s Open Access Model Fuels Insider Risk
SaaS is built for speed and open collaboration, but that openness comes at a cost. Over-permissioned users, sprawling integrations, and rarely revoked access leave organizations dangerously exposed. This risk is especially high in SaaS-native businesses and industries like financial services and healthcare, where broad, cross-functional access is often necessary but poorly governed.
Insiders, whether acting unintentionally or with malicious intent, can access your most sensitive data:
- Customer and employee records like PII, payment info, and HR files
- Corporate strategy and financials including M&A plans, sales pipelines, and pricing models
- Proprietary systems and data such as source code, AI training sets, and product roadmaps
Access in SaaS environments tends to accumulate over time as employees shift roles and integrations multiply. Without identity-centric security, it’s difficult to monitor access and enforce least privilege effectively. And it’s not just users. Service accounts and automated tools often hold excessive permissions with little oversight.
As JPMorgan Chase CISO Patrick Opet outlined in his public letter, this shift isn’t just operational. It’s architectural. “SaaS models are fundamentally reshaping how companies integrate services and data, a subtle yet profound shift eroding decades of carefully architected security boundaries.” In the past, security frameworks enforced strict segmentation between internal systems and the external world using layered access controls, protocol termination, and logical isolation. In today’s SaaS model, that segmentation breaks down: modern identity protocols like OAuth enable direct, often unmonitored connections between third-party tools and core internal resources.
This breakdown of traditional boundaries, combined with broad, persistent access, creates the perfect storm for insider risk. And it’s a challenge traditional security tools weren’t designed to address.
How AI Supercharges Insider Risk: Lower Barriers, Bigger Blasts
AI and autonomous workflows are rapidly increasing insider risks, even if large-scale AI-driven breaches are not yet in the headlines. Today, anyone, regardless of technical skill, can cause serious damage by simply prompting AI to do the heavy lifting:
- Lower barrier to harm: AI removes the need for technical expertise; an insider can pull sensitive reports, summarize contracts, or share confidential information with a simple prompt. The same risk extends to accidental data loss, as users unknowingly expose sensitive information to shadow apps and integrations through AI-driven workflows.
- Faster exfiltration: Tasks that once took hours now happen in seconds, and with AI embedded in so many core applications, data theft becomes lightning fast.
- Wider blast radius: Broad SaaS permissions combined with autonomous AI agents mean one compromised account can leak data instantly across multiple applications and teams.
At the same time, organizations face the challenge of defining and enforcing policies around what data is appropriate to include in AI prompts. No CISO wants to get in the way of productivity or be seen as a blocker for the business, yet without clear guidance, employees risk feeding sensitive data into AI models inappropriately, opening new avenues for data leakage.
How to Manage Insider Risk in SaaS
In a SaaS-first world where identity is the new perimeter, insider risk spans employees, contractors, service accounts, AI agents, and automated workflows. To ensure continuous identity governance, security teams need to ask:
- Are we continuously monitoring all identities—human and non-human—for excessive, risky, or stale access? A robust identity-centric approach should enforce least privilege and detect permission creep across your environment.
- Can we automatically detect employee departures and revoke access in real time? Integrations with HR systems like Workday ensure access is revoked the moment someone leaves the company—closing the gap between offboarding and deprovisioning that an aggrieved leaver could exploit to steal data or cause damage.
- Do we have visibility into local and unmanaged accounts outside of our identity provider’s control? These accounts often go undetected and can be used by disgruntled insiders to access critical systems from personal devices.
- Are we monitoring how AI agents and automated workflows access data and systems across SaaS apps? These non-human identities can be exploited or misconfigured, introducing serious gaps in control if left ungoverned.
- Are we correlating behavioral context with real-world threat intelligence to detect malicious intent—not just anomalies? True insider threats often mimic normal behavior. Detection requires context, not just rule-based alerts or static thresholds.
- How automated is our approach to privilege reviews, remediation, and posture management? Manual reviews lead to delays and fatigue. Automating these processes helps shrink the attack surface proactively.
- Are our investigations and responses tailored for SaaS environments and identity-based threats? AI-driven detections, timeline reconstruction, and insider-specific workflows can dramatically accelerate response times.
If the answer to any of these questions is no—or uncertain—it may be time to rethink your insider risk strategy. Legacy tools fall short in SaaS-first environments. What’s needed is continuous identity and access governance, purpose-built for the complexity of modern collaboration.
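As an added illustration of three of the checks above (not Obsidian's code or any vendor's API), the script below correlates a constructed SaaS audit log with a constructed HR roster to flag activity after a recorded departure, identities with stale access, and bursts of search and download activity of the kind cited in the Rippling case. The roster, event format, action names and thresholds are all assumptions made up for the example.

```python
# Added example (not Obsidian's code): correlate a constructed SaaS audit log
# with an HR roster to surface activity after a recorded departure (the
# offboarding gap), stale identities, and bulk search/download bursts.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR roster: identity -> termination date (None means active).
HR_ROSTER = {
    "alice@example.com": None,
    "bob@example.com": datetime(2025, 3, 1),  # HR recorded departure on 1 March
    "carol@example.com": None,                 # active, but never seen in the log
    "svc-export@example.com": None,            # non-human identity
}
# Constructed SaaS audit events: (ISO timestamp, actor, action).
AUDIT_LOG = [
    ("2025-01-10T08:00:00", "svc-export@example.com", "file.download"),
    ("2025-03-03T09:12:00", "bob@example.com", "search"),
    ("2025-03-03T09:13:00", "bob@example.com", "file.download"),
    ("2025-03-03T10:05:00", "alice@example.com", "search"),
    ("2025-03-03T10:05:30", "alice@example.com", "search"),
    ("2025-03-03T10:06:00", "alice@example.com", "search"),
    ("2025-03-03T10:06:30", "alice@example.com", "file.download"),
    ("2025-03-03T10:07:00", "alice@example.com", "file.download"),
]
EVENTS = [(datetime.fromisoformat(ts), who, act) for ts, who, act in AUDIT_LOG]
AS_OF = datetime(2025, 3, 4)  # constructed "now" for the stale-access check

def post_departure_activity(events, roster):
    """Events by identities whose HR record says they have already left."""
    return [(ts, who, act) for ts, who, act in events
            if roster.get(who) is not None and ts >= roster[who]]

def stale_identities(events, roster, now, max_idle_days=30):
    """Roster identities with no activity inside the idle window (or ever)."""
    last_seen = {}
    for ts, who, _ in events:
        last_seen[who] = max(ts, last_seen.get(who, ts))
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a for a in roster if last_seen.get(a, datetime.min) < cutoff)

def bulk_search_actors(events, window=timedelta(minutes=5), threshold=5):
    """Actors with >= threshold search/download events inside any one window."""
    per_actor = defaultdict(list)
    for ts, who, act in events:
        if act in ("search", "file.download"):
            per_actor[who].append(ts)
    # Quadratic scan is fine for a demo; a sliding window scales better.
    return sorted(who for who, times in per_actor.items()
                  if any(sum(t <= u <= t + window for u in times) >= threshold
                         for t in times))
```

A hit from `bulk_search_actors` is a triage lead rather than proof of intent: the same burst could be a legitimate audit, which is exactly why the checklist asks for behavioral context on top of thresholds.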
How Obsidian Can Help
With Obsidian, you gain SaaS-native, identity-centric security built to help you quickly and effectively manage insider risk. Our platform:
- Continuously monitors and governs access across employees, contractors, service accounts, and AI agents—enforcing least privilege and flagging risky or outdated permissions before they can be exploited.
- Monitors user activity and app usage across your SaaS environment to detect risky behavior and potential insider threats without disrupting productivity.
- Integrates directly with HR systems like Workday to detect departing employees in real time, automatically revoking their access and closing critical gaps during offboarding transitions.
- Identifies and controls hidden local and unmanaged accounts that insiders might use from personal devices to access and disrupt business-critical systems, eliminating ungoverned backdoors.
- Combines behavioral context with real-world breach intelligence to detect true malicious insider intent in real time, while automating privilege reviews and accelerating investigations through AI-driven detection and response.