April 28, 2025

What Is Shadow SaaS?

Scott Young

Shadow SaaS Applications Hide Risk

Compromised shadow IT applications connected to core platforms like Google or Microsoft can have devastating consequences.

What is Shadow SaaS?

Shadow SaaS is a subset of Shadow IT and refers to unauthorized software-as-a-service (SaaS) applications used within an organization. Because SaaS apps make teams more productive and are easy to onboard, employees or teams often independently register for these apps without explicit approval, oversight, or security controls from IT and security teams. This creates new security blind spots.

Understanding Shadow SaaS

Unlike traditional shadow IT (e.g., rogue servers), shadow SaaS applications operate in the cloud, making them harder to detect and control. Because identity provider (IdP) consoles such as Okta only federate known, sanctioned apps, shadow SaaS is by definition not behind those added layers of security, such as single sign-on (SSO) policies and the authentication requirements they enforce. This leaves shadow SaaS apps more exposed to weak authentication practices. Obsidian Security data finds around 73% of apps are unfederated behind the IdP, putting their data at risk.

Despite the risk, shadow SaaS apps usually serve a business purpose, such as enhancing workflows, automating tasks, or enabling external collaboration. Because of this, shadow SaaS is often deeply connected to other systems and data: employees need only an email address and a credit card to procure these tools and integrate them with company-sanctioned platforms and data. As a result, a breach of one shadow application can compromise data downstream.

Why Shadow SaaS Happens

The productivity benefits and ease of adoption of SaaS create more opportunity for shadow SaaS apps, increasing organizational risk. Other factors that contribute to the growth of shadow SaaS are:

  1. Ease of Access: SaaS apps require no installation or IT approval, allowing users to quickly sign up and start using them.
  2. Business Necessity: Employees adopt tools they perceive as beneficial for productivity, even if IT hasn’t vetted them.
  3. Lack of Awareness: Many employees don’t realize that connecting third-party apps to corporate accounts introduces the potential for security threats.
  4. Remote and Hybrid Work: Decentralized work environments drive the need for additional collaboration and automation tools, leading to more unsanctioned SaaS use.
  5. Inefficient IT Approval Processes: If IT teams take too long to approve apps, employees may bypass security protocols to meet their immediate needs.

The Risks of Shadow SaaS

1. Security Vulnerabilities

Unapproved applications often fall outside enterprise-grade security policies like federation behind the IdP and multi-factor authentication (MFA) enforcement. Many of these apps also receive broad access permissions to corporate data, increasing the impact of compromise. 

2. Increased Attack Surface

When SaaS applications integrate with core platforms like Google Workspace, Microsoft 365, or Salesforce, they expand an organization’s attack surface. An open backdoor in a single connected app can serve as an entry point for attackers to move laterally across the company, exfiltrating data or deploying malware. With today’s advanced threat tooling and the aid of AI, bad actors can reach the majority of an organization’s sensitive data, including personally identifiable information (PII) and identity credentials, within minutes.

3. Compliance and Regulatory Violations

Many industries require strict data protection measures. Shadow SaaS applications often store or process sensitive information without proper security controls, leading to non-compliance and potential regulatory fines.

For financial services organizations that operate in the state of New York, NYDFS requires an inventory of every app with access to nonpublic information, as well as MFA policies in place. But without visibility into every app in use, it is easy to violate requirements and face financial penalties—historically in the millions of dollars.

4. Unmanaged Costs

Shadow SaaS contributes to redundant or unnecessary software spending. Without central visibility, organizations may pay for multiple overlapping tools, leading to wasted budget and underutilized resources.

This also leads to application stagnation, a widespread problem: our data shows a significant number of SaaS licenses are inactive for over 90 days. Inactive apps may still contain sensitive data and PII, along with security gaps such as outdated controls and unpatched vulnerabilities, increasing cyber risk and expanding the attack surface with no added business value.

5. Third-Party Risk Exposure

Each integration to a new shadow SaaS application introduces third-party risk. If a vendor lacks strong security controls, attackers may exploit any vulnerabilities to compromise the organization. This is especially true for novel generative AI apps; in 2025, researchers exposed a DeepSeek database leaking sensitive information.

Organizations that rely on external SaaS providers must rigorously assess their security measures and compliance standards to mitigate these risks.

How Shadow SaaS Gets Compromised

1. OAuth Token Theft

Open authorization, or OAuth, grants applications delegated access to enterprise accounts using access tokens, so the application never needs the user’s password. If an attacker steals an OAuth token from an unapproved app, they can act as the legitimate user and access corporate data without triggering authentication alerts, because the token is presented in place of a login.

2. SaaS Supply Chain Attacks

Cybercriminals exploit vulnerabilities in SaaS providers, compromising their platform and gaining access to all customer environments. These attacks pose a serious third-party risk due to the deep integration of SaaS applications within organizational systems. Historic breaches like the 2024 attacks against Snowflake deployments have shown how much sensitive information can be exposed from a single tenant.

3. Local Account Compromise

Shadow SaaS applications bypass centralized identity management, leaving local accounts unprotected by security measures like SSO and MFA. This allows attackers to exploit weak or unmanaged credentials to gain account access. The Microsoft Midnight Blizzard breach demonstrated the damage a single tenant without MFA protections can have on an organization if an attacker is able to compromise just one identity.

4. Insider Threat and Data Exposure via GenAI Tools

New AI tools are not immune to the dangers of shadow SaaS — they may be even more prone to risk. As employees begin to experiment with prompting new GenAI applications such as DeepSeek, sensitive data may be exposed to unauthorized AI apps without the security team’s oversight.

Managing Shadow SaaS Risks

1. SaaS Discovery

Effective SaaS security begins with full visibility. SaaS security posture management (SSPM) solutions help organizations uncover shadow SaaS applications and other risks. Obsidian Security connects directly with the IdP, enabling security teams to identify all sanctioned applications. 

Beyond IdP integration, Obsidian enhances SaaS discovery by scanning browser usage, surfacing OAuth integrations, and analyzing email headers, giving organizations a comprehensive inventory of both federated and unfederated SaaS applications. Together, these sources give security teams the visibility needed to track app usage and manage security across the entire organization.
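The core of the discovery step described above is a reconciliation: compare the apps the IdP federates against the apps actually observed holding OAuth grants, then flag what falls outside. The script below is an added illustration, not Obsidian's code or any vendor's API; it runs over a constructed sample of OAuth grants shaped like a workspace admin's token export and a constructed set of federated app names. It also covers two earlier points on this page: it flags grants with broad scopes (the "OAuth token theft" impact depends on what the token can reach) and grants unused for more than 90 days (the inactive-license figure). Which scope strings count as "broad", the risk weights, and the sample data are all assumptions made for the example; the scope URLs follow Google's OAuth scope naming.

```python
"""Reconcile an IdP's federated app catalogue against observed OAuth grants.

Added example: constructed data and assumed scope/weight choices, not a
vendor's implementation.
"""
from datetime import date, timedelta

# Assumption: these scopes give an app full mailbox, full Drive, or
# directory-admin reach, so a stolen token for them has the widest impact.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}
STALE_AFTER = timedelta(days=90)  # matches the 90-day inactivity figure above
RISK_WEIGHTS = {"unfederated": 2, "broad_scope": 3, "stale": 1}  # assumed weights

# Constructed sample input: lower-cased names of apps the IdP federates behind SSO.
FEDERATED_APPS = {"salesforce", "slack", "github"}

# Constructed sample input: third-party OAuth grants as an admin export might list them.
SAMPLE_GRANTS = [
    {"app": "Slack", "user": "ana@example.com",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"],
     "last_used": "2025-04-20"},
    {"app": "MailMerge Pro", "user": "ana@example.com",
     "scopes": ["https://mail.google.com/"], "last_used": "2025-04-25"},
    {"app": "MailMerge Pro", "user": "bo@example.com",
     "scopes": ["https://mail.google.com/"], "last_used": "2024-11-02"},
    {"app": "QuickNotes", "user": "cy@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive.file"],
     "last_used": "2024-12-15"},
]
AS_OF = date(2025, 4, 28)  # constructed "today" for the stale-grant check


def grant_findings(grant, federated, today):
    """Return the set of findings for one OAuth grant."""
    findings = set()
    if grant["app"].lower() not in federated:
        findings.add("unfederated")          # app is outside the IdP / SSO policies
    if BROAD_SCOPES.intersection(grant["scopes"]):
        findings.add("broad_scope")          # token theft would expose a lot of data
    if today - date.fromisoformat(grant["last_used"]) > STALE_AFTER:
        findings.add("stale")                # unused grant that still holds access
    return findings


def build_report(grants, federated, today):
    """Aggregate per-grant findings into a per-app view with a risk score.

    A finding on any single grant is attributed to the app, so one stale grant
    is enough to mark the app "stale" (that grant is the one to revoke).
    """
    report = {}
    for grant in grants:
        entry = report.setdefault(grant["app"], {"users": set(), "findings": set()})
        entry["users"].add(grant["user"])
        entry["findings"] |= grant_findings(grant, federated, today)
    for entry in report.values():
        entry["risk"] = sum(RISK_WEIGHTS[f] for f in entry["findings"])
    return report


def ranked(report):
    """App names ordered from highest risk to lowest, ties broken by name."""
    return sorted(report, key=lambda app: (-report[app]["risk"], app))


def demo_report():
    """Run the reconciliation over the constructed sample as of AS_OF."""
    return build_report(SAMPLE_GRANTS, FEDERATED_APPS, AS_OF)


if __name__ == "__main__":
    report = demo_report()
    for app in ranked(report):
        entry = report[app]
        print(f"{app:15} risk={entry['risk']} users={len(entry['users'])} "
              f"findings={sorted(entry['findings'])}")
```

On the sample data the unfederated mail-merge tool with full-mailbox scope and one grant unused since November ranks first, the unfederated but narrowly scoped notes app second, and the federated Slack grant last with no findings. In practice the grant list comes from the workspace's admin API or token export and the federated set from the IdP; the weights are a starting point to tune, and the useful follow-up is revoking stale or over-scoped grants and bringing the unfederated apps behind SSO.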

2. Control Access through the Browser

Unlike email-based or network-dependent solutions, Obsidian Security integrates directly into the browser—where users actually interact with SaaS. This approach gives security teams real-time visibility and control over application access, without relying on complex network security solutions. 

Detecting and prohibiting unauthorized SaaS and GenAI usage reduces the risk of data loss and supply chain compromise, and supports compliance, while also cutting costs by eliminating redundant tools.

3. Ongoing Monitoring

Today’s digital environment makes it easy to deploy and integrate new SaaS applications in seconds, often without security’s knowledge. Having detections and controls in place to continuously automate discovery and enforce access policies ensures new risks are not introduced to your environment. 

Our integration risk management engine also inventories and alerts on SaaS-to-SaaS integrations, including non-human identities like service accounts, to offer visibility and control over how data flows between applications.

4. Educate Employees on SaaS Security

Security awareness training should emphasize the risks of unapproved SaaS application use. Employees must understand how to evaluate applications before granting access to their accounts. This starts by building a shared security culture.

Obsidian Security offers alerts, remediation steps, and rule rationales designed for all levels of security and business personnel to support security awareness.

Conclusion

Shadow SaaS is a growing challenge that organizations cannot afford to ignore. While unauthorized SaaS applications may enhance productivity, they also introduce security vulnerabilities, compliance risks, and financial inefficiencies. 

By implementing robust security measures, organizations can gain visibility into Shadow SaaS, mitigate risks, and ensure that SaaS innovation remains secure. Proactively managing shadow SaaS not only enhances security but also empowers teams to embrace innovation with confidence. In today’s cloud-driven world, securing SaaS and GenAI applications is no longer optional. It is essential for maintaining a resilient organization.

To begin discovering the shadow SaaS apps in your environment, try our browser solution for free.
