Executive Brief

Organizations have reached a point where the worst breaches no longer have to break in through the perimeter at all. Instead, attackers use identity deception, stolen credentials, hijacked sessions, OAuth permissions, cloud connections, and SaaS workflows to operate inside the environment as apparently legitimate users.

IBM’s 2025 X-Force Threat Intelligence Index reinforces this shift, reporting that 30% of total intrusions involved valid account abuse, making identity misuse one of the most important intrusion paths for modern enterprises. [1]

This shift changes how organizations must think about risk. A firewall can still block suspicious traffic. An endpoint tool can still detect malware. A secure gateway can still enforce an access policy. But many modern SaaS breaches begin after the user has authenticated, inside applications that the business already trusts.

The result is a growing visibility gap. Security teams may see that a user is connected to Microsoft 365, Salesforce, ServiceNow, Slack, Google Workspace, Workday, GitHub, or another approved platform. What they may not see clearly enough is whether the actions inside that SaaS session are normal, excessive, suspicious, or malicious.

The modern breach is not always loud. It may look like an employee downloading files, approving an integration, searching a mailbox, sharing a document, or triggering a workflow. The problem is not that security tools have become irrelevant. The problem is that many of them were built for a threat model where the attacker was outside the organization, not already operating through a trusted identity.

The same IBM research documented an 84% year-over-year increase in infostealers delivered through phishing emails, demonstrating how aggressively attackers are scaling credential and session theft operations.

For CISOs, CIOs, risk leaders, and board-level decision-makers, the message is direct: SaaS security can no longer be treated as an extension of perimeter defense. It must become an identity-led, behavior-aware, application-level discipline.

The Enterprise Attack Surface Has Moved Into SaaS

SaaS has become the operational foundation of the modern enterprise. Communication, customer management, finance, human resources, legal operations, software development, analytics, marketing, procurement, productivity, and AI-enabled automation all depend on cloud-based platforms.

As a result, sensitive business data is no longer concentrated in a small number of internal systems. It is distributed across collaboration platforms, cloud storage repositories, customer databases, help desk applications, productivity suites, and hundreds of interconnected SaaS services. Access is granted through federated identities, single sign-on (SSO), API integrations, service accounts, and OAuth permissions.

This shift has fundamentally changed the enterprise attack surface. Rather than targeting infrastructure, attackers increasingly focus on identities and trusted access relationships. A single compromised account can provide access to multiple business-critical applications, sensitive data stores, and connected workflows.

In many cases, attackers do not need malware, server access, or sophisticated exploits. They simply take advantage of the same application capabilities employees use every day. A compromised account can be used to search email archives, download sensitive files, create forwarding rules, access shared documents, export business records, authorize third-party applications, and move between connected platforms.

Much of this activity appears legitimate from a technical standpoint because it is performed through authorized accounts and approved application functions. From a business risk perspective, however, the same actions may represent reconnaissance, data exfiltration, privilege escalation, persistence, or lateral movement.

This is why SaaS security has become a strategic priority. SaaS is no longer just another category of enterprise software. It is where identities, data, workflows, and business operations come together, making it one of the most consequential security domains in the organization.

The following data points provide the evidence base for this brief and anchor the narrative in current threat intelligence and cybersecurity resilience research. They show how SaaS risk is shifting from perimeter-based intrusion to identity-led compromise, token abuse, unmanaged cloud access, and AI-driven exposure.

Figure            What it supports
30%               Identity-based attacks and valid account abuse are now a major intrusion path.
84%               Infostealers delivered via phishing emails increased year over year, supporting the credential-theft argument.
90%               Most organizations are not adequately prepared to secure their AI-driven future.
2,286 executives  Accenture’s cybersecurity resilience findings are based on a global survey sample of this size.
77%               Organizations lack essential data and AI security practices for business models, data pipelines, and cloud infrastructure.
63%               Organizations in the “Exposed Zone,” lacking both cohesive strategy and sufficient technical capability.

Source: CyberTech Intelligence Analysis based on referenced reporting.

Identity Abuse Has Become a Preferred Attack Strategy

Attackers are increasingly choosing access over exploitation.

Existing security controls were developed with infrastructure boundaries in mind. A firewall, intrusion prevention system, proxy, or secure gateway is effective at inspecting traffic, monitoring access, and blocking clearly malicious activity.

A stolen credential, session token, browser cookie, API key, or OAuth authorization can give an attacker a powerful advantage. Instead of triggering obvious security alarms, the attacker can log in, use approved services, and perform actions that resemble routine work.

This is one of the defining characteristics of SaaS-native compromise. The attacker is not always trying to bypass the system. In many cases, they are using the system as designed.

The risk expands when organizations rely too heavily on one-time authentication. A login event may be valid at the beginning of a session, but that does not guarantee the session remains trustworthy. Credentials may have been stolen. Tokens may have been replayed. MFA may have been bypassed through session hijacking. OAuth permissions may provide access even after a password reset.

This means security teams must look beyond the question, “Was the user authenticated?” They must ask, “Is the behavior consistent with that user, that role, that device, that location, that application, and that business context?”

Identity is no longer just an access-control function. It is now a primary detection surface.

Why Traditional Controls Struggle With SaaS-Native Breaches

Traditional security controls were designed to protect infrastructure boundaries. Firewalls, intrusion prevention systems, proxy servers, and secure web gateways remain effective for monitoring traffic and blocking known threats.

SaaS environments, however, introduce a different visibility challenge. These controls can identify connections to trusted cloud applications, but they typically cannot determine what users are doing inside those applications.

A firewall may observe an encrypted session with a trusted SaaS provider while remaining unaware that a user has exported sensitive customer data, approved a high-risk third-party application, created an email forwarding rule, or accessed information beyond their normal responsibilities.

The risk is rarely visible in the network flow itself. It is embedded in application activity, user behavior, permissions, and access decisions. The events that matter most often occur within the SaaS platform, outside the visibility of traditional network-centric controls.

This distinction is significant. Traditional controls focus on source, destination, protocol, and policy enforcement. SaaS security requires visibility into identities, permissions, behavioral patterns, data sensitivity, integration risk, and business context.

Context determines whether an action is routine or suspicious. A large file download, for example, may be entirely legitimate. A sales operations manager exporting CRM records for reporting, a finance executive preparing for an audit, or a developer accessing repository data are all expected activities. The risk profile changes when the same actions occur from an unfamiliar location, outside normal working hours, following a high-risk authentication event, through a dormant account, or via an unrecognized integration.

For this reason, SaaS threat detection cannot rely solely on static rules and signatures. Effective detection requires behavioral baselines, anomaly detection, identity intelligence, and correlation across users, applications, and integrations.

Visibility into individual events is no longer sufficient. Security teams must understand the context surrounding those events, including who performed the action, what level of access was used, which systems were involved, whether the behavior aligns with established patterns, and the potential business impact.

Meaningful SaaS risk detection depends on distinguishing legitimate activity from activity that merely appears legitimate.
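As an added illustration (example code written for this brief, not part of the original), the following Python scores a single application-level audit event against a per-user baseline using the context signals named above: unfamiliar location, activity outside working hours, a preceding high-risk authentication, a dormant account, an unrecognized integration, and unusual volume. The baseline fields, thresholds, and sample events are constructed assumptions, not values from any product or vendor.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

DORMANT_DAYS = 45   # assumed threshold: no activity for this long marks an account dormant

@dataclass
class Baseline:
    """Per-identity behavioural baseline, as a SaaS monitoring tool might learn it."""
    usual_countries: set
    work_hours: tuple = (8, 19)              # local hours in which activity is expected
    typical_download_mb: float = 50.0
    known_integrations: set = field(default_factory=set)
    last_active: Optional[datetime] = None

@dataclass
class Event:                                 # one application-level audit event
    user: str
    action: str
    country: str
    timestamp: datetime
    size_mb: float = 0.0
    client_id: Optional[str] = None          # OAuth client / integration acting for the user
    recent_risky_auth: bool = False          # MFA failures or new-device login shortly before

def risk_factors(event: Event, baseline: Baseline) -> list:
    """List the contextual signals that make an otherwise legitimate action risky.
    The action itself is never flagged; only its context against the baseline is."""
    factors = []
    if event.country not in baseline.usual_countries:
        factors.append("unfamiliar_location")
    if not baseline.work_hours[0] <= event.timestamp.hour < baseline.work_hours[1]:
        factors.append("outside_working_hours")
    if event.recent_risky_auth:
        factors.append("follows_high_risk_auth")
    if baseline.last_active and event.timestamp - baseline.last_active > timedelta(days=DORMANT_DAYS):
        factors.append("dormant_account")
    if event.client_id and event.client_id not in baseline.known_integrations:
        factors.append("unrecognised_integration")
    if event.size_mb > 5 * baseline.typical_download_mb:   # assumed: 5x the norm is unusual
        factors.append("unusual_volume")
    return factors

def triage(event: Event, baseline: Baseline) -> str:
    """Map the factor count to a disposition: none -> allow, one -> review, more -> alert."""
    count = len(risk_factors(event, baseline))
    return "allow" if count == 0 else "review" if count == 1 else "alert"

# Constructed sample data: a sales-operations user with routine CRM exports, and an idle contractor.
SALES_OPS_BASELINE = Baseline({"US"}, known_integrations={"reporting-tool"},
                              last_active=datetime(2025, 6, 9, 17, 0))
CONTRACTOR_BASELINE = Baseline({"US"}, last_active=datetime(2025, 3, 1, 9, 0))
ROUTINE_EXPORT = Event("sales.ops", "crm_export", "US", datetime(2025, 6, 10, 14, 30),
                       size_mb=120, client_id="reporting-tool")
SUSPICIOUS_EXPORT = Event("sales.ops", "crm_export", "RO", datetime(2025, 6, 10, 3, 12),
                          size_mb=900, client_id="sync-helper-7f3a", recent_risky_auth=True)
DORMANT_DOWNLOAD = Event("contractor.42", "file_download", "US", datetime(2025, 6, 10, 10, 0),
                         size_mb=10)
```

The same export that `triage` allows for the routine event is escalated to "alert" for the suspicious one on five factors, while the contractor's small download lands in "review" on the dormancy signal alone.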

The SaaS Visibility Gap Is Becoming a Board-Level Risk

Many organizations have mature visibility across endpoints and networks but far less clarity inside SaaS applications. This imbalance creates a blind spot at exactly the layer where business activity now happens.

Security teams often struggle to answer basic but important questions:

Which SaaS applications are actively used across the enterprise?
Which applications were approved by IT, and which were adopted independently by business teams?
Which users hold excessive privileges?
Which OAuth applications have access to email, files, calendars, or customer data?
Which service accounts are active but unmanaged?
Which third-party integrations can move data between platforms?

Without these answers, SaaS risk becomes difficult to govern. The organization may believe it has strong security coverage because perimeter and endpoint controls are deployed. Yet attackers may still operate through SaaS identities and integrations that receive limited monitoring.

Accenture found that 63% of organizations fall into its “Exposed Zone,” meaning they lack both a cohesive cybersecurity strategy and sufficient technical capability to address emerging risks effectively. [3]

This visibility gap is especially dangerous because SaaS environments change constantly. Employees join and leave. Roles change. Permissions accumulate. Applications are added. Integrations are approved. Contractors receive access. Automation accounts are created. AI tools are connected to data sources. Unless the organization continuously reviews this activity, its SaaS attack surface grows quietly over time.

OAuth, Tokens, and Sessions Are Now High-Value Targets

Password security remains important, but the modern SaaS threat model extends far beyond passwords.

OAuth tokens, session cookies, refresh tokens, API keys, and machine credentials can provide attackers with persistent access to applications and data. These artifacts are valuable because they may allow access without requiring a fresh password entry or MFA challenge.

This creates a difficult incident response problem. Even after security staff have reset a user’s password and consider the account secured, the attacker may retain access through a live session, a refresh token, an OAuth grant, or an API key that the reset did not touch.

OAuth abuse is especially concerning because end users grant permissions to third-party apps without fully understanding what privileges they are handing over. What appears to be a harmless productivity app may request access to mailboxes, files, contacts, calendars, and cloud storage.

The same problem applies to service accounts and automation credentials. These identities often have broad permissions, limited oversight, and weak lifecycle management. In many organizations, non-human identities are created for operational convenience and then forgotten.

SaaS security programs must therefore treat tokens and machine credentials as sensitive assets. They require inventory, ownership, expiration, rotation, monitoring, and rapid revocation processes.

Lateral Movement Now Follows Business Workflows

In SaaS environments, lateral movement does not necessarily mean an attacker hopping from one system to another. It can mean a compromised identity moving from one application to the next through single sign-on or shared permissions.

A compromised identity may start in email and then move into cloud storage. From there, the attacker may discover links to CRM records, internal dashboards, collaboration channels, or project management tools. If the same identity has access across those platforms, the attacker can continue moving without exploiting each application separately.

This is a major change from traditional network-centric lateral movement. The attacker’s path is shaped less by network topology and more by identity relationships.

The SaaS environment is built for connection. CRM platforms connect with marketing tools. Collaboration apps connect with document repositories. HR platforms connect with identity providers. Automation platforms connect with ticketing systems. AI assistants connect with knowledge bases. These relationships improve productivity, but they also create movement paths for attackers.

Security leaders should therefore rethink segmentation. Network segmentation remains useful, but SaaS environments require identity segmentation, privilege segmentation, application segmentation, and data-level access control. The goal is to prevent one compromised identity from becoming a bridge across the enterprise.

AI Is Expanding the SaaS Identity Problem

AI adoption is introducing a new category of SaaS risk: intelligent, automated, non-human access.

AI copilots, autonomous agents, workflow assistants, and embedded analytics tools increasingly connect to business applications and data repositories. These systems may read emails, summarize files, retrieve customer records, generate reports, trigger workflows, or interact with APIs. In practice, many AI tools function as powerful identities inside the enterprise.

This creates governance challenges that many organizations are still learning to manage.

An AI assistant may inherit user permissions. An autonomous agent may operate through a service account. A workflow tool may have broad access across multiple SaaS platforms. A business team may connect an AI tool to sensitive data without full security review. A shadow AI account may process confidential information outside approved controls.

The risk is not only that AI systems may be attacked. AI tools may also, by default, broaden access, accelerate data movement, or leak data through poorly governed workflows.

Security teams need visibility into which AI applications are in use, what data they can access, what operations they can perform, which identities they act through, and how their activity is logged. AI governance should be aligned with SaaS identity governance.

What Security Leaders Should Prioritize

A stronger SaaS security strategy requires a shift from perimeter-first thinking to identity-first security operations.

Build a Complete SaaS Inventory

Organizations should maintain a continuously updated inventory of sanctioned and unsanctioned SaaS applications. This inventory should include application owners, business purpose, user counts, connected identities, data sensitivity, integrations, and risk level.

Govern OAuth and Third-Party Integrations

OAuth grants should be reviewed regularly, especially those requesting access to email, files, contacts, calendars, or administrative functions. High-risk permissions should require approval, monitoring, and periodic recertification.

Reduce Excessive Privilege

SaaS permissions should reflect current job responsibilities. Admin roles, shared accounts, dormant users, contractors, and service accounts should be reviewed frequently. Privilege accumulation should be treated as a measurable risk.

Monitor Behavior Inside Applications

Security teams need application-level telemetry that can identify unusual downloads, abnormal sharing, suspicious forwarding rules, risky API activity, unexpected privilege changes, and anomalous access patterns.

Treat Sessions and Tokens as Critical Assets

Incident response should include session revocation, token invalidation, OAuth grant removal, API key rotation, and review of active integrations. Password resets alone are not sufficient.

Strengthen Machine Identity Governance

Service accounts, automation bots, API credentials, and AI agents should have owners, scoped permissions, expiration policies, rotation schedules, and behavioral monitoring.

Extend Zero Trust Into SaaS

Zero Trust should not stop at the network layer. Continuous verification must apply to users, devices, applications, sessions, tokens, data access, integrations, and non-human identities.

The New SaaS Security Model

The future of enterprise security will depend on how well organizations can interpret trust.

It is no longer enough to know whether traffic is allowed. Security teams must know whether the identity is appropriate, whether the behavior is expected, whether the application access is justified, whether the integration is safe, and whether the data movement aligns with business intent.

This requires a new operating model built around five principles:

  1. Continuous identity verification
  2. Application-level visibility
  3. Least-privilege access
  4. Behavioral detection
  5. Governance of human and non-human identities

Organizations that adopt this model will be better positioned to detect SaaS-native compromise before it becomes a larger breach. Those that remain dependent on perimeter-centric assumptions will continue to face blind spots inside the very applications where their business now operates.

Conclusion

The enterprise breach has changed shape. It may not begin with malware. It may not trigger a firewall alert. It may not involve a visible exploit. It may begin with a stolen session, a trusted login, an overprivileged account, an unmanaged OAuth grant, or an AI-connected workflow with too much access.

That is why SaaS security must be treated as a central component of enterprise risk management. Firewalls, endpoint tools, and traditional controls remain necessary, but they cannot provide complete visibility into identity-led activity inside cloud applications.

The next security perimeter is not a wall. It is a living system of identities, permissions, sessions, integrations, behaviors, and data flows.

The organizations that understand this shift will move faster toward continuous verification and SaaS-aware defense. The organizations that do not may continue protecting the edge while attackers operate quietly inside the workflow.

References

[1] IBM, X-Force Threat Intelligence Index 2025: Attackers Steal and Sell User Identities at Scale, April 2025
[2] IBM, Cloud Attacks Are Evolving: What 2025 Trends Mean for Defenders in 2026, March 17, 2026
[3] Accenture, Only One in 10 Organizations Globally Are Ready to Protect Against AI-Augmented Cyber Threats, June 26, 2025