SaaS Sprawl: More Extensive Than You Think
2025 marks the fifth anniversary of the COVID-19 global pandemic. It feels almost surreal to remember a time when we were frantically Googling everything from how to protect ourselves against an unknown virus to tracking down toilet paper in stock.
The pandemic also reshaped the modern workforce in countless ways, and one of the most enduring shifts remains—the mass adoption of SaaS applications. What began as a necessity during the rapid transition to remote work has since evolved into a common practice: employees procuring cloud-based SaaS tools independently, bypassing IT. The surge of SaaS adoption didn’t slow down as offices reopened either; it accelerated, and organizations are now grappling with the consequences of unmanaged SaaS sprawl.
If you think the SaaS sprawl problem is small and insignificant, think again. Grip research shows that SaaS sprawl is more extensive than most organizations realize: SaaS adoption grew 62% in the first year of COVID lockdowns and another 28% the following year. Grip’s 2025 SaaS Security Risks Report cites that today, the average large enterprise uses over 1,400 apps, and this growth is far from under control. In fact, most organizations are unaware of just how deep their SaaS sprawl runs. And while expanding SaaS portfolios should symbolize progress, they are simultaneously becoming one of the most perilous security risks organizations face today.
More Apps, More Accounts, More Risk
The term "Shadow IT" is nothing new, but it is evolving in today’s SaaS-fueled landscape. Shadow IT refers to the hardware or software employees install without formal approval. With cloud subscriptions just a click away, SaaS tools are readily accessible and easy to initiate. Free trial, anyone?
These apps, also known as “shadow SaaS,” may never pass through IT's hands, creating a sprawling web of unauthorized access points that expose organizations to invisible vulnerabilities. According to Grip’s research, 85-90% of SaaS applications are outside of IT oversight and control. In other words, IT has no visibility into what apps these are or who is using them. It’s not surprising that SaaS has become a prime attack vector; shadow SaaS significantly heightens security risks, yet IT and SecOps teams have no idea what those risks are and where they lie.
SaaS Governance Gaps
Shadow SaaS also brings to light a critical gap in SaaS governance. Grip’s research found that only 10-15% of SaaS is centrally managed. Typically, the larger, “major” applications, like Microsoft and Salesforce, are managed more often than the smaller, niche applications, which one might expect. However, alarmingly, applications containing financial data were found to be managed at a much lower rate (7%) than the average SaaS management rate (13%), which poses questions about compliance with regulatory standards like PCI-DSS, the Sarbanes-Oxley Act (SOX), HIPAA, and the NYDFS Cybersecurity Regulation, all of which require MFA for systems and applications accessing sensitive data.
SaaS Risk Beyond the App
The real risk isn’t just in the number of SaaS apps an organization uses—it’s in the identities attached to those apps. Applications with large user bases (like Microsoft, Adobe, and Salesforce) can have hundreds or thousands of identities. Niche applications and shadow SaaS have smaller user bases and identities but still present risks, nonetheless.
Consider that each employee using these shadow tools creates an account—usually with just a username and password—and every account becomes an entry point for potential breaches from weak or reused passwords or abandoned accounts that are left active after the employee leaves the company. The result is a risk the security team isn’t even aware of and continues to grow silently.
While SaaS makes collaboration easier and improves employee productivity, it also means the number of identities tied to these tools has exploded, each with varying access and security oversight levels. The risk isn’t just that more people are using SaaS; it’s that IT teams often lack visibility into who is using what, when, and how securely—are employees bypassing SSO? Did someone start a new shadow SaaS app subscription because they didn’t like the sanctioned option? Should the tools employees use daily be centrally managed?
For CISOs, this introduces a multidimensional problem. The complexity of managing identities in a decentralized SaaS environment is nuanced, and traditional means of securing digital environments haven’t kept pace with the changes in SaaS adoption and usage. For example,
Each identity can serve as a weak point if not carefully managed and governed—often before the security team realizes there’s an issue.
Decentralized SaaS Demands a New CISO Mindset
In this SaaS-driven era, CIOs and CISOs are being forced to rethink their roles. Traditionally seen as the gatekeepers of enterprise security, IT and security leaders no longer have full visibility or control over the apps their employees use. But that doesn’t mean they should throw in the towel—instead, they must adapt, transforming from gatekeepers into enablers of secure innovation.
The reality is that employees will continue to adopt SaaS tools, whether IT approves of them or not. Rather than attempting to block or stifle this behavior, CIOs and CISOs must focus on embedding security into the decentralized SaaS procurement process. This means fostering collaboration between IT, security, and business units to ensure that apps are being used securely without slowing down innovation.
This shift also requires a programmatic approach to SaaS risk management—one that extends beyond traditional security controls and focuses on ongoing visibility and risk mitigation. It’s not enough to simply identify what apps are in use; organizations must continuously audit accounts, track usage, and monitor for changes. Only by treating SaaS as a dynamic, ever-evolving ecosystem can CISOs regain control and effectively secure their environments.
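The continuous account audit described here, and the identity risks called out earlier (abandoned accounts left active after an employee leaves, password-only logins that bypass SSO, financial-data apps without MFA), can be made concrete with a small reconciliation script. The following is an added example, not Grip's code or tooling: it joins a constructed SaaS account export against a constructed HR roster, flags the four risk conditions, estimates the share of apps that are centrally managed (using "every account signs in through SSO" as the proxy), and diffs two inventory snapshots to catch newly adopted apps. All app names, e-mail addresses, field names and the as-of date are assumptions made for the illustration.

```python
"""Added example (not Grip's code): reconcile a SaaS account export against an
HR roster to surface orphaned accounts, SSO bypass, missing MFA on financial
apps, and dormant accounts, then diff inventories to detect new shadow SaaS.
All data, app names and field names below are constructed for illustration."""
from datetime import date, timedelta

# Constructed as-of date for the audit run.
AS_OF = date(2025, 3, 15)

# Constructed HR roster (in practice: the HRIS or IdP directory).
HR_ROSTER = {
    "ana@example.com": "active",
    "bo@example.com": "active",
    "cy@example.com": "terminated",
}

# Constructed SaaS account inventory, e.g. exported from app admin consoles
# or an identity-based discovery tool. Field names are assumptions.
SAAS_ACCOUNTS = [
    {"app": "crm-suite", "user": "ana@example.com", "auth": "sso", "mfa": True,
     "last_login": date(2025, 3, 1), "data_class": "financial"},
    {"app": "crm-suite", "user": "cy@example.com", "auth": "sso", "mfa": True,
     "last_login": date(2024, 9, 10), "data_class": "financial"},
    {"app": "notes-app", "user": "bo@example.com", "auth": "password", "mfa": False,
     "last_login": date(2025, 2, 20), "data_class": "general"},
    {"app": "expense-tool", "user": "bo@example.com", "auth": "password", "mfa": False,
     "last_login": date(2024, 6, 1), "data_class": "financial"},
]


def audit_saas_accounts(accounts, roster, today, stale_days=90):
    """Return (finding, app, user) tuples; one account can raise several."""
    findings = []
    cutoff = today - timedelta(days=stale_days)
    for acct in accounts:
        app, user = acct["app"], acct["user"]
        # Orphaned: the account exists but its owner is no longer an active employee.
        if roster.get(user) != "active":
            findings.append(("orphaned_account", app, user))
        # SSO bypass: a local username/password login instead of the federated path.
        if acct["auth"] != "sso":
            findings.append(("sso_bypass", app, user))
        # Regulated data reachable without a second factor.
        if acct["data_class"] == "financial" and not acct["mfa"]:
            findings.append(("financial_app_no_mfa", app, user))
        # Dormant: no sign-in within the stale window.
        if acct["last_login"] < cutoff:
            findings.append(("stale_account", app, user))
    return findings


def managed_app_rate(accounts):
    """Share of distinct apps where every account signs in via SSO,
    used here as a simple proxy for 'centrally managed'."""
    by_app = {}
    for acct in accounts:
        by_app.setdefault(acct["app"], []).append(acct["auth"] == "sso")
    managed = sum(1 for flags in by_app.values() if all(flags))
    return managed / len(by_app) if by_app else 0.0


def new_apps(previous_snapshot, current_snapshot):
    """Apps in the current inventory that were absent from the previous one:
    the 'monitor for changes' step that catches newly adopted shadow SaaS."""
    before = {a["app"] for a in previous_snapshot}
    after = {a["app"] for a in current_snapshot}
    return sorted(after - before)


if __name__ == "__main__":
    for finding in audit_saas_accounts(SAAS_ACCOUNTS, HR_ROSTER, AS_OF):
        print(finding)
    print(f"managed app rate: {managed_app_rate(SAAS_ACCOUNTS):.0%}")
    # Treat the first two records as last week's snapshot to show the diff.
    print("new apps since last scan:", new_apps(SAAS_ACCOUNTS[:2], SAAS_ACCOUNTS))
```

Run on the constructed data, the audit raises six findings: the terminated user's CRM account is both orphaned and stale, the notes app is reached by password only, and the expense tool account bypasses SSO, lacks MFA on financial data, and has been dormant past the 90-day window. Feeding real exports into the same shape of check is what turns a one-time inventory into the ongoing audit the text calls for.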
SaaS Security in a Rapidly Changing Landscape
As organizations expand their reliance on SaaS, the complexity of managing identities, accounts, and licenses will continue to grow exponentially. This trend will not reverse—it’s the future of work. But the risks can be managed if companies take a proactive stance.
Many cybersecurity leaders have realized that SaaS growth is outpacing traditional security frameworks and tools purchased years ago. By prioritizing SaaS visibility and governance, organizations can mitigate the security and compliance risks associated with sprawling SaaS portfolios and identities while empowering employees to drive innovation.
In the end, SaaS may be a silent explosion, but its impact is anything but quiet. The organizations that succeed will be those that treat SaaS security as a critical, continuous priority—one that demands both agility and vigilance. After all, in a world of invisible risks, it's what you don’t see that can hurt you the most.
For deeper insights into the risks that shadow SaaS and sprawling identities pose, download the 2025 SaaS Security Risks Report.
This article was originally published on Grip.Security.