While participating in the SaaS Sprawl and Shared Responsibility: Regaining Control and Assuring Cloud Posture panel at IT Expo in February 2026, one idea kept coming back: SaaS sprawl is inevitable, but insecurity does not have to be.
Modern enterprises no longer run on just a handful of cloud applications. They run on hundreds, many adopted outside of IT oversight. The challenge is not growth itself, but assuming that growth automatically means control. Having more apps does not equal security. Counting tools or checking boxes does not tell you who has access to sensitive data, what permissions are granted, or which integrations could be abused. True control comes from continuous visibility, real governance, and ongoing validation, not from the number of apps deployed.
Many organizations assume that SSO provides security, but SSO is not secure by default. From my perspective in real-world security testing, SSO often creates a false sense of maturity. The real exposure is usually in over-permissioned OAuth apps, forgotten integrations, automation platforms connected to sensitive systems, and long-lived tokens from employees who have already left the company. OAuth apps are silent Shadow IT: they do not appear suspicious and are legitimate integrations but with excessive access. And to be honest, attackers love that.
From an attacker’s point of view, SaaS is incredible: I do not need a zero-day exploit. I only need a valid token. Former employees with active tokens are a ticking time bomb. Third-party apps with write access to shared drives or source code are perfect pivot points. Chained SaaS-to-SaaS integrations provide ready-made lateral movement. Today, the SaaS perimeter is identity plus API but remember that generic risk scores do not reflect real risk.
A low-risk app with access to sensitive data is far more dangerous than an unknown app with no meaningful permissions. What matters is context: what data is accessed, which users have access, what scope is granted, and how persistent the access is. Attackers do not care whether an app is official or Shadow IT. If it has a valid token and access to valuable data, it is in scope for them. Remember, your company does not set the rules from an attacker’s perspective, but you still can reduce their room to operate.
Visibility comes first. You cannot secure what you cannot see. SaaS security is identity, APIs, and configuration. It is not about counting apps, it is about understanding access paths.
Compliance is not a checklist. Compliance without visibility is theater. Without continuous discovery, real-time awareness of permissions, and the ability to revoke trust quickly, no framework will save you. Blocking is not governance. Shadow IT exists because the business moves fast. If the secure path is too slow or painful, users will create a faster one. Modern SaaS security is less about saying no and more about creating secure paths to yes.
The key takeaway from the panel is simple: SaaS sprawl is not the enemy. Lack of visibility and unmanaged trust are. Control is not about restriction, it is about continuous validation.
