Grip Security has released its 2025 SaaS Security Risks Report, detailing a significant gap in the management and security of SaaS applications within organisations.
The report indicates that 90% of SaaS applications and 91% of AI tools are unmanaged in current organisational structures, highlighting a substantial vulnerability. Traditional security methods are reportedly insufficient in mitigating these risks, which encompass unmanaged SaaS usage, often termed 'Shadow SaaS'.
According to the findings, enterprises have seen a 40% increase in the number of SaaS applications they utilise over the last two years. This is accompanied by an 85% rise in the number of accounts per user.
Significantly, 73% of provisioned users never actually utilise their SaaS application licenses. Additionally, ChatGPT has been observed in 96% of the organisations analysed, with a 24-fold increase in usage since its introduction.
The report highlights that while 42% of popular AI applications possess Security Assertion Markup Language (SAML) capabilities, 80% of these tools are not properly managed or federated.
Lior Yaari, Co-founder and CEO of Grip Security, stated, "The sheer volume of unmanaged SaaS apps and AI tools we found in organisations shows the large gap between perceived and actual security. Businesses need real-time visibility into these applications and a risk governance program to manage their risks to stay ahead of the curve."
The issue of Shadow SaaS, where applications are used without IT departments' oversight, presents a risk of data breaches, compliance violations, and inefficiencies. Gartner has projected that by 2027, 75% of employees will use technologies outside of IT's oversight, necessitating a re-evaluation of current SaaS security approaches.
Despite substantial investment in SaaS risk management, existing security tools such as Cloud Access Security Brokers (CASBs) have shown limitations, generating more data noise and false positives than actionable insights.
Yaari further commented, "As SaaS continues to grow, businesses can't afford to rely on outdated tools. A holistic, identity-driven approach is now critical to ensure SaaS security and risk management. The consequences of inaction are too severe—it's time for enterprises to address this risk proactively and rethink their security strategies to match the speed of SaaS adoption."
Industry experts indicate that business-led IT dynamics are driving the expansion of SaaS use, which calls for shared responsibility across an organisation for managing associated risks. This responsibility stretches beyond IT and security teams to include business application owners and end users.
The report underscores the necessity of a shift towards a flexible, identity-centric security approach. Without this transition, firms remain exposed to prominent threats, illustrated by incidents at companies such as Snowflake and Microsoft.
Grip Security's report draws upon anonymised data from its SaaS Security Control Plane, covering over 29 million user accounts, 1.7 million identities, and nearly 24,000 SaaS applications posing potential risks.