Introduction

Grip Security’s report, “2025 SaaS Security Risks,” highlights the growing vulnerabilities associated with unmanaged SaaS applications and user accounts, a phenomenon termed “SaaS risk creep.” The report underscores the significant security risks and governance gaps arising from the widespread use of unmanaged SaaS and AI tools within organizations.

Description

The report reveals that 90% of SaaS applications and 91% of AI tools within organizations remain unmanaged, creating substantial security risks and governance gaps. Key findings indicate a 40% surge in the number of SaaS applications used by enterprises over the past two years [2] [4] [6] [7], with medium-sized companies experiencing a 47% increase [3], while small and large companies saw increases of 35% and 37%, respectively [3] [4]. Additionally, the average number of SaaS accounts per employee has risen by 85% [3], with employees using an average of 13 tools by early 2024, compared to just 7 in 2022 [3]. Alarmingly, 73% of provisioned users do not use their SaaS application licenses [2] [4] [5] [6] [7] [8], which leads to overspending and points to ineffective license management [3].

AI tools are prevalent [2]. ChatGPT in particular was identified in 96% of organizations analyzed, with its usage increasing 24-fold since its launch [5] [7] [8]. However, the rapid adoption of AI is outpacing security governance, with 80% of AI applications not managed through Security Assertion Markup Language (SAML) protocols [3]. While 42% of popular AI applications possess SAML capabilities [5] [6], the lack of oversight creates security blind spots, making organizations vulnerable to cyberattacks and compliance risks. Unsanctioned app accounts expand the attack surface [3], and misconfigurations, such as insufficient access controls, increase the likelihood of breaches [3]. Many companies struggle to identify and assess risks associated with numerous SaaS applications due to limited human resources [3].

The report raises alarms about the emergence of Shadow SaaS and Shadow AI, which are applications used without IT oversight [1] [7] [8], leading to risks such as data breaches [1] [2] [4] [7] [8], non-compliance [1] [2] [3] [4] [5] [7] [8], operational inefficiencies [5], and information leaks [2]. Gartner projects that by 2027, 75% of employees will engage with technologies outside of IT’s control [1] [4] [7] [8], underscoring the urgent need for a reevaluation of SaaS security strategies. Despite substantial investments in SaaS-related security [1] [2] [4] [7], traditional solutions like Cloud Access Security Brokers (CASBs) are deemed inadequate due to their tendency to generate excessive data noise and false positives, distracting security teams from real threats [2].

To manage SaaS security and risk effectively, a shift towards a holistic, identity-driven approach is essential [1] [2] [4] [5] [7] [8]. This strategy requires collaboration across departments, including business app owners and end users [1] [2] [7] [8], to address SaaS risks comprehensively. Organizations must recognize that the responsibility for managing these risks extends beyond IT and security teams [2]. A flexible, identity-centric approach that empowers employees while managing risk is crucial in this evolving landscape [2]. Without this transition, organizations remain vulnerable to security breaches [2] [7] [8], as evidenced by high-profile incidents at companies like Snowflake and Microsoft [1] [4]. Proactively adapting to evolving SaaS trends will better position organizations to protect sensitive data [7] [8], ensure compliance [1] [2] [3] [4] [7] [8], optimize resources [2], and foster innovation while minimizing risks [1] [2] [7].

The findings are based on anonymized data from Grip’s SaaS Security Control Plane (SSCP) solution [1] [4] [6] [7] [8], which includes insights from over 29 million SaaS user accounts, 1.7 million identities [1] [6] [7] [8], and nearly 24,000 potentially risky SaaS applications. Grip Security specializes in SaaS identity risk management [8], offering solutions to help enterprises mitigate the security risks associated with widespread SaaS adoption [8].

Conclusion

The report by Grip Security emphasizes the urgent need for organizations to address the security challenges posed by unmanaged SaaS and AI tools. By adopting a holistic, identity-driven approach [1] [2] [4] [5] [7] [8], organizations can mitigate risks, enhance compliance [1] [2] [3] [4] [7] [8], and optimize resource utilization. As the landscape of SaaS and AI continues to evolve, proactive adaptation and collaboration across departments will be crucial in safeguarding sensitive data and fostering innovation.

References

[1] https://www.darkreading.com/vulnerabilities-threats/grip-security-releases-2025-saas-security-risks-report
[2] https://vmblog.com/archive/2024/10/23/grip-security-releases-2025-saas-security-risks-report-reveals-90-of-saas-applications-and-91-of-ai-tools-are-unmanaged.aspx
[3] https://securityboulevard.com/2024/10/majority-of-saas-applications-ai-tools-unmanaged/
[4] https://cioinfluence.com/security/grip-security-releases-2025-saas-security-risks-report-reveals-90-percent-of-saas-applications-and-91-percent-of-ai-tools-are-unmanaged/
[5] https://betanews.com/2024/10/23/majority-of-saas-applications-and-ai-tools-are-unmanaged/
[6] https://www.grip.security/press-release/grip-publishes-2025-saas-security-risks-report
[7] https://www.globenewswire.com/news-release/2024/10/23/2967715/0/en/Grip-Security-Releases-2025-SaaS-Security-Risks-Report-Reveals-90-of-SaaS-Applications-and-91-of-AI-Tools-are-Unmanaged.html
[8] https://www.tradingview.com/news/reuters.com,2024-10-23:newsml_GNX3Tf091:0-grip-security-releases-2025-saas-security-risks-report-reveals-90-of-saas-applications-and-91-of-ai-tools-are-unmanaged/