Evaluating the Limitations of Your IdP or CASB: Five Critical Risks Associated with Shadow IT
Organizations often overlook the risks of shadow IT, yet shadow IT does not need a malicious insider to cause a data breach. Forgotten free trials, AI-powered tools syncing data with Google Drive, or personal email accounts used to sign up for business applications all qualify. The problem extends beyond unsanctioned applications to dormant accounts, unmanaged identities, over-permissioned SaaS tools, and orphaned access, none of which traditional security controls reliably see.
Common security controls such as CASBs and IdPs do not close this gap on their own.
A CASB sees what passes through its proxy or API connectors, and an IdP sees only the logins it brokers. An application a user signs up for with a plain username and password, or an OAuth grant approved from an already-authenticated browser session, passes through neither. These tools were not designed for the realities of modern SaaS, such as OAuth sprawl, shadow admin accounts, or the permissions requested by generative AI integrations. As a result, shadow IT has shifted from a visibility concern to a significant attack surface.
Here, we present five illustrative examples of shadow IT that may be compromising your data without detection.
1. Dormant Access Prone to Exploitation
- Risk: Employees often register for tools with only a username and password, bypassing single sign-on (SSO) and centralized oversight. When usage stops, the account stays active and unmonitored.
- Impact: Inactive accounts become quiet entry points into the organization's data. Because they sit outside the IdP, there is no way to enforce multi-factor authentication (MFA), monitor usage, or revoke them during offboarding.
- Example: In February 2024, a joint advisory from the UK NCSC, CISA and partner agencies described how the Russian SVR (APT29) gained initial access to cloud tenants by password-spraying dormant accounts, including those of departed employees, and by targeting service accounts that could not be protected with MFA. Such accounts go unnoticed precisely because nobody is watching them.
2. Generative AI Accessing Sensitive Information
- Risk: SaaS applications built on generative AI typically request expansive OAuth scopes, such as read access to all email, files, calendars and chat history, when a narrower scope would serve the feature.
- Impact: Such applications end up with far more access than they need and may send sensitive data to third parties with vague retention and model-training policies. Once a scope is granted, you can no longer see how your data is stored, who at the vendor can reach it, or what a vendor breach exposes.
- Example: In January 2025, DeepSeek left an internal ClickHouse database reachable from the internet without authentication, exposing chat histories, API keys and other backend details. The lesson for SaaS teams is that once a third-party AI tool holds your data, the vendor's misconfiguration becomes your exposure, and the OAuth grant that moved the data there cannot be undone.
3. Ex-Employees Retaining Admin Access
- Risk: Former employees and contractors are frequently the sole administrators of SaaS tools they introduced, and their access is often never revoked because the tool was never in IT's inventory.
- Impact: Such accounts retain privileged access to company tools and data indefinitely, a prolonged insider threat that also leaves nobody inside the company able to administer or shut down the application.
- Example: An independent contractor integrated a time-tracking application with the company’s HR system and continued to retain admin access to sensitive employee logs long after the contract ended.
4. Business-Critical Apps Linked to Personal Accounts
- Risk: Employees may use personal identities such as a Gmail account or Apple ID to register for professional applications like Figma or Google Drive.
- Impact: These accounts exist outside IT's visibility and control. If the personal identity is compromised, or the employee leaves, the organization cannot revoke access or enforce its security policies on it.
- Example: In Okta's 2023 customer support system breach, the attacker used a service account whose username and password an employee had saved in a personal Google profile signed into Chrome on a company-managed laptop. The service account had no MFA and was not tied to any individual, so its use drew no attention. Even a mature identity program had a gap where a personal account met a non-human identity.
5. Shadow SaaS Creating Uncontrolled Connectivity
- Risk: Employees may connect unauthorized SaaS applications directly to core platforms such as Google Workspace or Salesforce through OAuth, with no review by IT.
- Impact: These unchecked integrations become standing channels into critical systems. If the third party is compromised, the attacker inherits its access, can move laterally into additional applications, exfiltrate data, or maintain persistence, all without triggering the alerts that would fire on an interactive login.
- Example: Consider an illustrative scenario: a product manager connects a project management tool to Jira and Google Drive with broad scopes, and the connection is forgotten when the project ends. If that vendor is later breached, the attackers can use the lingering grant to pull files from Drive and read Jira tickets without ever authenticating as an employee. The 2024 Midnight Blizzard intrusion at Microsoft shows the same pattern in the real world: the attackers password-sprayed a legacy, non-production test tenant account that lacked MFA, then abused a legacy test OAuth application that still had elevated access to the corporate environment, created further OAuth applications, and granted themselves access to corporate mailboxes.
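The five risks above are all detectable from data a SaaS admin console or an OAuth grant API already exports. The following Python script is an added example, not code from the original article or from any vendor: it runs the five checks over a constructed inventory. The record shape (one row per app and account, plus a list of OAuth grants) is an assumption for the example; the Google OAuth scope strings are the real ones, with the narrower scope that usually suffices listed beside each broad one.

```python
"""Shadow-IT triage over a constructed SaaS identity and OAuth-grant inventory."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data and an assumed, normalised record shape; this is not
# any vendor's export format.
TODAY = date(2025, 6, 1)
STALE_AFTER = timedelta(days=90)
CORP_DOMAIN = "example.com"

# Real Google OAuth scopes. Key: a scope reaching all of a user's data.
# Value: the narrower scope an app usually needs (only the files/events it
# creates, or only sending mail).
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive": "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/calendar": "https://www.googleapis.com/auth/calendar.events",
    "https://mail.google.com/": "https://www.googleapis.com/auth/gmail.send",
}

ACCOUNTS = [  # one row per (app, account), as a SaaS admin console would export it
    {"app": "Trello", "email": "alice@example.com", "sso": False, "mfa": False,
     "role": "member", "employment": "active", "last_login": date(2024, 11, 3)},
    {"app": "TimeTrackr", "email": "bob.contractor@example.com", "sso": False, "mfa": True,
     "role": "admin", "employment": "terminated", "last_login": date(2025, 5, 20)},
    {"app": "Figma", "email": "carol.designer@gmail.com", "sso": False, "mfa": True,
     "role": "member", "employment": "active", "last_login": date(2025, 5, 30)},
    {"app": "Figma", "email": "dave@example.com", "sso": True, "mfa": True,
     "role": "admin", "employment": "active", "last_login": date(2025, 5, 31)},
]

GRANTS = [  # OAuth grants: which third-party app holds which scopes on the Workspace tenant
    {"app": "SummarizeAI", "granted_by": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"],
     "last_used": date(2025, 5, 29)},
    {"app": "PlanBoard", "granted_by": "erin@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive.file"],
     "last_used": date(2024, 9, 1)},
]


def is_stale(last: date) -> bool:
    """True when the last activity is older than the dormancy threshold."""
    return TODAY - last > STALE_AFTER


def dormant_local_accounts(accounts):
    """Risk 1: password-only accounts outside SSO that nobody has used recently."""
    return [a for a in accounts if not a["sso"] and is_stale(a["last_login"])]


def overbroad_grants(grants):
    """Risk 2: grants carrying an all-data scope, paired with the narrower alternative."""
    findings = []
    for g in grants:
        for scope in g["scopes"]:
            if scope in BROAD_SCOPES:
                findings.append((g["app"], scope, BROAD_SCOPES[scope]))
    return findings


def orphaned_admin_apps(accounts):
    """Risk 3: apps whose every admin has left, so nobody active can revoke anything."""
    admin_status = defaultdict(list)
    for a in accounts:
        if a["role"] == "admin":
            admin_status[a["app"]].append(a["employment"])
    return sorted(app for app, st in admin_status.items() if all(s == "terminated" for s in st))


def personal_identity_accounts(accounts):
    """Risk 4: business apps registered with identities IT cannot disable."""
    return [a["email"] for a in accounts
            if a["email"].rsplit("@", 1)[1].lower() != CORP_DOMAIN]


def stale_integrations(grants):
    """Risk 5: app-to-app connections still authorised but unused past the threshold."""
    return [g["app"] for g in grants if is_stale(g["last_used"])]


def triage(accounts=ACCOUNTS, grants=GRANTS):
    """Run all five checks and return the findings keyed by risk."""
    return {
        "dormant": [(a["app"], a["email"]) for a in dormant_local_accounts(accounts)],
        "overbroad": overbroad_grants(grants),
        "orphaned_admin_apps": orphaned_admin_apps(accounts),
        "personal_accounts": personal_identity_accounts(accounts),
        "stale_integrations": stale_integrations(grants),
    }


if __name__ == "__main__":
    for risk, hits in triage().items():
        print(f"{risk}: {hits}")
```

On the constructed data this flags alice's password-only Trello login as dormant, SummarizeAI's full Drive and Gmail scopes as over-broad, TimeTrackr as an app whose only admin has left, the Gmail-registered Figma seat as a personal identity, and PlanBoard as an integration unused for more than 90 days. In practice the input would come from each application's user export and the Workspace or Entra OAuth grant reports, and the threshold and domain list would be tuned to the organization.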
Addressing Shadow IT Risks
Shadow IT is not just a governance issue but a security risk with a measurable attack surface. The longer dormant accounts, orphaned admins and forgotten integrations persist undetected, the more time an attacker has to find and use them against the organization's SaaS environment.
Tools such as Wing Security provide automated discovery of SaaS applications, users, and integrations, allowing for mapping of both human and non-human identities, along with associated permissions and MFA status. By converting the unknown into known entities, Wing delivers comprehensive SaaS security through a unified platform, addressing misconfigurations, identity threats, and overall SaaS vulnerability. This approach prioritizes critical security events and enables proactive, continuous defense measures.