The Urgency of Now: AI & Evolving Threats to SaaS
Date: 2025-11-07

Recent high-profile software-as-a-service (SaaS) data breaches have caught many Chief Information Security Officers (CISOs) and Information Security (InfoSec) professionals by surprise, exposing a false sense of security.

While organizations know that SaaS providers invest significant resources in security, they often overlook their own responsibility for protecting data on those platforms. This is reflected in the “confidence paradox” from the 2025 CSA State of SaaS Security Report: 79% of organizations are confident in their SaaS security programs, yet have significant capability gaps. Furthermore, the CSA SaaS Security Capability Framework (SSCF) highlights that misalignment between vendors, application owners, InfoSec, and risk teams leads to delays, wasted resources, and unnecessary risk exposure.

This gap is widened by the different experience and terminology of InfoSec and SaaS teams, contributing to the “InfoSec↔SaaS Divide.” Bridging this divide is essential for securing SaaS data and unlocking the future benefits of agentic AI. The authors have combined their general InfoSec and specific SaaS knowledge and experience to help organizations secure these environments.

InfoSec↔SaaS Divide

InfoSec teams are responsible for establishing standards and maintaining visibility across all IT systems, but don't delve into the intricacies of every SaaS platform. They rely on security alerts and audit reports to detect problems, expecting SaaS administrators to implement enterprise IT governance within each environment. However, SaaS administrators often lack the security expertise to understand how these rules apply in the systems they manage. This lack of shared understanding can result in serious SaaS security gaps, including:

Failure to follow identity and access management best practices.

Insecure integrations (e.g., lack of IP restrictions, mTLS, least privilege).

Inadequate classification or protection of sensitive data.

Improper management of privileged accounts.

Presence of sensitive data in development and test environments.

Insufficient monitoring of event logs for anomalies.

Even when teams believe they have closed these gaps, the fixes may be unverified or incomplete, meaning they have only scratched the surface of SaaS security. Limitations in InfoSec tools and experience can hide widespread standing access to sensitive data within SaaS environments. When the Principle of Least Privilege (PoLP) isn't followed, attackers can exfiltrate sensitive information, external portals can expose internal data, and AI agents can produce unintended outcomes.

This article outlines three strategies to bridge the InfoSec↔SaaS divide and strengthen SaaS security. Success requires assigning responsibility and accountability, and determining who to consult and inform.

Strategy 1: Configure your SaaS Securely

An effective way to bridge the divide is for InfoSec and SaaS teams to collaborate on establishing a secure baseline configuration.

PoLP dictates limiting access and permissions to only what is essential for a task. Maintaining this in SaaS environments requires understanding evolving threats and the intricacies of role-based permissions and security configurations. InfoSec knows of threats that SaaS administrators may not, so they must work together to avoid misunderstandings.

To demonstrate how this divide can lead to misconfigurations in SaaS environments, consider connected apps. InfoSec teams may not be familiar with securing connected apps and SaaS API integrations. SaaS administrators may not be trained to secure connected apps against emerging threats or consider the risks of giving integration accounts broad permissions, such as the ability to access and modify all data.

Securing these apps involves a complex interplay between third-party software vendors, custom internal applications, and the SaaS platform itself. The resolution is for InfoSec and SaaS teams to combine their knowledge to review app configurations, remove apps that are not risk-appropriate for the business, change self-authorization defaults, manage access and permission settings, and monitor OAuth settings - just as Enterprise Application Architects do when enabling connectivity with third-party services. This is an ongoing activity; like renewing certificates, connected apps should be regularly reviewed for relevance, usage, commerciality, and security.

Manually maintaining a secure baseline configuration as a SaaS environment evolves is time-consuming and error-prone, particularly at scale. Automation and agentic AI can help fix problems more comprehensively and consistently, reducing risks from insecure configurations and excessive permissions.
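As an added example of the kind of automated baseline check the strategy above describes (this is illustrative code written for this article, not a tool from CSA, the authors, or any SaaS vendor), the script below audits a connected-app inventory against an agreed baseline: broad scopes, self-authorization, missing IP restrictions, missing mTLS on server-to-server integrations, stale apps, and apps with no accountable owner. The inventory format, the field names, the policy values and the reference date are all constructed assumptions; real platforms expose this information through their own admin APIs, so the loader would need adapting.

```python
"""Connected-app baseline audit (added example; constructed inventory format)."""
from datetime import date

# Baseline policy agreed between the InfoSec and SaaS teams (constructed values).
BASELINE = {
    "broad_scopes": {"full", "api:all", "data:write_all"},  # treat as all-data access
    "max_idle_days": 90,
    "require_ip_restrictions": True,
    "require_mtls_for_server_integrations": True,
}

# Constructed inventory export used for the demonstration; field names are assumed.
SAMPLE_APPS = [
    {
        "name": "crm-sync",
        "owner": "platform-team",
        "kind": "server",            # server-to-server integration account
        "scopes": ["full"],
        "self_authorize": True,
        "ip_restrictions": [],
        "mtls_required": False,
        "last_used": "2025-10-30",
    },
    {
        "name": "bi-reader",
        "owner": "analytics",
        "kind": "server",
        "scopes": ["reports:read"],
        "self_authorize": False,
        "ip_restrictions": ["203.0.113.0/24"],
        "mtls_required": True,
        "last_used": "2025-11-01",
    },
    {
        "name": "legacy-exporter",
        "owner": "",
        "kind": "user",              # user-delegated OAuth app
        "scopes": ["contacts:read", "data:write_all"],
        "self_authorize": True,
        "ip_restrictions": ["198.51.100.10/32"],
        "mtls_required": False,
        "last_used": "2025-01-15",
    },
]

# Fixed reference date so the example is reproducible (constructed).
REFERENCE_DATE = date(2025, 11, 7)


def audit_app(app, policy=BASELINE, today=REFERENCE_DATE):
    """Return a list of (severity, rule, detail) findings for one connected app."""
    findings = []
    broad = set(app["scopes"]) & policy["broad_scopes"]
    if broad:
        findings.append(("high", "least-privilege", f"broad scopes {sorted(broad)}"))
    # Self-authorization is acceptable only for narrowly scoped, user-delegated apps.
    if app["self_authorize"] and (broad or app["kind"] == "server"):
        findings.append(("high", "self-authorization",
                         "users can grant this app without admin approval"))
    if policy["require_ip_restrictions"] and not app["ip_restrictions"]:
        findings.append(("medium", "ip-restrictions", "no source IP allowlist"))
    if (policy["require_mtls_for_server_integrations"]
            and app["kind"] == "server" and not app["mtls_required"]):
        findings.append(("medium", "mtls", "server integration without mTLS"))
    idle = (today - date.fromisoformat(app["last_used"])).days
    if idle > policy["max_idle_days"]:
        findings.append(("low", "stale", f"unused for {idle} days; review for removal"))
    if not app["owner"]:
        findings.append(("low", "ownership", "no accountable owner recorded"))
    return findings


def audit_inventory(apps, policy=BASELINE, today=REFERENCE_DATE):
    """Audit every app; return {app name: findings} for apps that have findings."""
    report = {}
    for app in apps:
        findings = audit_app(app, policy, today)
        if findings:
            report[app["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_APPS).items():
        print(name)
        for severity, rule, detail in findings:
            print(f"  [{severity}] {rule}: {detail}")
```

Run on the constructed inventory, `bi-reader` is clean, `crm-sync` fails four checks (broad scope, self-authorization, no IP allowlist, no mTLS) and `legacy-exporter` is flagged for broad scope, self-authorization, staleness and missing ownership. Scheduling this kind of check, rather than running it once, is what turns the baseline into the ongoing review the article calls for.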

Strategy 2: Perform a Security Self-Assessment

Security threats continually evolve, so securing SaaS is not a “set it and forget it” task. With a secure baseline established, the next step is for the InfoSec and SaaS teams to perform an in-depth security self-assessment. This process uncovers additional risks to mitigate and fills knowledge gaps for both teams, serving as a prime opportunity to clearly define security responsibilities and exchange knowledge. The following table highlights some of the common differences between InfoSec and SaaS perspectives when assessing SaaS security risks.