Securing Identities in the Age of SaaS Sprawl and AI Threats

By Thomas Lejars
In the age of increased SaaS solutions and AI adoption, the risk of identity compromise is growing

As organisations increasingly adopt Software-as-a-Service (SaaS) solutions, the number of applications they manage can multiply rapidly, often exponentially. 

In fact, the average modern enterprise utilises over 1,000 SaaS applications (CDP Institute), with each employee holding 35 identities on average across these platforms. This phenomenon is now well-documented and regularly referred to as “access sprawl”.

Hackers have quickly taken advantage of this sprawl and the lack of strong Access Control on this new perimeter. Recent studies show that more than half of attacks in 2024 were identity-based, with valid credentials used for initial access.

As a result, IT and security teams now face greater pressure and a growing attack surface. This challenge has only intensified with the rise of AI tools in the workforce, forcing teams to seek solutions that enhance their capabilities without overloading limited resources.

In this context, traditional access control methods fall short. They’re hard to scale and weren’t built for today’s threats. Light IGA, or Modern IGA, is stepping in to close these gaps.

Thomas Lejars, CEO of Zygon

The threat of lateral movement combined with an extended attack surface

“Hackers don’t hack anymore, they log in,” says Thomas Lejars, CEO of Zygon. “The risk doesn't really lie within the 30 to 50 well-secured apps behind the company's SSO. Our clients report breaches and infiltration attempts through less-secured dependencies.

“Recent public cases, such as Oktapus, highlight the effectiveness of hackers employing lateral movement techniques.”

Employees testing new tools are not the only factor increasing the attack surface for companies. Service accounts, API keys and even the roles used to access cloud resources are further access paths requiring proper control. These are referred to as machine or Non-Human Identities (NHIs), and they carry the same risk of compromise as “real” identities.

Technical challenges and legacy IAM are hindering the implementation of robust identity governance

Mapping all identities and uncovering shadow IT is merely a starting point if it doesn't lead to concrete actions. However, numerous challenges hinder effective identity governance.

While authentication standards for SSO, such as OpenID Connect and SAML, are generally mature, they are not universally adopted by software vendors. Furthermore, although a provisioning standard such as SCIM exists, its implementation is often incomplete. Most applications lack these features altogether, and those that do offer provisioning APIs rarely support deprovisioning.

Additionally, vendors frequently charge for SSO/SCIM options, which can deter organisations from enabling these functionalities for more than the approximately 30 applications considered critical in most medium-sized organisations.

For example, a company with 200 employees might incur a US$22,700 cost just to enable SSO via SAML and automatic user provisioning for the Slack application.

From another perspective, the time IT and security practitioners dedicate to managing the identity lifecycle is substantial. Legacy Identity and Access Management (IAM) systems, which rely on ticketing and manual actions, are proving inadequate.

Consider an organisation with 1,000 employees and an average of 30 applications per employee, a turnover and hire rate of 15%, and internal mobility of 10%.

This results in more than 10,000 tasks related to identity provisioning, reassignment or deprovisioning over the year.

Even if each Access Control action only takes a few minutes, this equates to the workload of two full-time employees dedicated solely to this non-technical yet critical and tedious task.

Fascinated by rocket science? Dive into our advanced calculation below.

[Image (Zygon): calculation of the annual identity-lifecycle workload]
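The workload estimate above, written out as an added example (not Zygon's own calculation): it follows the article's figures of 1,000 employees, 30 applications each, 15% turnover, 15% hiring and 10% internal mobility, treating leavers and hires as separate populations. The minutes per task and the working hours in a full-time year are assumptions exposed as parameters, since the resulting head-count depends directly on them.

```python
"""Annual identity-lifecycle workload model (added example, not from the article)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LifecycleWorkload:
    provisioning: int      # accounts to create for new hires
    deprovisioning: int    # accounts to close for leavers
    reassignment: int      # accounts to re-scope for internal moves

    @property
    def total(self) -> int:
        return self.provisioning + self.deprovisioning + self.reassignment


def lifecycle_tasks(employees: int, apps_per_employee: int,
                    turnover_rate: float, hire_rate: float,
                    mobility_rate: float) -> LifecycleWorkload:
    """Count the per-account actions generated in one year.

    Every leaver needs each of their accounts closed, every hire needs each
    account created, and every internal move needs each account re-scoped.
    Rates are fractions of head-count (0.15 means 15%).
    """
    leavers = round(employees * turnover_rate)
    hires = round(employees * hire_rate)
    movers = round(employees * mobility_rate)
    return LifecycleWorkload(
        provisioning=hires * apps_per_employee,
        deprovisioning=leavers * apps_per_employee,
        reassignment=movers * apps_per_employee,
    )


def fte_needed(workload: LifecycleWorkload, minutes_per_task: float,
               hours_per_fte: float = 1600.0) -> float:
    """Full-time equivalents absorbed by the workload.

    minutes_per_task and hours_per_fte are assumptions; the article only says
    each action takes 'a few minutes'.
    """
    hours = workload.total * minutes_per_task / 60
    return hours / hours_per_fte


if __name__ == "__main__":
    w = lifecycle_tasks(employees=1000, apps_per_employee=30,
                        turnover_rate=0.15, hire_rate=0.15, mobility_rate=0.10)
    print(f"provision={w.provisioning} deprovision={w.deprovisioning} "
          f"reassign={w.reassignment} total={w.total}")
    for minutes in (5, 10, 15):
        print(f"{minutes} min/task -> {fte_needed(w, minutes):.2f} FTE")
```

With the article's inputs the model yields 12,000 account-level actions a year, which is the "more than 10,000 tasks" quoted above; the head-count figure moves linearly with the minutes assumed per action.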

How can organisations effectively manage the identity lifecycle without overwhelming the helpdesk?

It would be a dream for all IT teams to automate the identity lifecycle and demonstrate compliance with safety standards in minutes. For all the reasons listed above, it's clear there's no magic solution (yet) to replace the two full-time employees with an AI agent or the most advanced IAM platform.

This is where light identity governance comes into play, advocating a mindset shift: “start now - done is better than perfect”.

Aiming to secure every access is a never-ending race. To keep pace, a light approach, in parallel with Identity Providers (IdPs) and SSO solutions, works effectively. This newly emerging Gartner category promises implementation times in days, compared to legacy IAM projects that take years to initiate.

The promise of light Identity Governance and Administration (IGA) is to provide the most accurate overview of accesses, including shadow IT, non-human identities (NHIs) and agentic AI, all through a single pane of glass.

From there, it aims to give IT teams the means to automate and delegate the majority of their common tasks related to the identity lifecycle.

A few examples among many other use cases include:

  • Continuously listing all accounts created by employees, officially or otherwise
  • Launching automatic deprovisioning on all compatible applications
  • Delegating in bulk the manual closure of an employee’s accounts to application managers
  • Having managers and/or application owners regularly review and reconfirm user roles and permissions
  • Monitoring the use of application accounts to identify and remove unnecessary access
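The lifecycle tasks listed above, worked through as an added example that is not Zygon's product code: a leaver's accounts are split into those an application can deactivate automatically through SCIM and those that must be delegated to the application owner as a manual closure task, accounts are reconciled against the HR roster to surface orphaned ones, and idle accounts are flagged for review. The deactivation payload is the standard SCIM 2.0 PatchOp from RFC 7644; the application names, owners, SCIM ids and login dates are constructed for the example.

```python
"""Leaver processing, orphan detection and dormant-account review (added example)."""
from datetime import date, timedelta

# Constructed sample inventory, standing in for what a discovery step collects.
# Which applications expose SCIM decides whether closure can be automated.
APPS = {
    "crm":     {"scim": True,  "owner": "sales-ops@example.com"},
    "wiki":    {"scim": False, "owner": "it-helpdesk@example.com"},
    "ci-tool": {"scim": False, "owner": "platform@example.com"},
}

ACCOUNTS = [
    {"app": "crm",     "user": "alice@example.com", "scim_id": "2819c223", "last_login": "2024-05-20"},
    {"app": "wiki",    "user": "alice@example.com", "scim_id": None,       "last_login": "2024-01-03"},
    {"app": "ci-tool", "user": "alice@example.com", "scim_id": None,       "last_login": "2024-05-21"},
    {"app": "crm",     "user": "bob@example.com",   "scim_id": "4f1a9c77", "last_login": "2023-11-02"},
    {"app": "wiki",    "user": "bob@example.com",   "scim_id": None,       "last_login": "2024-05-19"},
]


def scim_deactivate_patch() -> dict:
    """SCIM 2.0 PatchOp (RFC 7644) setting active=false, the usual SCIM deprovisioning step."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def offboarding_plan(user: str, apps=APPS, accounts=ACCOUNTS) -> dict:
    """Split a leaver's accounts into automatic SCIM closures and delegated manual tasks."""
    automatic, delegated = [], []
    for acct in accounts:
        if acct["user"] != user:
            continue
        app = apps[acct["app"]]
        if app["scim"] and acct["scim_id"]:
            # Ready-to-send request against the application's SCIM endpoint.
            automatic.append({
                "app": acct["app"],
                "method": "PATCH",
                "path": f"/Users/{acct['scim_id']}",
                "body": scim_deactivate_patch(),
            })
        else:
            # No API: the application owner gets a closure task to confirm.
            delegated.append({
                "app": acct["app"],
                "assignee": app["owner"],
                "task": f"close account {user}",
            })
    return {"automatic": automatic, "delegated": delegated}


def orphaned_accounts(active_roster: set, accounts=ACCOUNTS) -> list:
    """Accounts whose holder is no longer in the HR roster (missed or incomplete offboarding)."""
    return [a for a in accounts if a["user"] not in active_roster]


def dormant_accounts(as_of: date, max_idle_days: int = 90, accounts=ACCOUNTS) -> list:
    """Accounts not used within max_idle_days, candidates for removal in an access review."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [a for a in accounts if date.fromisoformat(a["last_login"]) < cutoff]


if __name__ == "__main__":
    plan = offboarding_plan("alice@example.com")
    print("automatic:", [t["path"] for t in plan["automatic"]])
    print("delegated:", [(t["app"], t["assignee"]) for t in plan["delegated"]])
    print("orphaned:", [(a["app"], a["user"]) for a in orphaned_accounts({"alice@example.com"})])
    print("dormant:", [(a["app"], a["user"]) for a in dormant_accounts(date(2024, 5, 22))])
```

In this sample only the CRM account is closed by API; the wiki and CI accounts become tickets for their owners, which is the "delegate in bulk" step above. The orphan check is what turns a continuous account listing into an action: once Bob is gone from the roster, both of his remaining accounts show up.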

Thanks to Light IGA, IT and Security practitioners can progressively reduce the pressure on the helpdesk while also saving valuable time on regulatory-related actions.

Meeting (and anticipating) all regulatory expectations with continuous Access Control

Continuously managing access for both human and non-human identities not only alleviates pressure on the helpdesk but also reduces compliance-related stress. 

Additionally, common tasks such as access reviews and audit reporting take, on average, 80% less time due to the centralisation of identity management. This approach also covers a wider range of applications than most compliance frameworks would expect.

Regardless of your context - whether on-premises, full cloud, or hybrid hosting environment, your current identity providers, or your regulatory environment - the market is increasingly turning to lightweight Identity Governance and Administration (IGA) as the approach to secure identities in the age of SaaS sprawl and AI threats.




Cyber Magazine is a BizClik brand