Identity, Cloud Security

A New Identity: Why SaaS may be the identity risk no one’s talking about


You’re only as strong as your weakest link—or your weakest identity.

That proverb carries fresh urgency in today’s enterprise IT landscape, especially when evaluating the cyber risk introduced by third-party vendors, particularly those offering software-as-a-service (SaaS).

When “trusted” turns risky

The core security dilemma is clear: the more relationships you label as “trusted,” the larger your attack surface grows. Imagine if every SaaS connection had a “bouncer” at the door, checking identities in real time—many risks would vanish. But business pressure to move fast, ship features, and support remote work often pushes companies to sidestep rigorous access protocols.

That tension took center stage in April when JPMorgan Chase CISO Patrick Opet issued a blunt open letter warning that SaaS models are quietly enabling attackers and expanding organizational exposure. The letter, published just ahead of RSAC 2025, accused vendors of placing “rapid feature development” ahead of durable security.

Boundaries? What boundaries?

Opet’s central warning: SaaS is eroding the line between trusted internal users and external service providers. Identity protocols like OAuth now allow “direct, often unchecked interactions” between third parties and sensitive data stores.

And attackers are exploiting it.

In March, American Express disclosed a breach stemming from an unnamed merchant processor. In July, HealthEquity announced a compromise involving a third-party-managed repository that exposed data belonging to 4.5 million Americans.

The concern is whether the “bouncer” is actually checking IDs at the door, and attackers are exploiting the gap wherever it is not.

The same story repeats: trusted SaaS relationships creating invisible backdoors.

“These identities often have extensive, persistent access to sensitive data, and unlike user accounts, they typically lack MFA, expiration dates, or behavioral monitoring,” wrote Amir Khayat, co-founder and CEO of SaaS security provider Vorlon, in a recent SC Media Perspectives column.

The rise of the non-human identity

A growing piece of the problem is an uptick in non-human identities (NHIs). OAuth tokens, API keys, and automation agents now regularly connect enterprise environments through third parties. Many of them are long-lived, over-permissioned, and invisible to traditional security controls.

Khayat said that two in five SaaS platforms fail to distinguish between human users and NHIs. His analysis aligns with a 2021 study by Delinea (then Authomize), which showed that SaaS sprawl often leads to “identity sprawl,” where an enterprise might end up managing up to six times more identities than it has employees.

This sprawl can creep up on network managers over time, as unique identities are granted to outside contractors, service-provider employees, and non-human identities such as bots and devices.

“Non-human identities are the easiest to abuse—and the hardest to inventory. You can’t secure what you haven’t mapped, and most orgs are flying blind when it comes to tokens, API keys, and automation agents,” said Aaron Turner, faculty at IANS Research, during his RSAC 2025 session, “Identity: The Last Bastion Security Control in a SaaS World.”

As SaaS use continues to rise, these risks compound.

SaaS growth shows no signs of slowing

According to Precedence Research, the global SaaS market is expected to grow from $358 billion in 2024 to $408 billion by the end of this year—and could surpass $1.25 trillion by 2034.

So, rolling back SaaS adoption isn’t a viable option. Its flexibility, speed, and cost-efficiency are essential to most enterprises. The only path forward is tighter coordination between CISOs, IAM vendors, SaaS providers, and emerging standards bodies.

What now? Three questions every CISO should ask

Opet advocates for a shift in control: adopting confidential computing, customer self-hosting, and “bring your own cloud” to move security boundaries back inside the enterprise. Meanwhile, early frameworks like Interoperability Profiling for Secure Identity in the Enterprise (IPSIE), backed by the OpenID Foundation, show potential—but still need enterprise-scale adoption to succeed.

Think of IPSIE as trying to ensure every ID badge works across every locked door in a corporate campus, no matter who made the lock or the badge. IPSIE is an effort to create a universal playbook for how identity systems across multiple vendors and cloud services can securely interoperate. IPSIE is trying to do for identity what the payment card industry did for payment security by defining clear, enforceable rules across vendors so enterprises stop relying on vague “trust me” integrations. IPSIE is about turning identity into a shared, hardened foundation, especially as SaaS sprawl makes traditional perimeters meaningless.

If your organization is embracing SaaS, you need to ask yourself:

  • Do I know how many non-human identities are active in our environment today?
  • Can my vendors reliably distinguish between machine and human access?
  • What’s our containment plan if a third-party token is compromised and misused for weeks?
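The three questions above can be turned into checks that run over an identity export. The Python below is an added example, not code from the article or from any vendor it names; it assumes a constructed inventory format carrying the attributes the article calls out (expiration, scopes, last use, MFA) and flags non-human identities that are unexpiring, long-lived, over-permissioned or stale, then lists the systems one compromised token could reach for a containment plan.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real data): what a SaaS/IAM export might list.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "u-alice", "kind": "human", "mfa": True, "scopes": ["crm:read"],
     "created": "2024-01-10", "expires": "2025-07-01", "last_used": "2025-05-30"},
    {"id": "tok-billing-sync", "kind": "oauth_token", "mfa": False,
     "scopes": ["erp:read", "erp:write", "files:admin"],
     "created": "2023-02-01", "expires": None, "last_used": "2025-05-31"},
    {"id": "key-ci-runner", "kind": "api_key", "mfa": False, "scopes": ["repo:read"],
     "created": "2025-05-20", "expires": "2025-08-20", "last_used": "2025-05-28"},
    {"id": "bot-marketing", "kind": "automation", "mfa": False,
     "scopes": ["mail:send", "crm:write"],
     "created": "2022-11-05", "expires": None, "last_used": "2025-01-15"},
]

# Scope verbs treated as broad; "system:verb" is the assumed scope format.
BROAD_VERBS = ("write", "admin")


def _day(s):
    """Parse a YYYY-MM-DD string into an aware datetime (None stays None)."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc) if s else None


def audit_nhis(inventory, now=NOW, max_age_days=90, stale_days=30):
    """Return {identity_id: [findings]} for every non-human identity."""
    findings = {}
    for ident in inventory:
        if ident["kind"] == "human":
            continue  # question 2: NHIs are audited separately from people
        flags = []
        if ident["expires"] is None:
            flags.append("no_expiration")
        if now - _day(ident["created"]) > timedelta(days=max_age_days):
            flags.append("long_lived")
        if any(s.split(":")[1] in BROAD_VERBS for s in ident["scopes"]):
            flags.append("over_permissioned")
        if now - _day(ident["last_used"]) > timedelta(days=stale_days):
            flags.append("stale")
        findings[ident["id"]] = flags
    return findings


def blast_radius(inventory, token_id):
    """Systems a compromised NHI could reach (question 3: what to contain)."""
    ident = next(i for i in inventory if i["id"] == token_id)
    return sorted({s.split(":")[0] for s in ident["scopes"]})
```

A stale, unexpiring, broadly scoped automation identity such as the constructed `bot-marketing` is exactly the kind of invisible backdoor the article describes, and it surfaces with every flag set.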

Identity remains the most dynamic and vulnerable control point in modern security. The more we offload workloads (customer relationship management, enterprise resource planning, marketing automation, compliance and more) to SaaS, the more we must reckon with the risks.

The question isn’t whether to trust SaaS providers. It’s how to verify that trust—and whether your identity infrastructure is strong enough to support it.

Karen “Pepper” Hoffman

Karen “Pepper” Hoffman has been writing and analyzing IT security, financial technology and general business and technology issues for more than three decades. She lives in Olympia, Wash.
