1. Executive Overview

Enterprise security architecture was built on the premise that threats come from outside, so controlling entry into the network would be enough to secure systems and information. That threat model is now being systematically undermined.

IBM X-Force’s 2025 Threat Intelligence Index reported that 30% of all intrusions investigated during 2024 involved valid account abuse as the primary access mechanism. IBM also documented an 84% year-over-year increase in phishing campaigns delivering infostealer malware designed specifically to harvest browser-stored credentials, session cookies, and authentication tokens. Credential theft activity appeared in 28% of all IBM incident response engagements during the reporting period.1

IBM’s March 2026 cloud threat research further confirmed the rapid expansion of infostealer-driven credential theft and cloud-focused identity attacks. North America accounted for 29% of global incidents investigated by IBM X-Force, becoming the most targeted geographic region for the first time in six years.2

At the governance level, Accenture’s 2025 cybersecurity resilience research identified a widening readiness gap across enterprise cloud and AI security programs. Only one in ten organizations surveyed demonstrated sufficient preparedness against AI-augmented cyber threats, while 77% lacked mature AI and data security controls across modern cloud and SaaS environments.3

The breach this report examines does not trigger a perimeter alert because the activity often appears operationally legitimate. The attacker is already inside the trusted workflow.

2. The Collapse of the Traditional Security Perimeter

For over twenty years, enterprise cybersecurity architecture was based on the notion of a well-defined trust boundary. Firewalls, intrusion prevention systems, secure gateways, and virtual private networks were engineered to inspect traffic crossing the network perimeter and to block malicious attempts to penetrate it.

This paradigm has changed.

Employees access cloud-based software-as-a-service (SaaS) applications over remote connections that the enterprise does not monitor. Critical business information is stored in cloud applications that security staff do not control, and application-to-application exchanges take place over encrypted APIs that conventional tooling cannot inspect.

NIST directly addressed this architectural shift in its June 2025 Zero Trust guidance, emphasizing that modern digital ecosystems cannot be secured using perimeter-centric assumptions designed for centralized infrastructure environments. The agency described Zero Trust as a continuous verification operating model rather than a traditional network defense architecture.4

Although modern attacks increasingly unfold through SaaS sessions, federated identities, OAuth trust relationships, and privilege escalation in cloud-native environments, many organizations still concentrate on endpoint visibility and network-layer inspection.

3. Why SaaS Has Become the Modern Attack Surface

The enterprise SaaS ecosystem has evolved into one of the largest unmanaged trust surfaces in modern cybersecurity.

Large organizations now operate across extensive collections of cloud applications spanning collaboration, finance, HR, DevOps, CRM, analytics, AI productivity, customer support, and operational automation functions.

Research from BetterCloud found that the average enterprise environment operates more than 100 SaaS applications, while a substantial percentage of active cloud services remain outside centralized IT governance.5

Threat actors increasingly target these environments because SaaS ecosystems provide operational scale, persistent access opportunities, and low-friction lateral movement through trusted relationships rather than traditional exploitation.

IBM X-Force’s 2026 cloud threat research documented that many modern cloud intrusions stemmed not from advanced malware or zero-day exploitation, but from weaknesses in identity governance, hybrid-cloud integration, excessive privileges, and trust relationship abuse.

IBM specifically described incident response cases where attackers pivoted from on-premises infrastructure into cloud environments by exploiting Active Directory Connect relationships, enabling privilege escalation within Microsoft Entra ID and expanding access across interconnected SaaS ecosystems.6

IBM’s broader 2026 threat intelligence analysis also identified a 44% increase in attacks exploiting public-facing applications and highlighted identity-focused threat groups such as Scattered Spider, LAPSUS$, and ShinyHunters as major contributors to SaaS-centric compromise activity.1

Traditional firewalls were never designed to detect compromise activity unfolding through legitimate identity workflows inside approved SaaS infrastructure.

4. The Visibility Crisis Inside Enterprise SaaS Environments

One of the most persistent myths in enterprise cybersecurity is that network visibility is equivalent to security visibility.

Businesses invest heavily in telemetry for endpoints, network flows, and infrastructure, yet they lack visibility into what happens after authentication, inside the SaaS application itself.

A network security platform can tell you that a user authenticated to Microsoft 365 or Salesforce. It may not identify that the same account, compromised weeks earlier through credential theft, subsequently exported large volumes of sensitive data using legitimate platform functionality.

This is why SaaS-native compromise becomes hard to detect using perimeter-oriented controls.

Detection increasingly demands application-level telemetry, behavioral analysis, OAuth insights, and identity analysis within SaaS environments.

Most enterprises do not operate these capabilities at sufficient scale.

Accenture’s State of Cybersecurity Resilience 2025 survey stated that cloud adoption and the accelerated development of AI have created a situation in which cyber risk is expanding faster than security programs can respond. In particular, the visibility challenge across cloud infrastructure, AI ecosystems, data flows, and associated workflows keeps growing.7

A single breach in any SaaS application will rapidly spread across connected applications and identities.

Organizations often lack full visibility into their SaaS-to-SaaS integrations, OAuth grants, and machine identities.

5. Identity Abuse Has Replaced Malware as the Primary Intrusion Path

One of the most consequential shifts in the modern threat landscape is the transition from malware-centric compromise toward identity-centric compromise.

An attacker operating through stolen credentials, session tokens, OAuth permissions, or browser cookies frequently generates activity that appears indistinguishable from legitimate user behavior at the network and operating system level.

The 2025 report from IBM X-Force indicated that valid account abuse was responsible for 30% of intrusions examined by researchers during 2024, emphasizing how hackers are now choosing credential theft over malware use.1

Phishing campaigns delivering infostealers grew substantially through the year, and infostealer malware of various families was observed on 16 million infected devices in 2025.6

What follows credential acquisition is often operationally subtle.

Attacks tend to progress gradually, extending privilege and access step by step. Persistence is established through OAuth application registrations, token manipulation, mailbox forwarding rules, or API integrations, all of which can survive password resets.

The takeaway from the above is simple: identifying attacks in native SaaS environments will require behavioral analysis and not just malware detection.

6. How Threat Actors Move Laterally Across SaaS Ecosystems

Attackers who compromise a Microsoft 365 account also inherit access to any SaaS integrations linked to that identity.

With this access, attackers can move laterally among collaboration tools, cloud storage services, CRM software, and other applications without triggering classic network segmentation controls.

IBM X-Force identified incidents where hybrid identity weaknesses enabled attacks that bridged on-premises and cloud networks, bypassing segmentation barriers through trusted identities.6

NIST’s 2025 Zero Trust guidance specifically addressed this issue by emphasizing continuous verification, least-privilege enforcement, and identity segmentation rather than relying exclusively on traditional network segmentation.8

The implication for enterprise leadership is operationally significant.

Network segmentation does not meaningfully constrain attackers who are already authenticated inside trusted SaaS ecosystems and moving through approved identity relationships.

7. Why Firewalls Cannot Detect SaaS-Native Breaches

The limitations of firewalls in modern SaaS environments are architectural rather than technological.

Firewalls were designed to inspect traffic flows crossing defined network boundaries. Modern SaaS-native breaches increasingly exploit identity trust flows occurring inside encrypted cloud sessions and legitimate application workflows.

Those are fundamentally different threat surfaces.

From the firewall’s perspective, the traffic often appears completely legitimate.

An attacker authenticating into Microsoft 365 with stolen credentials still generates valid HTTPS traffic to approved Microsoft infrastructure.

The attacker may then export sensitive data, register persistence mechanisms, create mailbox forwarding rules, or abuse cloud automation workflows entirely within authenticated SaaS sessions.

The firewall observes encrypted traffic to trusted cloud endpoints and sees little operational reason to intervene.

IBM X-Force documented continued growth in identity-focused cloud intrusions during 2025, while enterprise breach investigations increasingly involve trusted SaaS workflows rather than conventional perimeter compromise activity.6

The challenge is not that firewalls have failed. The challenge is that many of today’s most consequential attack paths run outside the visibility scope those systems were originally built to monitor.

8. The Operational Risks Enterprise Leaders Are Underestimating

Board-level cybersecurity assessments still frequently prioritize infrastructure-centric metrics, including:

  • Endpoint coverage
  • Firewall deployment
  • Vulnerability remediation rates
  • Patch cycle compliance
  • Infrastructure uptime

Those metrics remain operationally important.

They are no longer sufficient indicators of resilience against modern SaaS-layer compromise.

Many of the fastest-growing enterprise risks now originate from:

  • Identity sprawl
  • Excessive OAuth permissions
  • SaaS privilege accumulation
  • Shadow SaaS expansion
  • Machine identity exposure
  • Token persistence
  • AI workflow access
  • Third-party SaaS integrations

Gartner’s 2025 Digital Identity research identified fragmented identity systems and non-human identity visibility as rapidly expanding governance concerns across modern enterprise environments.9

Research from BetterCloud additionally found that a substantial portion of active SaaS applications in enterprise environments remain outside formal IT approval processes, creating unmanaged permission surfaces that frequently escape centralized governance.5

Token persistence represents another increasingly important operational concern.

OAuth tokens, session cookies, API keys, and machine credentials may maintain active access even after passwords are reset, depending on revocation architecture and SaaS platform design.

IBM X-Force specifically documented attacker interest in harvesting live session cookies because those artifacts frequently bypass MFA enforcement entirely.6

Accenture’s study, which found that almost two-thirds of organizations still sit within its “Exposed Zone,” highlights the strategic challenge: many cybersecurity programs are designed to defend against infrastructure attacks, while the latest cyberattacks focus on compromising identity and cloud trust ecosystems.3

9. The Rise of AI-Driven SaaS Exposure

Enterprise adoption of AI solutions is rapidly increasing the complexity of SaaS environments.

AI-driven systems are spawning completely novel sets of machine identities, trust mechanisms, automation flows, and privileged access paths between SaaS components.

AI copilots, autonomous agents, workflow automation systems, and machine-driven analytics platforms frequently operate with extensive permissions across email systems, collaboration environments, customer data repositories, document platforms, cloud storage systems, and enterprise knowledge bases.

These systems do not simply consume data.

Increasingly, they:

  • Generate decisions
  • Execute workflows
  • Trigger automation
  • Move data between systems
  • Access sensitive repositories
  • Interact with APIs autonomously

Accenture’s April 2025 collaboration with CyberArk highlighted growing concerns around AI identity governance, emphasizing that security models originally designed for human users are insufficient for continuously operating AI agents interacting across multiple enterprise systems simultaneously.10

IBM’s 2025 Cost of a Data Breach research additionally identified shadow AI as an increasingly important breach vector, with organizations reporting incidents tied to unsanctioned AI usage involving sensitive data exposure and intellectual property risks.11

Gartner’s 2025 CIO research further indicated that employees across a substantial majority of enterprises now use personal AI accounts for work-related tasks without centralized governance approval.12

This creates parallel trust surfaces operating entirely outside traditional enterprise monitoring and data governance structures.

The traditional perimeter inspection model was not built for autonomous AI-driven agents that maintain SaaS connections to several business applications at once.

The growing realization amongst security executives is that the AI-driven SaaS ecosystem is an identity-driven environment.

10. What Security Leaders Must Prioritize Next

Organizations that show resilience against attacks on the modern, SaaS-native cloud world share a common trend: they have shifted their focus from perimeter detection to an identity-centric approach.

Several priorities are gaining significance.

Identity-Centric Security Operations

Every access request should be treated as a continuously evaluated security event rather than a one-time authentication decision.

This includes extending identity analytics beyond human users to encompass:

  • Service accounts
  • API credentials
  • OAuth tokens
  • Machine identities
  • AI agents
  • Automation workflows

SaaS Security Posture Management

Continuous discovery and governance visibility are essential across an organization’s entire SaaS estate, including shadow SaaS products, third-party integrations, inactive users, excessive permission levels, and managed OAuth connections.

Behavioral Analytics Tailored to SaaS

Signature-based analytics models cannot detect low-and-slow attacks conducted within valid SaaS business processes.

Identifying the following anomalies becomes critical:

  • Unusual export activity
  • Abnormal access timing
  • Suspicious OAuth registration
  • Unexpected privilege escalation
  • High-risk API activity
  • Cross-platform anomaly correlation
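The anomaly classes listed above can only be checked from application-layer audit events, not from network flows. The following is an added example, not code from this report or from any SaaS vendor: a small rule set run over a constructed set of simplified audit events for one already-authenticated user, covering off-hours timing, export spikes, mailbox forwarding, broad persistent OAuth grants, geographic anomalies, and cross-signal correlation. Field and operation names, the work-hours baseline, the spike multiplier, and the travel window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events for one already-authenticated user. Field and
# operation names are simplified assumptions, not any vendor's schema.
EVENTS = [
    {"ts": "2025-03-03T09:05:00", "user": "a.chen", "op": "Login", "geo": "US"},
    {"ts": "2025-03-03T09:06:00", "user": "a.chen", "op": "Download", "count": 12},
    {"ts": "2025-03-04T09:10:00", "user": "a.chen", "op": "Download", "count": 9},
    {"ts": "2025-03-05T02:30:00", "user": "a.chen", "op": "Login", "geo": "US"},
    {"ts": "2025-03-05T02:40:00", "user": "a.chen", "op": "InboxRuleCreated",
     "forward_to": "relay.example.net"},
    {"ts": "2025-03-05T02:42:00", "user": "a.chen", "op": "ConsentGranted",
     "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"]},
    {"ts": "2025-03-05T02:55:00", "user": "a.chen", "op": "Download", "count": 640},
    {"ts": "2025-03-05T03:20:00", "user": "a.chen", "op": "Login", "geo": "BR"},
]

BROAD_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
WORK_HOURS = range(7, 20)       # assumed organisational baseline
EXPORT_SPIKE = 10               # times the user's largest prior download batch
TRAVEL_WINDOW = timedelta(hours=2)  # assumed minimum plausible travel time

def detect(events):
    """Return (user, anomaly, detail) tuples derived from application events."""
    findings = []
    downloads = defaultdict(list)   # per-user history of download batch sizes
    last_login = {}                 # user -> (timestamp, geo)
    offhours_seen = set()           # (user, date) already flagged once
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, user, op = datetime.fromisoformat(e["ts"]), e["user"], e["op"]
        if ts.hour not in WORK_HOURS and (user, ts.date()) not in offhours_seen:
            offhours_seen.add((user, ts.date()))
            findings.append((user, "abnormal_timing", ts.isoformat()))
        if op == "Download":
            hist = downloads[user]
            if hist and e["count"] > EXPORT_SPIKE * max(hist):
                findings.append((user, "unusual_export", e["count"]))
            hist.append(e["count"])
        elif op == "InboxRuleCreated" and e.get("forward_to"):
            findings.append((user, "mailbox_forwarding", e["forward_to"]))
        elif op == "ConsentGranted":
            risky = BROAD_SCOPES & set(e["scopes"])
            if risky and "offline_access" in e["scopes"]:   # broad and persistent
                findings.append((user, "suspicious_oauth_grant", sorted(risky)))
        elif op == "Login":
            prev = last_login.get(user)
            if prev and prev[1] != e["geo"] and ts - prev[0] < TRAVEL_WINDOW:
                findings.append((user, "geo_anomaly", f"{prev[1]}->{e['geo']}"))
            last_login[user] = (ts, e["geo"])
    return findings

def correlate(findings, threshold=3):
    """Escalate users showing >= threshold distinct anomaly types together."""
    kinds = defaultdict(set)
    for user, anomaly, _ in findings:
        kinds[user].add(anomaly)
    return {u: sorted(k) for u, k in kinds.items() if len(k) >= threshold}
```

Each individual rule is noisy on its own; the correlation step is what turns several low-confidence SaaS-layer signals into one actionable case.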

Continuous Authorization

Modern access decisions should dynamically incorporate contextual risks, including:

  • Device posture
  • Geographic anomalies
  • Behavioral risk indicators
  • Session intelligence
  • Threat intelligence correlations
  • Credential exposure indicators

Machine Identity Governance

Non-human identities increasingly represent a significant percentage of enterprise credentials.

Service accounts, automation agents, AI workflows, and API keys require:

  • Least-privilege enforcement
  • Credential rotation
  • Lifecycle governance
  • Behavioral monitoring
  • Session visibility

IBM’s cloud security guidance specifically recommended transitioning away from long-lived static API keys toward short-lived identity-based credential models wherever operationally feasible.6

Zero Trust as an Operational Model

NIST continues emphasizing that Zero Trust is not a single technology category or procurement exercise.

It is an operational philosophy built around the assumption that compromise may already exist within enterprise environments, requiring continuous verification and visibility across identities, applications, workloads, and workflows.8

Organizations implementing Zero Trust solely as a network modernization initiative without extending it into SaaS governance, machine identity control, and application-layer behavioral visibility will struggle to address the operational realities of modern cloud compromise.

11. Conclusion

The most dangerous assumption in enterprise cybersecurity today is that the absence of alerts means the absence of compromise.

Within modern SaaS ecosystems, the absence of alerts and the absence of compromise are increasingly unrelated.

Attackers who use stolen credentials, session cookies, OAuth abuse, AI workflow abuse, and SaaS integrations produce behavior that may look completely legitimate from an operational standpoint.

It is not necessarily a complex attack; it is simply a compromise that is difficult to spot because it happens within environments built on implied trust, which perimeter-based security tools are not equipped to judge.

IBM X-Force has repeatedly documented the accelerating shift toward identity-focused compromise activity. Accenture’s research highlights the widening preparedness gap facing enterprise cloud and AI environments. NIST’s Zero Trust guidance reflects the architectural reality that modern security models must continuously validate trust rather than assume it.

What remains unresolved in many organizations is the operational transition away from perimeter-centric thinking toward identity-centric visibility, SaaS governance, behavioral analytics, machine identity security, and continuous verification.

Firewalls remain necessary, but they are no longer sufficient visibility platforms for modern SaaS-driven threat environments.

In modern SaaS ecosystems, the firewall often does not see the breach. The breach is already operating inside the trusted workflow.

References

[1] IBM, X-Force Threat Intelligence Index 2025: Attackers Steal and Sell User Identities at Scale, April 2025

[2] IBM, Cloud Attacks Are Evolving: What 2025 Trends Mean for Defenders in 2026, March 17, 2026

[3] Accenture, Only One in 10 Organizations Globally Are Ready to Protect Against AI-Augmented Cyber Threats, June 26, 2025

[4] NIST, NIST Offers 19 Ways to Build Zero Trust Architectures, June 11, 2025

[5] BetterCloud, State of SaaS 2025 Report, 2025

[6] IBM, Cloud Attacks Are Evolving: What 2025 Trends Mean for Defenders in 2026, March 17, 2026

[7] Accenture, State of Cybersecurity Resilience 2025, June 25, 2025

[8] NIST, NIST Offers 19 Ways to Build Zero Trust Architectures, June 11, 2025

[9] Gartner, Hype Cycle for Digital Identity 2025, 2025

[10] Accenture, CyberArk Strengthens Identity Security for AI Agents with Accenture’s AI Refinery, April 10, 2025

[11] IBM, Cost of a Data Breach Report 2025, 2025

[12] Gartner, Gartner Newsroom Research and Press Releases, 2025
