1. The Hidden Danger of the Trusted Relationship
For decades, the zero-day threat defined enterprise security: budgets and vendor proposals alike revolved around the idea that some attacker out there held a hidden key to the kingdom.
But today’s reality is much darker than any of that. Adversaries no longer need secret keys. They are walking through front doors that your own organization has already unlocked, via delegated access infrastructure, federated identity grants, and the application access architecture that silently proliferates across modern enterprise estates.
According to the Verizon 2025 Data Breach Investigations Report, third-party involvement in data breaches doubled in a single year, rising from 15% in 2024 to 30% in 2025. [1]
In many companies today, the greatest vulnerability is not a misconfigured firewall. It is the authorized Software-as-a-Service (SaaS) access that nobody has inspected for six months.
2. The Scale of Exposure
Organizations today use hundreds of SaaS applications that may be entitled to read, modify, and move critical information, on the strength of machine-to-machine trust relationships that are configured once and rarely reviewed afterwards.
Gartner's forecast for 2025 is alarming: security teams without visibility into their organization's SaaS usage are five times more likely to suffer an incident or data loss in 2027. [2] Gartner also projects that by 2027, 75% of the workforce will adopt, update, or develop technologies independently of IT, compared with 41% in 2022. [3]
The governance problem is no longer theoretical. Large businesses are already operating beyond their own visibility thresholds.
Accenture’s State of Cybersecurity Resilience 2025, surveying 2,286 CISOs and CIOs from $1B+ revenue companies across 24 industries, confirms that 63% of global companies reside in what Accenture calls the “Exposed Zone,” lacking both a cohesive security strategy and the technical capability to execute one. [4]
The underlying figures illustrate the scale of the governance gap. A significant number of regulated organizations have yet to adopt generative AI policies, implement encryption and access controls throughout all data states, and create a secure cloud environment complete with monitoring capabilities. Overall, these deficiencies highlight an access governance framework that lags behind adoption.
In the third quarter of 2024, IT executives estimated 1,876 weekly cyberattacks, a 75% increase over the previous year. [5]
As federated application access grows faster than the capability to monitor it, every new connector adds attack surface.
3. How Threat Actors Exploit the Identity Federation Layer
The attack patterns below share one defining characteristic: they are invisible to legacy perimeter controls because they operate through legitimately authorized access. Most SIEM and EDR architectures were designed to detect malicious intrusion activity, not legitimate API behavior originating from authorized applications. That architectural blind spot is precisely where modern supply chain campaigns operate.
Delegated Credential Hijacking: Attackers target the third-party applications that hold delegated credentials for essential cloud software. Once they hijack that access, they obtain full access to CRM, financial, and human resources systems while bypassing login alerts and MFA, because the session is already authorized.
Over-Permissioned API Trust Chains: Service accounts are routinely granted excessive permissions at setup and then forgotten. Verizon’s 2025 DBIR found that 43% of cloud credential leaks involved Google Cloud API keys, many of which were never rotated or revoked after initial deployment. [1]
Shadow Connectivity: Employees connect unsanctioned applications to enterprise data without security review. IBM’s 2025 report found that SaaS-delivered AI tools alone accounted for 29% of AI-related security incidents. [6] Defenders cannot govern authorization pathways they do not know exist.
Vendor Pivoting: Attackers breach a smaller, less secure vendor to obtain federated identity grants, then pivot into larger infrastructure. This island-hopping strategy drove supply chain breaches to 30% of all 2025 incidents. [1]
IBM confirms that vendor and supply chain compromises cost an average of $4.91 million, the second highest of any attack vector, climbing to $10.22 million per incident in the United States. [6]
4. The Drift/Salesforce Breach: A Defining Case Study
There is no better example of the danger posed by machine-verified, delegated access than the recent security incident involving Salesloft’s Drift integration with Salesforce, which experts have characterized as “the SolarWinds moment for SaaS.”
Google Cloud’s threat intelligence team detected a wide-ranging attack on Salesforce environments between August 8 and August 18, 2025. Instead of compromising Salesforce directly, the threat actors abused the delegated access held by the Drift connector, a third-party conversational marketing platform. [7]
They exfiltrated customer information, company communications, and authentication credentials, including AWS access keys and Snowflake tokens, enabling further escalation into other cloud infrastructure.
Because the activity originated from authenticated SaaS sessions, it was initially classified as legitimate. The operation maintained persistence through token reuse across authenticated sessions, and the absence of login anomalies allowed lateral cloud pivoting to continue undetected across multiple downstream identity systems.
Attackers claimed potential exposure of up to 1.5 billion CRM-related records across victims spanning technology firms, aviation, financial services, and cybersecurity vendors. [8]
The adversary never touched Salesforce’s own infrastructure. Security leadership must internalize that lesson: your posture is only as strong as the weakest connector in your application access architecture.
5. Why Detection Fails
Supply chain compromises take an average of 267 days to detect and contain, the longest timeline of any attack vector, according to IBM’s 2025 report. [6]
The root cause is structural. Accenture’s research found that very few large firms maintain a comprehensive inventory of AI systems and federated application access points, the prerequisite for effective supply chain risk management. Without that inventory, defenders cannot audit what they cannot see. [4]
Gartner’s 2025 Zero Trust guidance identifies a parallel gap: SaaS applications maintain their own policy enforcement points that operate independently of enterprise IAM systems. When those application-native controls are misconfigured, threat actors bypass incomplete Zero Trust implementations and go directly to the application layer. IBM’s data sharpens the picture: 97% of enterprise estates that experienced an AI-related security incident lacked proper AI access controls. [6]
6. NIST’s 2025 Framework for Action
In June 2025, NIST released Implementing a Zero Trust Architecture, Special Publication 1800-35, developed over four years with 24 industry partners. The publication provides 19 real-world implementation models directly applicable to SaaS security governance. [9]
The guidance explicitly states that the traditional perimeter model “breaks down when the network perimeter has to be extended to cover SaaS applications, mobile devices, remote working, and third-party access.”
Every SaaS application must be treated as an untrusted resource requiring continuous verification, with no implicit trust extended to any approved connector or federated identity grant.
For regulated U.S. industries, NIST SP 1800-35 is not optional reading. Infrastructure owners that fail to extend Zero Trust principles to their SaaS layers face escalating regulatory and contractual exposure alongside direct breach risk.
Conclusion
The SaaS trust layer has fundamentally altered the enterprise threat model. Modern breach campaigns increasingly originate not through perimeter compromise, but through authorized application relationships that security teams approved months or years earlier and never reassessed.
The core challenge is no longer visibility into malware alone. It is governance over machine-to-machine trust, federated access pathways, and delegated credentials operating silently across interconnected SaaS environments.
With supply chain incidents now accounting for 30% of confirmed breaches (Verizon DBIR 2025) [1] and U.S. breach costs averaging $10.22 million per incident (IBM Cost of a Data Breach Report 2025) [6], inadequate SaaS integration governance has become both a cybersecurity and business resilience issue. Organizations that fail to inventory, audit, and continuously monitor these trust relationships will continue to face extended detection timelines, escalating operational disruption, and growing regulatory exposure.
The next major enterprise breach is unlikely to begin with a sophisticated zero-day exploit. It will more likely originate from a trusted integration that no longer receives meaningful security oversight.
Frequently Asked Questions
Q1. Why are SaaS integration attacks different from other types of attacks?
SaaS integration attacks differ from other attacks in that they exploit pre-existing, authorized links between enterprise systems and third-party software rather than breaching the infrastructure itself. Attackers take advantage of access infrastructure, including APIs, that the regulated company has already authorized. IBM’s 2025 study confirms this. [6]
Q2. What is the typical number of SaaS solutions managed by an average large organization?
An average enterprise ecosystem leverages more than 200 external applications through application federation and APIs. Gartner estimates that by 2027, up to 75% of end-users will independently change their technology stack without formal approval from IT, indicating that actual connections usually outnumber the ones known to the security team. [10]
Q3. Why does the United States carry the highest breach costs globally?
IBM’s 2025 report puts the United States at the highest cost per incident, averaging $10.22 million. [6] The contributing factors are stringent compliance regulations in healthcare, finance, and critical infrastructure; post-breach litigation costs; notification requirements; and the presence of valuable intellectual property within US-based companies. Healthcare infrastructure owners incur the highest sector cost at $7.42 million per breach.
Q4. What made the Drift/Salesforce breach so difficult to detect in real time?
The attack succeeded because it operated entirely through authenticated SaaS sessions. Conventional anomaly-detection systems initially categorized the activity as legitimate business traffic. Persistence was maintained through token reuse across authenticated sessions, and the absence of authentication anomalies allowed lateral pivoting across downstream identity systems to continue undetected. [7]
Q5. What should be the first three steps taken by the CISO to mitigate SaaS integration risk?
First, build a comprehensive inventory of all federated identities, API trust relationships, and third-party connections. Second, revoke over-permissioned and unused delegated credentials, especially those belonging to apps that are no longer in use. Third, enforce MFA on all service accounts and SaaS administrative interfaces. IBM’s 2025 report finds that regulated organizations that adopted MFA and AI security saved an average of $2.2 million per incident. [6]
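The detection gap described in the case study and in Q4 (authorized calls, token reuse across sessions, no login anomaly) can still be caught at the API-activity layer rather than at login. The following is an added example, not code from the article or from any vendor named in it; the event fields, app names, IP addresses and baselines are constructed, and the two heuristics (one delegated token presented from several source addresses within an hour, and a connected app exporting far above its daily baseline) are assumptions about what a defender would instrument.

```python
"""Detection over connected-app audit events (added example, not from the article).
Events are constructed; field names, thresholds and baselines are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    app: str        # connected application acting under a delegated grant
    token_id: str   # delegated OAuth token presented on the API call
    src_ip: str
    rows: int       # records returned by the call

def detect(events, baseline_rows, ip_window=timedelta(hours=1), max_ips=2, volume_factor=5):
    """Flag (a) a delegated token presented from more than max_ips source addresses
    inside ip_window (token reuse across sessions) and (b) an app pulling more than
    volume_factor times its daily baseline. Every event is an authenticated,
    authorized call, so login-centric detection sees nothing anomalous."""
    alerts = []
    by_token = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_token[e.token_id].append(e)
    for token, evs in by_token.items():
        for i, e in enumerate(evs):
            ips = {x.src_ip for x in evs[:i + 1] if e.ts - x.ts <= ip_window}
            if len(ips) > max_ips:
                alerts.append(("token_ip_fanout", token, sorted(ips)))
                break
    per_day = defaultdict(int)
    for e in events:
        per_day[(e.app, e.ts.date())] += e.rows
    for (app, _day), rows in per_day.items():
        base = baseline_rows.get(app, 0)
        if base and rows > volume_factor * base:
            alerts.append(("bulk_export", app, rows))
    return alerts

T0 = datetime(2025, 8, 9, 2, 0)  # constructed timestamps
SAMPLE_EVENTS = [
    Event(T0, "chat-connector", "tok-A", "203.0.113.5", 40),
    Event(T0 + timedelta(minutes=10), "chat-connector", "tok-A", "198.51.100.7", 120000),
    Event(T0 + timedelta(minutes=20), "chat-connector", "tok-A", "192.0.2.9", 150000),
    Event(T0 + timedelta(hours=3), "hr-sync", "tok-B", "203.0.113.5", 300),
]
BASELINE_ROWS = {"chat-connector": 500, "hr-sync": 400}  # assumed daily averages

def run_sample():
    return detect(SAMPLE_EVENTS, BASELINE_ROWS)
```

Both alerts fire on the sample even though every call carried a valid, authorized token, which is the point: the signal lives in the connector's behaviour, not in the authentication.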
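The three steps above can be turned into a repeatable audit over the grant inventory, so that stale, over-scoped, unreviewed and MFA-less grants are surfaced on every run rather than once. This is an added example, not from the article; the Grant fields, scope names, sample records and the 90-day idle threshold are assumptions.

```python
"""Delegated-grant audit (added example, not from the article). Inventory records,
field names, scope names and the 90-day idle threshold are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Grant:
    app: str
    principal: str               # service account or admin that issued the grant
    scopes: FrozenSet[str]
    last_used: Optional[date]    # None: never used since issuance
    sanctioned: bool             # passed security review (not shadow connectivity)
    mfa_enforced: bool           # MFA on the owning service account / admin interface

# Scopes that confer standing or administrative access (assumed names).
BROAD_SCOPES = frozenset({"full", "admin", "refresh_token"})

def audit(grants, today, unused_days=90):
    """Step 1 is the inventory passed in; step 2 sends stale or never-used grants
    to 'revoke' and over-permissioned ones to 'reduce_scope'; unreviewed apps go to
    'review'; step 3 sends principals without MFA to 'enforce_mfa'."""
    findings = {"revoke": [], "reduce_scope": [], "review": [], "enforce_mfa": []}
    for g in grants:
        idle = (today - g.last_used).days if g.last_used else None
        if idle is None or idle > unused_days:
            findings["revoke"].append(g.app)
        else:
            broad = g.scopes & BROAD_SCOPES
            if broad:
                findings["reduce_scope"].append((g.app, sorted(broad)))
            if not g.sanctioned:
                findings["review"].append(g.app)
        if not g.mfa_enforced:  # the principal outlives any single grant
            findings["enforce_mfa"].append(g.principal)
    return findings

TODAY = date(2025, 10, 1)  # constructed audit date
SAMPLE_GRANTS = [
    Grant("chat-connector", "svc-marketing", frozenset({"api", "refresh_token"}), date(2025, 9, 28), True, False),
    Grant("old-bi-export", "svc-analytics", frozenset({"full"}), date(2025, 3, 2), True, True),
    Grant("personal-notes-ai", "alice", frozenset({"api"}), date(2025, 9, 30), False, True),
    Grant("hr-sync", "svc-hr", frozenset({"api"}), None, True, True),
]

def run_sample():
    return audit(SAMPLE_GRANTS, TODAY)
```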
References
[1] Verizon Business, 2025 Data Breach Investigations Report (DBIR), 2025.
[2] Calero, Gartner 2025: Mind the SaaS Security Gaps, 2025.
[3] Gartner, Gartner Identifies the Top Cybersecurity Trends for 2025, March 3, 2025.
[4] Accenture, State of Cybersecurity Resilience 2025, June 26, 2025.
[5] Check Point Research, A Closer Look at Q3 2024: 75% Surge in Cyber Attacks Worldwide, 2024.
[6] IBM Security, Cost of a Data Breach Report 2025, 2025.
[7] Google Cloud Threat Intelligence, Threat Intelligence Blog and Incident Analysis, 2025.
[8] BankInfoSecurity, ShinyHunters Counts 1.5 Billion Stolen Salesforce Records, 2025.
[9] National Institute of Standards and Technology (NIST), Implementing a Zero Trust Architecture, SP 1800-35, 2025.
[10] Gartner, Gartner Security & Risk Management Summit EMEA 2025 Day 2 Highlights, September 23, 2025.