The Urgency of Now: AI & Evolving Threats to SaaS
Recent high-profile software-as-a-service (SaaS) data breaches have caught many Chief Information Security Officers (CISOs) and Information Security (InfoSec) professionals by surprise, exposing a false sense of security.
While organizations know that SaaS providers invest significant resources in security, they often overlook their own responsibility for protecting data on those platforms. This is reflected in the “confidence paradox” from the 2025 CSA State of SaaS Security Report : 79% of organizations are confident in their SaaS security programs, yet have significant capability gaps. Furthermore, the CSA SaaS Security Capability Framework (SCCF) highlights that misalignment between vendors, application owners, InfoSec, and risk teams leads to delays, wasted resources, and unnecessary risk exposure.
This gap is widened by the different experience and terminology of InfoSec and SaaS teams, contributing to the “InfoSec↔SaaS Divide.” Bridging this divide is essential for securing SaaS data and unlocking the future benefits of agentic AI. The authors have combined their general InfoSec and specific SaaS knowledge and experience to help organizations secure these environments.
InfoSec↔SaaS Divide
InfoSec teams are responsible for establishing standards and maintaining visibility across all IT systems, but don’t delve into the intricacies of every SaaS platform. They rely on security alerts and audit reports to detect problems, expecting SaaS administrators to implement enterprise IT governance within each environment. However, SaaS administrators often lack the security expertise to understand how these rules apply in the systems they manage. This lack of shared understanding can result in serious SaaS security gaps, including:
- Failure to follow identity and access management best practices.
- Insecure integrations (e.g., lack of IP restrictions, mTLS, least privilege).
- Inadequate classification or protection of sensitive data.
- Improper management of privileged accounts.
- Presence of sensitive data in development and test environments.
- Insufficient monitoring of event logs for anomalies.
Although teams believe they have closed these gaps, the fixes may not be verified or complete, meaning they have only scratched the surface of SaaS security. Limitations in InfoSec tools and experience can hide widespread standing access to sensitive data within SaaS environments. When the Principle of Least Privilege (PoLP) isn’t followed, malicious attackers can potentially exfiltrate sensitive information, external portals can expose internal data, and AI agents can produce unintended outcomes.
This article outlines three strategies to bridge the InfoSec↔SaaS divide and strengthen SaaS security. Success requires assigning responsibility and accountability, and determining who to consult and inform.
Strategy 1: Configure your SaaS Securely
An effective way to bridge the divide is for InfoSec and SaaS teams to collaborate on establishing a secure baseline configuration.
PoLP dictates limiting access and permissions to only what is essential for a task. Maintaining this in SaaS environments requires understanding evolving threats and the intricacies of role-based permissions and security configurations. InfoSec knows of threats that SaaS administrators may not, so they must work together to avoid misunderstandings.
To demonstrate how this divide can lead to misconfigurations in SaaS environments, consider connected apps. InfoSec teams may not be familiar with securing connected apps and SaaS API integrations. SaaS administrators may not be trained to secure connected apps against emerging threats or consider the risks of giving integration accounts broad permissions, such as the ability to access and modify all data.
Securing these apps involves a complex interplay between third-party software vendors, custom internal applications, and the SaaS platform itself. The resolution is for InfoSec and SaaS teams to combine their knowledge to review app configurations, remove apps that are not risk-appropriate for the business, change self-authorization defaults, manage access and permission settings, and monitor OAuth settings – just as Enterprise Application Architects do when enabling connectivity with third-party services. This is an ongoing activity; like renewing certificates, connected apps should be regularly reviewed for relevance, usage, commerciality, and security.
Manually maintaining a secure baseline configuration as a SaaS environment evolves is time-consuming and error-prone, particularly at scale. Automation and agentic AI can help fix problems more comprehensively and consistently, reducing risks from insecure configurations and excessive permissions.
Strategy 2: Perform a Security Self-Assessment
Security threats continually evolve; it’s not a “set it and forget it” task. With a secure baseline established, the next step is for the InfoSec and SaaS teams to perform an in-depth security self-assessment. This process uncovers additional risks to mitigate and fills knowledge gaps for both teams, serving as a prime opportunity to clearly define security responsibilities and exchange knowledge. The following table highlights some of the common differences between InfoSec and SaaS perspectives when assessing SaaS security risks.
Performing a security self-assessment reveals whether your organization has the right skills, knowledge, and tools. Do you need to train existing personnel, hire a SaaS security specialist, or engage consultants for a security risk assessment? Does your team need SaaS security tools with codified expertise – including automation and agentic AI – that streamline SaaS security assessments by finding sensitive data, prioritizing risks, and recommending remediations?
Strategy 3: Implement Effective Threat Monitoring
InfoSec and SaaS teams can build on their partnership to establish a robust approach for monitoring emerging threats, defining what each team monitors and what detections they create. For example, InfoSec may use a centralized Security Incident & Event Monitoring (SIEM) tool to monitor security-related alerts and detect anomalies across multiple SaaS applications. They may also use a multi-SaaS Security Posture Management (SSPM) tool to cover common concerns across a wide variety of systems.
However, these InfoSec tools typically don’t perform specialized SaaS security tasks, such as real-time detecting and blocking of risky permission assignments, unexpected environment modifications, or sensitive data exports. Therefore, SaaS teams benefit from solutions that offer codified security expertise and observability dashboards tailored to their specific system.
Together, InfoSec and SaaS teams and tools can provide defense in-depth, covering the full scope of dangerous user activities and configuration changes. For instance, they can work together to monitor connected app logins and configure real-time blocking of unauthorized access to sensitive data.
Working in unison allows InfoSec teams to gain a broad security overview while SaaS teams to delve into the detailed logs and configuration settings within specific environments, increasingly with help from agentic AI (e.g., Agentforce in Security Center).
Regular testing should be performed to ensure that process escalation paths are working and understood, proving their effectiveness before an emergency arises.
Final Thoughts
Bridging the InfoSec ↔ SaaS divide is a security imperative amid increasing cyber attacks. This partnership requires overcoming assumptions and establishing a shared understanding of the actual SaaS security landscape. InfoSec must collaborate closely with SaaS administrators, leveraging their expertise to mitigate risks, manage threats, and resolve incidents. SaaS owners should view InfoSec involvement as an opportunity to gain domain-specific support for securing their systems. To strengthen cooperation and knowledge exchange, some organizations embed a SaaS specialist within InfoSec or appoint a security liaison as a bridge between teams.
No single tool can solve all aspects of SaaS security. Complex environments often require both a SSPM tool and specialized solution for a specific SaaS platform for defense in depth. As SaaS evolves with agentic AI, its rapid data processing can amplify sensitive data exposure.
To keep pace, specialized SaaS security AI agents can help identify and remediate exposures quickly and comprehensively. For instance, Salesforce’s Agentforce in Security Center can automatically find and fix security issues, like sensitive data that can be modified and exported by many users from any IP address. The AI agent can also help respond to threats, such as unusual, large-scale sensitive data exports, by triggering an immediate response such as reauthenticating or blocking the user.
By fostering collaboration, clarifying responsibilities, and implementing AI-enabled security systems that support shared understanding between InfoSec and SaaS administration teams, organizations can transform their SaaS environments and AI applications from potential vulnerabilities into truly secure frontiers.
