
Visibility ≠ Security: The SaaS Illusion That’s Putting Enterprises at Risk

Published 08/12/2025

Originally published by AppOmni.
Written by Madeleine Doyle.

The SaaS security reality check: What 800+ security leaders revealed about the true state of SaaS risks.

At first glance, the SaaS story looks great: Dashboards are green, audits are clean, and executives feel safe. But dig a little deeper, and a different picture emerges. AppOmni’s 2025 State of SaaS Security Report surveyed 803 security leaders worldwide and surfaced a widening chasm between confidence and control. A sharp increase in SaaS security incidents, rising complexity in application ecosystems, and new risks from AI-enabled apps exacerbate the disconnect between widespread confidence in current security measures and actual risk.

The headline numbers:

  • 75% of organizations suffered a SaaS-related security incident or breach in the past 12 months
  • 91% still rate their SaaS posture as “secure,” even among those that were breached
  • 89% of compromised organizations believed they already had “appropriate visibility”

Why confidence runs ahead of control

Why does optimism persist despite the breach count? First, ownership is muddled. Only 16% of organizations place SaaS security squarely in the security team’s remit; in many firms, business units run the show, creating seams adversaries exploit. Second, security inspections remain outdated: 52% of organizations still rely on periodic, point-in-time audits that fail to catch daily drift in permissions, integrations, and role changes. Finally, many leaders find comfort in vendor assurances: 53% of the “very confident” group say they trust their SaaS providers more than their own telemetry. As AppOmni CEO Brendan O’Connor warns, “Visibility alone is not security, and trust in SaaS vendors is not a strategy.”

The resulting exposure is painfully basic: 41% of incidents begin with permission errors and 29% with app misconfigurations. Put simply, the fundamentals are costing enterprises real money and their reputation.

 

The next wave: SaaS AI governance

Sixty-one percent of security leaders expect AI agents and copilots to dominate next year’s agenda, adding thousands of non-human “users” that need the same least-privilege controls and continuous monitoring as people. Governing those identities is quickly moving from novelty to necessity.

 

What keeps CISOs up at night

Beneath the headline numbers lie very human anxieties. More than half of leaders fear intellectual-property theft, over one-third worry about customer-data exposure, and nearly one-third dread accidental leaks that erode brand trust. No wonder 96% predict SaaS security will become even more critical over the next three years, with 72% ranking it a top-three priority.

 

Four quick wins you can accomplish this quarter

  1. Identify your vital 20%. Twenty percent of apps hold eighty percent of your crown-jewel data. Start there to shrink risk fastest.
  2. Shift from periodic audits to always-on. Stream SaaS config and identity logs into your SIEM/SOAR so drift or rogue OAuth tokens surface in minutes, not quarters. Only 43% of organizations do this today.
  3. Clarify who owns what. Map each mission-critical app to a named business owner and a security contact. Clear accountability beats diffuse responsibility every time.
  4. Deploy a dedicated SaaS Security Posture Management (SSPM) platform. Just 13% of organizations use SSPM solutions to automate least-privilege checks, flag stealthy misconfigs, and free up teams already spending 5+ hours a week chasing SaaS risk.

 

Final thoughts

SaaS security confidence should be earned, not assumed.

The data is blunt: Visibility without enforcement is an illusion, and periodic audits are yesterday’s playbook. But SaaS security doesn’t have to be complicated, only continuous. With real-time insight, defined ownership, and tools that uncover more than surface-level issues, teams can turn SaaS from a visibility gap into a business accelerator.

Ready for a deeper dive? Download the full report and benchmark your own SaaS security program.
