60% of enterprise SaaS and AI tools deployed without IT involvement, survey finds

Organisations have lost visibility into 60% of SaaS and AI tools, according to a new survey. (Photo: wutzkohphoto/Shutterstock)

More than half of enterprise SaaS and AI applications, at 60%, are currently operating without IT oversight, a new survey has found. The finding, from research conducted by CloudEagle.ai, highlights how this lack of visibility is contributing to rising identity governance challenges, as enterprises struggle to manage access across an expanding landscape of decentralised tools. The data is based on responses from 1,000 CIOs and CISOs across industries.

Respondents indicated that this unmonitored application growth, often referred to as “shadow IT”, is leading to security exposures, audit failures, and regulatory compliance risks, particularly as these systems frequently bypass traditional identity and access management (IAM) controls.

“Traditional IAM tools can’t keep up with today’s SaaS and AI-driven environments because not all apps are managed by IT, and not everything sits behind a centralised IAM system,” said CloudEagle.ai CEO and founder Nidhi Jain.

The report revealed that 50% of employees hold privileged access beyond what their roles require. Despite this widespread overprovisioning, only 5% of enterprises currently enforce least-privilege access policies across departments. This gap between access levels and governance enforcement represents a growing operational risk, particularly in environments with sensitive data workflows.

Additionally, only 15% of surveyed organisations have implemented Just-In-Time (JIT) access, a model designed to minimise standing privileges by granting access on an as-needed basis. The remaining 85% continue to rely on static access rights that persist regardless of usage frequency.

According to the survey, 48% of former employees retain access to enterprise applications several months after their departure. This retention often results from delayed deprovisioning processes and a lack of automation in identity lifecycle management. Such delays can lead to unauthorised access, data exfiltration, and audit discrepancies.

The survey highlights that most organisations continue to use manual access workflows, including onboarding and offboarding procedures that depend on coordination between multiple teams, often resulting in inconsistencies and oversights.

The survey also found that 70% of CIOs view the use of unauthorised AI tools as a top-tier data security concern. These tools, which are frequently adopted by business units without prior IT evaluation, contribute to identity sprawl by introducing unmanaged applications into the enterprise environment. Because these tools are not integrated with central IAM platforms, access rights often go untracked.

Respondents noted that this fragmentation makes it difficult to conduct effective access reviews or apply uniform governance controls, further elevating the risk profile.

Identity governance teams are now receiving more budget and operational authority

Historically, identity governance teams have operated with limited resources and low executive visibility. However, CloudEagle.ai’s data suggests a shift in strategic focus. Respondents reported that governance functions are now receiving increased funding and decision-making authority, previously reserved for broader security operations.

The report calls for enterprises to automate provisioning and deprovisioning based on real-time usage, apply JIT access for high-risk roles, and conduct continuous AI-driven behavioural access reviews. It also recommends appointing a chief identity officer to unify access oversight across departments and ensure policy consistency.