SaaS Security Report Highlights Critical Risks from Unmanaged Guest Accounts, OAuth, and Weak MFA
A new report, Kaseya's 2026 SaaS Security Report: Closing the Unmanaged Trust Gap, has revealed critical vulnerabilities in how organizations manage access within their SaaS environments. The report highlights three primary drivers of risk: the proliferation of unmanaged guest accounts, the widespread use of OAuth integrations with broad permissions, and continued weak adoption of multi-factor authentication (MFA). Specifically, guest accounts constituted 69% of monitored SaaS accounts in 2025, exceeding licensed users by more than two-to-one, significantly expanding the attack surface. These guest accounts often retain access long after their necessity, creating overlooked pathways to corporate data. Furthermore, OAuth integrations, while enabling seamless connectivity for AI assistants and collaboration tools, frequently grant extensive permissions that can persist even if the integrating application becomes malicious or compromised. Compounding these issues is the ongoing challenge of weak MFA adoption, leaving accounts vulnerable to credential stuffing and password spraying, now made more efficient by AI-assisted enumeration techniques.
This development is crucial for senior cloud, DevOps, and AI analysts, as these findings are a stark warning about the evolving identity-centric attack surface in modern enterprises. The sheer volume of unmanaged guest accounts represents a massive blind spot, offering attackers persistent access points that are difficult to detect. The broad permissions granted to OAuth-connected applications introduce a new class of supply chain risk, where a compromise of a third-party app can directly lead to data exfiltration or system takeover. The report's emphasis on AI-assisted account enumeration underscores that traditional, reactive security measures are no longer sufficient; adversaries are leveraging automation to scale their attacks. This directly impacts the integrity of CI/CD pipelines, data security in cloud storage, and the overall trust model of distributed systems, making robust identity and access management (IAM) a foundational pillar of cloud security.
This report aligns with a broader, well-established trend in cybersecurity where identity has become the new perimeter. As organizations shift from on-premises infrastructure to cloud-native and SaaS-heavy environments, traditional network-based defenses become less effective. The focus has increasingly moved to securing identities—human and machine—and their access privileges. This is reflected in the rise of Zero Trust architectures, which advocate for continuous verification of every access request, regardless of origin. The proliferation of SaaS applications and the growing reliance on third-party integrations (often via OAuth) have made identity governance and administration more complex. Furthermore, the increasing sophistication of AI in both defensive and offensive cybersecurity means that identity-related attacks are becoming more targeted and harder to detect, pushing organizations to adopt AI-powered security platforms to combat AI-driven threats.
In practice, practitioners must prioritize a comprehensive review of their SaaS identity landscape. This involves implementing stringent lifecycle management for guest accounts, ensuring they are provisioned with least privilege and de-provisioned promptly. Organizations should also conduct regular audits of OAuth integrations, scrutinizing the permissions granted to third-party applications and revoking unnecessary access. Crucially, universal and strong MFA adoption across all user types, including guest accounts and service principals, is non-negotiable. DevOps teams should integrate identity security checks into their pipelines, leveraging tools that can scan for overly permissive access tokens or dormant accounts. Furthermore, investing in AI-powered identity threat detection and response (ITDR) solutions is becoming essential to identify anomalous behavior indicative of AI-assisted account compromise. Ignoring these risks means accepting a significantly elevated risk of breach, as attackers will continue to exploit these well-documented weaknesses.
Read original source