From Shadow Identities to Board Metrics: A 2026 Playbook for SaaS Breach Resilience

The 2025 supply chain breach that impacted over a billion records was more than another headline; it was a turning point for how organizations think about identity, SaaS, and risk in 2026. What began as convenience‑driven choices—trusted application connectors and long‑lived tokens quietly expanding exposure—has made one thing painfully clear: the weakest link in the digital supply chain is usually an unseen identity.

How third-party SaaS has become an identity time bomb

For years, third‑party risk management has been treated as a procedural formality rather than a serious discipline. Vendors are onboarded with questionnaires, certificates, and compliance forms, and once the boxes are ticked, everyone moves on to the next priority. What doesn't happen is continuous monitoring and governance of the identities, tokens, and integrations that actually carry the risk.

  • Problem: Third‑party risk is reduced to forms and checklists, not continuous monitoring or governance.

  • Pattern: Stolen OAuth token → impersonated trusted application → massive blast radius across customer systems.

  • Root cause: Over‑privileged, long‑lived tokens sitting in a “no one owns this” governance gap.

In the 2025 breach, attackers stole OAuth tokens from a third‑party SaaS integration and used them to impersonate a trusted application, quietly accessing a slew of customer systems. Under the hood, those tokens were long‑lived, over‑privileged, and never reviewed, rotated, or revoked—an example of identity hygiene that looked fine on paper but failed under real attack conditions.

The governance gap was also cultural. Customers assumed vendors were managing tokens and permissions; vendors assumed customers owned the responsibility. In reality, no one owned the lifecycle of those credentials. They sat in a grey zone—out of sight, out of mind—until the day they became an attacker’s favorite entry point.

Shadow identities and one-click integrations: the perfect storm

The modern SaaS world moves at business speed, not security speed. Marketing teams plug a dozen apps into a CRM in a single sprint, while operations connect ERP, HR, and niche tools via APIs to streamline workflows. The promise is agility, time to market, and competitive edge; the cost is an explosion of identities and connections that security teams never see.

Business users now expect one‑click connections. With a single button, they can connect a new app, sync data, and “get things done.” But every one‑click connection creates a persistent identity—an app, bot, service account, or token—with long‑lived trust inside and across multicloud environments. Those persistent, rarely governed identities become ideal targets for attackers who prefer to impersonate trusted automation rather than brute‑force human accounts.

That is where shadow identities enter the picture. Shadow identities are often untracked users or applications operating outside the standard IT governance framework. Departments buy their own tools, set up automation with admin rights in ERP or CRM, and bypass the meticulous provisioning processes applied to human users. APIs and automation tools often end up with access to an organization’s most sensitive data without meaningful oversight.

In the breach scenario, a single OAuth token from a niche application was enough to walk into core systems that hold crown‑jewel data. What seemed like “just a tiny vendor” turned into an enterprise‑wide crisis, with downstream financial and reputational impacts far beyond what anyone had modeled.

From checkbox governance to federated, continuous control

After any major incident, there is a rush to “do something”: buy new tools, draft new policies, and add more checklists. But tools and policies alone are not governance. Governance fails when it is treated as a static checklist instead of a living culture and operating model.

A more effective approach is federated identity governance. Instead of bolting on controls in silos, federated governance orchestrates identity and access controls across ERP systems, critical business applications, token‑based integrations, ticketing systems, and IAM/IDM platforms under a single cohesive framework. Those controls already exist in pockets inside most enterprises—what is missing is a way to connect them, enforce them consistently, and close the gaps between systems.

In a federated model, token configuration is not an afterthought. Identity governance and administration (IGA) extends beyond human accounts to cover application credentials, APIs, bots, and integrations with the same rigor. Ownership, risk classification, and certification cycles become continuous and automated, not sporadic reviews timed around external audits. That shift is fundamental: identity governance must move from “just users” to “users plus apps plus integrations,” and that converged control fabric cannot be run on ad hoc workflows and piecemeal tools.

This practice must also be treated as a living organism, not a one‑time project. Risks evolve as quickly as SaaS adoption and AI‑driven automation, a theme explored further in our article on the role of AI in modern identity governance. Without continuous attention, even well‑designed governance frameworks drift out of alignment with the reality of the organization’s identity surface.

A tactical blueprint for continuous SaaS monitoring

Continuous governance becomes real when responsibility and actions are clear.

Step 1: Inventory the integrations and identities

Every organization needs a unified inventory of human, application, and third‑party identities, as well as the integrations that connect them. This is about understanding both the risk surface and the asset surface: not just the obvious financial system of record, but also the less visible, long‑running applications that quietly handle sensitive, business‑critical data. Ownership typically sits with the identity or security architecture team, but depends on application owners and business process owners to keep it accurate.

If your team is early in this journey, resources on identity security fundamentals and best practices for identity governance can help set the baseline.

Step 2: Baseline behavior and tune alerts

Security teams must ask: what do these apps normally do, when do they access data, how much, and through which channels? That behavioral baseline becomes the foundation for real‑time alerts on abnormal activity. The advice is to cast the net wide in the first iterations, then iteratively refine and focus on what matters so systems do not choke on noise. This work is usually led by the SOC or blue team, with input from application owners on what “normal” really looks like.

Over time, organizations can narrow monitoring to the technical and business fields and events that matter most, much as early monitoring tools for enterprise applications such as JD Edwards learned to watch specific fields and events rather than every table and column, so that they catch real risk without grinding core systems to a halt. Here, continuous controls monitoring becomes a key enabler.

Step 3: Govern multicloud and application credentials with rigor

Centralized identity governance in a multicloud world is difficult, especially with agentic AI adding new non‑human actors into the mix. Some fundamentals, however, are non‑negotiable: authentication between systems must be mutual, communication between them must be encrypted, and the credentials issued under standards such as SAML (assertions) and OAuth 2.0 (access and refresh tokens) must be managed with the same discipline as high‑value human identities. This responsibility often sits with the identity governance / IAM team, in partnership with platform teams implementing rotations and mutual authentication.

That means enforcing token lifetimes, rotations, and revocations, and building closed‑loop provisioning and attestation cycles for non‑human identities as well as human accounts. When application credentials are treated with rigor rather than as an afterthought, organizations can mandate stronger encryption and more frequent key rotation without fear that every change will break critical integrations. Real‑time monitoring thresholds for privileged escalation and abnormal access can then tie directly into operational playbooks, supported by proper documentation rather than tribal knowledge. The outcome is governance that is proactive, agile, and visibility‑focused.
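To make the three steps above concrete, here is an added example (it is not code from the original article or from any vendor) that runs the whole loop on a small constructed data set: an inventory of application identities with their tokens, a policy that the inventory is held to (lifetime, ownership, review cadence, high‑risk scopes), a behavioural baseline built from historical audit log lines, and an anomaly check over recent activity. The log format, field names, scope names and policy thresholds are all assumptions chosen for the illustration, not any product's schema.

```python
"""Added example: inventory, baseline and policy checks for SaaS integrations.

All data and field names below are constructed for illustration; the policy
thresholds (90-day tokens, 180-day reviews, the high-risk scope list) are
assumptions, not values taken from the article or from any product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean, pstdev
from typing import Optional

TODAY = date(2026, 1, 10)  # assessment date used by the policy checks


# --- Step 1: unified inventory of non-human identities (constructed sample) ---
@dataclass
class Integration:
    app_id: str
    name: str
    owner: Optional[str]          # None models the "no one owns this" gap
    scopes: list
    token_issued: date
    token_lifetime_days: int
    last_review: Optional[date]   # None means never certified


INVENTORY = [
    Integration("app-crm-sync", "CRM to marketing sync", "mktg-ops",
                ["contacts.read"], date(2026, 1, 10), 7, date(2026, 1, 5)),
    Integration("app-niche-bi", "Niche BI connector", None,
                ["*"], date(2024, 3, 1), 3650, None),
    Integration("app-hr-feed", "HR to ERP feed", "hr-it",
                ["employees.read", "payroll.write"], date(2025, 6, 1), 365, date(2025, 6, 1)),
]

# --- Step 3: the policy every integration is held to (assumed thresholds) -----
POLICY = {
    "max_token_lifetime_days": 90,
    "review_every_days": 180,
    "high_risk_scopes": {"*", "payroll.write"},
}


def assess_inventory(inventory, policy, today):
    """Return (app_id, finding) pairs for every integration that breaks policy."""
    findings = []
    for it in inventory:
        if it.owner is None:
            findings.append((it.app_id, "no accountable owner"))
        if it.token_lifetime_days > policy["max_token_lifetime_days"]:
            findings.append((it.app_id, f"token lifetime {it.token_lifetime_days}d exceeds policy"))
        if it.last_review is None or (today - it.last_review).days > policy["review_every_days"]:
            findings.append((it.app_id, "certification overdue"))
        risky = policy["high_risk_scopes"] & set(it.scopes)
        if risky:
            findings.append((it.app_id, f"high-risk scopes granted: {sorted(risky)}"))
    return findings


# --- Step 2: behavioural baseline from audit logs (constructed log lines) -----
# Assumed line format: ISO timestamp | app_id | resource | records_returned
HISTORY = """\
2026-01-05T09:00:00 | app-crm-sync | contacts | 120
2026-01-06T09:00:00 | app-crm-sync | contacts | 135
2026-01-07T09:00:00 | app-crm-sync | contacts | 110
2026-01-08T09:00:00 | app-crm-sync | contacts | 128
2026-01-05T02:00:00 | app-niche-bi | sales_orders | 500
2026-01-06T02:00:00 | app-niche-bi | sales_orders | 520
2026-01-07T02:00:00 | app-niche-bi | sales_orders | 480
2026-01-08T02:00:00 | app-niche-bi | sales_orders | 510
"""
RECENT = """\
2026-01-09T09:00:00 | app-crm-sync | contacts | 125
2026-01-09T14:37:00 | app-niche-bi | customers_pii | 250000
"""


def parse_log(text):
    """Parse the pipe-separated lines into (timestamp, app_id, resource, count)."""
    rows = []
    for line in text.strip().splitlines():
        ts, app, resource, n = (part.strip() for part in line.split("|"))
        rows.append((datetime.fromisoformat(ts), app, resource, int(n)))
    return rows


def build_baseline(rows):
    """Per app: resources touched, hours of day active, and volume mean/stdev."""
    acc = defaultdict(lambda: {"resources": set(), "hours": set(), "volumes": []})
    for ts, app, resource, n in rows:
        acc[app]["resources"].add(resource)
        acc[app]["hours"].add(ts.hour)
        acc[app]["volumes"].append(n)
    return {app: {"resources": b["resources"], "hours": b["hours"],
                  "mean": mean(b["volumes"]), "stdev": pstdev(b["volumes"])}
            for app, b in acc.items()}


def detect_anomalies(baseline, rows, z=3.0):
    """Alert on unseen resources, unseen hours, or volume above mean + z*stdev."""
    alerts = []
    for ts, app, resource, n in rows:
        b = baseline.get(app)
        if b is None:  # activity from an identity that is not even in the baseline
            alerts.append((app, "no baseline: unknown integration"))
            continue
        if resource not in b["resources"]:
            alerts.append((app, f"new resource accessed: {resource}"))
        if ts.hour not in b["hours"]:
            alerts.append((app, f"activity at unusual hour {ts.hour:02d}:00"))
        if n > b["mean"] + z * b["stdev"]:
            alerts.append((app, f"volume {n} far above baseline mean {b['mean']:.0f}"))
    return alerts


if __name__ == "__main__":
    for f in assess_inventory(INVENTORY, POLICY, TODAY):
        print("POLICY", *f)
    for a in detect_anomalies(build_baseline(parse_log(HISTORY)), parse_log(RECENT)):
        print("ALERT ", *a)
```

Run as-is, the policy pass flags the unowned, never-reviewed "niche" connector with a wildcard scope and a ten-year token, plus the HR feed's year-long token and payroll scope, while the CRM sync passes cleanly; the baseline pass then raises three alerts on the same niche connector (a resource it never touched, an hour it is never active, and a volume hundreds of times its norm) and none on the CRM sync. The two passes are deliberately separate: the policy findings feed the certification and revocation workflow owned by the IAM team, and the anomaly alerts feed the SOC playbooks, which is the ownership split the steps above describe.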

Turning identity controls into board-level metrics

Boards are not interested in token configurations or SIEM alerts; they care about risk, reputation, and return on investment. For CISOs, the challenge is to translate identity controls into metrics that make business sense. That starts with getting the controls themselves right, for example by not embedding sensitive data in tokens and by prioritizing continuous monitoring, so that investments in controls translate into measurable outcomes.

Reporting to the board should convert technical work into business impact: how governance investments protect brand reputation, how risk exposure has been reduced, and what the ROI of these efforts looks like over time. Instead of telling the board “we improved token hygiene,” show them a slide that says: “We reduced exposed high‑risk integrations from 120 to 18 and cut modeled breach exposure from 2 million to 200,000 by enforcing short‑lived tokens and continuous attestation.” (The figures are a hypothetical illustration, not a reported case.)

For organizations operating under SOX or similar regimes, tying this narrative to ITGC controls for SOX compliance and to how policy‑based IGA reduces audit costs will resonate strongly with both audit committees and finance.

Rather than treating compliance as just reporting, organizations can build an evidence lake of controls, automate attestations, and prepare playbooks for “regulators not in the room” scenarios. Boards want transparency, assurance, and clear ROI—both reduced operational drag from audit friction and reduced downside risk from breaches—and they are more likely to fund modern identity programs when those levers are presented in quantified, business‑ready terms.

2026 must-dos—and the next frontier

Looking ahead, the must‑dos for 2026 are both simple and demanding. Most companies already have policies that look good on paper; the gap is in enforcement. Bringing those policies to life through continuous governance of key controls aligned with high‑likelihood, high‑impact risks is essential for real breach resilience.

Equally important is treating all identities—human and non‑human—with equal rigor. Automate where possible, baseline and review regularly, and actively seek out blind spots where smart companies still fail audits and suffer breaches. That means moving past false comfort in patchwork controls and embracing a more honest view of how identities actually behave across the SaaS and multicloud estate.

The organizations that will avoid the next billion‑record breach are the ones that, this year, put three basics in place: a unified inventory of human and non‑human identities, short‑lived and governed tokens for every integration, and board‑ready metrics that show how identity controls cut real business risk.

Are you ready to put this blueprint into practice? Talk to our team about how you can uncover shadow identities, high‑risk SaaS integrations, and opportunities to cut modeled breach exposure from the billion‑record range down to something your board can live with.
