HIPAA Compliance Checklist for 2025
In a recent CloudEagle webinar, we addressed one of the most urgent challenges that IT teams face today: hidden access and the rapid growth of unmanaged apps.
Employees are adopting SaaS tools faster than IT can govern them, especially with the rapid rise of generative AI applications. Many of these tools are purchased without IT approval, bypassing procurement, security reviews, and budget controls.
The challenge is that traditional identity management solutions were never designed for this kind of SaaS and AI sprawl. These systems were built on the assumption that IT controls all purchasing. In reality, most modern apps let users manage themselves, which creates risks that current controls can’t handle.
To stay ahead of the shadow IT and shadow AI crises, organizations need a new automated governance approach, which was the core of our webinar.
Our panel featured:
- Anubhav, Enterprise Account Executive, CloudEagle.ai
- Lenin Gali, Chief Digital and Business Officer, Atomic Work (former CIO and CISO)
- Titus, Practice Director, Everest Group
Lenin emphasized that SaaS governance has been a decade-long challenge, and with AI adoption accelerating, CIOs and CISOs face even greater urgency to rethink access control. Titus highlighted how hidden access is still not discussed enough, despite being a daily burden for IT and security leaders.
The session unfolded across four parts, each focused on uncovering the problem, analyzing risks, and laying out a modern strategy for identity governance.
Part I: Understanding the Scale of Shadow AI and Hidden Access
Q1: What is your first reaction when you hear that 60% of SaaS apps operate outside of IT visibility?
Lenin Gali: This statistic reflects a common reality. For years, IT has been overwhelmed and seen as too slow to meet business needs. As a result, employees and departments made their own technology decisions. What started with a handful of tools grew into hundreds of applications across the enterprise.
This expansion created a cascade of challenges:
- Security risks: Employees bought SaaS tools on credit cards without review. Accounts often remained active even after employees left.
- Financial waste: Budgets expanded rapidly with little visibility. Leaders often lacked clarity on where money was going or why certain apps were in use.
- Reactive IT: Instead of managing proactively, IT was left scrambling to discover hidden apps and patch risks after the fact.
According to Lenin, this is not a one-time issue. Without proactive governance, organizations remain stuck in a cycle of recurring gaps in visibility, cost, and security.
Q2: From a research perspective, how does the 60% figure compare to what you were seeing 12 to 18 months ago before the AI boom?
Titus: Shadow IT is not new, but the pace of change in the past year has been alarming. Just 12 to 18 months ago, 20 to 30% of IT spend was unaccounted for in large enterprises. Today, research shows that 50 to 55% of SaaS spend is not visible to IT. With AI agents proliferating, that number could reach as high as 90%.
Key findings include:
- Rapid growth: SaaS and AI adoption has doubled in just 12 to 18 months.
- Governance gaps: Traditional identity systems cannot keep up, as many SaaS vendors enable purchases directly with credit cards, bypassing procurement and ERP systems.
- Accelerated expansion: The growth of AI tools has dramatically multiplied the number of unmanaged endpoints.
The conclusion is that without stronger identity and access governance, enterprises risk losing visibility and control altogether.
Q3: From an operational standpoint, what is the biggest challenge when you discover unauthorized use of AI applications?
Lenin Gali: The first reaction is fear. The scope of the problem is almost always larger than expected. Once unauthorized use is uncovered, IT leaders realize they need additional people, budget, and resources to manage it.
The operational hurdles are considerable:
- Unplanned costs: AI apps are often usage-based. Once adopted, enterprises must also invest in new security and compliance staff—costs that were never budgeted.
- Complex visibility: IT needs immediate answers to questions such as who is using the app, why they are using it, how often, and where sensitive data is stored.
- Leadership pushback: CFOs often challenge the need for unplanned spending, adding friction to the process.
- Compounding risks: Each new AI application adds complexity and exposes organizations to greater compliance and data security challenges.
Lenin compared it to a game of snakes and ladders: productivity gains may appear at first, but the organization often slides backward as technical debt and compliance risks mount.
Q4: Research shows that marketing leads in unauthorized SaaS and AI purchases. What is driving this departmental difference?
Titus: Marketing technology is now a $300 billion market, nearly as large as traditional IT. The reasons for marketing’s lead in shadow adoption are clear:
- Mandates for speed: CMOs are under constant pressure to move quickly and generate results. Waiting for IT approvals is often seen as too slow.
- Lack of oversight: Security reviews and audits are frequently bypassed in the rush to launch campaigns.
- Short-term wins vs. long-term risks: While the tools deliver immediate gains, they introduce compliance and security issues that surface later.
- Expanding behavior: Marketing is leading today, but finance, operations, and other departments are likely to follow.
This reveals that unless real-time oversight is embedded into the process, shadow adoption will only increase.
Part II: The Hidden Risks of Lingering and Privileged Access
Q1: Nearly half of ex-employees retain access to systems. What problems can this cause, and how can enterprises mitigate them?
Lenin: The figure of 48% should keep every CIO and CISO awake at night. Lingering access is not a small issue; it is a governance gap.
He outlined the risks:
- Untracked access: Employees who purchase SaaS outside IT remain invisible. When they leave, their SSO may be deactivated, but external apps remain active.
- Unintended access: Former employees sometimes log into systems like Google Analytics using personal credentials tied to corporate assets.
- Blind spots: Accounts outside IT’s purview remain active long after an employee exits, leaving doors open.
Titus added that privileged access is even more dangerous. An employee may switch roles but retain admin rights they no longer need. In AI environments, those privileges can control agents that make critical business decisions in seconds.
The key takeaway: lingering access is not a task to clean up later; it must be addressed proactively with continuous monitoring and fast deprovisioning.
Q2: Traditional IAM wasn’t built for the license-level complexity of SaaS and AI. How should enterprises rethink security in this new environment?
Lenin: Traditional IAM systems were never designed for today’s explosion of SaaS and AI. Many applications bypass SSO entirely, creating hidden risks. He emphasized that:
- 77% of breaches involve compromised credentials. Attackers log in rather than break in.
- End users remain the weakest link, with forgotten passwords and poor practices creating entry points.
- Organizations must embrace zero trust and ensure every purchase goes through security.
Titus reinforced this by pointing out that SaaS risk is continuous, not periodic. Enterprises cannot afford annual or quarterly reviews. Metrics such as mean time to revoke access are critical.
The panel agreed that without automated, proactive governance, enterprises will face not only more frequent breaches but also much higher costs.
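The two answers above describe the same mechanic: the IdP disables a leaver on their last day, but accounts in apps bought outside SSO stay active, and nobody measures how long they stay that way. The following is an added example (not code from the webinar, CloudEagle, or any panelist) of the reconciliation a team can run to surface those accounts and compute the mean time to revoke access that Titus called critical. It assumes two hypothetical exports, a leavers list from HR or the IdP and a per-app user list, and all names, apps, dates and e-mail addresses in it are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Offboarding:
    """One row of an HR or IdP leavers export (hypothetical format)."""
    email: str
    left_on: date


@dataclass(frozen=True)
class AppAccount:
    """One row of a per-app user export (hypothetical format)."""
    app: str
    email: str
    status: str                         # "active" or "disabled"
    disabled_on: Optional[date] = None  # when the app itself disabled the user
    role: str = "member"                # "admin" marks privileged access


# Constructed sample data: three leavers, and the accounts found across the
# SSO-backed IdP plus two apps that were bought outside IT.
OFFBOARDED: List[Offboarding] = [
    Offboarding("alice@example.com", date(2025, 3, 1)),
    Offboarding("bob@example.com", date(2025, 4, 15)),
    Offboarding("carol@example.com", date(2025, 5, 20)),
]

APP_ACCOUNTS: List[AppAccount] = [
    # The IdP deactivated everyone on their last day ...
    AppAccount("idp", "alice@example.com", "disabled", date(2025, 3, 1)),
    AppAccount("idp", "bob@example.com", "disabled", date(2025, 4, 15)),
    AppAccount("idp", "carol@example.com", "disabled", date(2025, 5, 20)),
    AppAccount("idp", "dave@example.com", "active"),
    # ... but the non-SSO apps were cleaned up late or not at all.
    AppAccount("design-tool", "alice@example.com", "disabled", date(2025, 3, 15)),
    AppAccount("design-tool", "bob@example.com", "active", role="admin"),
    AppAccount("analytics", "carol@example.com", "active"),
    AppAccount("analytics", "dave@example.com", "active"),
]

AS_OF = date(2025, 6, 1)  # date on which this review pass is run


def find_orphaned_accounts(offboarded, accounts) -> List[AppAccount]:
    """Accounts still active in an app although the person has left.

    Privileged (admin) accounts sort first so they get revoked first.
    """
    left = {o.email for o in offboarded}
    orphans = [a for a in accounts if a.email in left and a.status == "active"]
    return sorted(orphans, key=lambda a: (a.role != "admin", a.app, a.email))


def revocation_lags(offboarded, accounts, as_of) -> Dict[str, List[int]]:
    """Per-app list of days between leaving date and account disablement.

    A still-active account is an open revocation, so its lag runs up to
    as_of; that way lingering accounts cannot hide from the metric.
    """
    left = {o.email: o.left_on for o in offboarded}
    lags: Dict[str, List[int]] = {}
    for a in accounts:
        if a.email not in left:
            continue
        closed = a.disabled_on if a.status == "disabled" else as_of
        lags.setdefault(a.app, []).append(max((closed - left[a.email]).days, 0))
    return lags


def mean_time_to_revoke_days(offboarded, accounts, as_of) -> Dict[str, float]:
    """Mean time to revoke access, in days, broken down per app."""
    lags = revocation_lags(offboarded, accounts, as_of)
    return {app: sum(v) / len(v) for app, v in lags.items()}


def review(offboarded=OFFBOARDED, accounts=APP_ACCOUNTS, as_of=AS_OF) -> dict:
    """Run one continuous-review pass and return its findings."""
    every = [d for v in revocation_lags(offboarded, accounts, as_of).values() for d in v]
    return {
        "orphaned": [(a.app, a.email, a.role)
                     for a in find_orphaned_accounts(offboarded, accounts)],
        "mttr_days_by_app": mean_time_to_revoke_days(offboarded, accounts, as_of),
        "mttr_days_overall": sum(every) / len(every) if every else 0.0,
    }


if __name__ == "__main__":
    findings = review()
    for app, email, role in findings["orphaned"]:
        print(f"REVOKE {app:12} {email:22} role={role}")
    for app, days in findings["mttr_days_by_app"].items():
        print(f"MTTR   {app:12} {days:5.1f} days")
    print(f"MTTR overall {findings['mttr_days_overall']:.1f} days")
```

Run on the sample data, the pass flags the admin account in the design tool and the analytics account as orphaned, reports a zero-day revocation lag for the IdP, and shows the two non-SSO apps dragging the overall mean time to revoke to about twelve days. Scheduling this reconciliation daily against fresh exports is the minimum form of the continuous review the panel argues for; the per-app figures also show which vendors need an SCIM or API-based deprovisioning hook rather than a manual clean-up.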
Part III: The Strategic Response – Building AI-Driven Identity Governance
Q1: What does a modern identity governance solution need to address?
Lenin: Enterprises can no longer afford open access and ungoverned adoption. The focus should be on:
- Risk appetite: Understanding tolerance and taking steps to minimize exposure.
- Governance and awareness: Making security everyone’s responsibility, not just IT’s.
- Cultural shift: Embedding accountability into daily operations.
- Proactive processes: Continuous detection and monitoring to close gaps.
Q2: Why are traditional IGA tools struggling, and what defines a modern solution?
Titus: Traditional IGA was built for static, on-premises applications. Today’s SaaS and AI landscape is dynamic and constantly evolving. A modern solution must have:
- AI at the core: Not as an add-on, but central to governance.
- Real-time operations: Continuous monitoring, not delayed batch jobs.
- Federated ownership: Shared responsibility across business units.
- Modern architecture: Event-driven ingestion, APIs, and webhooks.
- Zero trust by design: Applying least privilege to all identities, human and non-human.
Q3: What is the first step teams should take when facing visibility and access issues?
Lenin: Start with real-time visibility. Without it, governance and zero trust cannot succeed. Teams should:
- Place guardrails around access.
- Monitor unusual activity.
- Remove access to test necessity.
- Challenge assumptions around what employees truly need.
Q4: CloudEagle’s survey shows that 85% of companies have not adopted AI-powered governance. Why?
Lenin: AI-powered governance is still in its early stages. Enterprises hesitate because of unproven maturity, transparency concerns, and skepticism about ROI.
Titus added that explainability is the biggest barrier. Many vendors claim to be AI-powered but are not. Enterprises want proof, clarity, and real results before paying for it.
Part IV: Building a Future-Ready Identity Governance Program
Q1: What is holding teams back from continuous access reviews and automation?
Lenin: Manual reviews are repetitive and ineffective. Traditional audits rely on sampling, which misses risks. Continuous reviews are necessary, but only possible with automation. Adoption is slow because of reliability concerns, lack of clarity, and cultural resistance.
Q2: What happens if companies delay tackling identity governance and automation?
Titus closed with a stark reminder. Benchmarking shows that for every $1 not spent on governance, enterprises incur $8 to $10 in breach-related costs. With regulatory fines, compliance requirements, and rising risks, the cost of delay will only grow.
The message was clear: governance is no longer optional. It is a strategic necessity for enterprises that want to reduce financial exposure, meet compliance, and secure their future.
Closing Thoughts
The webinar highlighted a growing crisis that is both invisible and urgent. Hidden access, shadow IT, and the rise of AI agents have outpaced traditional governance models. Enterprises can no longer rely on periodic reviews or reactive clean-up.
The way forward lies in continuous, automated governance. Security, compliance, and cost control must be embedded into daily operations. Leadership must set the tone, but ownership must be distributed across the organization.
The panel left attendees with one undeniable truth: in a world where 60% of SaaS is invisible, proactive governance is not just best practice—it is survival.