
How CloudEagle.ai Assigned GenAI Risk Scores to Every SaaS Tool For an IT Services Enterprise

 “We had 287 approved SaaS vendors. CloudEagle showed us that 63 had quietly become GenAI platforms, and 11 were training on our data by default. We switched AI training off in 8 of them in a single afternoon. The other 3 went straight into access lockdown while we worked out the rest.”

~ Chief Information Security Officer, IT Services Enterprise

  • 63 of 287: approved SaaS tools use GenAI
  • 11: train on customer data
  • 8: training disabled in one day

Challenge
  • Previously approved SaaS vendors across CRM, collaboration, design, and support quietly added GenAI features and updated terms without visibility.
  • The board asked which vendors used customer data for AI training; answering meant manually reviewing privacy policies across 287 apps.
  • Where AI training couldn’t be disabled, sensitive data continued flowing through user access with no link between risk and provisioning.

Solution
  • CloudEagle surfaced GenAI Usage and AI Training Exposure signals for every SaaS vendor in the portfolio, inside each vendor's profile alongside spend and usage data.
  • A single filterable view across all seven GenAI risk signals replaced manual privacy-policy research with one filter applied to the full 287-app portfolio.
  • An AI Disable Controls signal per vendor showed where training could be turned off at the enterprise account level.

Result
  • 63 of 287 approved SaaS vendors identified as GenAI-enabled, with risk scores, including tools the security team had originally approved as traditional SaaS.
  • 11 vendors confirmed to train AI on customer data by default, with the full list produced in one filter instead of 11 manual reviews.
  • AI training switched off in 8 of the 11 vendors in a single afternoon, with the action and owner recorded against each vendor record.

Challenge

A leading IT services enterprise had built a well-governed SaaS portfolio of 287 applications, each tool having been vetted at the time of adoption.

Over 2025 and into 2026, many of these applications quietly introduced generative AI features (copilots, AI search, summaries, and automated insights), while some updated their privacy terms to allow customer data to be used for model training. None of these changes were centrally tracked.

Soon, the board began asking questions the security team couldn’t easily answer: which vendors now used GenAI, which ones trained on customer data, and which allowed those capabilities to be disabled. Finding answers meant manually reviewing policies, checking settings across hundreds of tools, and maintaining spreadsheets that went out of date almost immediately.

The CISO needed a centralized, portfolio-level view to identify every GenAI-enabled application, assess data exposure risks, and understand control gaps, all in one place.

Solution
  • GenAI Risk Scores applied to every SaaS vendor in the portfolio, covering AI training exposure, AI disable controls, GenAI usage, MFA support, SSO support, certifications, and data center standards.
  • Shadow AI & Shadow IT discovery surfaced GenAI features inside already-approved SaaS, including AI assistants added to collaboration, CRM, and design tools after the original contract.
  • Filterable portfolio view across all seven risk signals, so security could isolate every tool that trains AI on customer data, every tool without MFA, and every tool without SOC 2 certification in one query.
  • AI Disable Controls signal per vendor, showing whether GenAI features could be switched off at the enterprise account level, with links into the relevant admin configuration.
  • Self-Service App Catalog tied each access request to the vendor's GenAI risk score, so new provisioning to high-risk AI-training vendors required a risk acceptance before approval.

Why CloudEagle.ai?
  • GenAI risk visibility across the full SaaS portfolio in one view, not one vendor at a time through manual privacy-policy research.
  • Seven risk signals per vendor, including the three most consequential for GenAI governance: AI training exposure, AI disable controls, and GenAI usage.
  • Risk signals live inside each vendor's profile alongside spend, usage, and contract data already in CloudEagle, so governance runs in the same place as the rest of SaaS management.
  • Risk score wired into access provisioning through the Self-Service App Catalog, so the score gated who could use high-risk vendors rather than sitting in a dashboard.
  • Portfolio-level filtering answers board questions directly: every tool that trains AI on customer data, every tool without MFA, every tool without SOC 2, in one query.

Impact

Portfolio-Wide GenAI Visibility

  • 63 of 287 approved SaaS vendors identified as GenAI-enabled, including tools originally approved as traditional SaaS.
  • Board questions about GenAI vendor exposure answered through a single filter on the portfolio rather than manual privacy-policy research.
  • Risk signals for every vendor maintained continuously alongside spend and usage data, so the view stayed current as vendors added or changed GenAI features.

AI Training Exposure Mitigated

  • 11 vendors confirmed to train AI on customer data by default, surfaced as a filtered list rather than discovered one at a time.
  • AI training switched off in 8 of the 11 vendors in a single afternoon, with the action and owner recorded against each vendor.
  • Access to the remaining 3 training-enabled vendors scope-reduced through User Access Reviews, narrowing the pool of users able to push sensitive data into those tools.

Sustained GenAI Governance Posture

  • New access requests to GenAI-enabled vendors now route through the Self-Service App Catalog gated by the vendor risk score.
  • Risk signal changes (a vendor adding AI training, losing a certification, dropping MFA) surface as alerts rather than being discovered at the next board meeting.
  • Board-level GenAI risk reporting moved from manual document pulls to a live dashboard with vendor scores and disable-control status attached.

The Transformation

Before CloudEagle
  • GenAI adoption assumed to be a shadow IT problem, with approved SaaS vendors treated as already-reviewed.
  • Vendor AI training status researched manually by reading privacy policies one tool at a time.
  • AI disable controls sat in each vendor's admin settings with no central record of which vendors offered them.
  • App access requests routed through intake with no reference to the vendor's GenAI risk posture.
  • Board questions about vendor-level AI risk answered through ad-hoc spreadsheets compiled under deadline.

After CloudEagle
  • Every approved SaaS vendor carries a GenAI risk score covering training exposure, disable controls, and five other security signals.
  • Vendor AI training status filterable across the full 287-app portfolio in one query, with results current alongside spend and usage data.
  • AI Disable Controls signal per vendor surfaces which tools offer enterprise-level disable, with links into the relevant admin configuration.
  • Access requests to GenAI-enabled vendors gated by the vendor risk score through the Self-Service App Catalog.
  • Board questions about vendor-level AI risk answered from a live dashboard with vendor scores and disable-control status attached.
