Shadow AI Risk: How SaaS Apps Are Quietly Enabling Massive Breaches
A Grip Security report analyzing 23,000 SaaS environments reveals that 100% of organizations run AI-enabled SaaS apps, with a 490% year-over-year spike in public SaaS attacks. The report highlights how compromised OAuth tokens in shadow AI environments can cascade across multiple organizations, exemplified by the Salesloft-Drift incident that affected over 700 organizations including major security firms.
Summary
A Grip Security report analyzing 23,000 SaaS environments reveals that 100% of organizations run AI-enabled SaaS apps, with a 490% year-over-year spike in public SaaS attacks. The report highlights how compromised OAuth tokens in shadow AI environments can cascade across multiple organizations, exemplified by the Salesloft-Drift incident that affected over 700 organizations including major security firms.
Full text
A new report from Grip Security analyzes 23,000 SaaS application environments. The statistics it found include: 100% of analyzed companies operate SaaS environments with embedded AI; there has been a year-over-year 490% spike in public SaaS attacks; and 80% of documented incidents involve PII and/or customer data. “But what really surprised me,” says Chad Holmes, product marketing consultant at Grip Security, “is that organizations have an average of 140 AI-enabled SaaS environments.” If an AI-enabled app is breached, any integral agentic AI can be used first to access data from connected systems, secondly to cascade from the one breach to a breach of every other AI-enabled environment within the organization – and potentially to expand further into AI-enabled environments in other organizations. This is chaos. The poster boy example of this cascading chaos is the Salesloft Drift incident (the ‘Great SaaS Breach of 2025’). Ultimately more than 700 organizations were affected, including security firms Cloudflare, Palo Alto Networks, Zscaler and CyberArk. UNC6395 attackers compromised Salesloft’s internal systems, starting with their GitHub repositories and moving from there into the Drift AWS environment. Here they stole the active OAuth and refresh tokens used by customers to connect the Drift Chatbot to local installations of Salesforce and other apps such as Slack. Armed with the legitimate pre-approved OAuth token, the attackers were able to impersonate Drift and log directly into Salesforce installations into companies also using the Drift chatbot. One breach of a SaaS app (Drift) cascaded into hundreds of compromises in different companies across the globe. Now it is fair to say that this incident prompted a drive to improve the security of SaaS apps and their AI implementations, but Grip is not convinced it will be enough. “One thing we’re seeing,” comments Holmes, “as we’ve moved outside the traditional perimeter, outside firewalls and network level protections, identity is the new perimeter. The focus is on identity, and if we have that identity, we can log into any environment anywhere.” For attacks against SaaS AI, the key ‘identity’ is a valid OAuth token. It’s worth briefly examining why this is such a threat, if control hasn’t been achieved. Much of it is down to the current need for speed in business. SaaS developers are tempted to rapidly include agentic AI within their own products to improve efficiency ahead of their competition, and they don’t always make the implications apparent to their customers. The customer may have installed shadow AI without knowledge. ‘Shadow’ is the epithet used to describe the use of AI or autonomous agentic AI without formal oversight from the IT and security departments – and if the customer is unaware of the AI within the SaaS app, it is automatically ‘shadow’.Advertisement. Scroll to continue reading. Customers adopt these apps too hastily, again to rapidly improve their own efficiency, and often without auditing them. Meanwhile, they have become so accustomed to issuing OAuth tokens that they may do so automatically as required by the SaaS app without considering wider implications from installing shadow AI. While complexity is the enemy of security, SaaS is the disguiser and multiplier of complexity, through poor visibility into its shadow AI. An attacker can often find greater visibility into a SaaS app by stealing the right OAuth access and/or refresh token (courtesy of the modern infostealer that can enter, scrape and depart without the victim realizing it). Armed with the right OAuth token, the attacker can enter the app unhindered, and start gathering data from whatever other systems are connected to the agentic system simply by feeding it tailored prompts through the APIs. However, the danger is not limited to the single SaaS app containing the shadow AI’s own environment – it can cascade to other environments within the organization. IdentityMesh can be an unintentional flaw resulting in a single unified authentication context. This allows the attacker inside the SaaS app to access all other agentic systems within the environment. If one of these has access to third party apps or shared service accounts used across organizations, the attacker can then pivot the attack across multiple organizations – and the cascading effect caused by a single stolen OAuth token in one company can cause the loss of data in many others. “AI is not a future risk, nor is it ‘just an IT problem’,” notes the report. “And crucially, governing it is not optional. It is now one of the most influential forces shaping how modern businesses operate and take on risk.” The report suggests that 2026 may be the worst year yet for SaaS breaches, warning that the increased blast radius may expand further as autonomous workflows outpace existing security controls. There are attempts at regulation, but globally, such regulations are moving in different directions with conflicting mandates, uneven enforcement and increased compliance friction. “AI regulation will get messier before it gets clearer,” says the report. But the chaos can be brought under control. “The way out is not more policy or slower innovation. It is a shift in how AI is governed in practice,” adds the report. The key is increased visibility into, and understanding of, SaaS shadow AI, and more dynamic governance. “Leaders who succeed replace static approvals with continuous oversight, discovery, and risk-based controls. AI becomes a managed third-party risk, monitored continuously, aligned to business outcomes, and governed with the same rigor as any critical supplier.” Learn More at the AI Risk Summit Related: The Blast Radius Problem: Stolen Credentials Are Weaponizing Agentic AI Related: Microsoft Highlights Security Risks Introduced by New Agentic AI Feature Related: Infostealers: The Silent Smash-and-Grab Driving Modern Cybercrime Related: Security Analysis of Moltbook Agent Network: Bot-to-Bot Prompt Injection and Data Leaks Written By Kevin Townsend Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines. More from Kevin Townsend AI, APIs and DDoS Collide in New Era of Coordinated CyberattacksCISO Conversations: Aimee Cardwell‘BlackSanta’ Malware Activates EDR and AV Killer Before Detonating PayloadKevin Mandia’s Armadin Launches With $190 Million in FundingNation-State iOS Exploit Kit ‘Coruna’ Found Powering Global AttacksHacker Conversations: Inti De Ceukelaire, Raging Against the Machine CreativelyHow Pirated Software Turns Helpful Employees Into Malware Delivery AgentsQuantum Decryption of RSA Is Much Closer Than Expected Latest News Virtual Summit Today: Supply Chain & Third-Party Risk SummitEU Sanctions Chinese, Iranian Firms Supporting Hacking OperationsManifold Raises $8 Million for AI Detection and ResponseIranian Hackers Likely Used Malware-Stolen Credentials in Stryker BreachApple Debuts Background Security Improvements With Fresh WebKit PatchesResearcher Discovers 4th WhatsApp View Once Bypass; Meta Won’t PatchTech Giants Invest $12.5 Million in Open Source SecurityUK Companies House Exposed Details of Millions of Firms Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Virtual Event: Supply Chain Security and Third-Party Risk Summit March 18, 2026 Join the event where top security expert