SaaS has a big identity problem

With more guest access than licensed users, firms are being compromised through the trusted identities and collaboration tools they rely on every day

Unmanaged SaaS guest accounts are creating massive security liabilities for small and mid-sized businesses, new research has shown.

According to Kaseya’s 2026 SaaS Security Report, 69% of SaaS accounts have more guest access than licensed users, with persistent third-party access and externally shared data leaving small and mid-sized businesses open to attack.

Gaps in multi-factor authentication (MFA), OAuth sprawl, and external file sharing are widening the SMB attack surface, the study noted. Indeed, threat actors are now abandoning perimeter attacks in favor of softer targets like identities, OAuth integrations, and collaboration workflows.

This, Kaseya noted, leaves a trust gap most small and mid-sized businesses can't even see, let alone close.

“Today’s AI-emboldened threat actors see one interconnected attack environment, whereas most organizations defend their infrastructure in pieces,” said Jim Lippie, chief product officer at Kaseya.

“The most resilient organizations will be those that embrace continuous monitoring, identity governance, and automated response as foundational requirements.”

AI scramble has caused OAuth chaos

The rush to adopt AI has led to a sprawl of third-party OAuth integrations that use persistent tokens instead of credentials, and that risks granting attackers permanent data access even after password resets.

As a result, non-human service principal logins now account for one-fifth of critical security alerts.

At the same time, attackers are using AI-driven automation to instantly locate and exploit dormant guest accounts, moving faster than manual defenses can respond.

Legacy controls like geolocation blocks are also failing to help, as attackers route traffic through trusted cloud hosts and VPNs.

Outside North America, Kaseya found nearly half (44%) of unauthorized logins originated from trusted infrastructure and outsourced hubs.

India accounts for 14%, the Philippines 10%, Germany 7%, the UK 7% and the Netherlands 6%.

Hackers are exploiting SaaS identity gaps

Once inside, attackers are able to exploit massive identity gaps, with 56% of accounts lacking active MFA and only 27% of SMBs enforcing it across the organization.

Meanwhile, researchers found data leakage is through the roof in productivity environments. In Microsoft 365, 45% of all shared files were sent outside the organization.

Companies are also failing to keep up with severe alerts. Last year, while 98.9% of security events monitored by SaaS Alerts were classified as low severity, organizations still faced more than 278 million medium- and critical-severity alerts requiring investigation.

Kaseya recommends transitioning from rigid perimeter defenses to active, identity-first governance frameworks.

"Bridging the modern trust gap requires businesses to move away from static event tracking and instead prioritize automated behavioral monitoring that can flag anomalous activity inside trusted accounts," the company said.

"By aggressively consolidating security stacks, enforcing organization-wide MFA and continuously auditing machine identities and external sharing permissions, SMBs can eliminate critical visibility silos and systematically neutralize attacker persistence before a breach occurs."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.