The SaaS Security Disconnect: Why Most Organizations Are Still Vulnerable
A new report from AppOmni captures a significant misplaced confidence in the security of software-as-a-service applications and escalating risks associated with these cloud services. The third annual State of SaaS Security 2025 is based on a survey of more than 800 security leaders and decision-makers within finance, healthcare, manufacturing and software.
Most respondents come from large organizations — three-quarters with more than 2,000 employees — and their responses reveal a disconnect: While SaaS ecosystems grow more complex and AI introduces fresh vulnerabilities, too many teams cling to an illusion of control that could very well leave them exposed.
The report underscores how SaaS is one of the most targeted aspects of an organization’s attack surface, yet it’s often the least defended. Incidents are increasing, as 75% of organizations reported a SaaS-related breach in the past year, up from 44% in 2024. Wim Remes, founder of cybersecurity consultancy Wire Security, is not surprised by the findings.
“Organizations are still dealing with the shift to SaaS, and they need to shift their thinking away from focusing on securing the data itself, and toward better securing the systems that hold and process that data,” Remes said.
A Widening SaaS Security Disconnect
The findings highlight a widening disconnect between the security levels organizations think they have and their actual levels of security. A complete 91% of respondents expressed confidence in their SaaS security postures, even as three-quarters dealt with actual incidents involving their SaaS applications. The report identified the cause of this overconfidence to stem from several root causes: Scattered ownership models, misunderstandings of the shared responsibility framework with vendors, and a heavy reliance on visibility tools without the enforcement to back them up.
For instance, 89% of those hit by compromises thought they had “appropriate visibility” into their environments, only to learn the hard way that seeing isn’t the same as securing. AI is adding fuel to the fire, creating new governance headaches. A full 61% of leaders predict it will dominate SaaS security conversations in the coming year, particularly around managing non-human identities and access to generative AI tools embedded in apps. Meanwhile, fundamental hygiene issues persist — 41% of incidents traced back to permission problems, and 29% to misconfigurations — proving that even in 2025, the fundamentals can trip up the most sophisticated setups. Tooling gaps aren’t helping.
However, Remes contended organizations aren’t really “seeing” all of their SaaS applications, either. “You only see what you see. And unfortunately, “Shadow IT” is still a thing. There’s the cloud and SaaS that’s in use that organizations know about. Then there’s the other stuff, the shadow IT, and most of that shadow IT is not using standard practice,” he said.
One of the biggest challenges, Remes said, is that all the different components and SaaS suffer from “implementation drift.” Organizations may have a reference architecture, but the actual implementation will differ and continue to evolve. “Since a cloud and SaaS environment consists of many individual components, the drift accelerates, which introduces weaknesses, misconfigurations and vulnerabilities,” Remes stressed.
Despite those challenges, only 13% of organizations are using dedicated SaaS security posture management (SSPM) products, despite nearly a third recognizing they need one. And while 96% agree SaaS security is growing in importance, legacy habits and awareness shortfalls keep holding them back.
Brendan O’Connor, CEO at AppOmni, said that the report shows a concerning ‘illusion of control,’ where the vast majority of security leaders feel confident in their SaaS security posture, even as a substantial number of them are dealing with SaaS-related incidents.
Yet, SaaS security doesn’t have to be overwhelmingly complex. In fact, with better governance, the right tools and a shift to proactive, scalable cloud security programs, organizations can turn the threats back.
