Identity Sprawl Is the New SaaS Sprawl


IT Trends Weekly — a curated, citation-first roundup for busy IT leaders.


Context. Over the last month, many organizations have done the right things: reduced SaaS waste, planned Windows 11 migrations, upgraded Wi-Fi, and tried to rein in collaboration overload. Yet breaches, audit findings, and ransomware incidents continue to trace back to the same root cause: identity sprawl. Identity — not networks, servers, or endpoints — is now the primary attack surface for modern organizations.[Microsoft][CISA]



What changed (why identity is now the perimeter)

The network is no longer the boundary. Cloud-first applications, remote work, and SaaS platforms allow users to authenticate directly to services without touching internal networks. VPN usage continues to decline while identity-based access expands. Microsoft and CISA both now frame identity as the foundational security control in Zero Trust architectures.[Microsoft][CISA]

SaaS growth outpaced governance. Industry benchmarks show organizations routinely operating 100+ applications, each with its own users, OAuth grants, API tokens, and admin roles. Identity cleanup rarely happens when projects end or employees depart, leaving behind persistent access paths.[Okta][Zylo]

MFA adoption plateaued. While MFA is widely deployed, enforcement is often inconsistent. Legacy authentication, service accounts, and “temporary” exclusions remain common entry points exploited during modern attacks.[Microsoft][Mandiant]

Why it matters beyond “turn on MFA”

  • Identity breaches scale instantly. A compromised identity grants access across email, files, finance systems, and collaboration platforms simultaneously.[Microsoft]
  • Audits start with access. Regulators and public-sector auditors increasingly focus on privileged access, justification, and documentation rather than perimeter defenses.[CJIS][NIST]
  • Identity debt compounds quietly. Unlike outages or failed patches, identity risk remains invisible until exploited — often with catastrophic impact.[CISA]

First 48 hours: the identity truth audit

  • Export all identities. Users, guests, service accounts, and privileged roles from your primary IdP.
  • Classify accounts. Human, external, service, and emergency/break-glass.
  • Validate MFA reality. Identify exclusions, legacy protocols, and conditional access gaps.
  • Flag dormancy. Accounts inactive for 60–90 days without owners or justification.[Microsoft]

Operational realities

  • “MFA will break things” is rarely true. Most exclusions persist due to convenience, not technical necessity.
  • Service accounts are high risk. They often lack rotation, ownership, or logging.
  • Too many admins exist. Standing privilege increases blast radius and audit exposure.[Microsoft][NIST]

Evidence leaders want

  • % of identities with MFA enforced
  • Number of privileged accounts
  • Count of dormant identities removed
  • Applications authenticating outside SSO
  • Service accounts with assigned owners
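The "first 48 hours" audit and the scorecard metrics above can be produced from a single identity export. The following script is an added example written for this brief; it is not code from IT Trends Weekly or from any IdP vendor. It assumes a generic CSV export with the columns `upn,type,privileged_role,mfa_enforced,legacy_auth_allowed,last_sign_in,owner` (real Entra ID or Okta exports use different column names and would need a mapping step), a constructed audit date of 2025-01-15, a 90-day dormancy threshold (the upper end of the 60–90 day window in the text), and the naming rule that break-glass accounts start with `breakglass`. The sample identities and application list are constructed for the example.

```python
"""Identity truth audit over a constructed IdP export (added example).

Classifies each identity (human / external / service / emergency), records
MFA, legacy-auth, dormancy and ownership findings, and emits the metrics the
brief lists under "Evidence leaders want". All column names, rules and sample
data are assumptions for this example, not a vendor schema.
"""
import csv
import io
from datetime import date

AS_OF = date(2025, 1, 15)      # constructed audit date, fixed so results are repeatable
DORMANT_DAYS = 90              # upper end of the 60-90 day window in the text

# Constructed sample export; the column layout is an assumption.
SAMPLE_EXPORT = """\
upn,type,privileged_role,mfa_enforced,legacy_auth_allowed,last_sign_in,owner
alice@corp.example,member,Global Administrator,true,false,2025-01-10,
bob@corp.example,member,,true,false,2024-09-01,
svc-backup@corp.example,service,,false,true,2025-01-12,
svc-legacy@corp.example,service,,false,true,2024-06-15,itops@corp.example
partner@vendor.example,guest,,false,false,2024-07-20,
breakglass-01@corp.example,member,Global Administrator,false,false,2024-02-01,secops@corp.example
"""

# Constructed application inventory: (name, authenticates through SSO?)
SAMPLE_APPS = [("Payroll", True), ("LegacyTicketing", False),
               ("CRM", True), ("SharedDriveTool", False)]


def classify(row):
    """Assumed classification rule: break-glass by naming convention,
    otherwise by the IdP's account type."""
    if row["upn"].lower().startswith("breakglass"):
        return "emergency"
    if row["type"] == "service":
        return "service"
    if row["type"] == "guest":
        return "external"
    return "human"


def parse_export(text):
    """Read the CSV export and normalise booleans, dates and class."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["class"] = classify(r)
        r["mfa_enforced"] = r["mfa_enforced"].lower() == "true"
        r["legacy_auth_allowed"] = r["legacy_auth_allowed"].lower() == "true"
        r["last_sign_in"] = date.fromisoformat(r["last_sign_in"])
        r["privileged"] = bool(r["privileged_role"].strip())
    return rows


def audit(rows, as_of=AS_OF):
    """Return (upn, finding) pairs for the truth audit."""
    findings = []
    for r in rows:
        idle_days = (as_of - r["last_sign_in"]).days
        cls = r["class"]
        # Human and external identities must have MFA enforced.
        if cls in ("human", "external") and not r["mfa_enforced"]:
            findings.append((r["upn"], "mfa-gap"))
        # Legacy protocols bypass MFA regardless of account type.
        if r["legacy_auth_allowed"]:
            findings.append((r["upn"], "legacy-auth"))
        # Break-glass accounts are dormant by design; everything else is not.
        if cls != "emergency" and idle_days > DORMANT_DAYS:
            findings.append((r["upn"], "dormant"))
        # Service accounts without an owner cannot be rotated or reviewed.
        if cls == "service" and not r["owner"].strip():
            findings.append((r["upn"], "service-no-owner"))
        # Every break-glass account goes on the documentation list.
        if cls == "emergency":
            findings.append((r["upn"], "breakglass-review"))
    return findings


def scorecard(rows, apps, as_of=AS_OF):
    """The metrics listed under 'Evidence leaders want'."""
    findings = audit(rows, as_of)
    services = [r for r in rows if r["class"] == "service"]
    owned = [r for r in services if r["owner"].strip()]
    return {
        "mfa_enforced_pct": round(100 * sum(r["mfa_enforced"] for r in rows) / len(rows), 1),
        "privileged_accounts": sum(r["privileged"] for r in rows),
        "dormant_identities": sum(1 for _, f in findings if f == "dormant"),
        "apps_outside_sso": sum(1 for _, sso in apps if not sso),
        "service_accounts_with_owner": f"{len(owned)}/{len(services)}",
    }


if __name__ == "__main__":
    identities = parse_export(SAMPLE_EXPORT)
    for upn, finding in audit(identities):
        print(f"{finding:18} {upn}")
    print(scorecard(identities, SAMPLE_APPS))
```

Swap `SAMPLE_EXPORT` for a real export and `SAMPLE_APPS` for the application inventory, adjust `classify` to your naming conventions, and the findings list becomes the Day 1–2 inventory while the dictionary becomes the Day 7 scorecard.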

7-day plan: reduce identity risk fast

  • Day 1–2: Inventory and classify identities
  • Day 3: Enforce MFA and block legacy auth
  • Day 4: Reduce standing admin privileges
  • Day 5: Disable dormant and orphaned access
  • Day 6: Document and secure break-glass accounts
  • Day 7: Publish an identity risk scorecard

AI trend (blurb)

AI amplifies identity mistakes. Copilots and automation tools inherit user permissions. Over-permissioned identities combined with AI increase the speed and scope of data exposure, making identity governance a prerequisite for responsible AI adoption.[Microsoft]

FAQ

  • Is MFA enough? No. MFA without least privilege and lifecycle management still leaves organizations exposed.
  • What about shared accounts? Shared accounts undermine accountability and should be eliminated.
  • How often should access be reviewed? Quarterly at minimum, immediately upon role change.

CTA: Stay ahead each week

Subscribe to IT Trends Weekly for one concise, citation-first brief each week.

Sources & citations

  1. Microsoft — Zero Trust and identity security guidance
  2. CISA — Zero Trust Maturity Model
  3. Okta — Businesses at Work Report
  4. Zylo — SaaS Management Index
  5. Mandiant — Identity-based attack analysis
  6. NIST SP 800-53 / 800-63 — Digital identity guidance
  7. CJIS Security Policy — Access control & auditing