5 Identity Security Risks We Found in a Regulated Enterprise
May 14, 2025
Even the most mature enterprises encounter new, subtle, and complex identity security challenges from the rapid growth of SaaS. When a Fortune 100 organization in a tightly regulated industry first partnered with Grip, we found an environment struggling with fragmented governance, unmanaged SaaS expansion, and widespread password sprawl—issues we observe across many large enterprises.
This case study illustrates the effects of SaaS advancing more rapidly than infrastructure, and how the right visibility, prioritization, and action can turn risk into resilience. Here's what we discovered.
Discovery 1: SaaS Adoption is Outpacing Identity Governance
Modern work demands speed; on average, this organization adds 75 new SaaS apps each month. However, our analysts found that 60 of these applications were password-based, compared to only 15 apps connected via SSO. In other words, unmanaged SaaS was outpacing SSO by more than 3 to 1.
At the current rate and without intervention, by mid-2027, nearly 4,000 apps would operate outside of centralized identity governance, including 3,000 unmanaged SaaS apps with no visibility, no offboarding, and no password hygiene. This was an area the security team wanted to get under control.
The disconnect between SaaS adoption and identity control isn’t unusual, but it creates a meaningful attack surface and operational risk at this scale. This challenge is fairly common with large, decentralized organizations and is the byproduct of how easily SaaS can be acquired and deployed by end users. Designed for speed and simplicity, modern SaaS makes it effortless to bypass traditional IT channels, but without deliberate action, the problem only accelerates as the business grows.
Discovery 2: Credential Sprawl is Widespread
As we dug deeper into the company's SaaS and identity landscape, we uncovered extensive credential sprawl affecting every corner of the organization. The risks were not confined to isolated departments or lower-priority apps; they extended into the heart of the business.
Amongst our findings:
A higher concentration of unmanaged apps existed in select departments.
The highest concentration of unmanaged credentials was found in high-risk departments, including sales, HR, marketing, and finance. These teams regularly access sensitive financial, employee, and customer data, but many SaaS tools were operating outside of centralized control. Without SSO, visibility, or governance, these users represented some of the largest identity risks across the enterprise.
Passwords were the only thing standing between bad actors and sensitive data.
Critical application security relied heavily on passwords. Financial systems, which manage the organization’s most sensitive financial records and transactions, had 6,318 users accessing them through credential-based logins. These applications store essential operational data, yet they remain outside SSO governance.
Similarly, customer data platforms, another crown jewel for the business, demonstrated significant reliance on passwords. Over 3,200 users accessed systems with valuable customer information via unmanaged, password-based authentication.
Both organizational security and compliance standards were at risk.
Almost 13,000 unmanaged logins existed across financial, sales, and customer data applications. These were not fringe or low-value tools; they were essential to daily operations and critical for compliance requirements in the company’s regulated industry.
One of the most pressing challenges was that many of these high-value applications do not support SAML or federated access. As a result, the organization was locked into a password-dependent model for critical systems, making it difficult to fully enforce modern identity security controls. Without federated authentication options, risk cannot simply be "onboarded away" — it must be managed strategically and continuously through password managers.
Discovery 3: Credential-Based Vulnerabilities Were Extensive
Credential-based vulnerabilities were widespread and measurable, and the scale of the risk was substantial. Our analysis revealed that over 12,000 SaaS accounts were exposed to significant credential-based vulnerabilities.
The breakdown across critical risk categories shows why targeted intervention is essential:
Weak passwords were present on 1,398 accounts (11%), making sensitive systems easier for attackers to access via simple guessing or brute-force techniques.
Leaked credentials were found associated with 2,543 accounts (21%), meaning a substantial portion of user credentials have already appeared in known data breaches, exposing the enterprise to credential stuffing and takeover attacks.
Shared accounts were identified across 756 instances (6%), undermining offboarding processes and making it nearly impossible to maintain effective audit trails and user accountability.
Password reuse affected 7,724 accounts (62%), multiplying the impact of any single compromised password across dozens of different applications and systems.
These figures highlight that password risk is not abstract; it’s quantifiable, persistent, and deeply embedded across an enterprise’s SaaS environment. Without action, every unmanaged password becomes a potential foothold for attackers seeking financial data, customer records, or intellectual property.
Discovery 4: Hidden Risk Multipliers Existed Inside the User Population
Further analysis showed that identity risk was not evenly distributed across the enterprise. Certain users, based on the number of unmanaged credentials they held, represented concentrated points of potential compromise.
812 users managed credentials for 11 or more apps, making them “power users” of unmanaged SaaS and increasing the likelihood that a single compromised account could open access to multiple systems.
43 users managed credentials for 20 or more apps, creating outsized risk exposure. If even one of these users experienced credential compromise, dozens of critical SaaS applications could be affected instantly.
Beyond user behavior, the environment showed that password management practices also introduced new layers of risk. Password managers were in use, but without centralized oversight or governance:
479 enterprise accounts were distributed across six different password management platforms. Each platform operated independently, with no consistent policy enforcement, auditability, or centralized offboarding processes in place.
In practice, every unmonitored password manager becomes its own hidden identity risk, creating blind spots that go unnoticed during employee transitions and security events.
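The classifications in Discoveries 2 through 4 (department concentration of unmanaged apps, weak, leaked, shared and reused credentials, and "power users" holding 11 or 20+ unmanaged apps) can be reproduced as a triage pass over a credential inventory. The script below is an added example, not Grip's tooling: the account rows, the breach corpus and the 12-character minimum are constructed assumptions, while the 11-app and 20-app thresholds come from the findings above. It ranks each password-based account by how many risk categories it falls into, which is the prioritization step the case study argues for.

```python
"""Credential-sprawl triage over a constructed SaaS account inventory."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Account:
    user: str
    department: str
    app: str
    account_id: str   # login identity on the SaaS app
    auth: str         # "sso" or "password"
    password: str     # plaintext only because this inventory is constructed toy data


# Thresholds taken from the findings above; the rest are assumptions.
POWER_USER_APPS = 11   # "11 or more apps"
HEAVY_USER_APPS = 20   # "20 or more apps"
MIN_LENGTH = 12
COMMON_PASSWORDS = {"Welcome1", "Summer2024!", "Password123"}


def sha1_hex(secret: str) -> str:
    return hashlib.sha1(secret.encode()).hexdigest()


# Constructed stand-in for a breach corpus (a real deployment would query a
# k-anonymity range API instead of holding plaintext locally).
BREACHED_HASHES = {sha1_hex("Welcome1"), sha1_hex("Tr0ub4dor&3")}


def build_inventory() -> list:
    """Constructed sample: a few departments, one shared CRM login, one power user."""
    rows = [
        Account("alice", "finance", "ledger-saas", "alice@corp.example", "password", "Welcome1"),
        Account("alice", "finance", "expense-tool", "alice@corp.example", "password", "Welcome1"),
        Account("bob", "sales", "crm", "sales-team", "password", "Tr0ub4dor&3"),
        Account("carol", "sales", "crm", "sales-team", "password", "Tr0ub4dor&3"),
        Account("dave", "hr", "hris", "dave@corp.example", "sso", ""),
        Account("erin", "marketing", "adtool", "erin@corp.example", "password", "Summer2024!"),
    ]
    # frank holds twelve password-based apps; the first six share one passphrase.
    for i in range(12):
        pw = "correct-horse-battery-staple" if i < 6 else f"UniqueP@ss{i:02d}word"
        rows.append(Account("frank", "marketing", f"tool-{i}", "frank@corp.example", "password", pw))
    return rows


def triage(rows: list) -> dict:
    """Classify every password-based account and rank them for remediation."""
    pw_rows = [r for r in rows if r.auth == "password"]

    # Same user, same password, more than one app -> password reuse.
    apps_by_user_pw = defaultdict(set)
    # Same app login used by more than one person -> shared account.
    users_by_login = defaultdict(set)
    for r in pw_rows:
        apps_by_user_pw[(r.user, r.password)].add(r.app)
        users_by_login[(r.app, r.account_id)].add(r.user)

    findings = {"weak": set(), "leaked": set(), "shared": set(), "reused": set()}
    for r in pw_rows:
        key = (r.user, r.app)
        if len(r.password) < MIN_LENGTH or r.password in COMMON_PASSWORDS:
            findings["weak"].add(key)
        if sha1_hex(r.password) in BREACHED_HASHES:
            findings["leaked"].add(key)
        if len(users_by_login[(r.app, r.account_id)]) > 1:
            findings["shared"].add(key)
        if len(apps_by_user_pw[(r.user, r.password)]) > 1:
            findings["reused"].add(key)

    # Risk multipliers: users holding many unmanaged credentials.
    apps_per_user = Counter(r.user for r in pw_rows)
    power_users = {u for u, n in apps_per_user.items() if n >= POWER_USER_APPS}
    heavy_users = {u for u, n in apps_per_user.items() if n >= HEAVY_USER_APPS}

    # Prioritise accounts by how many risk categories they fall into.
    score = Counter()
    for keys in findings.values():
        for key in keys:
            score[key] += 1
    ranked = sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))

    return {
        "password_accounts": len(pw_rows),
        "counts": {name: len(keys) for name, keys in findings.items()},
        "findings": findings,
        "unmanaged_by_department": dict(Counter(r.department for r in pw_rows)),
        "power_users": power_users,
        "heavy_users": heavy_users,
        "ranked": ranked,
    }


if __name__ == "__main__":
    report = triage(build_inventory())
    print(report["counts"], report["unmanaged_by_department"])
    for (user, app), n in report["ranked"][:5]:
        print(f"{n} risk categories: {user} on {app}")
```

On the constructed data the finance ledger login tops the ranking (weak, leaked and reused at once) alongside the shared sales CRM login, while frank's six reused passphrases rank lower individually but make him the only user over the 11-app threshold; that is the shape of the picture the case study describes, with a small number of accounts and users concentrating most of the exposure.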
Discovery 5: Credential Risks Were Amplifying the Enterprise Attack Surface
The combination of unmanaged credentials, fragmented password management, and password reuse created a broad and exploitable attack surface.
By the numbers:
Over 12,000 SaaS accounts were at heightened risk from credential-based vulnerabilities across weak passwords, leaked credentials, shared accounts, and password reuse.
Unmanaged credentials accessed vital business functions, from financial systems to customer data platforms and sales and marketing tools.
Due to technical limitations, critical SaaS applications managing financial records, legal documents, customer data, and intellectual property cannot be onboarded to SSO. Consequently, password risks in these areas must be mitigated through alternative controls.
Together, these factors created a fragile identity environment. Without visibility, governance, and risk reduction strategies, each unmanaged credential jeopardized the organization’s security posture.
Building Resilience in an Era of SaaS Sprawl
SaaS adoption isn’t slowing down, nor are the identity challenges it creates.
When this enterprise turned to Grip, they were navigating the complexities of rapid SaaS growth, fragmented governance, and widespread credential sprawl. As in many large organizations, traditional security models couldn’t keep pace with the speed and decentralization of modern work.
Grip provided the visibility, prioritization, and action needed to regain control. By uncovering unmanaged SaaS, surfacing credential-based risks, and highlighting fragmented access patterns, we helped this organization strengthen its security posture without slowing down innovation. Together, we built a foundation for resilient, adaptive identity security, one that’s ready to scale with the future of work.