This post explores why top identity vendors like Okta, CrowdStrike, and Microsoft are expanding into the SaaS stack to solve the “blind spots” created by autonomous AI agents, over-privileged non-human identities, and the 2026 certificate crunch
Knock Knock, who is there?
User
User who?
Malicious User!
No, it is not an AI-written joke. It points to a basic anomaly in identity security, and to the main reason identity security vendors are expanding into SaaS security: once you have logged in, unless you have in-session risk monitoring, what you do is nobody's concern until it is far too late. But this is not the only reason identity vendors are moving into SaaS security.
The second reason also concerns visibility into user activity. Organizations no longer want one tool to manage the "who" (IAM) and another to manage the "what" (SSPM), because keeping who and what in separate buckets leaves nobody looking at the combination. The arrival of AI has made this worse. Autonomous AI agents move between apps, call APIs, and make decisions on their own. They do not "log in" in a way that IAM tools can easily track, and they do not just "sit" in a SaaS app where SSPM tools can watch them. If the IAM tool sees a "successful login" and the SSPM tool sees "normal app settings," both report green. Neither can see that an autonomous agent is chaining those two things together to move data from a secure database to a public Slack channel. The fragmentation itself creates the blind spot in which the agent operates.
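The blind spot described above is a correlation problem: each log source is green on its own, and the exfiltration only appears when the identity provider's login records and the SaaS audit logs are joined by identity and ordered in time. The following is an added example written for this article, not code from any of the vendors discussed. The events are constructed, and the field names (`actor`, `sensitivity`, `visibility`) are an assumption; in a real deployment the hard part is mapping an OAuth client's token back to the same `actor` the SaaS logs report.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Taken on their own, every record below is
# benign: the IdP sees successful logins, the SaaS audit logs see a routine export and
# a routine upload. Only the sequence, joined across sources, shows the exfiltration.
IDP_EVENTS = [
    {"ts": "2026-03-02T09:00:05Z", "actor": "svc-notes-agent", "event": "login.success", "via": "oauth_client"},
    {"ts": "2026-03-02T09:01:10Z", "actor": "alice", "event": "login.success", "via": "sso"},
]

SAAS_EVENTS = [
    {"ts": "2026-03-02T09:02:00Z", "actor": "alice", "app": "salesforce",
     "action": "report.export", "sensitivity": "confidential"},
    {"ts": "2026-03-02T09:03:30Z", "actor": "svc-notes-agent", "app": "salesforce",
     "action": "report.export", "sensitivity": "confidential"},
    {"ts": "2026-03-02T09:05:12Z", "actor": "svc-notes-agent", "app": "slack",
     "action": "file.upload", "channel": "#random", "visibility": "public"},
    {"ts": "2026-03-02T09:40:00Z", "actor": "alice", "app": "slack",
     "action": "message.post", "channel": "#dm-bob", "visibility": "private"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_exfil_chains(idp_events, saas_events, window=timedelta(minutes=10)):
    """Flag an identity that reads confidential data in one app and then writes to a
    public destination in a different app within `window`. The IdP log supplies the
    set of identities that actually authenticated; the SaaS logs supply what they did."""
    authenticated = {e["actor"] for e in idp_events if e["event"] == "login.success"}
    by_actor = {}
    for e in sorted(saas_events, key=lambda e: e["ts"]):  # ISO-8601 UTC sorts lexically
        by_actor.setdefault(e["actor"], []).append(e)

    findings = []
    for actor, events in by_actor.items():
        if actor not in authenticated:
            continue  # activity with no login is a different finding (token replay etc.)
        for i, src in enumerate(events):
            if src.get("sensitivity") != "confidential":
                continue
            for dst in events[i + 1:]:
                if _parse(dst["ts"]) - _parse(src["ts"]) > window:
                    break  # events are time-ordered, nothing later can be in the window
                if dst.get("visibility") == "public" and dst["app"] != src["app"]:
                    findings.append({
                        "actor": actor,
                        "read": f'{src["app"]}:{src["action"]}',
                        "write": f'{dst["app"]}:{dst["action"]} -> {dst["channel"]}',
                        "seconds": int((_parse(dst["ts"]) - _parse(src["ts"])).total_seconds()),
                    })
    return findings


if __name__ == "__main__":
    for finding in find_exfil_chains(IDP_EVENTS, SAAS_EVENTS):
        print(finding)
```

Alice's export followed by a private message is not flagged (wrong visibility and outside the window); the agent's export followed 102 seconds later by a public upload is. Note that the rule deliberately keys on the read-then-public-write sequence rather than on either event alone, since both are legitimate in isolation.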
The third reason is the obvious continuation of the second: AI in everything, everywhere, all at once. Vendors are updating their products accordingly. The latest example is Salesforce, which has recently launched a platform that brings together AI with CRM and voice, essentially a convergence of Contact Center as a Service (CCaaS) and CRM. AI agents of this kind perform tasks, call APIs, and move data on their own, which turns identity into the control plane. The danger comes from agents being built to be "helpful": to achieve that, they are often configured to inherit the full permissions of the user who launched them. If that user has excess privilege in a SaaS tool, the agent becomes a high-speed vector for data exfiltration, because whoever can steer the agent (for instance through instructions planted in a document it is asked to read) gets to exercise the user's authority. This is the classic "confused deputy" problem, in which a component with legitimate authority is tricked into using it on someone else's behalf.
The fourth point is one we have already touched on: the sheer proliferation of non-human identities (NHIs). Most SaaS data leaks do not happen through a login page; they happen through over-privileged OAuth tokens that connect one app to another, such as a "notetaking" AI app holding full read/write access to corporate Slack. One more factor adds to the load. The maximum validity of publicly trusted SSL/TLS certificates is being cut sharply: from 398 days to 200 days for certificates issued from March 2026, then 100 days from March 2027 and 47 days from March 2029. Manually managing certificates and credentials for thousands of service accounts and bots on that cadence is, to put it mildly, not an enviable job.
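To make the certificate side of that concrete, here is an added example (written for this article, not taken from any vendor) that audits a certificate inventory against the CA/Browser Forum SC-081 schedule. It works out which cap applied when each certificate was issued, flags any whose lifetime exceeds that cap (typically an internal CA still issuing year-long certificates), and lists those due for renewal. The inventory and its field names are constructed; only the schedule is real.

```python
from datetime import date

# CA/Browser Forum ballot SC-081: certificates issued on or after each cutoff are
# capped at that many days. Before the first cutoff the cap is 398 days.
LIFETIME_SCHEDULE = [("2026-03-15", 200), ("2027-03-15", 100), ("2029-03-15", 47)]
DEFAULT_MAX_DAYS = 398


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def max_lifetime_days(issued) -> int:
    """Maximum validity period allowed for a certificate issued on `issued` (ISO string or date)."""
    issued = _as_date(issued)
    allowed = DEFAULT_MAX_DAYS
    for cutoff, days in LIFETIME_SCHEDULE:
        if issued >= date.fromisoformat(cutoff):
            allowed = days
    return allowed


def audit_certs(certs, today, renew_lead_days: int = 14):
    """Return (name, issues) for every certificate that breaks the cap applying at its
    issuance date or needs renewal within `renew_lead_days`. Lifetime is approximated
    as whole days between notBefore and notAfter."""
    today = _as_date(today)
    findings = []
    for c in certs:
        not_before, not_after = _as_date(c["not_before"]), _as_date(c["not_after"])
        lifetime = (not_after - not_before).days
        cap = max_lifetime_days(not_before)
        days_left = (not_after - today).days
        issues = []
        if lifetime > cap:
            issues.append(f"lifetime {lifetime}d exceeds {cap}d cap for issuance on {not_before}")
        if days_left < 0:
            issues.append("expired")
        elif days_left <= renew_lead_days:
            issues.append(f"renew within {days_left}d")
        if issues:
            findings.append((c["name"], issues))
    return findings


# Constructed inventory (not real hosts); field names are an assumption.
INVENTORY = [
    {"name": "api.example.com", "not_before": "2026-04-01", "not_after": "2026-09-30"},
    {"name": "legacy-bot.example.com", "not_before": "2026-03-20", "not_after": "2027-03-10"},
    {"name": "slack-webhook.example.com", "not_before": "2026-01-10", "not_after": "2026-06-10"},
]

if __name__ == "__main__":
    for name, issues in audit_certs(INVENTORY, today="2026-06-01"):
        print(name, issues)
```

Run on 1 June 2026, the 182-day `api.example.com` certificate passes, the 355-day bot certificate is flagged against the 200-day cap, and the webhook certificate is due for renewal in nine days. At 47 days the renewal window in this check would be hit roughly every month for every host, which is the practical argument for automating issuance (ACME or an internal equivalent) rather than tracking it by hand.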
The response
We have already explained the primary reason for identity vendors moving into SaaS security. The vendors are moving into SSPM to gain “in-app” visibility by monitoring what a user actually does after they log in to ensure it matches their identity risk profile.
Regarding "AI everywhere" and the IAM-SSPM split, identity vendors already offer SaaS-aware Identity Threat Detection and Response (ITDR). ITDR provides the in-app visibility needed to monitor user behavior against an established risk profile. By treating identity as the core control plane, vendors can enforce least privilege across both humans and the AI integrations they spawn, which mitigates the confused deputy problem and enables real-time remediation. For example, if an SSPM check identifies a misconfigured folder in Salesforce, the identity tool can immediately revoke the user's session or force re-authentication. This matters all the more as newer laws such as the EU AI Act require record-keeping and human oversight, including the ability to stop the system, for AI systems classified as high-risk.
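The least-privilege point made here, and the inherited-permission problem described under the third reason above, come down to one rule: an agent's effective permissions are the intersection of what the launching user holds and what the agent declared it needs, every decision is logged, and a kill switch must deny everything from the next call onward. The following is an added example written for this article, not vendor code; the permission strings, the user, the two agents and the "injected task" are all constructed.

```python
# Constructed permission model (assumption: each permission is an "app:resource:verb"
# string and the user's set comes from the identity provider).
USER_PERMISSIONS = {
    "alice": {
        "salesforce:accounts:read", "salesforce:accounts:write", "salesforce:reports:export",
        "slack:channels:read", "slack:messages:write", "slack:files:write",
    },
}

# Declared scope per agent. None models the common default: "inherit whatever the
# launching user can do".
AGENT_SCOPES = {
    "notetaker-inherit": None,
    "notetaker-scoped": {"salesforce:accounts:read", "slack:messages:write"},
}

# A task an agent was tricked into running (e.g. an instruction planted in a document
# it was asked to summarise): export every account, then upload the file to a public channel.
INJECTED_TASK = ["salesforce:reports:export", "slack:files:write"]


def effective_permissions(user, agent):
    """The agent never gets more than the user has, and never more than it declared."""
    user_perms = USER_PERMISSIONS.get(user, set())
    scope = AGENT_SCOPES[agent]
    return set(user_perms) if scope is None else user_perms & scope


def run_task(user, agent, actions, audit_log):
    """Authorise each step, recording every decision so the trail is reviewable.
    Fails closed: the chain stops at the first denied step. Returns the decisions."""
    allowed_set = effective_permissions(user, agent)
    decisions = []
    for action in actions:
        ok = action in allowed_set
        audit_log.append({"user": user, "agent": agent, "action": action, "allowed": ok})
        decisions.append((action, ok))
        if not ok:
            break
    return decisions


def revoke_agent(agent):
    """Kill switch: an empty scope denies everything from the next decision on."""
    AGENT_SCOPES[agent] = set()


if __name__ == "__main__":
    log = []
    print("inherit:", run_task("alice", "notetaker-inherit", INJECTED_TASK, log))
    print("scoped: ", run_task("alice", "notetaker-scoped", INJECTED_TASK, log))
    revoke_agent("notetaker-inherit")
    print("revoked:", run_task("alice", "notetaker-inherit", ["salesforce:accounts:read"], log))
    for entry in log:
        print(entry)
```

With the inheriting agent both steps of the injected task succeed and the export lands in a public channel; with the scoped agent the export is denied at the first step, and the scoped agent can still do its actual job (read accounts, post messages). The audit log is what an oversight requirement like the one in the EU AI Act is asking for: who acted, through which agent, on what, and whether it was allowed.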
Visibility into active sessions also lets organizations identify "zombie" accounts that are no longer used, and then reclaim, downgrade, or reassign the licenses so they are not paying for shelfware. This process is known as license harvesting.
Regarding NHIs, Identity vendors are best positioned to govern these “identities,” by treating a Slack bot or an API key with the same lifecycle and governance rigor as an employee.
The next section looks at which players are entering the space and how they address these issues.
Vendor Landscape
CrowdStrike remains a dominant force here due to its acquisition of Adaptive Shield, which it has rebranded into Falcon Shield. Its primary focus is on merging Endpoint/XDR telemetry with SaaS configurations. This allows the platform to detect when a compromised laptop is being used to alter global settings in a SaaS tenant, like disabling MFA or creating new global admins in Microsoft 365. The core capability here is SaaS Security Posture Management (SSPM), which continuously audits over 10,000 security settings across hundreds of apps to find “drift” from a secure baseline.
QKS Group Principal Analyst Sujit Dubal elaborates, “The identity market is expanding into SaaS security because authentication alone is no longer an effective boundary of trust. Once access is granted, risk shifts to what users, agents, and integrations do inside the application estate. That makes SaaS activity, entitlement governance, and non-human identity control central to the future of identity security. The vendors gaining momentum will be those that treat identity not as a login layer, but as the runtime control plane for SaaS, AI agents, and interconnected enterprise workflows.”
Okta has taken a different route by focusing on the active session rather than just the configuration. Its Okta Identity Security Posture product specializes in Universal Logout, which is a high-speed “kill switch.” If the product detects a session hijacking attempt or an anomalous IP change, it can simultaneously terminate the user’s active tokens across Slack, Salesforce, and Box. This effectively solves the “zombie session” problem, where a user is blocked at the front door but remains logged into their desktop SaaS apps for days.
Microsoft Entra offers App Governance, built on the capabilities of its Cloud Access Security Broker (CASB). The product is designed to hunt for "Shadow AI" and risky OAuth grants. Microsoft's strategy rests on the observation that many SaaS compromises now start with a user inadvertently granting a third-party AI tool full read/write access to their email or files. Entra treats these app-to-app permissions as identities that require the same governance as a human employee.
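The risky-grant hunting described here, and the over-privileged OAuth tokens called out under the fourth reason above, can be approximated with a simple scoring pass over exported consent grants. This is an added example written for this article, not Microsoft's or any other vendor's logic. The scope names are real Microsoft Graph and Slack scopes, but the grant records, their field names, the risk weights and the thresholds are all constructed assumptions that a team would tune to its own tenant.

```python
from datetime import date

# Constructed consent-grant records (not real tenant data). In practice these come from
# the IdP or SaaS admin API as a consent/app-permission export.
GRANTS = [
    {"app": "Meeting Notes AI", "platform": "m365", "publisher_verified": False,
     "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"],
     "granted_by": "alice", "last_used": "2026-05-28"},
    {"app": "Corp Notetaker", "platform": "slack", "publisher_verified": True,
     "scopes": ["channels:history", "channels:read", "chat:write", "files:write"],
     "granted_by": "bob", "last_used": "2025-11-02"},
    {"app": "Calendar Sync", "platform": "m365", "publisher_verified": True,
     "scopes": ["User.Read", "Calendars.Read"],
     "granted_by": "carol", "last_used": "2026-05-30"},
]

# Scopes that let an integration read or move data in bulk, with an assumed risk weight.
# offline_access is low on its own but means a refresh token: access persists after logout.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite": 5, "Mail.Read": 4, "Files.ReadWrite.All": 5, "Files.Read.All": 4,
    "channels:history": 4, "files:write": 3, "offline_access": 1,
}


def score_grant(grant, today, stale_days=90):
    """Return (score, reasons) for one grant: broad scopes, unverified publisher, disuse."""
    today = date.fromisoformat(today)
    score, reasons = 0, []
    for s in grant["scopes"]:
        if s in HIGH_RISK_SCOPES:
            score += HIGH_RISK_SCOPES[s]
            reasons.append(f"scope {s}")
    if not grant["publisher_verified"]:
        score += 3
        reasons.append("unverified publisher")
    if (today - date.fromisoformat(grant["last_used"])).days > stale_days:
        score += 2
        reasons.append(f"unused for >{stale_days}d (zombie grant)")
    return score, reasons


def audit_grants(grants, today, threshold=6):
    """Grants at or above `threshold`, highest risk first: candidates for review or revocation."""
    flagged = []
    for g in grants:
        score, reasons = score_grant(g, today)
        if score >= threshold:
            flagged.append((g["app"], score, reasons))
    return sorted(flagged, key=lambda x: -x[1])


if __name__ == "__main__":
    for app, score, reasons in audit_grants(GRANTS, today="2026-06-01"):
        print(f"{score:>2} {app}: {', '.join(reasons)}")
```

Run on 1 June 2026 the unverified notes app with full mailbox and file access tops the list, the Slack notetaker is flagged both for reading channel history and for not having been used in seven months, and the calendar tool is below the threshold. The stale-grant rule is the NHI lifecycle point in practice: a token nobody has used for months is a credential with no owner, and revoking it costs nothing.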
Saviynt and SailPoint have both expanded from traditional Identity Governance (IGA) into Identity Security Posture Management (ISPM). Saviynt’s Identity Cloud is particularly strong at managing “Complex ERP” security, such as SAP or Oracle, where permissions are deeply nested and often invisible to standard security tools. SailPoint, meanwhile, has doubled down on Non-Human Identity (NHI) management, providing a dedicated dashboard to track the thousands of service accounts and bots that typically exist without oversight in large SaaS environments.
| Vendor | Core Product | Primary SaaS Capability | Key Security Target |
|---|---|---|---|
| CrowdStrike | Falcon Shield | Configuration Hardening | SaaS Misconfigurations & XDR Integration |
| Okta | Identity Security Posture | Universal Logout & Session Kill | Active Session Hijacking & Token Theft |
| Microsoft | Entra App Governance | OAuth & Shadow AI Discovery | Risky Third-Party App Permissions |
| Saviynt | Saviynt Identity Cloud | Deep Entitlement Visibility | Privilege Escalation in Complex ERPs |
| SailPoint | Identity Security Cloud | NHI & Bot Governance | Service Account & Machine Identity Sprawl |
