Author: Nikhil

The introduction of AI means that SaaS renewals are no longer just about pricing and license counts. As platforms like Microsoft, Salesforce, ServiceNow, Slack, and Zoom embed AI more deeply into core workflows, enterprises need to assess not just product value, but how renewal terms may expand data processing scope and operational risk. This blog examines why SaaS renewals are becoming a critical checkpoint for AI governance. Despite the AI shakeup, SaaS continues to be a mainstay of organizations of all sizes. While AI remains a source of unease, SaaS providers are building it into their products and services. The most recent…

Read More

This post explores why top identity vendors like Okta, CrowdStrike, and Microsoft are expanding into the SaaS stack to solve the “blind spots” created by autonomous AI agents, over-privileged non-human identities, and the 2026 certificate crunch. Knock knock, who is there? User. User who? Malicious User! No, it is not an AI-written joke. Rather, it points to a key anomaly in identity security that has become a main reason for identity security vendors to expand into SaaS security: once you have logged in, unless a risk system is watching, what you do inside the application is no one’s concern until it is way too…

Read More

The word “SaaSpocalypse” has been mainstreamed following the introduction of Anthropic’s Claude Cowork AI tool and the subsequent bloodbath in share markets. The reason is pretty obvious. You do not need to log into anything. Simply put, you get a conversational interface rather than the application. You do not need to log into a CRM, marketing platform, or support tool and perform tasks inside it. You can simply “talk” to the tool to get the job done. What this does is turn the SaaS product into a background data source. This shift reduces the vendor’s control over the user experience and…

Read More

SaaS procurement looks easier than traditional software purchasing. There is no capex approval for infrastructure, no data center planning, and a subscription model that appears budget-friendly. For small teams or departmental purchases, this can indeed move quickly. For the bigger entities, as they say, the devil is in the details. While there are other challenges, such as vendor risk, integrations, and stakeholder and contract management, we will focus strictly on the security aspect, or rather, the blind spots that can trip up client companies. Certification is not enough. Two certifications are essential for every SaaS procurement: ISO 27001…

Read More

In a way, auditing shares similarities with a full-body checkup. While the process is rarely enjoyable, it remains the bedrock of smooth operations and proactive risk management. Central to this effort is security compliance, which requires building up identity evidence capable of withstanding rigorous examination. To achieve this level of defensibility, an organization must enforce verification methods and record-keeping practices robust enough that a regulator can establish who did what, and when, from the records alone. This state of “audit-readiness” is best realized by aligning internal protocols with regulatory standards, implementing high-assurance identification technologies, and maintaining immutable, tamper-evident records. The four Ws of audit. The…

Read More

How high-stress crises turn temporary backdoors into permanent security vulnerabilities (and how to prevent such a situation). Plan B is an essential step for every strategy. It is particularly essential for organizational security, as in any war, another strategy is needed if Plan A doesn’t work. In fact, a break-glass account may not fit the description of a Plan B. Calling it Plan Z would be more accurate. And since it is the last resort, what is essentially a backdoor is in fact a necessary strategy. After all, what course of action is left when normal authentication fails, such as during outages, lockouts, or breaches? Curiously, however, while these accounts are justifiably seen as a double-edged sword, they…
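The failure mode the post describes, a break-glass credential that is used in a crisis and then never rotated, is easy to catch if someone actually reviews the sign-in records. The script below is an added example, not code from the original post: it checks constructed sign-in records for the three things a practitioner should be alerted on, a failed attempt against an emergency account, successful use outside a declared incident window, and successful use that was not followed by a credential rotation. The account names, incident windows, timestamps and record fields are all hypothetical; a real review would read an IdP sign-in export and the incident tracker.

```python
"""Review of break-glass account usage over constructed sign-in records.

Added example, not code from the original post. Account names, incident
windows, sign-in records and rotation dates are all constructed.
"""
from datetime import datetime, timezone

# Names of the emergency-access accounts (hypothetical).
BREAK_GLASS_ACCOUNTS = {"bg-admin-01", "bg-admin-02"}

# Declared incident windows (start, end) in UTC, as the IR team would record them (constructed).
INCIDENT_WINDOWS = [
    (datetime(2026, 1, 10, 2, 0, tzinfo=timezone.utc),
     datetime(2026, 1, 10, 6, 0, tzinfo=timezone.utc)),
]

# Constructed sign-in records shaped like a simplified IdP export (not real logs).
SIGN_INS = [
    {"account": "bg-admin-01", "time": "2026-01-10T03:15:00Z", "result": "success"},
    {"account": "bg-admin-01", "time": "2026-01-12T09:40:00Z", "result": "success"},
    {"account": "alice",       "time": "2026-01-12T09:41:00Z", "result": "success"},
    {"account": "bg-admin-02", "time": "2026-01-14T22:05:00Z", "result": "failure"},
]

# Last credential rotation per break-glass account (constructed).
LAST_ROTATION = {
    "bg-admin-01": datetime(2025, 12, 1, tzinfo=timezone.utc),
    "bg-admin-02": datetime(2025, 12, 1, tzinfo=timezone.utc),
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_incident_window(when, windows):
    """True if the timestamp falls inside any declared incident window."""
    return any(start <= when <= end for start, end in windows)


def review_break_glass(sign_ins, windows, last_rotation, accounts=BREAK_GLASS_ACCOUNTS):
    """Return (account, finding, timestamp) tuples for every break-glass event
    that needs follow-up: failed attempts, use outside a declared incident,
    and successful use that was not followed by a credential rotation."""
    findings = []
    for rec in sign_ins:
        if rec["account"] not in accounts:
            continue  # ordinary users are out of scope for this check
        when = parse_ts(rec["time"])
        if rec["result"] != "success":
            # Nobody should be guessing these credentials: every failed
            # attempt against an emergency account is worth an alert.
            findings.append((rec["account"], "failed sign-in attempt", rec["time"]))
            continue
        if not in_incident_window(when, windows):
            findings.append((rec["account"], "successful use outside declared incident window", rec["time"]))
        rotated = last_rotation.get(rec["account"])
        if rotated is None or rotated < when:
            # Used, but never rotated afterwards: the "temporary" backdoor
            # has quietly become a permanent one.
            findings.append((rec["account"], "credential not rotated after use", rec["time"]))
    return findings


if __name__ == "__main__":
    for account, finding, ts in review_break_glass(SIGN_INS, INCIDENT_WINDOWS, LAST_ROTATION):
        print(f"{ts} {account}: {finding}")
```

With the constructed data the first use of bg-admin-01 is legitimate (inside the declared window) but still produces a finding, because the credential was never rotated afterwards; the second use is flagged on both counts; the failed attempt against bg-admin-02 is flagged regardless of timing. That is the point of the review: a break-glass account that works is only acceptable if every use is accounted for and closed out.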

Read More

Microsoft defines a service account as follows: “A service account is a user account that’s created explicitly to provide a security context for services that are running on Windows Server operating systems. The security context determines the service’s ability to access local and network resources.” Yet they can be compared to the (false) stereotype of the “quiet kid in the school.” They are rarely discussed in boardrooms, seldom included in transformation roadmaps, and almost never part of employee lifecycle conversations. Yet when breaches are investigated, these accounts often emerge as attack vectors. Why do service accounts sprawl (and become un-disableable)? Service accounts are essential for automation. Modern tech environments depend on background processes such as application-to-application communication, API integrations, batch processing, monitoring tools, and patch management. These processes need…

Read More

2026 is finally here. The rules implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) are expected to be finalized in May this year. In John Cena’s words, “the time is now.” Provided there is no extension, enforcement expectations will ensure that the gap between “we usually handle incidents this way” and “this is how reporting is supposed to work” will no longer be theoretical. First off, covered critical infrastructure entities must report to CISA within 72 hours of reasonably believing that a covered cyber incident has occurred. The window shrinks to 24 hours for a ransomware payment, counted from the time the payment is made. This tight deadline ensures…

Read More

We have already talked about machine IDs. In this blog, we zoom out and focus on Non-Human Identities (NHIs). Both types of IDs share another similarity: there are just way too many of them. NHI secrets, including API keys, service accounts, and Kubernetes workers, now outnumber human identities by at least 45-to-1 in DevOps environments. And how much is too much, considering that APIs, containers, service accounts, bots, IoT devices, AI agents, and automated pipelines all rely on digital identities to function? This is a nightmare situation, as governance practices have not evolved at the same pace, and managing them can be a problem. This widening gap between identity growth and identity…

Read More

Apart from AI, what is another new thing you can almost certainly find in modern network environments? It is machine IDs. Both share another similarity: careless use and misuse of either can result in absolute disasters. Why? Because, unlike human accounts, machine identities do not benefit from natural security checkpoints. Unlike people, machines cannot leave organizations, change roles, or trigger access reviews. A service account created years ago may still have full access rights, even if the service it supported has been partially redesigned or replaced. From a defense standpoint, this means that access is rarely reduced. Over time, machine identities accumulate privileges that far exceed their original purpose, creating a large and silent attack surface. …
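Because machine identities never resign, change roles, or trigger the access reviews that human accounts get, the review has to be scheduled and scripted. The block below is an added example, not code from either of the two posts above (the NHI post and this machine-ID post), and it serves both: it takes a constructed identity inventory, computes the non-human-to-human ratio the NHI post talks about, and flags the three conditions this post warns about, identities not used in 90 days, identities whose owner has left or was never recorded, and stale identities that still hold a privileged role. The inventory, the field names, the role names and the 90-day threshold are all hypothetical; a real run would merge exports from the IdP, cloud IAM and the cluster.

```python
"""Non-human identity (NHI) hygiene review over a constructed inventory.

Added example, not code from the original posts. The inventory, field names,
role names and thresholds are all constructed/hypothetical.
"""
from datetime import datetime, timedelta, timezone

# Reference time for the review and the staleness threshold (constructed).
NOW = datetime(2026, 2, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)
PRIVILEGED_ROLES = {"admin"}  # hypothetical role name

# Constructed inventory shaped like a merged export from an IdP, cloud IAM
# and a Kubernetes cluster. "owner" is the human accountable for the identity.
INVENTORY = [
    {"name": "alice", "kind": "human", "active": True, "roles": ["developer"], "last_used": "2026-01-30", "owner": None},
    {"name": "bob", "kind": "human", "active": False, "roles": ["admin"], "last_used": "2025-06-01", "owner": None},
    {"name": "svc-billing-batch", "kind": "service_account", "active": True, "roles": ["admin"], "last_used": "2025-03-12", "owner": "bob"},
    {"name": "ci-deploy-key", "kind": "api_key", "active": True, "roles": ["deploy"], "last_used": "2026-01-31", "owner": "alice"},
    {"name": "k8s-monitor", "kind": "workload", "active": True, "roles": ["read"], "last_used": "2026-01-29", "owner": None},
    {"name": "legacy-report-bot", "kind": "bot", "active": True, "roles": ["admin", "read"], "last_used": "2024-11-01", "owner": "carol"},
]


def parse_day(value):
    """Parse a YYYY-MM-DD date as midnight UTC."""
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def review_identities(inventory, now=NOW, stale_after=STALE_AFTER, privileged=PRIVILEGED_ROLES):
    """Return the non-human/human ratio plus the non-human identities that are
    stale, orphaned (no active human owner), or both stale and privileged."""
    humans = [i for i in inventory if i["kind"] == "human"]
    nonhuman = [i for i in inventory if i["kind"] != "human"]
    active_humans = {i["name"] for i in humans if i["active"]}

    stale, orphaned, privileged_stale = [], [], []
    for ident in nonhuman:
        is_stale = now - parse_day(ident["last_used"]) > stale_after
        # An owner of None, a departed (inactive) owner, or an owner not in the
        # directory at all means nobody will ever answer for this identity.
        is_orphaned = ident["owner"] not in active_humans
        if is_stale:
            stale.append(ident["name"])
        if is_orphaned:
            orphaned.append(ident["name"])
        if is_stale and privileged & set(ident["roles"]):
            # Unused and still privileged: the silent attack surface the post describes.
            privileged_stale.append(ident["name"])

    return {
        "ratio": len(nonhuman) / len(humans) if humans else float("inf"),
        "stale": sorted(stale),
        "orphaned": sorted(orphaned),
        "privileged_stale": sorted(privileged_stale),
    }


if __name__ == "__main__":
    result = review_identities(INVENTORY)
    print(f"non-human to human ratio: {result['ratio']:.1f}")
    for key in ("stale", "orphaned", "privileged_stale"):
        print(f"{key}: {', '.join(result[key]) or '(none)'}")
```

The "privileged_stale" list is the one to act on first: svc-billing-batch still carries an admin role, has not been used in almost a year, and its only owner is a deactivated human, which is exactly the account that would never be disabled on its own. The ratio in this toy inventory is 2 to 1; the 45-to-1 figure quoted above is what makes scripting this, rather than reviewing it by hand, the only realistic option.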

Read More