How to Conquer the Chaos of SaaS Sprawl and Shadow AI (Nasdaq)

In early 2023, generative AI (genAI) disrupted business as usual.

As employees implemented tools like ChatGPT to boost productivity, organizations grappled with unclear security and privacy risks. JPMorgan Chase (JPM) and Verizon (VZ) halted the use of ChatGPT while Amazon (AMZN) warned its employees not to share confidential information with the chatbot. Soon after, Samsung (KRX: 005930) reported some employees had shared meeting notes and confidential source code to ChatGPT. According to Cisco’s (CSCO) 2024 Data Privacy Benchmark study, over 25% of organizations eventually banned genAI altogether over privacy and security concerns.

GenAI certainly introduces some unique risks. However, the unmitigated adoption of new technologies has challenged businesses for years.

Companies walk a fine line. Well-calibrated technologies and applications can generate efficiencies and provide the opportunity to innovate. At the same time, unmanaged Software-as-a-Service (SaaS) and AI application adoption can increase costs and introduce new problems.

As an investor, it’s important to understand how companies can responsibly address this challenge. Here’s what you need to know about SaaS and AI sprawl and how resilient businesses utilize cybersecurity innovations to balance risk and reward.

The Rise of SaaS

Since the first Salesforce (NYSE: CRM) subscription services of the late 1990s to today, SaaS has become the predominant software business model.

SaaS providers manage hardware and software resources while providing cloud-based access to applications for a fee. SaaS subscriptions allow companies to easily onboard new tools in a cost-effective manner and scale services up or down depending on their needs. Employees benefit from the global accessibility of SaaS and can quickly leverage new tools to improve their personal productivity.

Today’s enterprises use hundreds of SaaS applications to facilitate business functions and continue to add more each year. Identity and access management firm Okta (OKTA) reports that large companies (2,000+ employees) used 231 applications on average in 2023- a 10% increase from 2022.

SaaS Sprawl and Shadow IT Meet AI

As companies incorporate a growing number of applications, they struggle to maintain visibility over the tools in their environments and ensure that they are necessary and secure. Whether it’s a manager purchasing a redundant software subscription or an employee using a personal Google Drive folder for work, SaaS sprawl and Shadow IT have become the status quo. SaaS sprawl is defined as the uncontrolled use of SaaS subscriptions and applications in an organization. Shadow IT is a major contributor to SaaS sprawl and specifically refers to the unauthorized use of applications outside of IT and Security approval processes.

SaaS sprawl has accelerated significantly since the COVID-19 pandemic, which spurred rapid digitization in response to increased remote work and consumer demand for digital capabilities. Since late 2022, genAI applications have become a major player in SaaS as companies increasingly adopt AI-based applications to improve business efficiencies and enhance their products and services. As a result, we are now also seeing AI Sprawl and Shadow AI.

Companies Grapple with Rising Costs and Risks

SaaS and AI sprawl introduce financial burdens, inefficiencies, and cybersecurity risks. Companies face added costs when employees and teams deploy redundant or unnecessary applications. The impact can be staggering. Companies with 5,001-10,000 employees spend $41.7M per year on SaaS applications and waste an additional $16.8M while companies with 10,001+ employees spend $264.2M and waste $126.9M.

Teams can also grow more isolated from other departments when using their own set of applications, inhibiting collaboration. In addition, data can become siloed when applications don’t integrate properly, preventing transparency and fully informed business decisions.

Sprawl also brings cybersecurity risks. Each new application introduces a third party (the application provider) with its own unique security gaps and vulnerabilities, creating more opportunities for cyber attackers to infiltrate company environments. Shadow IT and AI amplify the risks of sprawl by preventing companies from properly vetting, securing, or blocking unsafe applications- they can’t secure what they don’t see. Companies may also overlook new threats to AI models like prompt injection and data poisoning.

At the end of the day, sprawl leads to an excessive number of application users and permissions, raising cybersecurity risks. Companies with sprawl are more likely to experience cyber incidents like data breaches which can disrupt operations, reduce revenue, compromise consumer privacy, and increase operational costs.

Leveraging Cybersecurity Innovations to Solve Sprawl

I’ve previously written about how cybersecurity both protects companies and drives digital transformations. The same dynamic applies with SaaS and AI sprawl. Cybersecurity innovations help companies reap the rewards of technology and SaaS investments without undue risk.

For example, SaaS security startup Nudge Security utilizes a patented application discovery capability to help companies find and manage SaaS and GenAI enabled applications at scale. Nudge Security’s platform enables companies to securely on-board and off-board SaaS and AI tools using automated user-friendly “nudges” that connect IT and security teams with employees, facilitating more effective and secure application usage. This ultimately helps companies cut costs, monitor third party software breaches, implement strong governance policies, reduce risks data exposure and privacy violations, and enable regulatory compliance.

Evaluating Company SaaS and GenAI Application Posture as an investor

The software composition and security of a company’s SaaS and GenAI enabled application environment has a direct impact on its risk profile and growth potential. Most cyber breaches occur due to the exploitation of vulnerabilities in the software composition. As such, new solutions have emerged to assess the software bill of materials (SBOM) by performing scans to understand the software composition analysis.  According to ReversingLabs, software supply chain threats rose 1300% from 2021 to 2023.  Gartner estimates that that software supply chain attacks costs will rise from $46 billion in 2023 to $138 billion by 2031 (a 200% increase). There is no longer doubt that software supply chain security risk is real and growing- while traditional application security and third-party risk management practices fall short of spotting these threats and attacks. ReversingLabs offers a complete software supply chain security and malware analysis platform, to prevent these breaches.

At the end of the day, sprawl increases costs and the risk of breaches which can negatively impact the bottom line- and the stock price. Here are a few ways to evaluate a publicly traded company’s SaaS and AI posture:

• Listen to earnings calls for discussions of cybersecurity strategies and capabilities
• Research recent cybersecurity breaches and company responses
• Review cybersecurity or privacy regulatory violations (like GDPR violations)
• Read press releases and articles about company partnerships with cybersecurity or SaaS management providers

In general, look for commitments to strong IT and security governance. Companies with a resilient SaaS and AI security posture are well-positioned to reap the benefits of innovative technologies while lowering costs and managing security risks.

Disclosure: Forgepoint Capital invests in Nudge Security and ReversingLabs.