75% of companies hit by SaaS security incidents, AppOmni report finds

CALIFORNIA, UNITED STATES — A staggering 75% of organizations faced Software-as-a-Service (SaaS)-related security incidents in the past year, yet 91% remain confident in their defenses, reveals AppOmni’s 2025 State of SaaS Security Report.
The divide illustrates a devastating erosion of trust in vendors and legacy routines, coupled with a lack of AI governance and widespread misconfigurations.
Illusion of control in SaaS security
The report attributes this gap to misplaced trust in SaaS vendors: 53% of breached firms believed they had appropriate visibility, yet 41% of incidents stemmed from permission mismanagement.
Legacy audit practices worsen the problem. Fifty-two percent rely on periodic reviews, leaving dynamic SaaS environments vulnerable to configuration drift. Only 43% use continuous monitoring, despite SaaS apps updating daily.
“What we need now is clarity. SaaS security must evolve from an ad hoc, reactive process to a mature, repeatable discipline,” notes Brendan O’Connor, AppOmni Chief Executive Officer (CEO), urging a shift from reactive checks to real-time enforcement.
AI governance emerges as a top threat
AI tools are now a critical risk vector, with 61% of respondents prioritizing AI oversight in 2025. Non-human identities often lack governance, mirroring the risks associated with shadow IT.
“AI agents now need their own non-human identities. They need to be thought of as users, where the information that they have access to is tightly controlled, just like John Doe, Sally Smith, etc.,” emphasizes Brian Wasko, Principal at Microsoft Security, as unchecked integrations expose sensitive data.
Generative AI platforms further complicate compliance. The Verizon 2025 Data Breach Investigations Report notes a rise in data leaks via AI integrations. Yet, only 13% of firms deploy dedicated SaaS Security Posture Management (SSPM) tools to monitor such threats.
As AI adoption accelerates, the report recommends implementing strict identity governance and least-privileged access to mitigate breaches.
Ownership gaps and tooling shortfalls undermine defenses
SaaS security suffers from fragmented accountability. While 65% of firms have cloud security teams, 43% delegate ownership to business units, creating inconsistent enforcement. The report cites problems stemming from unclear roles, pointing to the 41% of incidents that were permission-related.
Only 13% utilize SaaS Security Posture Management (SSPM) solutions, while 38% opt for combined platforms like Security Service Edge (SSE) or Cloud Access Security Broker (CASB), which do not provide comprehensive protection at the SaaS level.
AppOmni recommends prioritizing mission-critical apps, 20% of which hold 80% of sensitive data, and adopting continuous monitoring to replace “good enough” approaches.