The transition to cloud-based operations has fundamentally redefined the enterprise attack surface, moving the “perimeter” from the corporate office to the diverse APIs and configurations of global SaaS platforms. As organizations increasingly rely on tools like Salesforce, ServiceNow, and Microsoft 365, the complexity of securing these environments has outpaced traditional manual auditing capabilities. My guest today is a veteran of the cybersecurity industry with over two decades of experience leading product and marketing strategies at giants like Palo Alto Networks and McAfee. Now serving as the CMO of AppOmni, he is at the forefront of a movement to automate SaaS security, providing the continuous visibility and AI-driven insights necessary to protect over 101 million users and billions of monthly data events.
The following discussion explores the evolution of SaaS security, the risks of interconnected third-party applications, the emergence of “Shadow AI,” and the practical steps leaders can take to implement a Zero Trust posture across their entire digital estate.
Many organizations find that manual security audits for platforms like Salesforce or ServiceNow can take months, during which settings often change. How does this lag impact an enterprise’s risk posture, and what specific steps are required to compress these audit timelines to just a few hours?
The lag inherent in manual audits creates a dangerous “security gap” where an organization is essentially flying blind for the majority of the year. When an audit takes several months to complete, the results are often obsolete by the time the report is finalized because SaaS environments are dynamic; application owners frequently update configurations or add new integrations that bypass original security assumptions. I have seen customers in the legal industry struggle with this exact problem, where they were unable to maintain a consistent risk posture because the pace of change simply outstripped their ability to document it. To compress these timelines to just a few hours, organizations must move away from manual checklists and adopt agentless architectures that continuously monitor SaaS APIs and configurations in real time. By leveraging automated platforms that provide immediate visibility and step-by-step remediation actions, security teams can transition from a reactive “snapshot” mentality to a proactive model that “burns down” critical issues within a single day.
Modern SaaS ecosystems rely heavily on interconnected third-party apps and OAuth tokens, which are frequently exploited in sophisticated supply chain attacks. What are the primary indicators of a rogue SaaS-to-SaaS connection, and how should security teams govern non-human identities without disrupting business productivity?
Rogue SaaS-to-SaaS connections often hide in plain sight, masquerading as helpful productivity integrations while silently granting excessive permissions to sensitive data. Primary indicators of risk include “hidden” OAuth tokens that have not been reviewed, connections that grant broad “read/write” access to PII without a clear business case, and anomalous behavior from non-human identities, such as a third-party app accessing records at an unusual volume or frequency. To govern these without stalling the business, security teams need to map out the entire ecosystem of third- and fourth-party apps to identify exactly who—or what—has access to the environment. We advocate for an “Identity Fabric” approach that manages both human and non-human identities through a lens of least-privilege, ensuring that every automated connection is continuously governed and analyzed for threats like those seen in recent campaigns by actors like UNC6395. This allows the business to remain agile while ensuring that the automated “mesh” of the SaaS estate does not become a backdoor for supply chain exploitation.
As organizations integrate autonomous AI agents into their core business applications, new vulnerabilities such as prompt-injection and data loss violations emerge. How do you effectively distinguish between sanctioned and “Shadow AI” tools, and what protocols are necessary to enforce least-privilege access for these agents?
Distinguishing between sanctioned and “Shadow AI” requires deep discovery capabilities that can uncover both known AI extensions and unknown, unauthorized agents that employees might be using to process corporate data. We see “Shadow AI” as a subset of the broader “Shadow SaaS” problem, where visibility is the first line of defense; you cannot secure what you cannot see. To protect business-critical platforms like ServiceNow, we have developed specific protocols like AgentGuard, which acts as a real-time security layer to prevent prompt-injection attacks and block data loss violations by monitoring how AI agents interact with data. Enforcing least-privilege for these agents involves treating them as high-risk identities that require specific configuration checks and quarantined interaction zones if they exhibit malicious behavior. It is critical to enforce Zero Trust principles from day one, ensuring that an AI agent only has the minimum data access required to perform its specific task, thereby limiting the blast radius of a potential compromise.
Traditional “castle and moat” security models often fail to provide visibility at the application layer in a remote-work environment. How does Zero Trust Posture Management bridge the gap left by network-centric solutions, and what metrics should leaders track to validate the effectiveness of their identity fabric?
Network-centric solutions like Secure Service Edge (SSE) are effective at securing the “pipe,” but they are often blind to what happens once a user is actually inside a SaaS application, which is why the “castle and moat” model is obsolete in a remote-first world. Zero Trust Posture Management (ZTPM) bridges this gap by focusing on the application layer, providing granular visibility into user behaviors, configuration settings, and data exposure levels from a single pane of glass. To validate the effectiveness of their identity fabric, leaders should track metrics such as the number of over-privileged accounts, the frequency of anomalous login or data access events, and the time-to-remediation for identified misconfigurations. By combining ZTPM with existing SSE suites, organizations can ensure that Zero Trust principles are applied not just to how a user gets onto the network, but to every action they take within a platform like Microsoft 365 or Workday.
Analyzing billions of monthly cyber events requires a standardized approach to audit logging across diverse platforms. Can you explain the practical application of a maturity matrix for event logging and how normalizing these logs helps security teams reduce the time spent on manual data engineering?
The SaaS Event Maturity Matrix (EMM) is a framework we developed to help cybersecurity teams assess and catalog the logging capabilities of different SaaS platforms, which can vary wildly in terms of detail and format. Without a standardized approach, security teams are forced to waste thousands of hours on manual data engineering just to make sense of logs from Salesforce versus those from Google Workspace. By normalizing these logs into a consistent format, we enable these events to be seamlessly integrated into SIEM and SOAR systems, allowing for automated threat detection at scale. Our platform currently analyzes 60 billion cyber events each month, and this volume would be impossible to manage without the intelligence provided by normalized data, which highlights anomalies and suspicious behaviors without requiring a human to manually parse every line of code. This maturity model essentially provides a roadmap for organizations to move from basic log collection to sophisticated, AI-driven threat investigation.
SaaS security is often a fragmented responsibility shared between application owners and security departments. What specific strategies foster better cross-functional collaboration, and how can businesses move away from treating SaaS security as an afterthought during digital transformation?
Fostering collaboration starts with acknowledging the shared responsibility model and moving away from the idea that security is just the “IT department’s problem.” A successful strategy involves providing application owners with intuitive, easy-to-use reporting and policy management tools that don’t require them to be security experts to keep their platforms safe. We recommend using a reference policy library and customized risk levels that align with frameworks like SOC2 or NIST CSF, which creates a common language between the business-focused app owners and the risk-focused security teams. To stop treating SaaS security as an afterthought, it must be integrated into the digital transformation roadmap from the beginning, rather than being “bolted on” after a breach occurs. This cultural shift requires education and the implementation of automated platforms that provide the visibility and control essential to mitigate risks efficiently across hundreds of different SaaS applications.
What is your forecast for SaaS and AI security?
My forecast is that the distinction between SaaS and AI security will eventually disappear, as these two technologies are essentially two sides of the same coin. We are moving toward a future where “agentic AI” architectures will be the primary way users interact with SaaS data, which means that securing the identity and the “intent” of the AI agent will become the most critical frontier in cybersecurity. I expect to see a 43% or higher growth in the adoption of specialized SaaS security solutions as traditional network tools continue to fail against sophisticated, application-layer attacks. Organizations that do not adopt AI-driven automation to monitor their massive event streams—often exceeding billions of events monthly—will find it impossible to keep pace with the speed of modern threats. Ultimately, a secure, SaaS-first digital future is within reach, but only if businesses make deep, centralized posture management a cornerstone of their operational strategy.
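Two of the answers above describe concrete defensive mechanics: the indicators of a rogue SaaS-to-SaaS connection (unreviewed OAuth tokens, broad read/write scopes without a business case, non-human identities pulling records at unusual volume) and the value of normalizing audit logs from different platforms into one schema before detection runs over them. The script below is an added example, not code from the interview, from AppOmni, or from any of the platforms named; it shows both ideas on constructed data. The two raw event shapes, the field names, the `@connected-app` naming convention, the scope names and the `PII_OBJECTS` set are all assumptions made up for the example and do not correspond to any vendor's real log format or OAuth scope vocabulary.

```python
"""Normalize SaaS audit events from two platform-specific shapes into one
schema, then run two defender checks over the result: an OAuth grant review
(unreviewed tokens, broad scopes without justification) and a per-identity
volume anomaly check for non-human identities.

All event shapes, field names and scope names are CONSTRUCTED for this
example; they are not real Salesforce or Google Workspace formats.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed raw events. "Platform A" logs a flat record per API call and
# marks connected-app users with an assumed "@connected-app" suffix.
PLATFORM_A_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "user": "reporting-bot@connected-app", "evt": "Query", "obj": "Contact", "rows": 200},
    {"ts": "2024-05-01T11:00:00Z", "user": "reporting-bot@connected-app", "evt": "Query", "obj": "Contact", "rows": 180},
    {"ts": "2024-05-01T12:00:00Z", "user": "reporting-bot@connected-app", "evt": "Query", "obj": "Contact", "rows": 9000},
    {"ts": "2024-05-01T12:05:00Z", "user": "alice@example.com", "evt": "Login", "obj": None, "rows": 0},
]
# "Platform B" nests the actor and uses different key names for the same facts.
PLATFORM_B_EVENTS = [
    {"time": "2024-05-01T10:30:00Z", "actor": {"email": "calendar-sync", "type": "app"}, "name": "read", "target": "Calendar", "count": 50},
    {"time": "2024-05-01T11:30:00Z", "actor": {"email": "bob@example.com", "type": "user"}, "name": "download", "target": "Drive", "count": 3},
]

# Constructed OAuth grant inventory, the kind of data an app-to-app review starts from.
OAUTH_GRANTS = [
    {"app": "reporting-bot", "scopes": ["api", "full"], "reviewed": False, "justification": ""},
    {"app": "calendar-sync", "scopes": ["calendar.readonly"], "reviewed": True, "justification": "HR scheduling"},
    {"app": "legacy-exporter", "scopes": ["refresh_token", "full"], "reviewed": True, "justification": ""},
]
BROAD_SCOPES = {"full", "api", "refresh_token"}  # assumed: scopes that amount to read/write-everything
PII_OBJECTS = {"Contact", "Lead", "Employee"}    # assumed: objects holding personal data
CONNECTED_APP_SUFFIX = "@connected-app"          # assumed platform-A naming convention


@dataclass(frozen=True)
class Event:
    """Common schema every platform is mapped onto before detection runs."""
    ts: str
    platform: str
    actor: str
    non_human: bool
    action: str
    obj: str
    records: int


def normalize_a(raw):
    user = raw["user"]
    non_human = user.endswith(CONNECTED_APP_SUFFIX)
    actor = user[: -len(CONNECTED_APP_SUFFIX)] if non_human else user
    return Event(raw["ts"], "platform-a", actor, non_human, raw["evt"].lower(), raw["obj"] or "", raw["rows"])


def normalize_b(raw):
    actor = raw["actor"]
    return Event(raw["time"], "platform-b", actor["email"], actor["type"] == "app",
                 raw["name"].lower(), raw["target"], raw["count"])


def normalize_all():
    """One sorted stream in the common schema; ISO-8601 UTC strings sort lexically."""
    events = [normalize_a(e) for e in PLATFORM_A_EVENTS] + [normalize_b(e) for e in PLATFORM_B_EVENTS]
    return sorted(events, key=lambda e: e.ts)


def review_grants(grants):
    """Flag the two static indicators from the interview: unreviewed tokens and
    broad read/write scopes with no recorded business justification."""
    findings = []
    for g in grants:
        if not g["reviewed"]:
            findings.append((g["app"], "unreviewed token"))
        if BROAD_SCOPES & set(g["scopes"]) and not g["justification"]:
            findings.append((g["app"], "broad read/write scope without business justification"))
    return findings


def volume_anomalies(events, factor=5.0, min_history=2):
    """Flag a non-human identity whose record count jumps to more than `factor`
    times the median of its own earlier events (after `min_history` of them).
    Returns (actor, ts, object, records) tuples; PII objects are in `obj` so a
    caller can raise severity when obj is in PII_OBJECTS."""
    history = defaultdict(list)
    flagged = []
    for e in events:  # caller passes events sorted by ts
        if not e.non_human or e.records == 0:
            continue
        prior = history[e.actor]
        if len(prior) >= min_history and e.records > factor * median(prior):
            flagged.append((e.actor, e.ts, e.obj, e.records))
        prior.append(e.records)
    return flagged


if __name__ == "__main__":
    for app, reason in review_grants(OAUTH_GRANTS):
        print(f"GRANT  {app}: {reason}")
    for actor, ts, obj, n in volume_anomalies(normalize_all()):
        tag = " [PII]" if obj in PII_OBJECTS else ""
        print(f"VOLUME {actor} at {ts}: {n} records from {obj}{tag}")
```

The baseline here is deliberately per-identity rather than global: a sync app that legitimately reads thousands of rows an hour should not trip on its own normal, while a reporting bot that usually touches two hundred Contact records and suddenly pulls nine thousand should. The point of the normalization step is that `review_grants` and `volume_anomalies` never see a platform-specific key name, so adding a third platform means writing one more `normalize_*` function, not a third copy of the detection logic.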
