- Half of employees hold excessive rights across AI and SaaS estates, CloudEagle report finds
- Invisible IT hides 60% of apps undermining traditional identity controls
- Study recommends AI governance plus just in time access and reviews
Half of enterprise staff now hold excessive privileges to critical applications, new research has claimed.
CloudEagle.ai’s latest identity governance report surveyed 1,000 CIOs and CISOs and found 60% of SaaS and AI tools sit outside IT’s oversight.
Invisible IT is expanding insider risk, driving breaches, audit failures, and compliance headaches, the report says.
Privilege creep
It found 70% of leaders listed unsanctioned AI tools as a leading data worry, while 48% admitted former staff still hold access, even months after leaving.
Privilege creep is common, yet only five percent of organizations actively enforce least privilege settings, and just fifteen percent use just in time access company wide, despite mounting proof that temporary credentials cut risk and audit scope.
“Traditional IAM [Identity and Access Management] tools can’t keep up with today’s SaaS and AI-driven environments because not all apps are managed by IT, and not everything sits behind a centralized IAM system. IGA [Identity Governance and Administration] is at a tipping point, and enterprises must shift to AI-driven access management to stay secure and compliant,” says Nidhi Jain, CEO and Founder, CloudEagle.ai.
CloudEagle.ai’s platform positions itself as an AI-centric answer, yet the report stresses that technology alone is not enough.
It recommends appointing a Chief Identity Officer to coordinate policies across business units and automate provisioning, reviews, and removals. Zero trust, context-aware controls should replace broad standing access, while behavioral analytics help flag anomalies before they become incidents.
The study also suggests continuous access reviews powered by machine learning can shrink privilege windows without slowing work.
With shadow SaaS use rising and insider-led events now dominating breach reports, the era of annual checklists appears to be over.
Analysts say boards pay closer attention as regulators fine organizations for permission sprawl that exposes customer records and intellectual property. Without time view of every identity, leaders concede they cannot meet zero trust goals or prove compliance under cyber insurance questionnaires.
