The third annual State of SaaS Security Report also finds the majority of organizations demand better oversight of AI-enabled applications
AppOmni, the leader in SaaS & AI security, released its third annual The State of SaaS Security 2025 Report, revealing troubling trends: A sharp increase in SaaS security incidents, a rising complexity in application ecosystems, and that new risks from AI-enabled apps exacerbate the disconnect between widespread confidence in current security measures versus actual risks. Data is based on a survey of over 800 global security leaders from the U.S., U.K., Germany, Australia, and Japan hailing from finance, healthcare, manufacturing, and software industries – three-quarters of which work for large organizations with more than 2,000 employees.
Also Read: CIO Influence Interview with Dipto Chakravarty, Chief Product and Technology Officer at Black Duck
New @AppOmniSecurity study finds 91% of organizations are confident in their #SaaS #security posture, even as 75% experienced a #databreach or security incident in the last year
Findings reveal that even as SaaS becomes one of the most actively targeted layers of the enterprise attack surface, it remains one of the least proactively defended. It underscores the urgent need for enterprises to move beyond the illusion of control and adopt resilient SaaS security strategies to meet quickly evolving threats. This year’s report also investigates the widening gap between confidence and real-world resilience, how organizations are failing to operationalize SaaS security, and whether security mindsets are evolving fast enough to address emerging challenges such as AI governance and tightening regulations.
“This report marks a critical inflection point for the industry: The data shows a concerning ‘illusion of control,’ where the vast majority of security leaders feel confident in their SaaS security posture, even as a huge number of them are dealing with SaaS-related incidents,” said Brendan O’Connor, CEO of AppOmni. “SaaS risks are not theoretical—they’re real, and they’re impacting businesses now. The key lesson for enterprises is that visibility alone is not security, and trust in SaaS vendors is not a strategy. We need a fundamental shift from ad hoc, reactive processes to a mature, disciplined approach built on continuous monitoring and clear ownership. Our report helps organizations with a path forward, so they can move from SaaS complexity to clarity and build true resilience.”
While 96% of respondents agree that SaaS security is becoming more important, legacy habits and a lack of awareness are holding them back. Root causes of this security gap range from scattered, default ownership models, to a critical misunderstanding of the shared responsibility model.
Specifically, the research finds:
- AI is creating new governance challenges: 61% of respondents expect artificial intelligence to dominate SaaS security discussions in the coming year, demanding better oversight of non-human identities (NHI) and generative AI tool access within SaaS apps.
- SaaS security incidents are surging: 75% of organizations experienced a SaaS-related security incident in the past year, a 33% increase over 2024.
- Secure in theory. Breached in practice: 91% of organizations express confidence in their SaaS security posture, even as three-quarters experienced a SaaS incident, revealing a serious disconnect.
- Visibility ≠ security: 89% of compromised organizations believed they had “appropriate visibility” into their SaaS environment, demonstrating the dangerous false sense of security created by visibility without enforcement or continuous validation.
- Tooling gaps remain wide: Just 13% of respondents currently use a dedicated SaaS Security Posture Management (SSPM) solution, even though nearly one-third say they need one.
- Lack of basic security hygiene is still behind most issues: 41% of incidents stemmed from permission issues, while 29% resulted from misconfigurations.
These point to a simple, yet important truth: SaaS security doesn’t have to be complex, but strategies must adapt to meet the increased threats. With the right tools and clear ownership, organizations can transform reactive processes into scalable, repeatable programs.
Serving as both a benchmark of the industry’s current posture and a directive for future readiness, this report urges a move from reactive fixes to simple yet proactive programs. Download The State of SaaS Security 2025 Report, including a framework to simplify and operationalize your SaaS security program. And join the webinar on August 20th for report highlights, field learnings from customers, and to learn how you can improve your SaaS security posture.
Also Read: The CIO’s New Mandate: Weaving the Unified Data Fabric for AI-Powered Enterprise Decisions
[To share your insights with us as part of editorial or sponsored content, please write to psen@itechseries.com]
