Blog
Resources
Blog
Breaches
eBooks, reports, & more
Events
News
Human Cyber Risk
Categories
Attack Surface Management
Company News
Compliance and Regulations
Cybersecurity
Data Breaches
DevOps
Human Cyber Risk
Risks and Vulnerabilities
Third-Party Risk Management
Vendor Risk Management
The Shadow Supply Chain: The SSO & AI Visibility Gap
Publish date
April 22, 2026
{x} minute read

The Shadow Supply Chain: The SSO & AI Visibility Gap

Get a demo
Free trial
Download the PDF guide
Free trial
Written by
Shane Moosa
Content Writer
Shane is a cyber writer with a software development background.
Reviewed by
Kaushik Sen
Chief Marketing Officer
Kaushik has a background in software engineering, enterprise solution architecture, and data analytics. He brings a unique, data-driven perspective to cybersecurity education.
Table of contents

In the previous blog post in this series, we uncovered a massive 72.9% inventory gap between what organizations track on their official vendor procurement list and what users are actually using in their day-to-day.

This sprawl of hidden tools (what we call a shadow supply chain) is becoming increasingly larger over time. The unfortunate reality uncovered in our latest research report, The Shadow Supply Chain, is that traditional visibility tools are no longer sufficient on their own, leaving leaders blind to what is really happening in the shadows.

Many teams assume that as long as they have a robust Identity Provider (IdP) like Okta or Azure AD and use Single Sign-On (SSO), they are protected, but this creates a dangerous Illusion of Control. Below, we examine the "direct login" epidemic and the explosive rise of Shadow AI—the two biggest drivers of architectural blindness.

Why SSO can no longer see your true supply chain

The move from "intent" to "behavior" is driven by a simple reality: traditional Single Sign-On (SSO) was designed to secure the front door, but today’s employees are increasingly entering through the windows, back doors, and the ceiling. This bypass isn't usually an act of negligence; it is a byproduct of a product-led growth world where users prioritize speed over formal procurement. 

Whether it’s a marketing team spinning up a free instance to bypass branding restrictions or an engineer using a personal account to avoid IT approval delays, these interactions happen in seconds. Our data shows that 31.4% of all vendor interactions now occur via direct browser access, bypassing OAuth or SAML logs entirely and leaving your identity perimeter behind.

31.4% of vendor interactions we analyzed bypass SSO.

This applies to users engaging vendors that are not on the official list, but the officially procured vendors aren't immune. "Sanctioned" apps that organizations track often also go dark, as users often spin up instances of these tools via direct browser logins. For instance, a company has a Zoom Enterprise contract, and the security team monitors that specific corporate tenant (e.g., company.zoom.us). However, direct logins happen when:

  • Marketing spins up a free Zoom account for a webinar series to bypass branding restrictions.
  • A sales rep uses a personal Zoom account for customer calls because they find the interface easier to manage.
  • Engineering creates a separate workspace to avoid IT approval delays for specific plugins or integrations.

The data showcased in our report also supports this; officially sanctioned tools are accessed directly, bypassing SSO and IdP, which likely sees sensitive data shared with these services:

  • 555 users are accessing SharePoint via direct logins.
  • 141 users on Jira are bypassing the identity perimeter.
  • Gmail: 119 unmonitored users on personal Gmail accounts.

It's become clear that if you only track authorization, you aren't tracking actual usage. You’re watching the lobby while the rest of the building is unmonitored.

The illusion of control: What you see vs. reality

When your main methods of visibility and monitoring miss a third of your active vendor supply chain, your reporting, risk metrics, and discovery are dramatically understated. This means that while you might have green flags for the rest that you monitor, real risk may be hiding in the third of vendors you can't see, and thus can't govern.

This creates an illusion of control that, if left unchecked, may lead to breaches as more and more tools and applications are added to the stack of unmonitored vendors. But it doesn't stop there; as we mentioned earlier, even sanctioned and “trusted” vendors that are procured can still be directly accessed by many users for various reasons.

For example, many organizations in our dataset have officially adopted ChatGPT Enterprise, but our telemetry shows that 64% of those that use it are unmonitored. That's roughly 7 out of 11 instances running completely in the dark, even though we should have “control”, as it has been adopted officially.

This results in shadow tenants that can still leak high-risk information, even though the vendor itself is flagged as “all green” in your vendor inventory, creating yet another illusion of control. 

Your official green list represents a controlled environment where vendors are officially procured, undergo rigorous risk assessments, and are bound by data processing agreements. In contrast, these unmonitored viral instances bypass those safeguards entirely, operating without oversight or the ability to off-board those vendors once users leave the organization.

The Security Score Mirage and Its Risks

A major contributing factor to the illusion of control isn't just recognized names such as ChatGPT on the official procurement list and the conclusion that things are secure; it extends even further to those trusted for their security scores. A high score no longer means a “trusted” vendor, as users can still access them directly, bypassing security and handing off sensitive data.

Let's consider Zoom—boasting an "Excellent" 913 security score—is used across 13 of 20 organizations, yet it is monitored in only 2 of them. The result is 1,044 users operating on unmonitored Zoom instances. Zooming out (pun not intended), we can look at the 299 vendors we analyzed in our report with high security scores (850+), and discover that 81.6% of them had unmonitored instances running at the time of analysis.

The illusion of control, whether through monitoring only the two-thirds that pass through SSO and IdP, or through trusting vendors with reputable names or high security scores, is a common reality, leaving an unaddressed gap with consequences and risks that are becoming more concerning over time.

The unmonitored "shadow" population is significantly riskier than the vendors you actively track:

  • Average Security Score Drop: While monitored vendors maintain a solid average security score of 815, unmonitored vendors drop to an average of 777.
  • 3x Higher "Poor" Risk: Unmonitored vendors are three times more likely to have "poor" security scores (below 700).
  • 6x Higher "Critical" Risk: In the most high-stakes tier, unmonitored vendors are six times more likely to meet the criteria for "critical" risk (scoring below 600).

These gaps exist because vendors entering through procurement undergo at least a cursory security review, whereas the unmonitored "long tail" of employee-adopted apps self-selects for lower security standards.

Because these vendors bypass security reviews entirely, the result is a misleading risk posture in which dashboards report only on the high-scoring "monitored" slice, while the riskier shadow remains invisible.

How shadow AI widens the gap quickly & quietly

We’ve explored how the visibility limitations of modern organizations allow for shadow vendors to operate almost unseen across your supply chain, but one factor is expanding the inventory gap rapidly and deepening its scope: Shadow AI.

We’ve discussed the sudden rise of Shadow AI in our recent Shadow AI report and concluded that it is the fastest-growing risk category we’ve ever tracked. The reason for this is that AI tools have moved from "experimentation" to "dependency" almost overnight.

Users are now adopting AI tools more readily and rapidly alongside unvetted SaaS applications into their workflows and processes. With the leading AI vendor in our study averaging 78 users per organization, usage is shifting from simple task assistants to full operational dependency—all without any security oversight.

This rapid transition from individual experimentation to core business dependency has created a fragmented risk landscape that traditional "blocklist" strategies simply cannot contain. Our research highlights several critical factors behind this expansion:

  • Rapid expansion of the inventory gap: Shadow AI is the fastest-growing, most data-intensive, and least monitored vendor risk category in our dataset.
  • From experimentation to dependency: AI has evolved from a collection of experimental tools into a deep organizational dependency relied upon for daily output.
  • The scale of fragmentation: The research identified 63 distinct AI applications from 56 different vendors operating across 14 functional categories.
  • Widespread unmonitored usage: These tools generated 1,160 user instances across 15 of the 20 organizations analyzed.
  • The failure of simple blockers: Implementing a "No ChatGPT" policy only addresses one door; in our study, that would leave 62 other AI applications continuing to run completely unchecked and hidden from SSO visibility.

Not only is shadow AI increasing the inventory gap of vendors you don't see, but the risks are also getting increasingly more alarming. AI Meeting Assistants are one category of Shadow AI, and in our study, we found that they remain unmonitored in 93.8% of instances. These bots "attend" sensitive M&A or HR meetings, recording every word and sending it to unvetted third-party servers.

This is just one example, but AI has fragmented its capabilities across dozens of specialized tools and assistants that do more than just provide unmonitored access; they facilitate an unmonitored, continuous exchange of corporate data. 

Unlike static SaaS apps, these generative systems actively ingest, process, and potentially train on the sensitive information they receive—including proprietary source code, financial models, and strategic plans. This creates a governance failure where your most confidential data is transmitted to unvetted servers and used to tune opaque models, all without the protection of data processing agreements or security reviews.

Laying the groundwork for the path ahead

It's becoming blindingly clear that with the rise in both SaaS and Shadow AI usage across organizations, leaders need a better way to monitor and govern these tools where they are used, not just where they are on an official list. 

SSO and IdP have clear monitoring gaps, and without visibility into the browser, these tools remain invisible to traditional procurement until a breach occurs.

If we, as leaders, want to secure our organizations from the inherent threats posed by freely available, accessible tooling, apps, and assistants that are becoming easier and faster to spin up, we need to begin following the user, not the purchase order and inventory lists. 

In our next and final entry to this series, we’ll delve into exactly that and explore the path forward we champion to handle this shadow supply chain crisis: usage-based discovery.

Want to see the full data on the visibility gap of SSO and the effects of AI acceleration? 

Download the free Shadow Supply Chain report here.

Related posts

Learn more about the latest issues in cybersecurity.
Human Cyber Risk

The Shadow Supply Chain: A Pivot To Usage-Based Discovery

Pivot from "purchase-based" to usage-based discovery. See how browser telemetry and identity logs work together to secure your true vendor footprint.
Shane Moosa
Shane Moosa
April 22, 2026
Human Cyber Risk

The Shadow Supply Chain: A 72.9% Gap In Your Vendor Inventory

Your real vendor inventory is 8x larger than your official list. Discover how user behavior creates a hidden shadow supply chain that legacy tools miss.
Shane Moosa
Shane Moosa
April 16, 2026
Human Cyber Risk

What is Shadow IT?

Explore more on what Shadow IT is, its examples, risks, and the rapid rise of Shadow AI. Learn how mid-market teams are bridging the visibility gap.
Edward Kost
Edward Kost
April 16, 2026
Human Cyber Risk

Emerging Risks: Typosquatting in the MCP Ecosystem

The MCP server ecosystem is susceptible to brand impersonation for both local and remote servers.
Greg Pollock
Greg Pollock
April 10, 2026
Human Cyber Risk

YOLO Mode: Hidden Risks in Claude Code Permissions

Developers are frequently granting Claude Code permission to download, execute, and delete code, creating fertile ground for prompt injection attacks.
Greg Pollock
Greg Pollock
January 16, 2026
Human Cyber Risk

Solving Human Risk: Build a Measurable, Security-First Culture

Turn your workforce into your first line of defense. Learn how User Risk builds a measurable, security-first culture and secures your human layer.
Shane Moosa
Shane Moosa
December 8, 2025
All posts