Security firm Grip Security recently released a report analysing 23,000 software-as-a-service (SaaS) application environments and warned of risks arising from shadow AI outside corporate control.

The report said 100 percent of the companies analysed operated SaaS environments with embedded AI.

Attacks on SaaS surged 490 percent from a year earlier, and 80 percent of documented incidents were related to personally identifiable information (PII) or customer data.

Grip Security product marketing consultant Chad Holmes (채드 홈스) said the most surprising point was that companies run an average 140 AI-enabled SaaS environments.

The company said if a single AI-enabled app is breached, damage can spread across all other AI-enabled environments within an organisation. It could also spread to other organisations.

What is worsening the problem is a race for speed. SaaS developers are rapidly embedding agent AI into their products. For customers, that increases the likelihood of installing shadow AI without knowing it.

OAuth tokens for authentication are also often issued as requested by SaaS apps without much review.

In the report, Grip Security said, "AI is not a future risk, nor is it a simple IT issue. Controlling it is not an option," and warned that 2026 could be the worst year on record for SaaS breaches. It proposed improving visibility into shadow AI and adopting dynamic governance. The report said, "Successful leaders replace static approval with continuous monitoring and risk-based controls," and added, "AI must be managed at the same level as core vendors."