In a nutshell: 69 percent of SaaS accounts in the Kaseya study have more uncontrolled guest access than licensed users, leading to significant security and compliance gaps.
The Kaseya SaaS Security Report 2026 documents that uncontrolled trust relationships between SaaS applications are becoming a significant security risk in enterprise environments. The study reveals severe deficiencies in the management of guest access.
According to the report, 69 percent of the examined SaaS accounts have more guest accounts than licensed users. This points to a widespread practice of granting external parties (suppliers, partners, or contractors) generous access rights without those rights being formally documented through licenses.
For CISOs, this scenario presents several concrete risks. First, visibility gaps emerge because guest access is often not centrally managed, so oversight of the actual users is lost. Second, guest accounts are typically configured with less strict authentication and authorization mechanisms than internal user accounts. This opens up potential attack surface, particularly if access rights are not regularly reviewed and reduced.
From a compliance perspective, particularly under NIS2, the uncontrolled granting of guest access is problematic: the directive requires precise control and documentation of access permissions, especially for systems that are critical to the provision of essential services. Incomplete or faulty inventories of guest access therefore also jeopardize the ability to demonstrate security measures in audits.
The study results underscore the need to systematically capture, categorize, and regularly validate guest access and external trust relationships in SaaS environments – as an essential component of identity and access management.
Source: itwelt.at · Published 1 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.