Heeding Pat Opet's Wakeup Call – The Need for Dynamic SaaS Security

Two weeks ago, JPMorgan’s CISO Pat Opet issued a blunt warning that SaaS sprawl is “quietly enabling cyber attackers” and creating systemic vulnerabilities. His open letter reminds us that decades of secure-by-design architecture have been eroded by the ease of direct SaaS integrations. In the past, we segmented networks and applications so that a breach in one system couldn’t easily propagate. Today, OAuth APIs and embedded services have torn down those firewalls.
As Opet notes, modern integration patterns can “dismantle these essential boundaries” and even “collapse authentication and authorization” into a single trust token. In plain English: once you grant an app access to your data (say, via an OAuth token), attackers can exploit that link to jump into your systems.
Pat Opet’s core point is that convenience can no longer outpace control. Software vendors must build security in by default – no more excuses for rushed features over safe defaults. Nor can organizations treat SaaS apps as black boxes. Opet calls for a modernization of security architecture to “optimize SaaS integration and minimize risk”.
We couldn’t agree more. At Reco, we’ve been shouting the same message: the SaaS security model must become dynamic. Instead of static perimeter tools, we need continuous, context-aware protection that evolves with every new app and service.
Reco’s Dynamic SaaS Security platform is built for exactly this world. It continuously discovers and maps all SaaS apps, connections, and privileges – so you can see and control what used to be invisible. For example, Reco automatically tracks every OAuth-based link between your apps (“app-to-app discovery”) and builds a Knowledge Graph of who’s connected to what. This gives us line-of-sight into the full chain of access. We track all SaaS-to-SaaS connections and map relationships between apps, users, and data. With this insight, you can spot risky permissions before they’re abused.

As a vivid example, consider popular Gmail add-ons like Boomerang (see above): they require full access to your email, calendar, and contacts to function. That’s essentially handing over the keys to your inbox and schedule – a massive concentration of trust. In fact, Boomerang’s own support pages admit it needs access to the full email data to send and schedule messages. That kind of broad OAuth scope might be convenient, but it’s a honeypot for attackers. Using Reco, you would immediately see that Boomerang (or any other app) has such wide scopes, and you can tighten or revoke those privileges before any mischief happens.
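As an added example (not Reco's code, and not Boomerang's actual scope set), the check below audits a SaaS OAuth grant inventory and reports apps holding scopes that cover an entire mailbox, calendar, or contact list. The scope URIs are Google's published identifiers; the app names and the grant inventory are constructed sample data.

```python
"""Flag over-broad OAuth grants in a SaaS app inventory (added example)."""
from dataclasses import dataclass

# Google scope URIs that grant access to a whole data class. Assumption:
# anything listed here is "broad"; a narrower scope such as gmail.send is not.
BROAD_SCOPES = {
    "https://mail.google.com/": "full mailbox read/write/delete",
    "https://www.googleapis.com/auth/gmail.modify": "mailbox read/write",
    "https://www.googleapis.com/auth/calendar": "full calendar read/write",
    "https://www.googleapis.com/auth/contacts": "full contacts read/write",
}

@dataclass
class Grant:
    app: str
    user: str
    scopes: tuple  # scope URIs the user consented to

def risky_scopes(grant):
    """Return the subset of a grant's scopes that are over-broad."""
    return sorted(s for s in grant.scopes if s in BROAD_SCOPES)

def audit(grants):
    """Return {app: {"users": n, "broad": [scope, ...]}} for every app that
    holds at least one broad scope, so an admin can review or revoke it."""
    report = {}
    for g in grants:
        broad = risky_scopes(g)
        if not broad:
            continue
        entry = report.setdefault(g.app, {"users": 0, "broad": set()})
        entry["users"] += 1
        entry["broad"].update(broad)
    return {app: {"users": e["users"], "broad": sorted(e["broad"])}
            for app, e in report.items()}

# Constructed inventory: one scheduling add-on with mailbox-wide access
# across two users, and one integration that can only send mail.
SAMPLE_GRANTS = [
    Grant("Email Scheduler Add-on", "alice@example.com",
          ("https://mail.google.com/",
           "https://www.googleapis.com/auth/calendar",
           "https://www.googleapis.com/auth/contacts")),
    Grant("Email Scheduler Add-on", "bob@example.com",
          ("https://mail.google.com/",)),
    Grant("Ticket Notifier", "alice@example.com",
          ("https://www.googleapis.com/auth/gmail.send",)),
]

if __name__ == "__main__":
    for app, e in audit(SAMPLE_GRANTS).items():
        print(f"{app}: {e['users']} user(s), broad scopes: {e['broad']}")
```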
Seeing Beyond Third-Party to Fourth-Party Risk
Pat Opet also warns about the hidden chains of trust in our supply chain: even if your primary vendor is secure, its vendors (and vendors-of-vendors) may not be. He points out that opaque fourth-party vendor dependencies can silently expand risk upstream. In practical terms, this means data or access might be passing to a company you’ve never met – and if they get breached, you are on the hook. (Regulators like GDPR make it clear that you’re responsible even for your vendor’s vendor.)
Reco tackles this problem head-on with its fourth-party risk coverage. Because we map all connections via our Knowledge Graph, we automatically see when a third-party app is sharing data with additional services. For example, we’ll alert you if your CRM exports customer lists to an external analytics engine you didn’t explicitly approve. In our managing fourth-party risks blog, we explain exactly how this works: Reco tracks all SaaS-to-SaaS connections and processes vast amounts of data to identify where your data might have gone beyond the first vendor. We call this “app-to-app discovery” – every chat app, file share, or API call gets logged in Reco’s graph. Then our contextual analysis looks at the business purpose and flags suspicious data flows.

Reco basically closes the visibility gap. You get an automated inventory of every data path from your org to any third- or fourth-party. If any link in that chain is risky (for example, an external service has admin rights on your Box account), Reco sounds the alarm. This kind of visibility is important, because as the letter notes, a compromise at one SaaS provider can “ripple through its customers” if unchecked.
Monitoring Privileged Accounts and Admin Access
Another blind spot in SaaS security is who has privileged access – especially hidden or backdoor accounts. Pat Opet’s letter implies that many SaaS integration models give far too much trust to external identities.
As one example, consider the story we uncovered at SailPoint. SailPoint’s cloud IdentityIQ has two built-in admin accounts (slpt.services and slpt.support) that have Org-Owner privileges on your entire tenant. That means for six months after you set up SailPoint, those support accounts can log in with full admin rights – and many teams don’t even notice them. If an attacker ever stole their credentials, it would be game over.
Reco treats this risk as unacceptable. Our platform continuously monitors all privileged accounts in every app – including hidden ones like these SailPoint built-ins. We provide real-time alerts on any unusual activity: for example, logins from an unexpected IP or after-hours use of a support account. We also run posture checks to ensure those accounts are locked down (e.g. enforcing multi-factor auth) and that no unnecessary permissions were granted.
In the SailPoint blog, we describe how Reco continuously monitors the activity of built-in admin accounts and triggers alerts if anything suspicious happens. That same capability applies to your Office 365 global admins, ServiceNow system accounts, or any other privileged identities. By tracking every login, permission change, and session in the SaaS ecosystem, Reco adds an identity threat-detection layer on top of the apps themselves (an ITDR approach).
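The after-hours and unexpected-IP checks described above, as an added example that is not Reco's detection logic: it scans login records for the two SailPoint built-in account names mentioned earlier and returns a reason for each alert. The log lines are constructed, and the vendor IP range, the 08:00-18:00 UTC business window, and the log format are assumptions.

```python
"""Alert on anomalous logins by vendor/built-in admin accounts (added example)."""
import ipaddress
from datetime import datetime

# Assumptions: the vendor support accounts that should normally be quiet,
# the vendor's published egress range (constructed), and a UTC business window.
WATCHED_ACCOUNTS = {"slpt.services", "slpt.support"}
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(8, 18)

def parse(line):
    """Parse 'ts user ip action' (ISO-8601 UTC timestamp, space-separated)."""
    ts, user, ip, action = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ipaddress.ip_address(ip), "action": action}

def findings(ev):
    """Return the reasons this login is suspicious (empty list if none)."""
    if ev["user"] not in WATCHED_ACCOUNTS or ev["action"] != "login":
        return []
    reasons = []
    if not any(ev["ip"] in net for net in ALLOWED_NETS):
        reasons.append("source IP outside vendor range")
    if ev["ts"].hour not in BUSINESS_HOURS or ev["ts"].weekday() >= 5:
        reasons.append("login outside business hours")
    return reasons

def scan(lines):
    """Return [(user, iso_timestamp, reasons)] for every event that alerted."""
    alerts = []
    for line in lines:
        ev = parse(line)
        why = findings(ev)
        if why:
            alerts.append((ev["user"], ev["ts"].isoformat(), why))
    return alerts

SAMPLE_LOG = [  # constructed sample records
    "2025-05-05T10:15:00Z slpt.support 203.0.113.7 login",    # benign
    "2025-05-05T03:40:00Z slpt.services 198.51.100.9 login",  # IP + hours
    "2025-05-06T11:00:00Z slpt.support 203.0.113.8 login",    # benign
    "2025-05-06T11:00:00Z alice 198.51.100.9 login",          # not watched
    "2025-05-10T12:00:00Z slpt.support 203.0.113.7 login",    # Saturday
]

if __name__ == "__main__":
    for user, ts, why in scan(SAMPLE_LOG):
        print(f"ALERT {ts} {user}: {', '.join(why)}")
```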

This is more important than ever. Pat Opet’s letter reminds us that software providers themselves often have privileged access to customer systems – and if their accounts or code are compromised, they have carte blanche. We saw this in SailPoint’s case, and we also know that admin tools can introduce risk.
For instance, in 2024, CISA added a command-injection vulnerability in BeyondTrust’s privileged remote-access products to its Known Exploited Vulnerabilities catalog. (The vulnerability, CVE-2024-12356, scored 9.8/10 and allowed attackers to run arbitrary commands as an unauthenticated user.) In plain terms, once a vulnerability like that is out in the wild, any endpoint running BeyondTrust software could be commandeered as easily as clicking a link. If that happened, attackers would essentially have full control of the admin tool – and any other systems it’s attached to.
Reco helps defend against that class of problem as well, by treating all privileged software and APIs as potential attack vectors. Our platform monitors the configuration and use of those tools just like any other app: we check that patches are applied, we log who can administer the tool, and we alert on unusual usage. In the scenario of a critical BeyondTrust exploit, Reco could at least alert you if an admin console was accessed unexpectedly or if that app started behaving oddly.
Governing the AI-Powered Explosion
Perhaps the most explosive growth area in SaaS is generative AI and automation. As Pat Opet notes, the rise of new AI-based services and AI agents can quickly distribute risk throughout every organization. In practice, that means end-users signing up for cloud AI tools and plugging them into corporate data sources without telling IT. Shadow AI is already a thing, just like shadow IT, and it creates gaping holes in your data governance.
Reco’s platform includes dedicated AI-governance capabilities to address this. Through generative AI discovery and shadow app discovery, we automatically find every AI-related SaaS that’s connected to your environment – whether it’s a sanctioned tool like Microsoft Copilot or an unsanctioned chatbot in a marketing tool. As we describe in our shadow AI article, Reco uncovers unauthorized SaaS tools that might otherwise go unnoticed. We see exactly which data each AI app can access and monitor how it’s used. This way, you can enforce policies (for example, blocking an LLM from reading HR data) and detect any unusual data transfers.

Moreover, Reco applies its AI expertise to security alerts themselves. We’ve introduced Reco AI Agents to triage and investigate SaaS alerts and anomalous behaviors. In effect, Reco becomes a force multiplier for your security team in an AI-based world. Whenever a user tries to connect a new AI tool, or an app starts uploading documents to a third-party model, Reco catches it and helps you remediate. In the end, AI need not be an extra blind spot – if you have the right governance tools in place. Reco’s approach makes sure that as your people adopt AI at warp speed, your security posture keeps pace.
Take Your Next Steps With Reco
SaaS security challenges aren’t going away; if anything, they’re getting harder to spot. Reco gives you a clear, ongoing view of every app connection, permission, and data flow in your environment.
You can see which apps have risky access, track privileged accounts, catch hidden fourth-party sharing, and monitor how AI tools interact with your data. Instead of reacting after something goes wrong, Reco helps you stay a step ahead.
If you’re ready to take control of your SaaS ecosystem without slowing down your teams, we’re here to help. Request a demo to see how Reco makes SaaS security simpler, smarter, and more proactive.
