The Collaboration Stack Crisis: Managing SaaS Sprawl in the Hybrid Workplace

Hybrid teams now juggle dozens of overlapping SaaS tools. Here's how to regain control, cut costs, and close the security gaps before they become breaches.

March 24, 2026 | Layer27
Remote Work | IT Strategy | Data Security | Cloud Services

It started with the best of intentions.

When the world shifted to remote work a few years ago, businesses scrambled to keep teams connected. They spun up Zoom here, Slack there, added a project management tool for one department, a shared whiteboard app for another, and a document signing platform that one vendor required. Fast-forward to 2026, and the average mid-size business is running somewhere between 130 and 200 SaaS applications — many of them redundant, undermanaged, or completely forgotten by IT.

This isn't a minor organizational annoyance. It's a full-blown crisis hiding in plain sight.

SaaS sprawl — the unchecked proliferation of cloud-based software across a hybrid organization — has quietly become one of the most significant IT and security challenges businesses face today. According to Productiv's 2025 SaaS Intelligence Report, companies pay for an average of 65 applications per 100 employees, yet only about 45% of those tools see regular active use. Meanwhile, Gartner estimates that through 2026, 99% of cloud security failures will be the customer's fault — not the vendor's — most often stemming from misconfiguration and poor access governance.

The hybrid workplace made this problem exponentially worse. Employees working from home, the office, and everywhere in between have become accustomed to solving their own productivity problems with a quick app download or a free trial signup. IT doesn't always find out until a security audit, an invoice reconciliation, or — worst case — a data breach.


What Is SaaS Sprawl, Exactly?

SaaS sprawl refers to the uncontrolled growth of software-as-a-service applications within an organization, often adopted without formal IT review, procurement processes, or security vetting.

It shows up in a few different ways:

Shadow IT is the most commonly discussed form — employees downloading apps or signing up for cloud services without IT's knowledge. A marketing coordinator syncing company files to a personal Dropbox. A sales rep using a free AI writing tool that stores conversation history on a third-party server. A project manager inviting the whole team to a new task app because they preferred it to the company-approved one.

Zombie apps are the quieter threat. These are tools that were officially approved and provisioned but are no longer actively used, yet they still have active licenses, still hold OAuth consent grants into company data, and still represent open doors into your environment.

Redundant stacks happen when different departments independently adopt tools that do the same thing. It's not unusual to find a company running three separate video conferencing platforms, two different e-signature tools, and four project management solutions simultaneously — often because no single team had visibility into what the others were using.


Why Hybrid Work Accelerated the Problem

Before the pandemic, most software procurement flowed through IT or at least through a finance approval process. Physical offices created natural checkpoints. When everyone was on-site, IT could see the devices, manage the network, and maintain some visibility over what was being installed.

The hybrid model shattered those checkpoints.

Employees now operate largely autonomously across home networks, personal devices, and a mix of managed and unmanaged endpoints. The pressure to stay productive — and the cultural expectation that workers should solve their own problems quickly — created an environment where shadow IT isn't the exception. For many organizations, it's the norm.

A 2025 survey by Torii found that 71% of IT leaders said their SaaS environment had grown significantly harder to manage since the shift to hybrid work. More telling: 58% admitted they didn't have accurate, real-time visibility into all the applications their employees were using.

That's a majority of IT teams flying partially blind.


The Real Cost of SaaS Sprawl

Financial Waste at Scale

Let's start with the budget impact, because it's substantial. When applications are provisioned without central oversight, you end up paying for seats that aren't being used, renewing contracts nobody remembers signing, and missing volume discount opportunities because purchases are fragmented across departments.

For a 150-person company, that waste can easily reach tens of thousands of dollars annually — sometimes six figures. In an era where every IT dollar is scrutinized, that's money that could fund meaningful security improvements, additional staff, or infrastructure upgrades.

This is one of the reasons Layer27's Cloud Services practice spends significant time helping clients develop SaaS governance frameworks as part of broader cloud optimization engagements. Getting visibility into what you're running and what it actually costs is almost always the first step — and the savings often surprise business owners.

Security Exposure You Can't See

The financial waste is bad. The security exposure is worse.

Every SaaS application connected to your business environment represents a potential attack surface. When those applications are approved, configured, and managed by IT, that surface can be monitored and controlled. When apps are adopted informally — without security review, without SSO integration, without proper offboarding procedures — each one becomes an unguarded entry point.

Consider what happens when an employee who used a shadow IT application leaves the company. IT works through the offboarding checklist, disables the Active Directory or Entra ID account, and revokes access to known systems. But nobody thinks about the OAuth consent the employee granted six months ago to a third-party productivity tool with read/write access to the company's Google Drive or Microsoft SharePoint. Disabling the account generally stops the app from refreshing tokens on that user's behalf, but the consent record stays in the directory, a disabled account can be re-enabled later, and an app that was granted application-level permissions (admin-consented, tied to no individual user) keeps its access no matter who leaves. Nobody reviews those grants, so the access persists.

This is precisely the kind of persistent, low-visibility access that threat actors are increasingly exploiting. Rather than launching a noisy brute-force attack, a sophisticated adversary will look for forgotten integrations, stale tokens, and under-monitored application permissions — and use them to move laterally through your environment without triggering obvious alerts.

For businesses that have deployed Managed Detection & Response (MDR) or rely on Layer27's 24x7 SOC for continuous monitoring, these risks are significantly easier to catch. Security teams watching for anomalous OAuth activity, unusual data access patterns, and logins from unexpected application contexts can identify these threats before they escalate. But without that visibility, many organizations simply wouldn't know.

Compliance and Data Governance Failures

For businesses operating in regulated industries — healthcare, financial services, legal, government contracting — SaaS sprawl isn't just a security issue. It's a compliance landmine.

HIPAA requires covered entities and business associates to have Business Associate Agreements in place with every vendor that handles protected health information. If a healthcare office manager is using an unapproved scheduling tool or a free chatbot that processes patient names and appointment details, that's a potential HIPAA violation — even if nothing bad ever comes of it.

Similarly, PCI DSS requirements around the cardholder data environment become nearly impossible to enforce when employees are passing payment-related information through unsanctioned communication tools or cloud storage services, because every such tool silently joins the scope of the assessment.

The SaaS governance problem and the compliance problem are the same problem. Layer27's Compliance practice regularly encounters organizations that have strong controls in their known, mapped systems — and significant gaps in the applications IT doesn't know about. Closing those gaps requires both technical discovery and organizational policy work.


Building a SaaS Governance Framework That Works

The answer to SaaS sprawl isn't to lock everything down so tightly that employees can't get work done. That approach backfires — people find workarounds, shadow IT gets worse, and productivity suffers. The goal is managed flexibility: a structure that allows the business to move fast while maintaining visibility, security, and cost control.

Step 1: Get a Complete Inventory

You can't govern what you can't see. Start with a comprehensive discovery process that identifies every application currently in use across the organization. This typically requires a combination of:

  • SSO/IdP logs — What apps are people authenticating to through your identity provider?
  • Network and DNS analysis — What cloud destinations are generating traffic from your environment?
  • OAuth and API integrations — What third-party apps have been granted permissions to access core platforms like Microsoft 365 or Google Workspace?
  • Expense and procurement records — What SaaS subscriptions are showing up on credit cards or invoices?
  • Endpoint discovery tools — What browser extensions and locally installed apps are running on managed devices?

No single source will give you the full picture. You need all of them.
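The OAuth bullet above is the source most teams skip, and it is also where the offboarding gap described earlier becomes visible. The following is an added example, not code from the original post or from Layer27: it takes exports shaped like Microsoft Graph's /users, /servicePrincipals and /oauth2PermissionGrants responses (assumed field names; the records are constructed sample data, not real tenant output), joins them, and ranks each grant by how much it deserves review. Application-level permissions are modelled as a constructed list with the permission name already resolved; a real export resolves appRoleId against the resource service principal's appRoles first. The HIGH_RISK_SCOPES list is an assumed starting point.

```python
"""Triage of OAuth consent grants pulled from an identity provider.

Added example; not code from the original post or from Layer27. The records
are constructed sample data shaped like Microsoft Graph's /users,
/servicePrincipals and /oauth2PermissionGrants responses (assumed field
names). Application permissions are a constructed list with the permission
name already resolved.
"""
from dataclasses import dataclass

# Scopes that give an app broad read or write access to tenant data.
# Assumed starting list; extend it for your own environment.
HIGH_RISK_SCOPES = {
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "Mail.ReadWrite",
    "Mail.Read", "Directory.ReadWrite.All", "User.ReadWrite.All",
}

SAMPLE_USERS = [  # constructed
    {"id": "u-1", "userPrincipalName": "alice@example.com", "accountEnabled": True},
    {"id": "u-2", "userPrincipalName": "bob@example.com", "accountEnabled": False},
]
SAMPLE_SERVICE_PRINCIPALS = [  # constructed: the third-party client apps
    {"id": "sp-1", "displayName": "TaskFlow Notes"},
    {"id": "sp-2", "displayName": "Video Meetings"},
    {"id": "sp-3", "displayName": "Legacy Sync Bot"},
]
SAMPLE_GRANTS = [  # constructed: delegated (user-context) consents
    {"id": "g-1", "clientId": "sp-1", "consentType": "Principal", "principalId": "u-2",
     "scope": "openid offline_access Files.ReadWrite.All"},
    {"id": "g-2", "clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "openid profile User.Read Calendars.ReadWrite"},
    {"id": "g-3", "clientId": "sp-1", "consentType": "Principal", "principalId": "u-1",
     "scope": "openid User.Read"},
]
SAMPLE_APP_PERMISSIONS = [  # constructed: application (no user) permissions
    {"id": "a-1", "principalId": "sp-3", "permission": "Sites.ReadWrite.All"},
]


@dataclass
class Finding:
    app: str
    grant_id: str
    consent: str       # "Principal", "AllPrincipals" or "Application"
    principal: str     # UPN for single-user grants, "-" otherwise
    scopes: list
    reasons: list      # why this grant deserves review; empty means low priority


def triage(grants, app_permissions, users, service_principals):
    """Join grants to users and apps, flag the risky ones, rank by reason count."""
    users_by_id = {u["id"]: u for u in users}
    app_name = {sp["id"]: sp["displayName"] for sp in service_principals}
    findings = []

    for g in grants:
        scopes = g["scope"].split()
        reasons = []
        risky = sorted(HIGH_RISK_SCOPES.intersection(scopes))
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if "offline_access" in scopes:
            reasons.append("offline_access: app holds refresh tokens, no user at the keyboard")
        principal = "-"
        if g["consentType"] == "Principal":
            user = users_by_id.get(g["principalId"])
            if user is None:
                principal = str(g["principalId"])
                reasons.append("grant principal missing from user export")
            else:
                principal = user["userPrincipalName"]
                if not user["accountEnabled"]:
                    reasons.append("granted by a disabled account: consent outlived offboarding")
        else:
            reasons.append("tenant-wide consent: every user is in scope")
        findings.append(Finding(app_name.get(g["clientId"], g["clientId"]), g["id"],
                                g["consentType"], principal, scopes, reasons))

    for a in app_permissions:
        reasons = []
        if a["permission"] in HIGH_RISK_SCOPES:
            reasons.append("high-risk scopes: " + a["permission"])
        reasons.append("application permission: works with no user, unaffected by offboarding")
        findings.append(Finding(app_name.get(a["principalId"], a["principalId"]), a["id"],
                                "Application", "-", [a["permission"]], reasons))

    # Most reasons first; app name and id break ties so the report is stable run to run.
    findings.sort(key=lambda f: (-len(f.reasons), f.app, f.grant_id))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS, SAMPLE_APP_PERMISSIONS, SAMPLE_USERS, SAMPLE_SERVICE_PRINCIPALS):
        print(f"{f.app:16} {f.consent:13} {f.principal:18} {'; '.join(f.reasons) or 'low priority'}")
```

On the sample data the grant that surfaces first is the one the offboarding story predicts: a disabled user's consent, with offline_access and Files.ReadWrite.All, to an app nobody in IT provisioned. The application permission ranks next because no user offboarding will ever touch it.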

Step 2: Classify and Rationalize

Once you have a complete inventory, categorize each application by business function, data sensitivity, and usage level. Then ask the hard questions: Are we paying for tools we're not using? Do we have three apps that do the same thing? Does this application have access to sensitive data, and if so, has it been security reviewed?

Rationalization isn't just about cutting costs (though that's a benefit). It's about deliberately choosing the applications that support how your business operates and retiring the ones that don't — rather than letting that list grow by default.

Step 3: Establish an Intake Process

Prevention is easier than cleanup. Create a lightweight but formal process for evaluating new SaaS applications before they're adopted. This doesn't need to be a bureaucratic obstacle course. It can be as simple as a short intake form that routes to IT for a quick security and compliance review before a new tool gets provisioned.

The key is cultural: employees need to know the process exists, understand why it matters, and feel that IT is a resource rather than a roadblock. Layer27's Security Awareness Training programs specifically address shadow IT behaviors — helping employees understand the risks of unapproved tools and making the case for why the intake process protects them, not just the company.

Step 4: Integrate Everything Into SSO

Every approved SaaS application should be connected to your central identity provider through Single Sign-On. This isn't optional — it's the foundational control that makes everything else manageable.

When apps are integrated with SSO, you get a single place to provision and deprovision access, you can enforce MFA consistently, and you create an audit trail. When an employee leaves, disabling their IdP account cuts off every SSO-integrated tool at once. One caveat: SSO governs the login, not every credential. Apps that still allow a local password alongside SSO, or that let users mint personal API keys and long-lived integration tokens, need SCIM-based deprovisioning or an explicit revocation step as well, or the account outlives the IdP disable.

For businesses that haven't fully centralized identity management yet, this is often the highest-leverage security investment you can make. It directly supports a Zero Trust architecture and dramatically simplifies compliance reporting.

Step 5: Monitor, Review, and Offboard Continuously

SaaS governance isn't a one-time project. Applications change. Business needs evolve. Employees come and go. Build quarterly review cadences into your IT operations to audit active licenses, review usage data, revoke OAuth grants that show no activity, and retire applications that no longer serve the business.
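"Revoke dormant grants" only works if you can tell dormant from never-logged. The following is an added example, not code from the original post or from Layer27: it scores each grant by days since its app last appeared in sign-in logs shaped like Microsoft Graph sign-in entries (assumed field names; all records are constructed), produces a keep/revoke plan with the Graph path an administrator would DELETE, and refuses to run when the dormancy threshold is longer than the log retention you actually have, because in that situation every app looks dormant. The grant shape (id, app, appId, kind, clientObjectId) is an assumed intermediate format, not a Graph response.

```python
"""Dormant OAuth grant review against sign-in activity.

Added example; not code from the original post or from Layer27. Grant and
sign-in shapes are assumed; the records are constructed sample data.
"""
from datetime import datetime, timezone


def parse_ts(value):
    """ISO 8601 with a trailing Z, as Graph emits it, to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def revocation_path(grant):
    """Graph endpoint a reviewer would DELETE to remove the grant."""
    if grant["kind"] == "delegated":
        return f"/v1.0/oauth2PermissionGrants/{grant['id']}"
    # Application permissions are app role assignments on the client's service principal.
    return f"/v1.0/servicePrincipals/{grant['clientObjectId']}/appRoleAssignments/{grant['id']}"


def dormancy_plan(grants, sign_ins, as_of, dormant_days=90, log_retention_days=90):
    """Classify each grant as keep/revoke by days since its app last signed in.

    An app with no sign-in inside the retained log window cannot be told apart
    from one that was never used, so the threshold must not exceed the window
    you actually hold logs for.
    """
    if dormant_days > log_retention_days:
        raise ValueError("dormancy threshold exceeds sign-in log retention; extend retention first")

    last_seen = {}  # appId -> most recent sign-in, regardless of log order
    for s in sign_ins:
        ts = parse_ts(s["createdDateTime"])
        if s["appId"] not in last_seen or ts > last_seen[s["appId"]]:
            last_seen[s["appId"]] = ts

    plan = []
    for g in grants:
        seen = last_seen.get(g["appId"])
        if seen is None:
            age, action = None, "revoke"      # silent for the whole retained window
        else:
            age = (as_of - seen).days
            action = "revoke" if age >= dormant_days else "keep"
        plan.append({"app": g["app"], "grant": g["id"], "kind": g["kind"],
                     "days_since_use": age, "action": action,
                     "delete": revocation_path(g) if action == "revoke" else None})
    return plan


SAMPLE_GRANTS = [  # constructed
    {"id": "g-10", "app": "Video Meetings", "appId": "app-video", "kind": "delegated"},
    {"id": "g-11", "app": "TaskFlow Notes", "appId": "app-taskflow", "kind": "delegated"},
    {"id": "a-12", "app": "Legacy Sync Bot", "appId": "app-sync", "kind": "application",
     "clientObjectId": "sp-3"},
]
SAMPLE_SIGN_INS = [  # constructed; deliberately not sorted by time
    {"appId": "app-video", "createdDateTime": "2026-03-20T09:12:44Z"},
    {"appId": "app-taskflow", "createdDateTime": "2025-12-01T17:02:10Z"},
    {"appId": "app-video", "createdDateTime": "2026-02-02T08:00:00Z"},
]
AS_OF = datetime(2026, 3, 24, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in dormancy_plan(SAMPLE_GRANTS, SAMPLE_SIGN_INS, AS_OF):
        print(row)
```

The plan is deliberately a list of paths rather than live DELETE calls: a quarterly review should produce a change ticket that a human approves, and the path is what goes in it. For application permissions the sign-in source is the service principal sign-in log rather than the user sign-in log; the join logic is the same.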

Layer27's Co-Managed IT model works particularly well here — organizations that have internal IT staff can leverage Layer27 as a strategic partner to handle the ongoing governance and monitoring work that tends to fall through the cracks when internal teams are stretched thin.


Securing the Data That Lives in Your SaaS Stack

Even with a solid governance framework, some risk is inevitable in a hybrid environment. Employees will always have access to data — that's the point. The question is whether that access is appropriate, auditable, and recoverable in the event of a problem.

A few additional controls are worth highlighting:

Data Loss Prevention (DLP) policies within your core platforms (Microsoft 365, Google Workspace) can flag or block sensitive data from being shared through unapproved channels or copied to personal cloud storage. This is a powerful complement to application governance.

Backup and recovery for SaaS data is still poorly understood by many businesses. A common misconception is that because Microsoft or Google hosts your data, they also back it up to the standard business continuity requires. Under the shared responsibility model they keep the service running; protecting your data against deletion, corruption, and ransomware is your job. Their built-in safety nets (recycle bins, version history, retention policies) help, but they have finite windows, and an incident that goes unnoticed for longer than that window, such as a compromised integration quietly overwriting files, leaves nothing to restore from. Layer27's Backup-as-a-Service (BaaS) and Disaster Recovery-as-a-Service (DRaaS) offerings include coverage for SaaS environments, ensuring that data stored in cloud applications can be recovered in scenarios involving accidental deletion, ransomware propagation through connected apps, or vendor-side outages.

Conditional access policies tied to device compliance status add another layer — ensuring that even if an employee authenticates successfully, they can only access sensitive SaaS applications from a managed, compliant endpoint.


Where to Start if You're Behind

If your organization has never done a formal SaaS audit, the size of the problem might feel paralyzing. Here's the practical starting point: don't try to solve everything at once.

Pick the highest-risk applications first — specifically, any tool that has access to sensitive customer data, financial information, or regulated records. Audit those for proper security configuration, SSO integration, and active usage. Then work outward from there.

If you're not sure where to start or don't have the internal bandwidth to run the discovery process, that's exactly the kind of engagement where a managed services partner adds immediate value. Layer27's Infrastructure Pro and CloudStart services both include SaaS environment assessments as part of onboarding — giving new clients a clear, prioritized picture of where the gaps are and what to tackle first.

For organizations that want a security-first lens on the process, Safe Start and Protect Pro combine that infrastructure visibility with the security controls needed to properly monitor and protect a hybrid SaaS environment from day one.


The Bottom Line

The hybrid workplace is here to stay. The SaaS tools that power it aren't going away either — and the business case for using them is real. The problem isn't the tools. It's the absence of governance around them.

SaaS sprawl is costing businesses money, creating compliance exposure, and leaving security gaps that sophisticated attackers are actively looking to exploit. The companies that get ahead of this problem in 2026 will be better positioned, better protected, and operating leaner than their competitors who are still paying for zombie apps and hoping shadow IT doesn't bite them.

Visibility, governance, and continuous monitoring aren't nice-to-haves anymore. In a distributed hybrid environment, they're the foundation of a functional IT operation.


Ready to Get Your SaaS Environment Under Control?

If you're not sure what's running in your environment — or you suspect the number is larger than you'd like — Layer27 can help. Our team works with businesses across the U.S. to audit SaaS environments, build governance frameworks, and implement the security and backup controls needed to protect the data that lives in your cloud applications.

Get in touch with the Layer27 team today. We'll start with a conversation, not a sales pitch — because understanding your specific environment is always step one.
