Insights

Posts about:

Software

CIOs: Get Ahead of SaaS Sprawl Before It Ruins Your Budget

Read time: 3 minutes

In most organizations, SaaS adoption happens by accumulation. A project team adopts a new task management tool. Marketing subscribes to an analytics platform. HR brings in a scheduling application. Finance approves subscriptions through expense reports. Over time, the software environment stops being something IT teams actively design and becomes something IT teams inherit.

This is SaaS sprawl, and for most growing businesses it's already well underway. According to Zylo's 2025 SaaS Management Index, organizations wasted an average of $21 million on unused SaaS licenses last year, with this number increasing 14.2% per year. For CIOs seeking executive alignment, this level of financial leakage creates a clear and compelling entry point. Every dollar recovered from unused licenses, duplicate tools, or unreviewed renewals is budget that can be redirected toward initiatives with real strategic impact.

AI adoption is accelerating the problem. According to a 2025 Zapier survey of over 500 enterprise leaders, only 35% of organizations say their AI tools go through proper approval channels. This means the majority of AI tools entering the businesses surveyed are following the same ungoverned path as the SaaS subscriptions that created the sprawl problem in the first place.

The good news is that SaaS sprawl is entirely preventable with the right governance in place. The first step to getting ahead of it is understanding exactly how it accumulates.

 


The Authentication Gap Most CISOs Don't Know Their Organizations Have

Multi-factor authentication (MFA) was supposed to solve the credential problem. For years, adding a second factor to the login process stopped the vast majority of attacks that relied on stolen passwords, and for most organizations, it felt like a significant step forward. That progress was real. But traditional MFA was never a complete fix, and attackers have spent the past several years learning how to work around it.

For CISOs, the authentication landscape in 2026 looks meaningfully different than it did even two years ago. The techniques used to bypass traditional MFA have matured from niche to mainstream, the regulatory and insurance pressure to adopt stronger alternatives is accelerating, and the window for treating phishing-resistant MFA as a future consideration rather than a current priority is closing faster than most security leaders realize.

Understanding what's changed, what it means for your authentication architecture, and what a realistic migration path looks like is now a near-term operational requirement.
