451 Research Report on Agentic AI and Non-Human Identities

451 Research Report on SSPM Current Trends and the Journey Ahead

About the speakers

Amir Khayat

CEO and co-founder of Vorlon

Amir Khayat is the CEO and co-founder of Vorlon, a cybersecurity company that helps enterprises secure the sensitive data flowing across their converged SaaS and AI ecosystem. Amir’s journey through twenty years in cybersecurity has taken him from hands-on software development to being a founding team member at Demisto, the widely adopted SOAR platform, and through Demisto’s acquisition by Palo Alto Networks, where he ran global solutions engineering for their XSOAR platform. But while helping hundreds of global enterprises automate and streamline their security operations, Amir saw a new and rapidly growing need to protect sensitive data in motion from one system to another. He graduated from Reichman University, Herzliya, Israel (IDC) with a BA in Computer Science, and he holds an MBA from the Hebrew University of Jerusalem.

Justin Lam

Senior Research Analyst at 451 Research

Justin Lam is a Senior Research Analyst at 451 Research. Justin leads data security research, and if you’ve read any of his work, you know he has a rare ability to bridge the gap between what security buyers need and why vendors innovate. Across his career, Justin has worn just about every hat—from engineering and product management to customer success and sales leadership—and he’s been part of five successful exits, including two IPOs.

Employee termination flow

When an employee leaves, does their access leave with them? You’ve disabled their SSO, but what about the API keys and non-human identities they created years ago? In this interactive walkthrough, you’ll step into a live scenario where an ex-employee, "Ethan Exiter," attempts to access sensitive Salesforce data and GitHub source code after resigning. See firsthand how Vorlon detects the breach, identifies the specific secrets involved, and allows you to "break the glass" to revoke access instantly—stopping data exfiltration in its tracks.

SOC Analyst Day in the Life

From raw alert to resolved ticket—in minutes. Step into the shoes of a security analyst facing a high-risk Salesforce anomaly. Your morning starts in the SIEM, but the real power lies in the automation. This walkthrough demonstrates how Vorlon feeds your SOAR playbooks with the missing piece of the puzzle: the identity behind the traffic. See how we bridge the gap between a suspicious IP address and a compromised API key, enabling you to automate blocking and assign a Jira ticket to the business owner without ever leaving your flow.

Executive summary: Securing the Converged SaaS and AI Ecosystem: What CISOs and Practitioners Need to Know

Traditional security frameworks don’t fit today’s reality

The enterprise perimeter has shifted. Organizations are no longer securing just endpoints and networks. Sensitive data now moves across a converged SaaS and AI ecosystem where:

  • SaaS applications are interconnected through APIs and OAuth integrations
  • AI copilots, agents, and automations access sensitive records with organizational authority
  • Data constantly flows between human and non-human identities

Legacy SSPM and DSPM tools were designed for static environments. Today’s attack surface is dynamic, interconnected, and much harder to govern.


Nearly every organization runs on a converged SaaS and AI ecosystem

Justin Lam, 451 Research:
“Security has never been a solitary effort. Enterprises now operate inside a converged SaaS and AI ecosystem — one unified attack surface. If you treat SaaS and AI separately, you’re already behind.”

What defines this shift:

  • Broad SaaS adoption makes apps the backbone of daily business operations.
  • AI models and copilots act at machine speed, moving sensitive data instantly.
  • Together, they form a SaaS+AI ecosystem moving faster than most security frameworks can address.

Why Vorlon was founded

Amir Khayat, Vorlon:
“Organizations don’t own their data pipelines anymore. They flow through the converged SaaS and AI ecosystem. Vorlon was built to restore visibility and control for security teams operating in this new environment.”

Key founding insights:

  • Enterprises lost direct ownership of data movement.
  • Productivity gains created fragmented oversight.
  • Security teams need a way to see, govern, and remediate risks across SaaS+AI ecosystems.

The attack surface expands with SaaS and AI convergence

The converged SaaS and AI ecosystem accelerates work, but it also widens exposure:

  • SaaS apps, plug-ins, and AI add-ons increase data touchpoints
  • Secrets and tokens power integrations without oversight
  • Shadow SaaS and AI tools bypass security review
  • Sensitive data-in-motion is rarely governed end-to-end

Amir Khayat compared this to driverless cars: you trust them until the moment they don’t behave as expected. Security leaders cannot rely solely on vendor assurances.


Cracks in the shared responsibility model

The ShinyHunters phishing campaign exposed Salesforce customers without breaching Salesforce itself. Attackers used OAuth abuse to compromise customer environments.

Justin Lam:
“The shared responsibility model often feels like shared fate. Vendors can’t be accountable for risks across your converged SaaS and AI ecosystem.”

Enterprises must take ownership of how the SaaS and AI integrations they use are secured, monitored, and remediated.


Shadow SaaS and shadow AI

Every organization already runs on more SaaS+AI tools than leadership realizes.

  • Unsanctioned SaaS apps create hidden connections
  • AI copilots and plugins access data without approval
  • Inter-app automations silently move sensitive information

Mapping the converged SaaS and AI ecosystem is the first line of defense.


SaaS and AI convergence drivers

According to 451 Research, three forces are accelerating the convergence of SaaS and AI:

  1. Frictionless adoption — with low-code and API-first design, new SaaS+AI tools are added easily, often outside IT.
  2. Vendor stickiness — established SaaS vendors embed AI into their platforms to deepen reliance and lock-in.
  3. Reward-first culture — enterprises prioritize productivity and innovation over controls, leaving governance gaps.

Shared risk vectors across SaaS and AI

Amir Khayat notes that the risks are not separate; they converge inside one ecosystem:

  • Overshared access rights and privilege drift
  • Shadow SaaS and AI usage outside IT governance
  • Data exfiltration risks from opaque data flows
  • Non-human identity (NHI) risks from service accounts, tokens, bots, and AI agents

These are now shared risks across the SaaS+AI ecosystem, not siloed categories.


Data is the constant

Justin Lam:
“No matter how fast the SaaS and AI landscape evolves, the constant is the data. Protecting data-in-motion across the converged SaaS and AI ecosystem is the only sustainable defense model.”

CISOs should prioritize risk management by data impact: intellectual property, customer records, employee HR data, and regulated financial or healthcare information.


Case study: stopping ShinyHunters in the SaaS+AI ecosystem

Amir shared how Vorlon detected and mitigated a Salesforce-focused OAuth compromise aligned with ShinyHunters tactics:

  • Discovery: Vorlon monitored eight SaaS applications but auto-detected 51 downstream connections, including AI tools
  • Detection: Alert triggered when a new OAuth app with full permissions appears
  • Enrichment: Vorlon correlated identity misuse, TOR IP communication, and data-access patterns
  • Response: Tokens revoked automatically or delegated to IT. Mean-time-to-response reduced from weeks to minutes

This shows the importance of continuous monitoring across the entire converged SaaS and AI ecosystem, not just the primary vendor app.
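The detection, enrichment and response steps above, as an added example that is not Vorlon's code or API: constructed OAuth-authorization events are triaged against a sanctioned-app baseline and a constructed Tor exit-node list, with the scope names standing in for "full permissions" as an assumption.

```python
# Constructed example of the case-study logic; not Vorlon's code.
# Event shape, scope names and the Tor exit list are assumptions.

# Assumption: these scopes stand in for "full permissions" on the SaaS side.
FULL_SCOPES = {"full", "refresh_token"}

# Constructed Tor exit-node addresses (a real deployment would pull a live feed).
TOR_EXITS = {"198.51.100.7"}

# Constructed OAuth authorization events from a Salesforce-style audit log.
EVENTS = [
    {"app": "Slack Notifier", "user": "ops@example.com",
     "scopes": ["api"], "ip": "192.0.2.10"},
    {"app": "Data Loader Helper", "user": "ethan@example.com",
     "scopes": ["full", "refresh_token"], "ip": "198.51.100.7"},
    {"app": "CRM Sync", "user": "bob@example.com",
     "scopes": ["api", "refresh_token"], "ip": "192.0.2.11"},
]


def triage(events, known_apps, tor_exits=TOR_EXITS):
    """Alert on OAuth apps outside the sanctioned baseline that hold full
    scope, enrich with Tor exit-node matches, and choose a response action."""
    alerts = []
    for ev in events:
        reasons = []
        if ev["app"] not in known_apps:
            reasons.append("new OAuth app")
        if FULL_SCOPES & set(ev["scopes"]):
            reasons.append("full permissions")
        # Alert condition from the case study: a NEW app WITH full permissions.
        if len(reasons) < 2:
            continue
        severity = "high"
        if ev["ip"] in tor_exits:
            reasons.append("authorized from Tor exit node")
            severity = "critical"
        # Critical alerts revoke the token automatically; others go to IT.
        action = "revoke_token" if severity == "critical" else "delegate_to_it"
        alerts.append({"app": ev["app"], "user": ev["user"],
                       "severity": severity, "reasons": reasons,
                       "action": action})
    return alerts


if __name__ == "__main__":
    for a in triage(EVENTS, known_apps={"Slack Notifier"}):
        print(a["severity"], a["app"], a["action"], "; ".join(a["reasons"]))
```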


Secure by design vs. secure by operation

  • Vendors may design their SaaS+AI products with security features.
  • Enterprises still need to operate their own environments securely.

That requires:

  • Continuous monitoring of every new connection
  • Governing tokens and non-human identities
  • Rapid detection of abnormal behaviors and data flows

Closing insights

Key takeaways for security leaders:

  • Visibility is foundational. You can’t secure what you can’t map.
  • Shared responsibility ≠ shared protection. Enterprises must secure their own use cases.
  • Data-in-motion is today’s perimeter inside the converged SaaS and AI ecosystem.

Amir Khayat:
“Don’t cede your company’s security destiny to SaaS vendors. The future is proactive, unified defense across the converged SaaS and AI ecosystem.”


Next steps for security leaders

  • Map your converged SaaS and AI ecosystem: uncover every sanctioned and shadow connection
  • Treat non-human identities like users: monitor bots, scripts, tokens, and copilots carefully
  • Secure data-in-motion: track and prioritize risks by the sensitivity of data flows
  • Invest in unified SaaS+AI ecosystem security platforms: avoid piecemeal tools that create blind spots