April 9, 2025

EP 5 – Identity Debt: The Hidden Risk in SaaS Applications

In this episode of the Security Matters podcast, host David Puner sits down with Lior Yaari, CEO and co-founder of Grip Security, for a discussion that covers the concept of identity debt and its implications for modern cybersecurity. Lior shares insights from his experience in Israel’s elite Unit 8200 and explains why identity is now the new security perimeter. They delve into the challenges organizations face in managing SaaS applications, the impact of generative AI on cybersecurity and the importance of proactive identity governance. Tune in for tips on how to protect your organization from within and stay ahead of evolving threats.

David Puner:
You are listening to the Security Matters podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.

Imagine this: It started with a single signup form. A product marketing manager was working late, prepping for a board presentation. She needed sharper visuals fast, so she found an AI-powered slide tool online and quickly logged in with her corporate email. No approvals. No red tape. She uploaded sensitive financial data and hit generate.

By morning, security was in crisis mode. That AI tool? Built by a 15-person startup—no security team, no SSO, no offboarding protocols. And no idea it was now holding confidential files from a Fortune 500 company. This wasn’t just a one-off—it was one of many apps quietly adopted across the company. Every click created yet another unmanaged identity—something today’s guest, Lior Yaari, calls identity debt.

Lior Yaari is the CEO and co-founder of Grip Security, a SaaS identity risk management platform that helps companies regain control of sprawling SaaS environments. He’s also a former officer in Israel’s elite Unit 8200, where he cut his teeth in cybersecurity.

In our conversation, he affirms why identity is the new security perimeter—and what organizations can do to protect themselves from within.

Let’s get into it.

David Puner:
CEO and co-founder of Grip Security—welcome to Security Matters. Thanks for coming down to the podcast.

Lior Yaari:
Well, thank you for having me. I’m really happy to be here.

David Puner:
Yeah, absolutely. It’s a Friday afternoon in March. It feels a little springlike here in the Boston area. We’re doing deals in real time. Really excited that you’re taking the time to speak with us in the midst of all the excitement.

Lior Yaari:
Always happy to finish the week and finish it with a good podcast. So I’m really excited for today.

David Puner:
Excellent. So why don’t we get right into things so we can get to the weekend. Grip Security is a SaaS identity risk management platform. To start things off, what does that mean? And how has the market for SaaS identity risk management and SaaS security posture management evolved since you started the company back in January 2021?

Lior Yaari:
SaaS identity risk management—and the SaaS security space in general—is growing. It’s growing because we live in a world now where the barrier to adopting a new app is just a signup form. Every user, every business unit, can go ahead and sign up for any application they want.

We used to view this as a supply chain problem. All of these apps contain data that belongs to the company. But it’s also an identity problem. When people sign up, they create identities in applications. They create identity debt for the organization. And those identities need to be governed and managed by all our identity tools.

We founded the company when we saw the entire technology innovation shift to SaaS. If you want to buy new technologies for the business, there’s no real alternative anymore. All of these AI tools are just SaaS apps with AI under the hood. There’s a signup form, there’s an admin panel, and they process sensitive business data.
The data we’ve seen over the last four years—even before the market caught up—is that every company increased the number of vendors they use by about 30% year over year. Four years at that pace? The problem more than doubles in size.

And now the market is responding. Whether it’s Gartner reports calling out the issue, major acquisitions by companies like CrowdStrike, or significant investments in the space—including in Grip—there’s growing awareness. Customers are prioritizing SaaS security as a core project for the year ahead. It’s a great time to be working in this space.

David Puner:
These days, you’re based in Boston. From your accent, I’m guessing you were born in Israel?

Lior Yaari:
Yes—if anyone hasn’t picked up on it yet. I was born in Israel and moved to Boston about two years ago. I made the move when the company was scaling. Our engineering team is still based in Tel Aviv, but now half of our company is in the U.S.

I relocated right before our Series B round to help establish and grow our U.S. headquarters. Most of our partners and customers are here in the States, and as CEO, I wanted to be close to the team and lead the go-to-market side of the business with boots on the ground.

David Puner:
You began your career as an officer in Israel’s Unit 8200—which is kind of like the NSA in the U.S. or the U.K.’s GCHQ, right?

Lior Yaari:
That’s what Wikipedia would say, yes.

David Puner:
And what would you say?

Lior Yaari:
Go with what Wikipedia says.

David Puner:
Alright. So you started there—how did that experience shape your career path and eventually lead to founding a SaaS identity risk management company?

Lior Yaari:
Before anything, I was surrounded by incredible people. I spent seven years in the military learning a lot about technology, but what had the biggest impact on me was seeing how many of the people I served with went on to become founders and leaders in cybersecurity.

After I left the army, I worked at a startup, then became CTO at a major cybersecurity investment firm. That was a turning point. I got really interested in SaaS security from an investor’s perspective. It was clear—even in 2020 during COVID—that SaaS wasn’t going anywhere.

The traditional security solutions couldn’t scale to meet the growing risks. Customers weren’t satisfied with what was on the market—whether it was legacy CASBs or the first generation of SaaS security tools focused solely on misconfigurations or single platforms like Salesforce and Microsoft 365.
Salesforce and Microsoft 365 are probably the two most important SaaS apps a company uses—but they’re just two out of potentially thousands in an enterprise environment. With SaaS adoption growing 30% year over year, that number quickly multiplies. You simply can’t secure these applications one by one.

That’s where identity comes in. Identity becomes the scalable gateway to securing applications. Our goal with Grip was to bring an identity-first approach to SaaS security.

David Puner:
Let’s talk more about organizations. What are some of the common challenges they face when trying to map, govern, and manage SaaS applications to reduce risk?

Lior Yaari:
Great question. Let me give you a real-world example. Disney made headlines recently for being breached—twice. In both cases, an ex-employee logged back into an application they previously had access to. They didn’t hack anything. They used the same login, the same credentials, and downloaded the same data—just to a private laptop instead of a corporate one.

It’s an identity challenge: no offboarding, weak password reliance, no SSO. It’s also a data breach, because that data left the organization’s perimeter. But it’s not some sophisticated attack—it’s something that happens every day across companies. The core challenge is that SaaS moves faster than security does.

The business units are the ones choosing and adopting these apps. They’re creating new identities, managing configurations, and in doing so, they’re creating identity and security debt. Security teams are left holding the bag—responsible for cleaning up and securing everything after the fact.
And that mismatch—between the teams creating the debt and the teams paying for it—is a big part of the problem. Business leaders are under pressure to innovate quickly. You’ve probably heard the quote: “Companies that don’t use AI are going to die.” So now the CEO, the board, the COO—they’re all pushing to adopt tools fast, and they don’t need IT’s help to do it.

That leaves security teams scrambling to secure what’s already been adopted. The risks range from supply chain and compliance issues—like understanding what vendors you’re actually using—to identity lifecycle challenges, like offboarding users at the right time and enforcing safe credential use. There’s also the risk of misconfigurations or lack of SSO across critical apps.

And the reality is that managing all of this manually just doesn’t scale. The volume is too high, the pace too fast. That’s why we built Grip—to automate SaaS governance and security at scale.

David Puner:
You mentioned AI. How do you see generative AI impacting cybersecurity, and what measures can be taken to manage those risks?

Lior Yaari:
AI isn’t fundamentally different from any other SaaS app—it’s just moving faster and is often even more user-driven. These tools market directly to employees. They’re encouraged to sign up, start collaborating, and input data. But there are two key challenges.

First, the pace of innovation is unprecedented. AI tools are building more AI tools, and they’re coming from tiny startups with no security team, no compliance oversight, and very little time spent hardening their systems.

Second, the tools are being adopted by the business before security even knows they exist. I was just having breakfast with a friend—a security director at a large company—and she showed me the AI tool she’s using to auto-generate PowerPoint decks. Those decks contain corporate data. She’ll present them to the board. That’s sensitive content being processed by a tool no one vetted.

Security teams can’t just hope for these tools to get better over time. They need visibility. They need identity governance. And they need to extend their control to these apps—even if the apps themselves don’t support basic security features like SSO.
Take OpenAI, for example—it took them two years to add SSO. And they’re one of the biggest players in the space. Most of the AI startups popping up right now have a fraction of that budget and experience. They definitely don’t support enterprise-level identity controls out of the box.

So you need a virtual layer—a security layer on top—that helps you implement offboarding, enforce password hygiene, monitor accounts, and extend IGA policies into those tools. That’s where the real risk mitigation happens.

David Puner:
What is shadow AI, and how does it tie into the challenges you’re trying to solve?

Lior Yaari:
Shadow AI is basically AI tools adopted by the business that are unknown to security. The people who own the risk—security and IT—don’t even know these apps are being used. But of course, the users do—they’re using them daily.

It’s part of a broader trend. We’ve already been talking about “shadow IT” and “shadow SaaS”—apps adopted outside of IT’s control. Gartner has even renamed these terms. They now refer to “shadow IT” as business-led IT, and “shadow identities” as distributed identities. That’s a shift in thinking. It’s a recognition that the business isn’t trying to be risky or secretive. They’re just trying to get work done.

So shadow AI? It’s really business-led AI. It’s not something we eliminate—it’s something we have to support safely. These tools are useful. But security has to step in and provide the right visibility, governance, and controls—without blocking productivity.

David Puner:
Speaking of identities, how are you approaching the increasing complexity of identity management—especially with the rise of machine identities? How do those introduce new layers of risk?

Lior Yaari:
It’s a huge challenge. We often focus on how users interact with third-party apps, but many of those apps have their own marketplaces now—Salesforce, Slack, Notion, Monday, Zoom, and so on. These marketplaces let you enhance functionality by connecting third-party apps. But behind those integrations are machine identities—apps talking to other apps in the background.

Once those connections are made, they often operate independently of users. They’re persistent and can be hard to track. That’s where risk comes in.

A great example is the CircleCI breach from a few years ago. CircleCI is deeply integrated into many organizations’ CI/CD pipelines and cloud environments. When attackers compromised CircleCI, they gained programmatic access to tools like GitHub, AWS, and others. Suddenly, one app becomes the gateway to many more. That’s what we call application hopping—jumping between apps through machine-to-machine tokens.

And here’s the kicker: even if you secure user access to Salesforce with least privilege and identity controls, a single third-party integration—like a BI tool connected to Salesforce—can expose all of that data. That one small app can bypass all your hard work.

So machine identities need to be monitored, secured, and governed just like human ones. Otherwise, you’ve got serious gaps in your perimeter.

David Puner:
You make it sound so easy.

Lior Yaari:
I wish it were easy. But then again, if it were, we probably wouldn’t have a business.

David Puner:
Zooming out a bit—what do you see as the most significant cyberthreats today? And how do you think that may shift in the near future?

Lior Yaari:
Right now, there are a lot of great opportunities—for both attackers and defenders. That’s what makes cybersecurity so dynamic. But attackers are often the first to adopt new technologies. Not necessarily faster than startups, but definitely faster than enterprises trying to integrate those technologies into their existing security stacks.

With AI, for example, attackers are already finding ways to exploit it. Traditional phishing detection relies on things like spotting spelling errors. That doesn’t work anymore. Attackers can use AI to generate thousands of well-written phishing emails at once. They can run massive campaigns with just a script and an LLM.

The second big concern for me is trust—trust in voice, video, and even identity itself. With a few minutes of audio from this podcast, someone could generate a fake call that sounds just like me. Sure, maybe my accent might throw them off a little, but it’s possible. You could fake a conversation, make it sound legit. That’s going to require a whole new layer of verification and awareness inside companies.
If phishing messages can trick people through text, imagine how effective they’ll be when delivered through a convincing voice or video. Most people aren’t trained to question what sounds real. That’s going to make social engineering even more dangerous.

Then there’s the broader shift: we’ve moved infrastructure from on-prem to the cloud. We’ve moved identity from being something contained within a local network to something that lives across the internet. That fundamentally changes the nature of the security perimeter.

David Puner:
Is there really even such a thing as a perimeter anymore? How do you define it now?

Lior Yaari:
It’s all about identity. Gartner calls it the cybersecurity mesh architecture. In a world where access can come from anywhere and data is everywhere, identity and context become your ultimate control points. So yes, there is a perimeter—but it’s identity-centric. And everything needs to move in that direction.

David Puner:
How can organizations stay ahead of evolving threats like ransomware, zero-day attacks, and supply chain vulnerabilities?

Lior Yaari:
There’s no one-size-fits-all solution. But the first step is knowing what the problems are. I feel for CISOs. Their threat list is long—and it keeps growing. It’s tough for smaller organizations with lean teams. And even for large organizations, the variety of threats they face is overwhelming.

Cybersecurity is one of the few spaces where there’s an active adversary. If we slow down, they’ll get ahead. So we need to keep evolving—how we think, how we plan, and how we prioritize.
We sometimes assume cybersecurity used to be easier, but that’s just because we didn’t have the tools or understanding we do now. Attackers have become more sophisticated. So we need to stay informed about new problems, but also be open to new solutions.

Yes, it can be tiring. There are a lot of new companies out there solving specific problems, and it’s hard to evaluate them all. But the only way to address complex and evolving threats is to partner with people who are dedicating their entire day to solving that one thing you haven’t had time to fully explore yet.

David Puner:
In such a rapidly changing landscape, how do you personally stay on top of it all?

Lior Yaari:
I’m lucky that I get to focus deeply on a problem I care about. I go to a lot of conferences. I talk to a lot of people. And I spend time with early-stage founders. They’re on the ground, building the next wave of cybersecurity tools. They have insights into problems that aren’t even mainstream yet. Talking with them—and VCs, and staying active on platforms like LinkedIn—is how I stay current.

David Puner:
I’d read somewhere that you had a focus on automotive at one point. What about that industry stood out to you as relevant to the broader cybersecurity landscape?

Lior Yaari:
Yeah, back in the day, one of my parents’ old friends asked what I did for a living, and I told him I was breaking into cars. He looked pretty disappointed—thought I’d end up doing something more respectable. But it was all virtual. I was working in automotive security, helping major car manufacturers secure their vehicles.

Cars today are essentially rolling networks of IoT devices. There’s a great quote I love: “The ‘S’ in IoT stands for security.” Of course, there’s no “S” in IoT—because security is often missing.

That work taught me a lot. Cars are incredibly complex systems. And when you’re building something that intricate, security often takes a backseat. It’s the same with corporate networks. Even in something like a marketing org, the systems are layered and sophisticated. People don’t think someone will exploit what they’re building. They’re just trying to do their jobs.

Professionals—from engineers to CFOs—don’t ignore security because they’re malicious. They ignore it because they don’t think about the bad things that can happen. That means it’s on us, the security professionals, to be proactive—not just in stopping breaches, but in helping people understand risk before they make decisions.

David Puner:
That ties into what you’re doing now—supporting safer SaaS adoption.

Lior Yaari:
Exactly. Whether it’s phishing education or identity governance, the goal is the same: support people before mistakes happen—not after.

David Puner:
One last thing—our research team came across a story about you doing NYU students’ homework when you were 16. True?

Lior Yaari:
Can’t believe that made it into the notes! Yeah, when I was in high school, I got connected with an NYU student who didn’t want to do his intro to computer science homework. He’d message me a couple of days before a deadline and offer $70 an hour to finish it. For a 16-year-old, that was incredible money.

I started doing Java assignments, then got into security coursework. I was learning Linux and writing reports on securing operating systems before I even really knew what cybersecurity was. It wasn’t what launched my career, but it was definitely the first step in that direction.

David Puner:
And how did he do on those assignments?

Lior Yaari:
He did very well. We haven’t stayed in touch, and I don’t think he’d pass the Grip interview process today.

David Puner:
Lior Yaari, thank you so much for joining us on Security Matters. This was fantastic.

Lior Yaari:
Thank you, David. I had a lot of fun.

David Puner:
There you have it. Thanks for listening to Security Matters. If you liked this episode, please follow us wherever you get your podcasts so you don’t miss future episodes. And if you’re feeling generous, leave us a review—it helps more than you’d think.

Have a question, a comment, or an idea for an episode? Reach out to us at [email protected].

We’ll see you next time.