SaaS, Third Parties, and Shadow Responsibility

SaaS, third-party platforms, and shadow responsibility expand the shared responsibility model beyond infrastructure-centric cloud discussions. In SaaS, the provider operates far more of the technical stack, but the customer still owns user lifecycle, tenant configuration, sharing rules, integration risk, data governance, and the decision to accept the vendor’s control model in the first place. Those duties become even harder to see when unsanctioned tools and shadow IT enter the environment.

This chapter starts by framing the SaaS version of shared responsibility, then moves into configuration risk inside tenant settings, vendor review and procurement governance, and finally the visibility problem created by unmanaged cloud use. The lessons belong together because SaaS incidents rarely come from misunderstanding the provider’s data center operations. They come from misunderstanding the customer’s own choices in the tenant and around the vendor.

What To Pay Attention To

  • how customer ownership shifts from infrastructure operation toward identity, configuration, data-sharing, and vendor acceptance decisions
  • why integrations, marketplace add-ons, and delegated administration create shadow responsibility even in well-managed SaaS platforms
  • how shadow IT bypasses both provider controls and internal governance unless responsibility is made explicit

Read this chapter when a team assumes SaaS transfers security and governance almost entirely to the provider. The goal is to make SaaS-era ownership explicit enough that customer decisions around users, data, integrations, and unsanctioned services remain visible and governable.

Revised on Thursday, April 23, 2026