SaaS governance, AI risk and cost — written from the product
Opinionated pieces on shadow AI, offboarding gaps, OAuth-consent risk, KVKK compliance and ghost subscriptions. Each post is grounded in how CenseCloud is actually built.
Your vendor questionnaire is stale the day you finish it — running TPRM as a continuous loop
Annual vendor assessment is true at the moment of answering and invalid three months later. The four steps of continuous TPRM — assess, evidence, monitor, notify — and why criticality and risk are separate axes.
Shadow AI: what's actually happening inside the firm
Banning ChatGPT doesn't work — employees already reach AI through personal accounts, IDE extensions and CLI tools. The four invisible layers and a manageable control ladder.
What stays open in a departed employee's SaaS — the hidden cost of offboarding
An employee left, you closed the AD account. They're still active in Salesforce, Notion, GitHub. The cause is fragmented: SSO blind spots, lastLogon lies, only two JML categories instead of five.
OAuth permissions: who can silently open a door to your SaaS?
Attackers don't break SSO; a user grants an app full Drive access in one click. Why OAuth-consent attacks are 2026's quietest open door, and the weekly review list to run against it.
KVKK + SaaS: there is no compliance without inventory
The first question in a KVKK audit is 'where is the data?' — in a modern firm, the answer is ten different SaaS tools. Practical guide for RoPA, KVKK risk layer and KVKK + ISO 27001 + NIST alignment.
Ghost subscriptions: the SaaS budget growing without IT's knowledge
The IT-maintained SaaS list is only 40–60% of the real number. The rest hides in anonymous payments, free tiers, personal accounts. Invisible on bills — but eating 20–30% of the budget.