Research Live · v1.1 Emerging Risk · 2026 Updated 04/26/2026

SaaSpocalypse 2026

Generic seat-based SaaS (Software-as-a-Service) is structurally collapsing. AI agents drove it. By Q2 2026 the panic has stabilized but the economics are permanently changed — enterprises are not abandoning software, they're internalizing the execution layer. This briefing leads with the latest Q2 update and preserves the original January 2026 thesis below.

The downloadable Q2 PDF is the original AI-synthesized draft. The on-page rendering above reflects additional source verification and calibration — where they diverge, the on-page version is authoritative.

Q2 2026 update · 04/26/2026

From panic to permanent realignment.

The February 2026 SaaSpocalypse erased hundreds of billions of dollars in market capitalization in days. By late April the most acute selling has stabilized — but the underlying economics have irrevocably changed. Per-seat SaaS revenue tied to human headcount is structurally impaired. Enterprises are internalizing execution layers, building custom agents, and demanding outcome-based pricing. AI infrastructure providers continue to thrive; application-layer incumbents are adapting or consolidating.

AI-enhanced ERM advantage

~73 days

Material risks identified earlier, on average, by organizations running AI-augmented Enterprise Risk Management vs. legacy reporting [1].

Shadow AI proliferation

>60

AI tools now in use at the typical mid-market firm — with 91% lacking any formal inventory or governance [2].

JPMorgan LLM Suite scale

230k+

Employees enabled on JPMorgan's internal LLM platform — the largest publicly disclosed in-house AI rollout in the financial sector [3].

The build revolt has accelerated.

Retool's February 2026 enterprise survey found 35%+ of organizations have already replaced SaaS functionality with internal builds, and 78% are accelerating internal-build initiatives [4]. "Vibe coding" — natural-language-driven development — has compressed cycles from weeks to days. Shadow IT now exceeds 60% of new tooling adoption, creating acute governance blind spots. High-profile cases are validating the economics: Klarna's internal knowledge graph has reportedly displaced parallel use of Salesforce and Zendesk for core customer-service workflows [5].

Financial sector spotlight

Banks lead the internalization wave — but mostly at the productivity layer.

The addendum's most-cited story is that banks are racing to deploy agentic AI inside their own perimeter. A more honest reading: most major banks have rolled out AI broadly at the productivity and knowledge-retrieval layer, with select inroads into risk-adjacent work (advisor supervision, portfolio risk extension). The deepest deployments inside core regulated workflows — anti-money-laundering (AML), know-your-customer (KYC) — are mostly older Google Cloud / IBM partnerships, not new in-house LLM platforms.

Stage of AI internalization, by major financial institution. ● = publicly disclosed deployment. Higher tiers represent deeper integration into regulated workflows.
Productivity helper · Knowledge retrieval · Risk-adjacent · Core regulated
JPMorgan · LLM Suite [3]
Goldman Sachs · GS AI Platform [6]
Citigroup · Citi Assist + Stylus [7]
Morgan Stanley · Assistant + Debrief [8]
BNY Mellon · Eliza [9]
BlackRock · Aladdin Copilot [10]
HSBC · Google Cloud DRA [11]

Pattern: every major institution sits at the productivity / knowledge layer. Morgan Stanley pushes into risk-adjacent territory through advisor-supervision recordkeeping. BlackRock's Aladdin Copilot is the closest thing to a real risk-engine deployment — a natural-language interface over an existing portfolio-risk platform. HSBC is the rare confirmed core-regulated case, but via an older Google Cloud Dynamic Risk Assessment (DRA) AML partnership — not a new agentic GRC tool. The "banks lead" headline is true; the depth varies more than the addendum's framing suggests.

The regulatory pressure list driving in-house deployment is real and broad: DORA (Digital Operational Resilience Act, EU), EU AI Act, NIS2 (Network and Information Security Directive 2), CSRD (Corporate Sustainability Reporting Directive), and SEC cyber disclosure rules. Multi-tenant SaaS is increasingly untenable for core processes under these regimes — pushing the "assembly approach" of raw foundation models plus proprietary guardrails and data fabric into the mainstream.

The risk side of the ledger

A new agentic-GRC risk surface.

Legacy GRC — static reporting, manual attestations, siloed point solutions — is obsolete in an agentic world. The risks that demand continuous, intelligent oversight are themselves novel:

⚠ AI hallucinations executing transactions

An agent acting on an LLM-generated misreading of a contract, ledger, or trade instruction now produces a real-world financial exposure rather than a flagged anomaly.

⚠ Shadow AI proliferation

>60 AI tools per mid-market firm with 91% lacking inventory [2]. CISOs and CCOs are accountable for systems they cannot enumerate.

⚠ Prompt injection

Adversarial inputs hidden in documents, emails, or ticketing fields can hijack an agent's instructions — a vector with no clean analog in pre-agentic systems.

⚠ Cascading agent failures

Multi-agent chains amplify one bad output across downstream agents. A failure mode that's bounded in a single-agent system becomes systemic in a chain.

The flip side is concrete: organizations running AI-enhanced ERM identify material risks ~73 days earlier than legacy reporting cadences allow [1]. Boards have started demanding risk expressed in dollars rather than heatmap colors — a maturity shift legacy GRC architectures struggle to support.

GRC vendor dynamics

The GRC pivot, vendor by vendor.

The most analytically useful read of the GRC vendor pivot is what each platform actually markets as agentic capability today. The matrix below tracks five capabilities the addendum identified as table-stakes for Q2 2026 against six leading vendors. Filled cells indicate the capability is publicly marketed by the vendor; the right-most column flags whether the platform was architected AI-native or is being retrofitted.

Agentic GRC capability coverage by vendor, Q2 2026. ● = publicly marketed capability. Architecture column captures how the platform was originally built.
Multi-agent triage · Regulatory change mapping · Continuous controls monitoring · Financial risk quantification · Architecture
MetricStream · Connected GRC [12] · retrofit + AI
Diligent · Diligent AI [13] · retrofit + AI
Archer · Evolv [14] · legacy retrofit
LogicGate · Risk Cloud [15] · AI-native
Optro (formerly AuditBoard) [16] · AI-native
ServiceNow · Now Assist for IRM [17] · retrofit + AI

The pattern: AI-native platforms (LogicGate, Optro) are gaining on agility and architecture coherence. Established players (MetricStream, Diligent, ServiceNow) are layering agentic capability on existing platforms — broader coverage, but architectural friction. Archer is the cautionary case — strong incumbent footprint, slowest to absorb the shift, with legacy UI and technical debt visibly slowing the Evolv transition. Diligent has expanded its agentic GRC offerings under the "Diligent AI" line; MetricStream's multi-agent triage and regulatory mapping appear in product marketing but specific feature naming should be verified directly with the vendor.

Forward view

Downstream impacts, 2026 – 2028.

  1. Revenue model evolution. Per-seat ARR (Annual Recurring Revenue) gives way to consumption, outcome-based, and API/programmatic pricing. Surviving SaaS vendors thrive as "capability layers" for AI agents rather than human-interface-centric apps.
  2. Enterprise sovereignty. Internalization of core workflows accelerates. Proprietary data plus AI execution becomes the new moat. The mid-market "build revolt" spreads upward into the enterprise.
  3. Talent and organizational shifts. Demand for rote operational roles compresses. Surge in AI orchestration, prompt engineering, and governance talent. Headcount compression is partially offset by productivity gains in the 3–6 hours per week range, per multiple internal surveys.
  4. GRC/ERM maturation. Continuous, agentic, financially quantified risk management becomes table stakes. Personal liability for CISOs (Chief Information Security Officers), CROs (Chief Risk Officers), and CCOs (Chief Compliance Officers) rises as shadow AI introduces novel compliance vectors. Regulators tighten AI governance frameworks in response.
  5. Broader systemic effects. AI-native entrants face lower barriers to entry. Vertical/specialized software with deep data moats and regulated workflows proves resilient. Financial services set the standard for secure, governed AI deployment. The overall productivity boom comes with heightened concentration risks in foundation-model providers and new cyber/operational exposures from autonomous agents.

Archive · v1.0 · Published 01/2026

The original January 2026 briefing.

Preserved as published. The Q2 update above builds on this foundation — the original thesis is unchanged, the data is the snapshot it always was.

Executive summary

The shape of the shift, in three numbers.

Generic workflow and CRM (Customer Relationship Management) vendors have lost hundreds of billions in market capitalization since January 2025. Enterprises are cutting per-user licenses and routing that spend into internal build budgets. One category — GRC — is running the other direction.

Generic SaaS value destruction

↘ $340B

Market capitalization lost among the top 50 generic workflow and CRM providers since January 2025.

Avg. seat-reduction intent

−62%

Enterprise intent to reduce per-user software licenses in the upcoming renewal cycles.

GRC SaaS growth

+14%

Counter-trend growth in specialized Governance, Risk, and Compliance platforms.

Impact analysis

Highest-impacted vendor categories.

Projected 12-month change in recurring revenue, by vendor category. Platforms that act primarily as database front-ends or basic text routers are being displaced fastest. Categories with real-world integration, legal-liability transfer, or proprietary closed data remain insulated.

⚠ The vulnerable zone

Platforms acting primarily as database GUIs (Graphical User Interfaces) or basic text routers — helpdesks, simple CRMs, light project management — are being rapidly replaced by custom-prompted AI agents connecting directly to internal data lakes.

✓ The moat

Categories involving physical-world integration, strict legal liability transfer, or proprietary closed-source data networks remain highly insulated from the SaaSpocalypse.

The paradigm inversion

The "Build vs. Buy" preference has flipped.

Historically, companies bought SaaS because software engineering was expensive and slow. As of late 2025, AI coding agents collapsed the cost of producing functional software to near zero. The chart below tracks CIO (Chief Information Officer) preference when facing a new business requirement — and we have officially crossed the threshold where companies prefer to build proprietary, AI-maintained micro-apps over buying rigid SaaS subscriptions.

Why companies are turning away from vendors

  • The integration tax. Third-party SaaS creates data silos. Custom-built AI tools operate directly on a company's internal unified data fabric — no connector maintenance, no vendor-owned schema.
  • Feature bloat. Enterprises pay for 100% of a SaaS platform's features but use around 10%. AI coding agents let them generate exactly the 10% they actually need.
  • Seat-cost disconnect. Paying $150 per user per month for a CRM makes no sense when an internal AI agent can read and write the same database for pennies in compute cost.

Sector deep dive

Financial industry and ERM / GRC.

The financial industry is a paradox inside the SaaSpocalypse. Banks and financial institutions are aggressively adopting the "build" posture, using private, on-premise AI models to replace generic SaaS — yet at the same time they are increasing spend on Enterprise Risk Management (ERM) and Governance, Risk, and Compliance (GRC) vendors. The two tools below unpack both halves.

Financial IT budget allocation

2024 baseline — heavy reliance on generic multi-tenant cloud SaaS.

The exodus from public-cloud SaaS

Financial institutions are turning away from generic vendors — CRMs like Salesforce, helpdesks like Zendesk, basic reporting tools — to build proprietary internal systems. Two drivers do most of the work:

  • Data sovereignty and privacy. Instead of routing Personally Identifiable Information (PII) and financial data through a third-party SaaS, banks run AI agents inside their own Virtual Private Clouds (VPCs). The data never leaves the perimeter.
  • Bespoke reconciliation. Legacy mainframes and modern APIs (Application Programming Interfaces) are being bridged by AI coding agents that write custom, one-off ETL (Extract, Transform, Load) pipelines overnight — replacing expensive middleware SaaS.

Methodology

What this briefing is — and isn't.

What it is. A synthesized, conceptual model of the 2026 market shift — vendor-category impact, CIO preference data, and financial-sector budget allocation — built to explain an emerging risk to a non-technical audience of risk, finance, and technology leaders. The charts are illustrative of directional trends, not a specific vendor scorecard.

What it isn't. A procurement recommendation, a financial forecast, or an endorsement of any named vendor. Numbers are composite estimates, not audited figures. Do not use this as the single input to a renewal or build-versus-buy decision.

How to use it. As a conversation-starter for your next ERM committee, vendor risk review, or IT budget planning cycle. Pair it with the Build vs. Buy calculator to pressure-test the economics on your own inputs.

About the Q2 2026 update. Specific platform names, scale figures, and vendor capabilities cited in the Q2 section reflect public disclosures and product marketing through April 2026 — verify directly with the vendor or institution before using any single figure in a procurement or audit decision. The "~73 days earlier" risk-identification figure and the ">60 tools per firm / 91% lacking inventory" shadow-AI figure are composite directional estimates synthesized from multiple industry surveys, in keeping with the original briefing's methodology.

Why the PDF and the page differ. The downloadable Q2 PDF is the original AI-synthesized draft addendum. The on-page Q2 update above is the calibrated reading — same thesis, but with bank deployments, vendor specifics, and product names verified against (or softened to match) public reporting. Where the two diverge, the on-page version is authoritative. Both are published openly so a reader can see exactly where AI-generated synthesis benefited from human verification — itself a SaaSpocalypse-relevant lesson.

Q2 2026 update — sources

  1. "~73 days earlier" — composite directional estimate drawn from industry survey reporting on AI-augmented continuous controls monitoring vs. legacy quarterly attestation cycles. Treat as illustrative, not audited.
  2. ">60 AI tools per firm / 91% lacking inventory" — composite estimate aligned with reporting on shadow AI proliferation in mid-market firms. See coverage in Forbes Tech Council and analyst commentary on agentic AI governance gaps.
  3. JPMorgan LLM Suite — internal generative AI platform, deployed via Microsoft Azure on OpenAI models. Initial rollout to ~60,000 employees, scaling toward firmwide ~230,000. Reuters (08/2024); Financial Times. Verify current employee-enabled count against the most recent JPMorgan annual report.
  4. Retool, "State of Engineering Time" / enterprise survey series (2024–2026). See retool.com/reports for the most recent edition.
  5. Klarna — public statements on internal AI assistant displacing parallel use of customer-service SaaS. Klarna press; Bloomberg coverage.
  6. Goldman Sachs GS AI Platform / GS AI Assistant — firmwide rollout announced early 2025; ~10,000 in initial wave, plan to scale to ~46,000. CNBC (01/2025); Reuters.
  7. Citigroup Citi Assist + Citi Stylus — rolled to ~140,000 employees across 8 countries. Reuters (06/2024); Citi press releases.
  8. Morgan Stanley AI @ Morgan Stanley Assistant (launched 09/2023) and Debrief (launched 06/2024); ~16,000 financial advisors enabled, retrieval over ~100,000 internal research documents. Morgan Stanley press; CNBC (06/2024); Wall Street Journal.
  9. BNY Mellon Eliza — internal AI platform disclosed in 2024 with firmwide rollout. BNY Mellon press; Bloomberg coverage.
  10. BlackRock Aladdin Copilot — generative AI layer integrated into the Aladdin portfolio and risk platform, announced 2024. BlackRock Aladdin overview.
  11. HSBC + Google Cloud "Dynamic Risk Assessment" (DRA) — AI-powered AML / financial-crime detection partnership, originally announced pre-current-AI-wave and actively expanded through 2024–2025. Google Cloud + HSBC announcement; HSBC newsroom.
  12. MetricStream Connected GRC — vendor-marketed AI-First positioning with multi-agent triage and regulatory change management. metricstream.com. Specific feature wording should be verified directly on vendor product pages.
  13. Diligent AI — agentic governance and risk offerings under the Diligent product line, including governance, audit, and ESG modules acquired via the HighBond/Galvanize transaction. diligent.com. Specific 2026 product-launch claims should be verified directly with Diligent press.
  14. Archer (Archer IRM) Evolv — modernization track for the Archer GRC suite. archerirm.com. "Legacy debt" framing reflects analyst commentary in Forrester Wave and Gartner Magic Quadrant reports for IT Risk Management.
  15. LogicGate Risk Cloud — challenger GRC platform with native AI capabilities ("AI Cluster," risk insights). logicgate.com.
  16. Optro — rebrand of AuditBoard (acquired by Hg in 2024). AI-native compliance and audit operations platform. optro.ai.
  17. ServiceNow Now Assist for IRM — generative AI capabilities embedded in the ServiceNow Integrated Risk Management product, part of the broader Now Assist generative-AI rollout. ServiceNow GRC product page.