Comment by Silhouette

6 years ago

But as far as using unapproved SaaS, they won't officially allow you to. But it does change the power dynamics at play considerably, since it's a matter of compliance rather than capability.

Well, yes, in the sense that someone might manage to access such a system despite any corporate security barriers if, as you mentioned, they initially managed to fly under the radar.

Of course, if caught doing that without the appropriate authority in the kind of environment I was talking about, that person would most likely be fired immediately at best. Potentially they could be sued for more money than they would ever earn if they wilfully caused compliance violations that resulted in big financial penalties. Potentially they could even face criminal charges that could see them imprisoned, depending on the nature of the violation and the jurisdiction in which it occurred.

Personally, I wouldn't consider it ethical to try to attract additional business in that way. As a practical matter, it's also highly unlikely to succeed with customers in sensitive sectors like finance, healthcare or defence/security work, though of course those are organisations towards one end of a spectrum and the IT departments in less security-sensitive organisations wouldn't necessarily be deploying the same level of countermeasures.