This study explored the security challenges associated with consuming SaaS services by regulated enterprises in the United States. Although cloud computing provides numerous business advantages, it introduces significant security risks, such as the exposure of information assets to the internet and the complexities of multitenant environments. Expert analysis of recent cybersecurity incidents highlighted over-reliance on cloud service providers, risks that cloud consumers underestimate, and the need for more effective security practices. Security incidents disrupted business operations, damaged reputation, and affected regulatory compliance. This qualitative study draws on the Integrated System Theory of Information Security Management and 'Zero Trust' architecture principles to establish a connection between organizational security governance and SaaS-specific security controls, addressing a critical gap in current cloud computing literature and industry practices. The practical implications of this study address the SaaS consumer's need for comprehensive security; they include a SaaS-specific threat modeling approach that combines OWASP and HITRUST elements with risk management frameworks such as NIST 800-37 and its associated baseline of security controls. This model guides SaaS consumers in identifying threats for the specific workload context, classifying information assets, selecting controls guided by Zero Trust practices, and responding to emerging threats. Additionally, the study emphasized the importance of thorough risk analyses of cloud providers' security maturity, focusing on factors such as transparency, SLAs, infrastructure scalability, and regulatory compliance.
Finally, the study stresses the need to integrate Organizational Security Governance (OSG) with security controls, highlighting the pivotal role of the C-suite and board in overseeing risk management, compliance, and ongoing security monitoring, which ensures a robust and accountable security framework within SaaS environments.