What breaks when SaaS platforms only focus on spend optimisation?

You can remove unused licences and still leave access risk untouched. Spend tools may tell you where money is wasted, but they usually do not explain whether app access is still valid, whether third-party sharing is active, or whether offboarding has been completed across the full SaaS estate.

Why This Matters for Security Teams

Spend optimisation treats SaaS as a procurement problem, but access risk is an identity problem. That distinction matters because a deprovisioned licence is not the same thing as revoked access, and a dormant app subscription can still hide valid OAuth grants, shared mailboxes, service accounts, and third-party integrations. Current guidance from the NIST Cybersecurity Framework 2.0 emphasizes governance and continuous risk management, not just asset rationalisation. In SaaS estates, the costly failure mode is assuming finance data tells the full security story.

That blind spot shows up in incidents like the Salesloft OAuth token breach and the BeyondTrust API key breach, where the problem was not licence spend but retained machine access. NHI Management Group’s Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which is exactly why cost-cutting alone can leave the highest-risk identities untouched. In practice, many security teams encounter SaaS exposure only after an offboarding miss or token leak has already become a data access issue, rather than through intentional control review.

How It Works in Practice

Effective SaaS governance separates cost, access, and accountability into different control loops. Spend tools can identify unused licences, but security teams need a parallel process that asks whether the account, token, connector, or delegated permission is still valid. For that reason, licence reclamation should trigger identity review, not replace it. In a mature workflow, every SaaS application is mapped to owners, data sensitivity, connected integrations, and offboarding steps, then validated against live access telemetry.

Practitioners usually need to check four things at the same time:

  • Does the user or workload still need access, or does only the subscription need renewal?
  • Are there active OAuth grants, API keys, app passwords, or service accounts that outlive the licence record?
  • Has offboarding removed third-party sharing, delegated admin rights, and session tokens?
  • Is the app tied to regulated data, where delayed revocation creates compliance exposure?

This is where identity governance and SaaS discovery intersect. The issue is not just human users. Machine identities often continue running after the visible licence is reclaimed, which is why the NHI data in the Ultimate Guide to NHIs is relevant to SaaS operations as well. Teams should align reviews to identity, not invoice lines, and use continuous validation against access logs, admin changes, and integration inventories. These controls tend to break down when SaaS is heavily federated across business units because no single system owns the full offboarding path.
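As an added example (not code from the journal or any vendor tool), the following Python check implements the review loop described above: when a licence is reclaimed, it lists the OAuth grants, API keys, service accounts and leftover sharing or admin rights that still outlive the licence record, raises severity for apps holding regulated data, and flags apps with no accountable owner. The record shapes, field names and sample inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Record shapes are constructed for this example, not any vendor's API.
@dataclass(frozen=True)
class Grant:
    kind: str                # oauth | api_key | app_password | service_account | external_share | delegated_admin | session
    subject: str             # user or workload the grant belongs to
    app: str
    expires: Optional[date]  # None = no expiry, i.e. a long-lived credential

@dataclass(frozen=True)
class App:
    name: str
    owner: Optional[str]     # accountable owner; None = nobody owns the offboarding path
    regulated_data: bool     # app holds regulated data (PII, PCI, PHI ...)

CREDENTIALS = {"oauth", "api_key", "app_password", "service_account"}
OFFBOARDING = {"external_share", "delegated_admin", "session"}

def review_on_reclamation(subject, app, grants, today):
    """Identity review triggered by a licence reclamation for `subject` on `app`.
    Returns (severity, kind, message) tuples; an empty list means safe to close."""
    base = "high" if app.regulated_data else "medium"
    findings = []
    for g in grants:
        if g.subject != subject or g.app != app.name:
            continue
        if g.expires is not None and g.expires <= today:
            continue  # already expired: the licence record and reality agree
        if g.kind in CREDENTIALS:
            findings.append((base, g.kind, f"{g.kind} for {subject} outlives the licence record"))
        elif g.kind in OFFBOARDING:
            findings.append((base, g.kind, f"offboarding incomplete: {g.kind} still present"))
    if app.owner is None:
        findings.append(("medium", "ownership", f"{app.name} has no accountable owner"))
    return findings

# Constructed sample inventory.
TODAY = date(2024, 6, 1)
CRM = App("crm", owner="sales-ops", regulated_data=True)
SAMPLE_GRANTS = [
    Grant("oauth", "alice", "crm", None),                # long-lived refresh token
    Grant("api_key", "alice", "crm", date(2024, 5, 1)),  # already expired
    Grant("external_share", "alice", "crm", None),       # sharing link not cleaned up
    Grant("oauth", "bob", "crm", None),                  # another user, out of scope
]
```

Running `review_on_reclamation("alice", CRM, SAMPLE_GRANTS, TODAY)` returns two high-severity findings (the live OAuth token and the external share) while ignoring the expired API key and bob's grant.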

Common Variations and Edge Cases

Tighter SaaS governance often increases administrative overhead, requiring organisations to balance licence recovery against clean access revocation and business continuity. That tradeoff becomes most visible in shared admin accounts, embedded apps, and partner-managed tenants, where aggressive cost cutting can interrupt legitimate workflows if ownership is unclear. Best practice is evolving here, and there is no universal standard for how often every SaaS permission type should be revalidated.

Edge cases matter most when spend data is incomplete. A platform may look inactive from a finance perspective while still carrying external sharing, long-lived refresh tokens, or privileged connectors into production systems. Likewise, a “low-use” application may be the only approved path for a critical business process, so reclaiming it without control review creates operational risk. The right question is not simply whether the app is used, but whether its access path is still justified, monitored, and revocable.

For broader governance, the Snowflake breach shows how retained access can persist well beyond the original business need, while the NIST framework reinforces that security decisions should be tied to ongoing risk assessment rather than one-time procurement cleanup. Spend optimisation is useful, but it becomes dangerous when it is mistaken for identity hygiene.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers rotation and revocation gaps that spend tools miss. |
| NIST CSF 2.0 | PR.AA-1 | Identity verification and access validity are central to this SaaS risk gap. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege review is needed when SaaS spend is optimised without access review. |
| NIST AI RMF | | Risk governance applies to identity, access, and lifecycle decisions across SaaS. |

Tie licence reclamation to credential revocation and token rotation checks before closing the SaaS ticket.