A condition where a cloud application becomes difficult to replace because cost, contract terms, data formats, or technical dependencies make exit impractical. In identity governance, this matters when access, audit evidence, or workflow continuity are tied to a single provider.
Expanded Definition
SaaS vendor lock-in is the practical inability to move an application, workflow, or identity-dependent process away from one provider without major disruption. In NHI security, the issue is rarely just subscription pricing. It often includes proprietary APIs, export limits, authentication dependencies, and audit evidence that only exist inside the vendor’s platform.
Definitions vary across vendors, but the core governance problem is consistent: the service becomes the control plane for access, logging, and automation. That makes exit planning a security requirement, not only a procurement concern. In a Zero Trust Architecture, this matters because trust decisions should not depend on a single SaaS boundary. NIST’s NIST Cybersecurity Framework 2.0 reinforces the need for resilience, recovery, and governance when critical services are concentrated in one provider.
The most common misapplication is treating lock-in as a licensing issue only, which occurs when teams ignore data portability, identity federation, and operational exit paths until renewal or a security incident forces change.
Examples and Use Cases
Implementing SaaS controls rigorously often introduces integration overhead, requiring organisations to weigh operational convenience against the cost of future migration and independent verification.
- A security team stores API keys, approvals, and alert routing inside one SaaS platform, then discovers the workflows cannot be replicated elsewhere without rebuilding the identity logic.
- An organisation uses a vendor-only log format, so forensic review and audit retention become dependent on continued access to that platform.
- A third-party SaaS supports privileged automation, but the tenant configuration cannot be exported cleanly, limiting the organisation’s ability to rehost the process.
- After a breach in a supplier ecosystem, the company must review whether service-account access and tokens can be rotated outside the original vendor environment, as seen in the BeyondTrust API key breach and the Snowflake breach.
- Identity teams using SaaS-native governance features compare exportability against external patterns such as NIST Cybersecurity Framework 2.0 and the exit lessons highlighted in the Ultimate Guide to NHIs — The NHI Market.
Why It Matters in NHI Security
Vendor lock-in becomes an NHI risk when service accounts, OAuth grants, rotation workflows, and audit trails are all tied to one SaaS provider. If that platform is compromised, changes pricing, or discontinues a feature, identity governance can fail at the same time as business continuity. NHIMG research shows that 92% of organisations expose NHIs to third parties, raising the likelihood that SaaS dependency becomes part of the attack surface, not just the operating model. The same report also notes that only 5.7% of organisations have full visibility into their service accounts, which makes lock-in harder to detect before it is exploited.
Practitioners should treat portability, offboarding, and evidence export as baseline controls for any identity-critical SaaS. The risk is amplified when secrets, tokens, and approval logic are embedded in platform-specific automation, because replacement then requires both technical migration and trust revalidation. The Salesloft OAuth token breach shows how quickly a SaaS dependency can turn into downstream identity exposure, while the Ultimate Guide to NHIs documents the broader prevalence of secret and privilege mismanagement.
Organisations typically encounter the true cost of lock-in only after a breach, contract dispute, or service sunset, at which point vendor exit becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM | Vendor lock-in is a resilience and risk-management issue under governance and recovery planning. |
| NIST Zero Trust (SP 800-207) | Zero Trust discourages implicit trust in a single provider boundary for identity and access decisions. | |
| OWASP Non-Human Identity Top 10 | NHI-04 | NHI governance includes lifecycle control, portability, and reducing dependence on vendor-specific identity features. |
Assess SaaS dependency risk, document exit options, and verify recovery paths before critical workflows depend on one vendor.
