TL;DR: Oktane 2024 conversations underscored that manual access reviews, SaaS sprawl, shadow IT, and compliance pressure are making access governance harder to manage at enterprise scale, according to Zluri. The practical shift is toward automation and app-level visibility, because identity programmes can no longer rely on review cycles designed for smaller, slower software estates.
At a glance
What this is: This is a Zluri event recap arguing that SaaS access management has become a scale problem, with manual reviews, shadow IT, and compliance demands driving interest in automation.
Why it matters: It matters because SaaS governance now touches IAM, IGA, and access review workflows at a volume that can overwhelm human-led processes across both employee and non-human access.
By the numbers:
- Oktane 2024 brought together over 3,000 technology and security professionals.
Context
Access management becomes a governance problem when the number of applications, entitlements, and review decisions grows faster than the team can verify them. In SaaS-heavy environments, the failure mode is usually not a single broken control but a review model that cannot keep pace with how quickly permissions change across dozens or hundreds of apps.
That is why the conversation at Oktane 2024 centered on automation, shadow IT visibility, and app-level control rather than just SSO administration. For IAM and IGA teams, the practical question is no longer whether access reviews exist, but whether they can still produce trustworthy decisions across a rapidly expanding SaaS estate.
Key questions
Q: How should security teams run access reviews across large SaaS estates?
A: Security teams should base SaaS access reviews on live entitlement data, not spreadsheets or stale exports. The review process should identify application ownership, last-used access, and exception handling so that certification decisions reflect current reality. Automation helps, but only if the organisation keeps governance ownership, evidence retention, and remediation responsibilities clearly assigned.
Q: Why does shadow IT make access governance harder?
A: Shadow IT makes access governance harder because teams cannot certify, revoke, or audit access to applications they do not know exist. That creates an identity blind spot where permissions live outside the normal review cycle. The practical response is discovery first, then certification, because unknown applications always weaken the completeness of the control set.
Q: What breaks when access reviews stay manual in SaaS environments?
A: Manual access reviews break when the number of applications and entitlements grows faster than the team can validate them. Reviews become slow, inconsistent, and prone to stale decisions, especially when ownership is fragmented across departments. Over time, that leads to excess access, weak audit trails, and a governance process that cannot keep pace with change.
Q: Who should own remediation after SaaS access review findings?
A: Remediation should be owned by the application or business owner who can actually revoke or adjust the access, with identity teams overseeing the process. The key is to avoid vague accountability, because unresolved findings tend to survive the review cycle. Clear ownership, deadlines, and evidence capture are what make the control operational rather than ceremonial.
Technical breakdown
Why manual access reviews break down across SaaS estates
Manual access reviews depend on humans comparing lists of users, apps, and permissions against a moving environment. In a SaaS estate, that breaks quickly because application sprawl, frequent role changes, and distributed ownership make the review surface too large for periodic certification alone. The result is stale entitlement decisions, missed orphaned access, and inconsistent evidence for auditors. Automation changes the mechanics by pulling entitlement data directly from applications and surfacing what has changed since the last review, but the core technical challenge remains identity-to-application mapping across many systems.
Practical implication: move from spreadsheet-based certification to continuously refreshed entitlement inventories tied to the actual SaaS applications in use.
Shadow IT and application-level visibility in identity governance
Shadow IT matters because access governance cannot cover what the organisation cannot see. When employees adopt unsanctioned SaaS tools, identity teams lose the ability to trace who has access, how it was granted, and whether it is still needed. Application-level visibility goes beyond login telemetry and shows the permissions attached to each app, which is where governance and audit failures usually appear. For regulated environments, this visibility is the difference between a policy on paper and an enforceable control in practice. The technical issue is discovery, not just enforcement.
Practical implication: establish discovery processes that map sanctioned and unsanctioned SaaS apps before trying to certify or revoke access.
How automated access reviews support compliance evidence
Automated access reviews are a control-evidence mechanism as much as an efficiency improvement. They reduce the time between identifying excessive access and acting on it, while producing a more defensible audit trail of who reviewed what, when, and why. In regulated industries, the value is not only speed but repeatability, because compliance teams need to show that access decisions were based on current data rather than outdated exports. Automation also helps standardise review criteria across business units, which is critical when access ownership is fragmented.
Practical implication: define approval criteria, evidence retention, and review cadence together so the control can satisfy both operations and audit.
NHI Mgmt Group analysis
SaaS access governance is now a scale problem, not a policy problem. The article shows that organisations already understand the importance of access reviews, but struggle to execute them consistently across expanding application portfolios. That is a control design issue, because periodic review models degrade once the number of apps and entitlements exceeds what humans can reliably certify. Practitioners should treat SaaS review capacity as a governance constraint, not an administrative task.
Shadow IT creates an identity blind spot that makes certification incomplete by default. If the organisation cannot see an application, it cannot reliably certify, revoke, or explain access to it. That blind spot is especially damaging in SaaS estates where business teams can adopt tools outside central approval paths. The implication is that access governance must begin with discovery, because undiscovered applications produce unverifiable entitlements.
Automation changes the economics of access review, but it does not remove governance ownership. Automated review workflows can reduce manual burden and improve auditability, yet the approval logic, ownership model, and exception handling still belong to the enterprise. This is why automation should be framed as an execution layer for IGA, not as a substitute for it. Teams need to decide which decisions can be standardised and which still require human accountability.
Application-level control is becoming the real boundary of SaaS IAM. SSO establishes entry control, but the article points to a deeper issue, which is what users can do inside each application once authenticated. That gap is where most governance failures accumulate, particularly when regulatory obligations require evidence of least privilege. Practitioners should align access governance to application entitlements, not just authentication events.
SaaS governance now connects human access reviews and non-human access patterns through the same oversight model. The same operational weaknesses that create review fatigue for employees also leave service accounts, integrations, and delegated access harder to govern at scale. That is why access programmes increasingly need a shared lifecycle view across human and non-human access. Teams should design review, discovery, and revocation processes to handle both without separate control assumptions.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance still starts from incomplete data.
- That visibility gap is why practitioners should also use the NHI Lifecycle Management Guide to harden discovery, rotation, and offboarding workflows.
What this signals
Access governance is moving from periodic review to continuous verification. As SaaS estates expand, teams will need entitlement data that updates with the application rather than the audit calendar. That shift will reshape IGA tooling selection, because review workflows must now support operational decision-making, not just compliance sign-off.
Shadow IT will keep pulling identity teams into discovery-led governance. When unknown applications sit outside the approved stack, access reviews cannot be trusted to cover the full estate. Practitioners should expect tighter linkage between SaaS discovery, access certification, and remediation ownership, especially in regulated environments.
The broader signal is that access management is becoming a shared control plane for human users and non-human access alike. Teams that still separate employee governance from service access, delegated access, and application entitlements will continue to miss the real source of review fatigue and residual privilege.
For practitioners
- Replace spreadsheet-based certifications with live entitlement inventories: pull access data directly from SaaS applications so reviews are based on current permissions rather than exported snapshots. Use the inventory to compare active access, last-used signals, and application ownership before any certification round.
- Build a discovery process for shadow IT before running reviews: identify unsanctioned SaaS tools through procurement, SSO logs, browser telemetry, and employee reporting, then fold them into the governance workflow. Use the discovery output to prioritise the applications that create the largest blind spot.
- Define access ownership and exception handling up front: assign a named approver for each application, establish what counts as an acceptable exception, and decide how unresolved access is handled when an owner does not respond. Keep the rules consistent across business units so reviews remain auditable.
- Tie review automation to compliance evidence retention: store who approved each entitlement, what data was reviewed, and what remediation action followed. Retain the records long enough to support internal audit, regulatory review, and post-incident investigation.
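As an added example (not Zluri's or NHIMG's code), the following Python sketches the review logic the four steps above describe, run over a constructed entitlement inventory: it flags unsanctioned apps for discovery, revokes orphaned and stale access, escalates unowned entitlements, honours recorded exceptions, and emits one evidence record per decision. Every app, user and owner name is hypothetical, and the 90-day stale threshold is an assumed policy value.

```python
from collections import Counter
from datetime import date

# Constructed sample entitlement inventory (hypothetical apps, users, owners), shaped
# like a live pull from SaaS apps: one record per (app, user, role) with last-use date.
INVENTORY = [
    {"app": "crm",   "user": "alice", "role": "admin",  "owner": "sales-lead", "last_used": "2024-09-01"},
    {"app": "crm",   "user": "bob",   "role": "viewer", "owner": "sales-lead", "last_used": "2024-03-15"},
    {"app": "crm",   "user": "carol", "role": "viewer", "owner": "sales-lead", "last_used": "2024-04-01"},
    {"app": "wiki",  "user": "carol", "role": "editor", "owner": None,         "last_used": "2024-08-20"},
    {"app": "wiki",  "user": "erin",  "role": "editor", "owner": "docs-lead",  "last_used": "2024-08-30"},
    {"app": "notes", "user": "dana",  "role": "owner",  "owner": None,         "last_used": "2024-09-05"},
]
ACTIVE_USERS = {"alice", "bob", "carol", "dana"}          # from the HR / IdP directory
SANCTIONED_APPS = {"crm", "wiki"}                         # approved application catalogue
EXCEPTIONS = {("crm", "bob"): "break-glass read access, approved by sales-lead"}
AS_OF = date(2024, 9, 10)                                 # certification date for the sample
STALE_DAYS = 90                                           # assumed policy: unused > 90 days is stale

def review(inventory, active_users, sanctioned, exceptions, as_of, stale_days=STALE_DAYS):
    """Decide each entitlement and emit an evidence record: what, why, when, by whom."""
    records = []
    for e in inventory:
        idle = (as_of - date.fromisoformat(e["last_used"])).days
        if e["app"] not in sanctioned:      # discovery output: shadow IT, certify after onboarding
            decision, reason = "discover", "unsanctioned app: onboard and assign an owner first"
        elif e["user"] not in active_users: # orphaned access always goes, exceptions or not
            decision, reason = "revoke", "orphaned: user not in the active directory"
        elif (e["app"], e["user"]) in exceptions:
            decision, reason = "retain", "approved exception: " + exceptions[(e["app"], e["user"])]
        elif e["owner"] is None:            # nobody can certify it, so it cannot be retained
            decision, reason = "escalate", "no application owner assigned"
        elif idle > stale_days:
            decision, reason = "revoke", f"stale: unused for {idle} days (threshold {stale_days})"
        else:
            decision, reason = "retain", f"active: last used {idle} days ago"
        records.append({**e, "as_of": as_of.isoformat(), "idle_days": idle, "decision": decision,
                        "reason": reason, "approver": e["owner"] or "identity-team"})
    return records

def summary(records):
    """Counts per decision, e.g. for the review dashboard or the audit summary."""
    return dict(Counter(r["decision"] for r in records))

def run_review():
    return review(INVENTORY, ACTIVE_USERS, SANCTIONED_APPS, EXCEPTIONS, AS_OF)

if __name__ == "__main__":
    for r in run_review():
        print(f'{r["app"]:5} {r["user"]:6} {r["decision"]:8} {r["approver"]:13} {r["reason"]}')
    print(summary(run_review()))
```

The evidence records are what a real workflow would persist for audit: each carries the data reviewed, the decision, the reason, the date, and the accountable approver.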
Key takeaways
- Manual access reviews no longer scale cleanly in SaaS-heavy environments because the control surface changes faster than human certification cycles.
- Shadow IT turns access governance into a discovery problem first, since unknown applications cannot be reviewed, revoked, or audited with confidence.
- Automation helps only when ownership, evidence retention, and remediation rules are explicit; otherwise the process simply produces faster paperwork.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access reviews and entitlement control align with least-privilege governance. |
| NIST Zero Trust (SP 800-207) | PA | SaaS visibility and continuous access verification support zero trust principles. |
| NIST CSF 2.0 | GV.OC-02 | Shadow IT and ownership gaps affect organizational context for access governance. |
Treat SaaS discovery and entitlement validation as part of continuous trust assessment.
Key terms
- Access Review: An access review is a governance process that checks whether users still need the permissions they hold. In SaaS environments, the review must use current entitlement data and clear ownership; otherwise it becomes a paperwork exercise that misses excessive or stale access.
- Shadow IT: Shadow IT is software or services adopted outside approved governance channels. It weakens identity control because teams cannot reliably discover, certify, or revoke access to applications they do not manage, leaving a blind spot in the access model.
- Application-Level Control: Application-level control is visibility and governance over what users can do inside a SaaS application after authentication. It matters because single sign-on only governs entry, while permissions, sharing, and role assignments determine the real access risk.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: How Access Management Took Center Stage at Oktane 2025. Read the original.
Published by the NHIMG editorial team on 2025-09-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org