By NHI Mgmt Group Editorial TeamPublished 2025-11-13Domain: Governance & RiskSource: Efecte

TL;DR: AI-assisted software creation is increasing SaaS sprawl, shadow IT, duplicate tools, and unmanaged risk, while Gartner cited in the source warns that organisations without central SaaS lifecycle management will be five times more likely to suffer cyber incidents or data loss by 2027. The control problem is governance and visibility, not innovation speed.


At a glance

What this is: This is an analysis of how AI-assisted software creation is expanding SaaS sprawl and weakening visibility, accountability, and lifecycle control.

Why it matters: It matters because IAM, IGA, and security teams now have to govern not just users and apps, but rapidly multiplying business-built software and the access, data, and spend it creates.

By the numbers:

👉 Read Efecte's analysis of AI-driven SaaS sprawl and governance


Context

AI-assisted development is lowering the barrier to building internal software, which means business teams can now create and adopt tools faster than IT and procurement can track them. In practice, that turns software management into an identity and governance problem, because every new app brings new accounts, integrations, data paths, and ownership questions.

The source frames this as a shift from speed to resilience, and that is the right lens. The real issue is not whether employees can build more quickly, but whether organisations can maintain visibility, control, and lifecycle discipline across a SaaS stack that is expanding outside traditional change management.

For identity teams, this is a broader lifecycle signal: the same governance failures that affect service accounts and API keys now show up in shadow SaaS, duplicate subscriptions, and unmanaged access paths. That makes SaaS sprawl part of the identity perimeter, not a separate procurement nuisance.


Key questions

Q: How should organisations govern AI-driven SaaS sprawl?

A: They should govern it as an identity and lifecycle problem, not just a procurement issue. That means maintaining a single inventory of approved applications, tying each app to an accountable owner, reviewing user and integration access on a schedule, and removing apps that no longer have a clear business purpose. Without those controls, AI-assisted adoption quickly creates shadow IT and orphaned access.

Q: Why does SaaS sprawl increase identity risk?

A: Because every new app can introduce users, admins, API keys, OAuth grants, and service integrations that must be managed over time. If those relationships are not visible, the organisation cannot reliably recertify access, revoke stale entitlements, or offboard tools cleanly. The risk is not only more software. It is more ungoverned access paths.

Q: What breaks when SaaS ownership is unclear?

A: Recertification becomes unreliable, offboarding stalls, and duplicate spend grows unnoticed. Unclear ownership also makes it harder to decide who can approve changes, who is responsible for data handling, and which integrations should be retired when a project ends. In practice, lack of ownership turns routine lifecycle tasks into exceptions.

Q: Who should be accountable for SaaS governance in an AI-driven environment?

A: Accountability should sit with a cross-functional control model led by IT, security, and procurement, with business owners assigned to each application. If no one owns the app, no one owns the access paths, renewals, or offboarding steps either. That is how shadow SaaS becomes a persistent governance gap.


Technical breakdown

How AI-assisted software creation expands SaaS control gaps

AI-assisted tools let non-developers assemble working software and connect services without going through the normal design, security review, and procurement path. That changes SaaS from a centrally approved asset set into a distributed creation model, where business teams can introduce new applications, integrations, and data flows on demand. The governance issue is not the tool itself, but the loss of a stable inventory and approval chain. Once ownership is fragmented, access reviews, contract renewals, data classification, and vendor offboarding all become less reliable.

Practical implication: security and IAM teams need a single control point for SaaS discovery, ownership, and lifecycle state before sprawl becomes unrecoverable.

Why software sprawl behaves like an identity governance problem

SaaS sprawl creates identity risk because every unmanaged application typically comes with users, service accounts, OAuth grants, API keys, and admin roles. If the organisation cannot see those relationships, it cannot govern who or what can access data, who can approve renewals, or which integrations survive after a team changes direction. This is why software sprawl is not just an IT hygiene issue. It is a lifecycle and privilege issue that sits close to IGA, PAM, and NHI governance.

Practical implication: map every SaaS app to an owner, access path, and offboarding trigger so entitlement review is tied to application lifecycle.

What resilience means in a distributed SaaS estate

In this context, resilience means being able to answer three questions quickly: what tools exist, who is using them, and what happens when risk changes. That requires a system of record for contracts, usage, integrations, and compliance state, not just an inventory spreadsheet. Without that control layer, AI-driven adoption can accelerate duplication, weaken budget discipline, and leave sensitive data scattered across unreviewed services. The operational failure is delayed detection of change, followed by delayed removal of access or tooling.

Practical implication: build reporting that links usage, ownership, and renewal dates so unused tools and orphaned access are removed before they become standing risk.


NHI Mgmt Group analysis

AI-assisted SaaS creation has turned application sprawl into a governance problem. The source is right to treat the issue as more than software adoption. When employees can create or adopt tools outside formal review, the organisation loses control over ownership, access, and data flow. The practitioner conclusion is simple: SaaS governance now belongs in the same conversation as identity lifecycle and access management.

Software sprawl is the visible symptom of a deeper accountability gap. Duplicate contracts, unused licences, and unmanaged apps all point to the same failure mode: no authoritative owner for the application, its users, or its integrations. That gap undermines recertification, offboarding, and budget control at the same time. The practitioner conclusion is that governance must attach to each application instance, not just to the department that requested it.

Shadow IT created by AI tools is a control-plane issue, not a tooling issue. The article correctly signals that central visibility is now a prerequisite for resilience. Without a reliable inventory, leaders cannot prove who approved an app, who can access its data, or whether the service still belongs in the environment. The practitioner conclusion is that discovery, ownership, and lifecycle enforcement must be treated as one programme.

Identity programmes should treat SaaS apps as governed actors, not passive assets. Each application can hold credentials, move data, and outlive the team that introduced it. That makes it a lifecycle object with access implications, not just a spend line. The practitioner conclusion is to align SaaS review with the same governance discipline used for high-risk non-human identities.

Software sprawl blast radius: AI-driven adoption increases the number of unmanaged access paths faster than traditional controls can enumerate them. That expands the blast radius of a single bad procurement decision, a forgotten admin role, or an orphaned integration. The practitioner conclusion is that the size of the unmanaged estate becomes the real risk multiplier.

From our research:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • For the lifecycle angle, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding patterns that translate well to SaaS governance.

What this signals

The practical signal for identity teams is that SaaS governance and NHI governance are converging. Once an organisation lets employees assemble tools with AI assistance, every unmanaged app behaves like a long-lived access surface that needs ownership, review, and retirement discipline.

Software sprawl blast radius: the unmanaged application estate becomes a multiplier for access risk, spend waste, and compliance drift. With 79% of organisations already having experienced secrets leaks in our research, the underlying lesson is that visibility failures tend to surface only after damage has already begun.

Programme leaders should treat discovery, entitlement review, and offboarding as one operational loop rather than three separate processes. If the organisation cannot answer what exists, who uses it, and how it is retired, the SaaS stack will keep expanding faster than governance can catch up.


For practitioners

  • Create a SaaS authoritative inventory Establish a single record for every business-approved application, including owner, business purpose, data sensitivity, renewal date, and integration list. Use it as the control point for reviews, not as a passive spreadsheet.
  • Tie SaaS access to lifecycle events Connect onboarding, role changes, and offboarding to application entitlements so access removal happens when ownership changes, not after a quarterly review cycle.
  • Review OAuth grants and API integrations routinely Treat application-to-application permissions as governed access paths. Remove stale integrations, verify admin grants, and document which services can create downstream access.
  • Measure SaaS waste and control drift together Track unused licences, duplicate tools, and unknown owners in one report so finance, procurement, and security see the same risk picture.
  • Embed app offboarding into procurement exit criteria Do not close a contract or project without revoking access, deleting integrations, and confirming data retention obligations across the service.

Key takeaways

  • AI-assisted software creation is turning SaaS sprawl into an identity governance issue because every new app introduces access, ownership, and offboarding risk.
  • The scale problem is not theoretical. Gartner cited in the source expects organisations without central lifecycle management to be five times more likely to suffer cyber incidents or data loss by 2027.
  • Security teams should connect SaaS discovery, access review, and retirement into one lifecycle process before shadow IT becomes permanent shadow governance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4SaaS sprawl creates unmanaged access paths and weak entitlement control.
NIST SP 800-53 Rev 5AC-2Application ownership and account lifecycle map to account management control.
ISO/IEC 27001:2022A.5.15Access control policy is central to governing application sprawl and unknown access paths.
GDPRArt.32Unmanaged SaaS can expose personal data and weaken security of processing.

Assess SaaS tools that process personal data under Art.32 and verify access, retention, and offboarding controls.


Key terms

  • SaaS Sprawl: The uncontrolled growth of software-as-a-service tools across business units, often outside formal approval and inventory processes. In identity terms, sprawl is dangerous because every app brings its own users, administrators, integrations, and offboarding burden, creating a distributed access surface that becomes difficult to govern.
  • Software Lifecycle Management: The process of governing an application from approval through use and retirement. For SaaS estates, lifecycle management includes ownership, access review, renewal tracking, integration control, and secure offboarding, so the organisation can remove tools and entitlements before they become permanent risk.
  • Shadow IT: Technology adopted or created outside official governance channels. In modern SaaS environments, shadow IT often appears when business teams use AI-assisted tools to build or connect applications without security review, leaving the organisation with unmanaged access paths and unclear accountability.
  • Application Entitlement: A permission that allows a user, administrator, or system to use or manage a software application. Entitlements matter because unmanaged SaaS often creates excessive or forgotten access, and those permissions can persist long after the business reason for them has disappeared.

What's in the full article

Efecte's full article covers the operational detail this post intentionally leaves for the source:

  • How the source frames AI-assisted software creation as a SaaS governance problem for business leaders.
  • The article's specific examples of software sprawl, duplicate contracts, and unmanaged applications.
  • The source's explanation of why Europe and GDPR are positioned as a governance advantage in this model.
  • Efecte's view of how its own SaaS management platform is positioned for visibility, renewals, and compliance.

👉 Efecte's full article covers the shift from SaaS speed to resilience and the control gaps behind it.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org