By NHI Mgmt Group Editorial Team | Published 2025-12-25 | Domain: Governance & Risk | Source: Zluri

TL;DR: SaaS sprawl makes application portfolio management a governance problem as much as a cost problem, with Zluri describing discovery, rationalisation, renewal control, and lifecycle automation for SaaS estates. The key issue is that application visibility, access revocation, and shadow IT control increasingly shape identity risk, license waste, and audit readiness.


At a glance

What this is: This is a SaaS application portfolio management roundup that argues discovery, rationalisation, renewals, and lifecycle automation are central to controlling SaaS sprawl.

Why it matters: It matters because application sprawl directly affects IAM, IGA, and NHI governance through unused licenses, shadow IT, and offboarding gaps.

By the numbers:

👉 Read Zluri's article on application portfolio management software for SaaS governance


Context

Application portfolio management is the discipline of deciding which applications to keep, retire, migrate, or consolidate. In a SaaS-heavy environment, that discipline becomes part of identity governance because every application also brings users, entitlements, integrations, and offboarding obligations.

Zluri frames the problem around SaaS sprawl, where IT teams lose track of what is in use, what is duplicated, and what has become shadow IT. That is not just an application inventory issue. It is an access, lifecycle, and control-plane problem that cuts across human users, service accounts, and connected workloads.


Key questions

Q: How should teams manage SaaS sprawl without losing control of access?

A: Start by linking application discovery to ownership, access, and lifecycle state. A SaaS inventory only becomes governable when each app has a named owner, known user population, and a clear path for renewal or retirement. That lets IAM and IT teams remove duplicate tools, revoke stale access, and keep shadow IT from becoming permanent.

Q: Why does application rationalisation matter for IAM and IGA programmes?

A: Because every application introduces users, entitlements, and offboarding work. If teams rationalise the portfolio, they reduce duplicate access paths, simplify reviews, and make it easier to enforce least privilege across the stack. Without rationalisation, access governance becomes fragmented across too many tools and business owners.

Q: How do organisations know if SaaS lifecycle automation is actually working?

A: Look for evidence that provisioning, approval, and revocation happen in the same workflow and that stale licenses disappear after role changes or departures. If users keep access after they no longer need it, automation is only partially implemented. Effective lifecycle automation shows up as faster offboarding, fewer abandoned licenses, and cleaner audit trails.

Q: Who should own SaaS governance when applications are spread across business units?

A: Ownership should sit with both the business and the identity function. Business leaders can justify why the app exists, while IAM or IT governance can control access, lifecycle, and retirement. If responsibility sits only with procurement or only with IT, apps tend to persist after their original purpose has faded.


Technical breakdown

SaaS discovery as the control plane for application governance

Modern application portfolio management starts with discovery. Without a reliable inventory, teams cannot rationalise duplicate tools, track renewal risk, or know which integrations still exist after a business change. Zluri’s model relies on multiple discovery sources such as identity systems, finance data, and browser activity because no single feed captures the full SaaS footprint. In practice, discovery is what turns unknown software into a governed asset set. It also creates the baseline for access review, license optimisation, and offboarding.

Practical implication: treat discovery as an identity and governance input, not as a pure asset-management function.

Application rationalisation and renewal intelligence reduce entitlement drift

Application rationalisation is the process of deciding whether an application deserves to remain in the stack. Renewal intelligence adds timing, so teams can connect business usage, cost, and vendor commitment before auto-renewal locks in waste. These controls matter because SaaS portfolios tend to accumulate overlapping tools, underused licenses, and forgotten subscriptions that are still technically live. When renewal decisions are separated from usage evidence, entitlement drift follows. The result is a larger attack surface, higher spend, and weaker audit posture.

Practical implication: align renewal decisions with usage, ownership, and business value before contracts renew.

Lifecycle automation closes onboarding and offboarding gaps

Lifecycle automation in application portfolio management links license requisition, approval, and revocation to user movement. That matters because application sprawl is not only about finding software; it is also about removing access when people leave or change roles. Zluri explicitly ties automation to onboarding and offboarding, which is where many organisations leak licenses and entitlements. In identity terms, this is a governance problem around joiner-mover-leaver processes, not just a workflow convenience. When revocation is delayed or inconsistent, abandoned access and dormant spend tend to coexist.

Practical implication: connect application lifecycle workflows to access removal, not just procurement and provisioning.


NHI Mgmt Group analysis

Application portfolio management is becoming an identity governance discipline, not just an IT operations task. Zluri’s article shows that discovery, renewal management, and lifecycle automation are all control points for SaaS sprawl. Once each application is treated as a bundle of identities, entitlements, and integrations, the governance question changes from 'what software do we own?' to 'what access and accountability does each application create?'. Practitioners should treat application portfolio rationalisation as part of IAM and IGA design, not a separate finance exercise.

Shadow IT is the symptom, but unmanaged access is the failure mode. SaaS sprawl becomes risky when teams do not know which applications are live, who owns them, and what connected identities remain active. That is why inventory alone is insufficient. The real control gap is the gap between discovery and deprovisioning, especially when business units buy tools outside central review. Practitioners need to evaluate whether their application governance model can prove ownership, access scope, and retirement state for every app.

Lifecycle automation matters because offboarding is where SaaS portfolios often become identity liabilities. Zluri’s emphasis on requisition, approval, and revocation reflects a broader truth: an application that was once justified can still become a governance problem if its licenses and access are never removed. The discipline here is not simply reducing spend. It is preventing residual access from surviving past business need. Practitioners should connect app retirement with entitlement removal and accountability handoff.

Renewal intelligence is a governance signal, not just a procurement feature. When renewal timing is linked to usage data, organisations gain a practical checkpoint for deciding whether an app still deserves to exist. That decision point is especially useful in environments with duplicated SaaS tools and unclear business ownership. The implication for IAM leads is straightforward: if renewal decisions happen without access evidence, the organisation is paying to preserve dormant entitlements.

Named concept: SaaS entitlement drift. This is the accumulation of licenses, app accounts, and integrations that remain active after their original business justification has weakened or disappeared. It emerges when discovery, ownership, and revocation are not connected in one governance loop. Practitioners should recognise it as a portfolio-level version of privilege creep, with similar operational and audit consequences.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • For lifecycle context, read NHI Lifecycle Management Guide for the offboarding and revocation practices that keep access from lingering.

What this signals

Application portfolio governance is converging with identity governance because SaaS ownership, access, and retirement now move together. Teams that still treat portfolio rationalisation as a pure cost exercise will miss the access-risk layer hiding underneath.

SaaS entitlement drift: this is the point at which redundant apps, forgotten licenses, and stale access outlive the business need that created them. The practical signal is simple: if you cannot show who owns an app and who loses access when it is retired, you do not have governance, only inventory.

The next maturity step is to connect discovery feeds with lifecycle controls and policy review. For teams already using discovery tools, the question is no longer how many apps exist, but how many of them still have justified access and active accountability.


For practitioners

  • Map applications to identity owners and lifecycle states: Require every SaaS application to have a business owner, technical owner, and offboarding path recorded in the same governance system. Use that record to decide whether the app is active, duplicate, retired, or waiting for review.
  • Tie renewal approval to actual usage evidence: Before any contract renewal, compare active licenses, login activity, and business-critical usage against the renewal date. If the app is lightly used or duplicated, force a rationalisation decision instead of default renewal.
  • Automate revocation when users leave or change roles: Connect HR, IAM, and SaaS management workflows so departing users lose access and licenses at the same time. That reduces abandoned entitlements and makes offboarding a control, not an afterthought.
  • Build a shadow IT review loop for unmanaged SaaS: Use discovery data from identity systems, finance feeds, and browser activity to surface apps that bypassed central approval. Review those apps on a fixed governance cadence and decide whether to sanction, integrate, or remove them.
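As an added illustration of the four practices above (example code, not Zluri's or NHI Mgmt Group's), the following Python joins a constructed app inventory, a seat-assignment feed, and an HR status feed and emits one finding per control gap: leaver still holding access, dormant entitlement, renewal approaching without usage evidence, and unowned or unsanctioned app for shadow IT review. Feed shapes, thresholds, app names and user names are all assumptions.

```python
from datetime import date, timedelta

# Constructed sample feeds (assumed shapes; not Zluri's data model).
TODAY = date(2025, 12, 25)
APPS = [  # discovered apps with ownership, sanction state and renewal metadata
    {"app": "Notion", "owner": "alice", "sanctioned": True, "renewal": date(2026, 1, 10), "licenses": 4},
    {"app": "Coda", "owner": None, "sanctioned": False, "renewal": date(2026, 3, 1), "licenses": 2},
    {"app": "Slack", "owner": "bob", "sanctioned": True, "renewal": date(2026, 6, 1), "licenses": 3},
]
ASSIGNMENTS = [  # (app, user, last_login) from IdP / app audit logs; None = never logged in
    ("Notion", "alice", date(2025, 12, 20)),
    ("Notion", "carol", date(2025, 11, 30)),  # carol has left the organisation
    ("Notion", "dave", date(2025, 6, 1)),     # dormant seat
    ("Notion", "erin", None),
    ("Coda", "frank", date(2025, 12, 22)),
    ("Slack", "bob", date(2025, 12, 24)),
    ("Slack", "carol", date(2025, 12, 1)),
]
HR = {"alice": "active", "bob": "active", "carol": "left",
      "dave": "active", "erin": "active", "frank": "active"}


def assess(apps, assignments, hr, today, renewal_window=30, dormant_days=90, min_usage=0.5):
    """Return (finding_kind, app, detail) tuples for each governance gap found."""
    findings = []
    dormant_cutoff = today - timedelta(days=dormant_days)
    for a in apps:
        # Shadow IT review loop: no named owner or never sanctioned.
        if a["owner"] is None or not a["sanctioned"]:
            findings.append(("shadow_it_review", a["app"], None))
        active_seats = 0
        for app, user, last_login in assignments:
            if app != a["app"]:
                continue
            # Revocation gap: anyone not "active" in HR (leaver or unknown) still holds a seat.
            if hr.get(user) != "active":
                findings.append(("revoke_leaver", app, user))
            # Entitlement drift: seat held by an active user who never or no longer logs in.
            elif last_login is None or last_login < dormant_cutoff:
                findings.append(("dormant_entitlement", app, user))
            else:
                active_seats += 1
        # Renewal intelligence: renewal inside the window but usage evidence is weak.
        days_to_renewal = (a["renewal"] - today).days
        usage = active_seats / a["licenses"] if a["licenses"] else 0.0
        if 0 <= days_to_renewal <= renewal_window and usage < min_usage:
            findings.append(("renewal_without_evidence", a["app"], f"{usage:.0%} of licenses active"))
    return findings
```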

Key takeaways

  • SaaS sprawl is an identity governance problem because every application creates access, ownership, and offboarding obligations.
  • Discovery, renewal intelligence, and lifecycle automation are the controls that separate governed portfolios from unmanaged app growth.
  • If renewal and revocation are not linked to actual usage, application portfolios accumulate entitlement drift, shadow IT, and audit risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Application sprawl affects access governance and entitlement control.
NIST Zero Trust (SP 800-207) | PA | Discovery and continuous verification support zero-trust control over SaaS access.
OWASP Non-Human Identity Top 10 | NHI-03 | Unmanaged SaaS integrations and stale access mirror NHI lifecycle weaknesses.

Use zero-trust principles to continuously validate SaaS access and retire unused app pathways.


Key terms

  • Application Portfolio Management: Application portfolio management is the process of deciding which applications to keep, retire, migrate, or consolidate based on value, risk, and operational fit. In identity-heavy environments, it also governs who owns each app, who can access it, and what happens when that access should end.
  • SaaS Sprawl: SaaS sprawl is the uncontrolled growth of software-as-a-service applications across teams and business units. It usually leads to duplicate tools, unclear ownership, shadow IT, and fragmented access control, making both cost management and identity governance harder to maintain.
  • Lifecycle Automation: Lifecycle automation is the use of workflow and policy to handle provisioning, approval, renewal, and revocation without manual handoffs. For SaaS governance, it reduces the chance that licenses and access remain active after a user leaves, changes role, or no longer needs the application.
  • Shadow IT: Shadow IT is software or services adopted outside central governance or approval channels. It becomes an identity issue when the organisation cannot reliably track who uses the app, what data it touches, or how access will be removed if the tool is retired.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: Miscellaneous Top 9 Application Portfolio Management Software in 2026. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org