By NHI Mgmt Group Editorial TeamPublished 2025-11-17Domain: Governance & RiskSource: Lumos

TL;DR: Real-time visibility into app usage, shadow IT, and license optimisation lets IT translate access data into finance decisions, while also strengthening governance over who can reach which SaaS tools, according to Lumos. The deeper lesson is that access visibility is no longer just an IAM control, but a shared operating layer for spend, risk, and accountability.


At a glance

What this is: A Lumos case study shows how internal visibility into app usage, shadow IT, and license optimisation can connect access governance to finance decisions.

Why it matters: For IAM teams, this matters because identity visibility now shapes not just security posture but SaaS governance, cost control, and cross-functional accountability across NHI, autonomous, and human access programmes.

👉 Read Lumos's post on how visibility strengthens CIO-CFO alignment


Context

Access governance only helps when teams can see which accounts, apps, and permissions are actually in use. In this case, the core issue is not a lack of policy, but a lack of continuously current visibility into SaaS adoption, unused licenses, and unapproved access paths. That is why the topic sits squarely in human IAM and NHI governance, especially where OAuth-connected apps and SaaS identities blur the boundary between sanctioned and shadow usage.

The practical challenge is that finance and security often measure the same environment differently. IT sees access, usage, and entitlement drift; finance sees spend, renewal pressure, and vendor overlap. A shared view of identity-connected application usage turns that split into an operating model rather than a quarterly reconciliation exercise.


Key questions

Q: How should teams govern shadow IT discovered through OAuth-connected apps?

A: Treat it as an access governance issue, not only a software inventory issue. Identify which users connected the app, what data or permissions it can reach, who owns the business need, and whether the app is already covered by approved lifecycle and review processes. Then decide whether to sanction, restrict, or remove it.

Q: Why do unused SaaS licenses matter to identity governance?

A: Unused licenses often indicate that access was granted without being continuously validated against current need. That makes them a useful signal for entitlement drift, duplicate tooling, and weak ownership. Teams that monitor utilisation can use the same evidence to reduce spend and tighten access control.

Q: How can security teams connect access visibility to business decisions?

A: Build reporting that combines application usage, access assignments, and vendor spend in one view. That lets CIOs, CFOs, and security leaders discuss the same facts in different terms, which improves budget planning and makes access cleanup easier to defend.

Q: What should organisations review first when SaaS sprawl is getting out of control?

A: Start with the applications that have active logins but unclear ownership or low utilisation. Those are usually the fastest path to risk reduction because they often expose unmanaged access, redundant contracts, and stale entitlements at the same time.


Technical breakdown

OAuth-connected SaaS discovery and shadow IT visibility

Modern SaaS discovery works by correlating authentication sources, app logins, and license telemetry to build a fuller picture of what employees are actually using. When a platform integrates with sources such as Google OAuth and Okta, it can surface both approved applications and informal adoption that never went through procurement. The technical value is not just enumeration. It is the ability to distinguish sanctioned access from unmanaged access paths, which is essential when app usage can expand without corresponding governance records.

Practical implication: tie SaaS discovery to authentication logs so unapproved apps and unmanaged access paths are visible before renewal and review cycles.

License optimisation as an identity governance signal

Unused licenses are not only a finance problem. They are often an identity signal that access was granted but never revalidated, or that application ownership has drifted away from current need. By comparing issued entitlements to actual usage, teams can identify redundant tools, dormant accounts, and overprovisioned access tiers. In governance terms, this is a lightweight entitlement quality check that complements access reviews without replacing them.

Practical implication: use license utilisation data to trigger entitlement review, vendor consolidation, and access correction work.

Shared visibility for CIO, CFO, and security decisions

The architecture problem in many organisations is not the absence of data, but the absence of a shared operational language. Access telemetry becomes more useful when it is tied to spend, risk, and usage in the same reporting loop. That makes budget discussions evidence-based and gives security teams a way to explain why app rationalisation and access cleanup are part of the same control surface. In effect, governance becomes measurable across two domains at once: control and cost.

Practical implication: build reporting that joins access, usage, and spend so finance decisions can also reduce identity risk.


NHI Mgmt Group analysis

Visibility is now the control plane for both spend and access governance. When organisations cannot see which SaaS apps are in use, they lose the ability to govern shadow IT, validate entitlement scope, or justify vendor rationalisation with evidence. That is not just an operational gap, it is a governance failure across human identities and the NHI-like app access paths they create. The implication is that access visibility has become a prerequisite for credible IAM decision-making.

Shadow IT is really unmanaged identity reach. Unapproved apps become a risk because they introduce access pathways outside the sanctioned stack, often through OAuth or other delegated authentication flows. That means the problem is not only procurement sprawl, but also identity sprawl. Teams should treat every unknown app connection as a governance event, not just a software inventory issue.

License waste is a proxy for entitlement drift. If a tool is underused, the access behind it is often over-retained, under-reviewed, or no longer aligned to business need. That makes spend optimisation a useful byproduct of access governance, not a separate exercise. The most effective programmes use utilisation data to expose where access decisions have outlived the work they were meant to support.

Identity visibility creates a finance-language bridge that most security teams still lack. CIOs and CFOs respond differently to the same data, but both can act on usage, renewal, and overlap when it is packaged clearly. This is where identity governance becomes more strategic: it can influence budget decisions without losing control discipline. Practitioners should treat reporting design as part of governance maturity, not as an afterthought.

Shared app telemetry reveals the hidden cost of weak lifecycle discipline. When access is granted faster than it is reviewed, organisations accumulate dormant entitlements, duplicate tools, and ambiguous ownership. That pattern is as relevant to NHI-style application access as it is to human users. The practitioner takeaway is to connect lifecycle governance to utilisation data so cleanup happens before waste hardens into policy.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which helps explain why delegated app access often escapes governance review.
  • For a wider governance lens, see NHI Lifecycle Management Guide for how visibility, review, and offboarding fit together.

What this signals

Shadow IT discovery is becoming an identity governance input rather than a side effect of SaaS management. When access telemetry and usage data are joined, teams can turn renewal season into a control checkpoint instead of a budget scramble.

Access-spend convergence: the organisations that mature fastest will treat licence utilisation, entitlement review, and vendor rationalisation as one operating loop. That approach is especially useful where app access is created through delegated authentication and never revisited.

For teams formalising this model, the NIST Cybersecurity Framework 2.0 remains a useful way to anchor governance, detection, and recovery around measurable access and asset visibility.


For practitioners

  • Correlate authentication sources with SaaS usage Join Google OAuth, Okta, and app telemetry so the team can see which applications are actually active, not just approved on paper.
  • Classify shadow IT as an access-governance issue Track unapproved apps as unmanaged identity reach, then route them into review, ownership assignment, and risk triage instead of treating them only as procurement exceptions.
  • Use license utilisation to trigger entitlement review Flag underused tools, duplicate vendors, and dormant access tiers during renewal and access review cycles so spend optimisation also reduces governance drift.
  • Build a shared CIO-CFO reporting view Package access, usage, and spend metrics into one report so finance decisions can support vendor rationalisation and security can defend access cleanup with the same evidence.

Key takeaways

  • Identity visibility is no longer only a security control, because it now shapes both SaaS governance and budget decisions.
  • Shadow IT and idle licenses often point to the same underlying issue, which is entitlement drift without active ownership.
  • The strongest programmes join access, usage, and spend data so finance optimisation also tightens governance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0ID.AM-1Asset visibility is central to identifying shadow SaaS and unmanaged access.
OWASP Non-Human Identity Top 10NHI-01OAuth-connected app access can create unmanaged non-human-style access paths.
NIST Zero Trust (SP 800-207)PR.AC-4Least-privilege access depends on knowing which apps and entitlements are actually active.

Inventory delegated app access and review unmanaged OAuth connections on a recurring basis.


Key terms

  • Shadow IT: Software or services used inside an organisation without formal approval or central governance. In identity terms, it often appears as unauthorised access paths, unmanaged OAuth connections, or applications that never entered the normal review and ownership process.
  • Entitlement Drift: The gap that forms when access permissions, app licences, or account ownership no longer match current business need. It usually shows up as stale access, duplicate tools, or underused licenses that remain active long after the original justification has disappeared.
  • Access Telemetry: Data that shows which identities, users, or systems are connecting to applications and when. Used well, it becomes a governance signal that links identity activity to usage, risk, and cost, rather than leaving teams to infer behaviour from static inventories.

What's in the full article

Lumos's full blog post covers the operational detail this post intentionally leaves for the source:

  • How Lumos maps app usage across Google OAuth, Okta, and other authentication sources to reveal shadow IT
  • The internal workflow used to identify underutilised licenses and consolidate redundant vendors
  • Examples of how the IT team uses usage evidence in conversations with finance and app owners
  • The platform workflow Lumos uses to turn visibility into action across governance and spend decisions

👉 Lumos's full post shows how app visibility supports vendor rationalisation and access governance.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity programme maturity, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org