By NHI Mgmt Group Editorial Team. Published 2025-11-27. Domain: Breaches & Incidents. Source: Zluri

TL;DR: Shadow apps, access requests, over-privileged users, and audit pressure are converging into a visibility and control problem across SaaS estates; Zluri presents Gartner's 2025 SaaS Management Platforms recognition of Zluri as underscoring that problem. The real issue is not just SaaS sprawl but the identity surface it creates for human, machine, and lifecycle governance.


At a glance

What this is: This is a vendor commentary on Gartner’s SaaS management recognition that also frames SaaS sprawl as an identity and governance problem.

Why it matters: It matters because SaaS sprawl creates access, review, and offboarding gaps that cut across human IAM, NHI governance, and broader lifecycle controls.

Read Zluri's commentary on Gartner's SaaS Management Platforms recognition


Context

SaaS management is increasingly an identity governance problem, not just a software inventory problem. Once shadow apps, unmanaged access requests, and over-privileged users accumulate, the organisation loses reliable control over who or what can access business systems, which is why visibility and lifecycle management matter as much as discovery.

That matters for human IAM, NHI governance, and the growing overlap between the two. SaaS estates now carry service accounts, API connections, delegated OAuth access, and human entitlements in the same control plane, so gaps in one area quickly become gaps in the others.

For teams trying to mature their identity programme, the SaaS layer is often where policy, access, and audit evidence first diverge. A platform that centralises control may help, but the underlying governance questions remain the same.


Key questions

Q: How should security teams govern SaaS access across many business apps?

A: They should treat SaaS access as a lifecycle control problem. Every application needs an owner, a review cadence, and a reliable link back to HR and directory events. Without that, access reviews become paperwork, not governance, and privileged accounts can outlive the business need that created them.

Q: Why do SaaS environments create so much access review friction?

A: Because entitlement data is often fragmented across app consoles, directories, and shadow tools. Reviewers cannot make good decisions when they lack a single view of who has access, why it exists, and whether it is still used. The friction is a sign that governance is incomplete, not that reviews are too frequent.

Q: What breaks when over-privileged SaaS accounts are left in place?

A: Standing privileges widen the blast radius of account misuse and make audit evidence harder to defend. If broad access is never reduced after role changes or project completion, the organisation accumulates privilege creep and loses the ability to prove least privilege in practice.

Q: What frameworks should IAM teams use for SaaS governance and access control?

A: NIST Cybersecurity Framework 2.0 is useful for governance and control mapping, while NIST Zero Trust Architecture helps teams think about continuous verification and least privilege. For SaaS-heavy environments, the practical test is whether the programme can prove access ownership, review decisions, and timely removal of excess rights.


Technical breakdown

Why SaaS sprawl breaks identity governance

SaaS sprawl creates a fragmented identity surface because access is no longer mediated through a small number of core systems. Instead, identity data lives across HR systems, app directories, CASBs, and app-native permissions, which makes it harder to know who has access, why they have it, and whether the access is still needed. The governance problem is not only discovery. It is the loss of a single, trustworthy entitlement record across managed and shadow applications.

Practical implication: centralise entitlement inventory before you try to automate reviews or revoke access.

Access reviews and lifecycle control in SaaS environments

Access reviews only work when the organisation can see the application, the user, the entitlement, and the business owner in the same record. In SaaS-heavy environments, lifecycle events such as joiner, mover, and leaver changes often lag behind app-specific permissions, which leaves stale access in place long after employment or role changes. The result is not just privilege creep. It is a weak audit trail that makes remediation slow and inconsistent.

Practical implication: tie SaaS reviews to joiner-mover-leaver events and app ownership, not to calendar-only recertification.

Over-privileged users and audit failure modes

Over-privileged users are a control failure because the entitlement model is broader than the business need. In SaaS platforms, this often happens when admins are granted broad rights for speed, then those rights remain in place because no one has the telemetry to challenge them. Audit problems follow naturally: if you cannot show why access was granted, when it was last used, and who approved it, compliance becomes a documentation exercise rather than a control exercise.

Practical implication: enforce role scoping, usage evidence, and owner attestation for every privileged SaaS entitlement.


Threat narrative

Attacker objective: The objective is to exploit weak SaaS governance to preserve unauthorised access long enough to expose data, evade review, or bypass control evidence.

  1. Entry begins with shadow SaaS adoption, unmanaged OAuth connections, or excessive admin access that sits outside core governance workflows.
  2. Escalation follows when identities, entitlements, and app-level permissions are not reconciled, allowing over-privileged users or stale accounts to persist.
  3. Impact arrives as audit failure, data exposure, or operational disruption because the organisation cannot prove or enforce least privilege across the SaaS estate.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity visibility is now the control plane, not a reporting layer. When SaaS discovery, access data, and lifecycle state are split across tools, governance becomes reactive instead of authoritative. That is why SaaS management is increasingly part of identity architecture rather than adjacent IT administration. Practitioners should treat entitlement visibility as a prerequisite for every downstream control.

Access review processes fail when the application owner and the entitlement owner are different people. SaaS environments often separate operational administration from business accountability, which makes recertification ceremonial unless ownership is explicit. The failure is not the absence of review. The failure is the inability to produce a trustworthy decision basis. Practitioners should align reviews to app ownership and actual usage evidence.

Over-privileged SaaS accounts are a lifecycle problem disguised as a permissions problem. Broad roles remain in place because offboarding, role change, and access reduction are slower than app adoption. That creates privilege creep across both human and machine access paths. Practitioners should recognise that the remedy starts with lifecycle discipline, not only with better permissions models.

Unified SaaS management is best understood as identity governance for a distributed application layer. The category is maturing because enterprise identity no longer ends at the directory. SaaS permissions, delegated access, and usage telemetry now shape auditability and security outcomes as much as core IAM systems do. Practitioners should evaluate SaaS management through governance outcomes, not just inventory coverage.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
  • For broader lifecycle context, see NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding reduce identity exposure.

What this signals

Identity sprawl is becoming an operating condition, not an edge case. As SaaS adoption grows, the control question shifts from whether teams can discover applications to whether they can continuously prove who has access and why. The programme implication is simple: if identity data is not authoritative, every downstream governance process inherits that weakness.

The next maturity step is not more inventory alone. Teams need review workflows that join application ownership, access evidence, and offboarding state so recertification becomes a real decision process rather than a calendar event.

With 72% of organisations already reporting or suspecting NHI breaches in our research, the governance lesson extends beyond SaaS into service accounts, tokens, and delegated access paths. The boundary between application sprawl and identity sprawl is already gone.


For practitioners

  • Map every SaaS application to a named owner and access policy: require a business owner, technical owner, and review cadence for each high-value application so entitlement decisions can be challenged and remediated.
  • Reconcile SaaS entitlements against HR and directory events: link joiner, mover, and leaver workflows to SaaS access so role changes and terminations trigger entitlement checks instead of waiting for a periodic review.
  • Separate admin convenience from standing privilege: inventory all privileged SaaS accounts, reduce broad roles, and require documented justification for any persistent administrative access.
  • Use usage evidence in every access decision: combine last-login, last-action, and entitlement data so reviewers can see whether access is actually exercised before they recertify it.
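As an added illustration of the ownership, lifecycle and usage-evidence checks described in the technical breakdown and in the practitioner list above (example code written for this page, not Zluri's or any vendor's implementation), the following Python reconciles a constructed SaaS entitlement export against HR state and emits a decision per finding. All user names, app names, roles and the 90-day staleness threshold are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample HR/directory state; field names are assumptions, not a vendor schema.
HR = {
    "alice": {"status": "active", "role": "finance-analyst"},
    "bob": {"status": "terminated", "role": "sales-engineer"},
    "carol": {"status": "active", "role": "support-lead"},
}
@dataclass
class Entitlement:
    app: str
    user: str
    role: str                  # app-native role
    granted_for: str           # HR role the grant was approved for
    owner: str | None          # business owner accountable for the grant
    justification: str | None  # documented reason for privileged access
    last_used: date | None     # last-login / last-action evidence

PRIVILEGED = {"admin", "owner"}
STALE_AFTER = timedelta(days=90)

def review(entitlements, hr, today):
    """Return (app, user, action, reason) decisions for one recertification run."""
    decisions = []
    for e in entitlements:
        person = hr.get(e.user)
        if person is None or person["status"] != "active":
            decisions.append((e.app, e.user, "revoke", "leaver or unknown to HR"))
            continue  # a leaver needs no further review
        if person["role"] != e.granted_for:
            decisions.append((e.app, e.user, "re-approve", "mover: HR role changed"))
        if e.last_used is None or today - e.last_used > STALE_AFTER:
            decisions.append((e.app, e.user, "challenge", "no usage evidence in 90 days"))
        if e.role in PRIVILEGED and not (e.owner and e.justification):
            decisions.append((e.app, e.user, "reduce", "privileged grant lacks owner or justification"))
    return decisions

def run_sample(today=date(2025, 11, 27)):
    """Constructed entitlement export: one clean grant, one leaver, one neglected admin."""
    entitlements = [
        Entitlement("ledger-saas", "alice", "admin", "finance-analyst", "cfo",
                    "month-end close", today - timedelta(days=5)),
        Entitlement("crm-saas", "bob", "user", "sales-engineer", "sales-vp",
                    None, today - timedelta(days=2)),
        Entitlement("helpdesk-saas", "carol", "admin", "support-agent", None,
                    None, today - timedelta(days=120)),
    ]
    return review(entitlements, HR, today)
```

Calling run_sample() returns no decision for the fully attested grant, a revoke for the leaver, and three separate decisions (mover, stale, unowned privilege) for the neglected admin account.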

Key takeaways

  • SaaS sprawl is an identity governance problem because access, ownership, and lifecycle state are often fragmented across tools.
  • When reviewers lack a single entitlement record, access reviews, audits, and offboarding all lose precision and produce weaker control evidence.
  • The practical fix is to connect SaaS governance to ownership, lifecycle events, and usage evidence so privilege can be challenged and removed on time.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01 | SaaS governance depends on knowing who has access and why across distributed apps.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Least-privilege and continuous verification apply directly to SaaS access sprawl.
OWASP Non-Human Identity Top 10 | NHI-03 | Over-privileged accounts and weak lifecycle control are classic non-human identity risks.

Use zero trust principles to reduce standing SaaS privilege and require ongoing access validation.


Key terms

  • SaaS Governance: The set of policies and controls used to manage access, ownership, compliance, and lifecycle state across software-as-a-service applications. In practice, it links application inventory, entitlement review, and offboarding so the organisation can prove who has access and why.
  • Standing Privilege: Persistent access that remains in place after the original need has passed. In SaaS environments, standing privilege increases audit risk and expands the impact of account misuse because the entitlement is not time-bound to a specific task or change event.
  • Shadow Application: A software service used inside the organisation without full governance visibility, approval, or monitoring. Shadow applications matter because they create identity and access paths that bypass normal review, making entitlement sprawl harder to detect and remediate.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by Zluri: Gartner recognition for SaaS Management Platforms and its identity governance implications. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org