TL;DR: Google Workspace license waste, duplicate SaaS apps, abandoned subscriptions, and auto-renewal drift increase cost and create compliance risk when ownership and offboarding are weak, according to Zluri. The governance issue is broader than spend control: unowned software and stale access patterns blur identity accountability across human and non-human identity programmes.
At a glance
What this is: This is an operational guide on optimising Google Workspace and wider SaaS licenses by removing redundancy, rightsizing usage, terminating abandoned apps, and tightening renewals.
Why it matters: It matters because SaaS license sprawl is also identity sprawl, and the same ownership gaps that waste budget can leave accounts, app access, and offboarding controls exposed across IAM and NHI programmes.
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
👉 Read Zluri's guide on optimising Google Workspace licenses and SaaS sprawl
Context
Google Workspace license optimisation is really a governance exercise: organisations are trying to match entitlement, usage, and ownership so they are not paying for dormant access or unmanaged software. In practice, that same discipline sits next to IAM and lifecycle management, because the problem is not just spend leakage but incomplete control over who or what still has access.
When SaaS apps are bought outside central oversight, the environment accumulates duplicate tools, forgotten subscriptions, and orphaned access paths. That creates a familiar identity pattern for security and IGA teams: access exists without a current business owner, renewal happens without a meaningful review, and offboarding does not fully close the loop. The article’s value is in showing how licensing hygiene and identity governance intersect.
For teams looking at this through an NHI lens, the lesson is that lifecycle governance does not stop at human users. Service accounts, integrations, and workload connections are often treated as infrastructure details, yet the same accountability gaps appear when access is left active after the business need has changed.
Key questions
Q: How should security teams govern SaaS licenses as part of identity management?
A: Security teams should treat SaaS licensing as a lifecycle issue, not a pure finance task. Every application should have a named owner, a usage signal, and an offboarding path so renewal decisions can be tied to actual access need. That approach helps remove dormant subscriptions, expose orphaned entitlements, and keep identity records aligned with real business use.
Q: Why do abandoned SaaS apps create security risk?
A: Abandoned apps create risk because access, data, and renewal obligations can outlive the original business purpose. If no one terminates the app, linked accounts or integrations may remain reachable, and the organisation loses visibility into who can still use it. The result is residual access that behaves like an unmanaged identity.
Q: What breaks when renewal decisions are made without usage data?
A: Renewals made without usage data usually preserve waste and hide entitlement drift. Teams keep paying for higher tiers or inactive software because no one can prove whether the access still supports a live business need. Over time, that weakens both budget control and lifecycle governance because stale access becomes normalised.
Q: Who should own the termination of SaaS access and subscriptions?
A: Ownership should sit with the application owner, but it must be enforced through the offboarding process, not informal handoffs. Finance, IT, and security each see part of the problem, yet no single team can safely close the loop without a recorded owner and a verified termination step.
Technical breakdown
Why SaaS sprawl becomes an identity governance problem
SaaS sprawl is not only a procurement issue. Each duplicate app, parallel subscription, or shadow purchase creates another place where entitlement, ownership, and usage can drift apart. In identity terms, that means a control can exist on paper without a clear lifecycle owner to validate whether access is still needed. For IAM and IGA teams, this is where license management and access governance converge: renewals, recertification, and offboarding all depend on accurate ownership and clean inventory data.
Practical implication: connect app discovery to identity ownership so unused access is removed before the next renewal cycle.
How license right-sizing works in practice
Right-sizing compares purchased entitlement to actual use so organisations can move from forecast-based buying to evidence-based allocation. The control issue is not merely overbuying, but buying at a tier that no longer matches real business need. In mature programmes, usage telemetry informs tier selection, recertification, and budget planning together. That makes the process a lifecycle control, not a finance-only exercise, because rightsizing should be tied to account ownership, business justification, and renewal approval.
Practical implication: use usage data and ownership review together before renewal decisions are approved.
Why abandoned apps and auto-renewals create hidden access risk
An abandoned app often persists because no one owns the termination step. Auto-renewals make that worse by converting one missed action into another period of unused access, with the added risk that data, tokens, or linked accounts remain active beyond the intended business need. This is the same lifecycle failure that affects service accounts and API keys: access outlives accountability. If offboarding is not enforced, the organisation keeps paying for, and potentially exposing, access that no longer has a legitimate purpose.
Practical implication: tie app termination to offboarding and renewal controls so stale access cannot persist by default.
NHI Mgmt Group analysis
License sprawl is an identity problem before it is a cost problem. The article focuses on wasted spend, but the deeper issue is that duplicate apps and unused licenses often indicate broken entitlement ownership. Once a SaaS estate is large enough, the security risk is not just that the organisation overpays, but that no one can reliably answer who still has access, why, or under whose authority. That is an IGA failure mode as much as a procurement one, and it should be treated as such.
Abandoned subscriptions are orphaned identities in disguise. When users leave and applications are not terminated, the residual risk is not limited to unused software. The same account, token, or integration may remain reachable even after the business relationship has ended, which is why offboarding must be measured by closure, not by notification. Lifecycle governance fails when termination depends on human memory rather than enforced process.
Google Workspace is a useful lens for the broader SaaS governance gap. The article shows that app discovery, ownership tracking, renewal calendars, and downgrade decisions all depend on the same underlying dataset: accurate identity and entitlement records. Without that record, security, finance, and operations all act on partial truth. Practitioners should read this as evidence that SaaS optimisation is a control plane for identity hygiene, not a separate administrative task.
Identity blast radius grows when commercial and access decisions are separated. If renewals, plan changes, and offboarding sit in different workflows, stale access can survive even when usage has dropped to zero. That creates a wider blast radius across auditability, privilege visibility, and vendor exposure. The practical conclusion is that lifecycle control has to span procurement, IAM, and application ownership together.
From our research:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why entitlement inventory and ownership mapping remain foundational controls.
- That visibility gap is why teams should also review the NHI Lifecycle Management Guide when their SaaS estate includes integrations, service accounts, and offboarding dependencies.
What this signals
License optimisation will keep converging with lifecycle governance. As SaaS estates expand, teams will need one operational view that covers ownership, usage, renewal, and termination rather than separate processes for each. The organisations that do this well will reduce both cost waste and access drift, while those that do not will keep discovering the same problem through audits and renewals.
Residual access is becoming the real hidden cost of SaaS sprawl. The finance impact is easy to see, but the more durable risk is that stale subscriptions often correspond to stale identities, stale integrations, or undocumented access paths. That makes renewal governance a control point for IAM and NHI hygiene, not just a budgeting checkpoint.
If your programme already tracks software usage, the next step is to connect that telemetry to privileged access reviews and offboarding workflows. The goal is to make sure every renewal reflects a current business need and every termination actually removes the access that no longer should exist.
For practitioners
- Link SaaS discovery to access ownership: build a single inventory that ties each application to a named owner, an alternate owner, and the identities (human and non-human) that can still reach it. Review that inventory before each renewal so dormant apps and stale entitlements are removed rather than carried forward.
- Use usage telemetry to drive rightsizing: compare active usage against the purchased tier by department, not just company-wide, and downgrade when the higher tier is no longer justified. Require a recorded business justification for exceptions so tier selection stays tied to real need.
- Make offboarding close the loop: require termination checks for user accounts, integrations, and linked accounts (service accounts, OAuth grants, API keys) in every offboarding workflow. If an application cannot show that its access has been closed and its renewal status decided, keep it open only under an explicit, recorded exception.
- Review auto-renewals as access decisions: treat the renewal calendar as a governance control, not a reminder. Approve a renewal only after verifying current usage, business owner approval, and which downstream accounts or tokens would otherwise continue to exist.
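The four steps above, and the three "practical implication" lines in the technical breakdown, amount to one pre-renewal check: join app discovery to ownership, compare active use to purchased seats by department, list what a leaver's offboarding must close, and turn an upcoming auto-renewal into a block, downgrade or approve decision. The script below is an added example written for this page; it is not code from Zluri's guide or from NHIMG. It runs over constructed inventory, access, usage and leaver records rather than a live Google Workspace tenant, and every application, identity, tier, price and date in it is made up; the 90-day inactivity window and 60-day renewal horizon are assumed thresholds, not values from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample data for this example; none of it comes from the article or a real tenant.
TODAY = date(2025, 6, 26)


def days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)


@dataclass(frozen=True)
class App:
    name: str
    owner: Optional[str]         # named business owner; None means nobody is recorded
    alt_owner: Optional[str]
    tier: str
    seats_purchased: int
    seat_cost_month: float
    renewal_date: date
    auto_renew: bool


@dataclass(frozen=True)
class Access:
    app: str
    identity: str                # user email, service account, or OAuth client id
    kind: str                    # "user" | "service_account" | "oauth_token"
    responsible: str             # human accountable for this identity (the user itself for humans)
    department: str
    last_active: Optional[date]  # None means never seen in usage telemetry


APPS = [
    App("Google Workspace", "cfo@example.com", "it-lead@example.com", "Business Plus", 10, 18.0, date(2025, 8, 1), True),
    App("DesignTool", "alice@example.com", None, "Pro", 25, 12.0, date(2025, 7, 15), True),
    App("LegacyCRM", None, None, "Enterprise", 10, 50.0, date(2025, 7, 5), True),  # shadow purchase, no owner recorded
]

ACCESS = [
    Access("Google Workspace", "alice@example.com", "user", "alice@example.com", "design", days_ago(1)),
    Access("Google Workspace", "bob@example.com", "user", "bob@example.com", "sales", days_ago(3)),  # leaver, still signing in
    Access("Google Workspace", "carol@example.com", "user", "carol@example.com", "sales", days_ago(200)),
    Access("Google Workspace", "dave@example.com", "user", "dave@example.com", "finance", days_ago(10)),
    Access("Google Workspace", "svc-backup@example.com", "service_account", "it-lead@example.com", "it", days_ago(1)),
    Access("DesignTool", "alice@example.com", "user", "alice@example.com", "design", days_ago(2)),
    Access("DesignTool", "erin@example.com", "user", "erin@example.com", "design", None),
    Access("LegacyCRM", "svc-crm-sync", "service_account", "bob@example.com", "sales", days_ago(120)),
    Access("LegacyCRM", "oauth-client-7f3a", "oauth_token", "bob@example.com", "sales", None),
]

LEAVERS = {"bob@example.com"}  # offboarded per HR, but nothing downstream has been closed yet


def is_active(a: Access, today: date, inactive_days: int) -> bool:
    return a.last_active is not None and (today - a.last_active).days <= inactive_days


def owner_status(app: App, leavers: set) -> str:
    """'ok' if a current owner is recorded, 'owner_left' if every recorded owner has left, else 'missing'."""
    owners = [o for o in (app.owner, app.alt_owner) if o]
    if not owners:
        return "missing"
    return "ok" if any(o not in leavers for o in owners) else "owner_left"


def review_app(app: App, access, leavers, today=TODAY, inactive_days=90, horizon_days=60) -> dict:
    """Join ownership, usage and renewal data for one app and return the renewal decision."""
    holders = [a for a in access if a.app == app.name]
    orphaned = sorted(a.identity for a in holders if a.responsible in leavers)
    inactive = sorted(a.identity for a in holders if not is_active(a, today, inactive_days))
    active_users = sorted(a.identity for a in holders
                          if a.kind == "user" and a.responsible not in leavers
                          and is_active(a, today, inactive_days))
    # Dormant: no identity with a current accountable human has used the app inside the window.
    dormant = not any(a.responsible not in leavers and is_active(a, today, inactive_days) for a in holders)
    by_department = {}
    for a in holders:
        if a.kind != "user":
            continue  # non-human identities do not consume seats in this model
        bucket = by_department.setdefault(a.department, {"active": 0, "removable": 0})
        bucket["active" if a.identity in active_users else "removable"] += 1
    recoverable = max(app.seats_purchased - len(active_users), 0)
    status = owner_status(app, leavers)
    if (app.renewal_date - today).days > horizon_days:
        action = "NOT_DUE"
    elif status != "ok" or dormant:
        action = "BLOCK_AUTO_RENEW" if app.auto_renew else "DO_NOT_RENEW"
    elif recoverable > 0:
        action = "DOWNGRADE_BEFORE_RENEWAL"
    else:
        action = "APPROVE_WITH_OWNER_SIGNOFF"
    return {
        "app": app.name, "owner_status": status, "orphaned": orphaned, "inactive": inactive,
        "active_users": active_users, "by_department": by_department, "dormant": dormant,
        "recoverable_seats": recoverable, "recoverable_cost_month": recoverable * app.seat_cost_month,
        "renewal_action": action,
    }


def offboarding_checklist(leaver: str, access) -> list:
    """Everything a leaver's offboarding must close: their own accounts plus the NHIs they were accountable for."""
    return sorted((a.app, a.identity, a.kind) for a in access if a.responsible == leaver)


if __name__ == "__main__":
    for app in APPS:
        r = review_app(app, ACCESS, LEAVERS)
        print(f"{r['app']}: owner={r['owner_status']} action={r['renewal_action']} "
              f"orphaned={r['orphaned']} recoverable_seats={r['recoverable_seats']}")
    print("offboarding bob@example.com:", offboarding_checklist("bob@example.com", ACCESS))
```

Two design points carry the article's argument. Seat counts exclude leavers even when they are still signing in, so the rightsizing number reflects access that should exist rather than access that happens to exist; and the offboarding checklist is keyed on the accountable human, not the identity, which is what surfaces a service account and an OAuth client that would otherwise survive the departure of the person who created them. In a real tenant the `last_active` values would come from the platform's usage reports and the leaver set from HR, with the same logic unchanged.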
Key takeaways
- SaaS license waste is also a governance signal because unused subscriptions often reveal weak ownership and incomplete lifecycle control.
- License rightsizing works best when usage data, owner approval, and renewal decisions are handled together rather than in separate processes.
- Offboarding should close subscriptions, linked accounts, and renewal paths, or the organisation keeps paying for access that no longer has a purpose.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (access permissions and entitlements are managed, enforced, and reviewed under least privilege) | Entitlement drift appears when SaaS licenses, and the access behind them, outlive business need. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust (per-session, least-privilege access decisions) | Continuous verification of access need fits SaaS renewal and offboarding control. |
| OWASP Non-Human Identity Top 10 | NHI1 Improper Offboarding | Lifecycle gaps for app accounts and integrations mirror NHI governance failures. |
Apply NHI lifecycle controls so application accounts are terminated when business use ends.
Key terms
- SaaS Sprawl: The growth of overlapping software subscriptions and tools across departments without central ownership. In identity terms, sprawl increases the number of places where access, renewal, and termination can drift out of sync with business need, making governance harder to enforce consistently.
- License Rightsizing: The process of matching purchased software entitlement to real usage so organisations avoid overprovisioning. In mature identity programmes, rightsizing is tied to ownership review, access need, and renewal approval so budget decisions do not preserve dormant access by default.
- App Offboarding: The controlled process of closing an application relationship, including access removal, subscription termination, and data handoff. It is more than disabling a user account because integrations, tokens, and vendor renewals can continue to create exposure if they are not explicitly ended.
- Identity Inventory: A current record of who and what has access to applications, systems, and services. For SaaS governance, it should include human users, service accounts, and linked integrations so lifecycle decisions can be made from a complete view rather than from partial records.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: SaaS Management How to Optimize your Google Workspace Licenses. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org