TL;DR: SaaS management platforms mainly track application usage and spend, while identity governance platforms enforce access controls, automate deprovisioning, and keep audit records clean, according to ConductorOne. As SaaS pricing shifts toward usage and compute models, access governance, not license visibility, becomes the control that matters across human, non-human, and agentic identities.
At a glance
What this is: This is an analysis of why identity governance and SaaS management solve different problems, with the key finding that spend visibility is not a substitute for access control.
Why it matters: It matters because IAM, NHI, and autonomous governance teams need to separate procurement visibility from security enforcement before confusing dashboards with controls.
Context
Identity governance vs. SaaS management is a control problem, not a tooling preference. The article argues that one category helps organisations see app usage and cost, while the other enforces access policy, deprovisions accounts, and creates auditable entitlement records. For identity teams, the distinction matters because visibility without enforcement leaves excess access intact.
The broader issue is that buyers often treat dashboards as governance. That confusion is becoming more expensive as SaaS pricing shifts away from per-user licensing and toward usage-based or compute-based models, which reduces the value of cost-saving reports while increasing the need for actual access governance across human, non-human, and agentic identities.
Key questions
Q: How should teams decide between SaaS management and identity governance tools?
A: Choose SaaS management when the main problem is app inventory, usage, or cost. Choose identity governance when the problem is who can access what, whether access is still justified, and how quickly it can be removed. The two tools can complement each other, but only identity governance changes access state and supports audit-grade enforcement.
Q: Why do SaaS dashboards fail as a substitute for identity governance?
A: Because dashboards describe activity, but they do not enforce policy. They can show that access exists or that an app is underused, yet they cannot revoke entitlements, automate offboarding, or prevent excessive privilege. That makes them useful for visibility and budgeting, but insufficient for controlling security risk.
Q: What do security teams get wrong about SaaS spend visibility?
A: They often mistake visibility for control. Spend data can help find waste, but it does not prove access is appropriate or current. A team can reduce license cost and still leave orphaned accounts, unused privileged roles, or stale service access in place.
Q: How should organisations govern non-human identities if SaaS pricing changes?
A: They should stop tying governance maturity to per-user licence models and focus on entitlement lifecycle, access review, and revocation for every identity type. Service accounts, API keys, and AI agents still require policy enforcement even when billing is based on compute or usage rather than seats.
Technical breakdown
SaaS management platforms and application usage visibility
SaaS management platforms are built to discover applications, monitor usage, and surface spend patterns. They can tell teams which users are active, which apps are underused, and where license waste may exist. But that telemetry is descriptive, not controlling. It does not change entitlement state, enforce least privilege, or revoke access when a person, service account, or agent no longer needs it. In security terms, it is inventory and optimisation data, not governance enforcement.
Practical implication: Use SaaS management data for portfolio and finance decisions, but do not treat it as an access control layer.
Identity governance and access enforcement
Identity governance platforms sit on the control side of the line. They manage entitlements, automate deprovisioning, and maintain a clean record of who has access to what and why. That makes them materially different from tools that only observe activity. In practical terms, governance is about authorisation state, lifecycle changes, and evidence for audit, not just app discovery. The same distinction applies whether the subject is a human employee, an API key, or an AI agent account.
Practical implication: Anchor governance design on entitlement lifecycle, not on reporting alone.
Usage-based SaaS pricing and identity model drift
As software vendors move from per-user pricing to compute-based and usage-based models, licence optimisation becomes less predictive of security value. That shift weakens a common shortcut in identity programmes, where cost reports are mistaken for governance maturity. The identity problem remains, but the economic signal changes. Security teams still need control over who or what can access data and tools, even when seat count is no longer the main billing unit.
Practical implication: Recalibrate identity metrics so they measure access risk and lifecycle control, not only seat savings.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity governance and SaaS management are not adjacent categories; they solve different failure modes. SaaS management answers questions about application usage, spend, and portfolio hygiene. Identity governance answers whether access is appropriate, enforceable, and revocable. Conflating the two turns security into reporting, which leaves excessive privilege, orphaned access, and weak auditability untouched. Practitioners should treat this as a category boundary, not a packaging debate.
Spend visibility is a symptom, not a control. The market likes dashboards because they are easy to consume and easy to sell, but a dashboard does not remove entitlement risk. If a platform can show that a user has not used an app, that is not the same as proving the user should no longer have access. The operational implication is clear: finance signals and security controls must stay separate.
Per-user license savings are becoming a weaker proxy for security value. As SaaS pricing shifts toward usage-based and compute-based models, the old identity story loses force. A programme optimised around seat reduction can miss the real issue, which is whether access exists at all and whether it is still valid. Practitioners should stop using billing mechanics as a substitute for governance design.
Identity blast radius: the true measure of governance maturity is how quickly access can be reduced when role, app, or workload context changes. That concept matters because the article's central claim is not about software procurement, but about how fast an identity programme can respond when access becomes excessive or stale. The practical conclusion is that identity teams should evaluate tools by their ability to shrink exposure, not by their reporting polish.
The future identity stack must govern human, non-human, and agentic access on the same control plane. The article is right to point toward mixed identity populations, even if its immediate comparison is SaaS management versus governance. As organisations adopt more machine and agent identities, the distinction between visibility and enforcement becomes more consequential. Practitioners should design for lifecycle control across all actor types, not just employees.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why visibility metrics alone rarely indicate real governance maturity.
- For a broader control baseline, see NHI Lifecycle Management Guide for the provisioning, rotation, and offboarding discipline that SaaS dashboards cannot replace.
What this signals
Identity blast radius: programmes that optimise around app visibility rather than entitlement reduction will keep carrying stale access forward, especially as SaaS vendors move away from per-seat pricing and the commercial signal becomes less useful as a security proxy.
Security leaders should expect more mixed identity estates, not fewer. Human users, service accounts, API keys, and AI agents will all sit inside the same access fabric, which makes lifecycle governance and revocation speed more important than spend dashboards.
The control question is shifting from how many apps a team can see to how quickly it can prove access is no longer justified. That is where the overlap with the Top 10 NHI Issues and the NIST Cybersecurity Framework 2.0 becomes operational, not theoretical.
For practitioners
- Separate reporting from enforcement: Use SaaS management outputs for app inventory, usage, and spend analysis, but keep entitlement approval, revocation, and certification in the identity governance workflow.
- Map every access signal to a control owner: For each visibility metric, identify who can actually change access state, who reviews it, and which system records the decision for audit.
- Re-evaluate licence optimisation metrics: Replace seat-saving reports with measures of stale access, orphaned accounts, and time to revoke access after role or relationship change.
- Extend governance to non-human identities: Apply the same lifecycle logic to service accounts, API keys, and AI agent identities so access decisions do not depend on billing model assumptions.
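The four steps above, and the "Practical implication" in the technical breakdown to measure access risk and lifecycle control rather than seat savings, can be made concrete in code. The script below is an added example written for this post, not ConductorOne's or NHIMG's code: it takes the kind of usage telemetry a SaaS management platform reports (who last used which app) and turns it into the three governance measures the text asks for (orphaned access, stale access, and time to revoke after termination), then routes each finding to the control owner who can actually change access state. The identities, entitlements, evaluation date, and 90-day staleness window are all constructed for illustration.

```python
# Added example: governance metrics that a SaaS usage dashboard cannot produce on
# its own. Not ConductorOne's or NHIMG's code; the identities, entitlements, the
# evaluation date and the 90-day staleness window are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Identity:
    id: str
    kind: str                 # "human", "service_account", "api_key" or "agent"
    owner: str                # control owner who can change this identity's access state
    active: bool
    terminated_on: Optional[date] = None   # set when the identity's relationship ended


@dataclass(frozen=True)
class Entitlement:
    identity_id: str
    app: str
    role: str
    granted_on: date
    last_used: Optional[date]          # usage telemetry as a SaaS management tool reports it
    revoked_on: Optional[date] = None  # written by the governance workflow, not the dashboard


AS_OF = date(2025, 6, 17)          # evaluation date (constructed)
STALE_AFTER = timedelta(days=90)   # staleness window (constructed policy value)

# Constructed inventory: a mixed estate of human, workload and agent identities.
IDENTITIES = [
    Identity("alice", "human", "iam-team", True),
    Identity("bob", "human", "iam-team", False, terminated_on=date(2025, 5, 1)),
    Identity("svc-billing", "service_account", "platform-team", True),
    Identity("agent-support", "agent", "ai-platform", True),
]
# Constructed entitlement records; "carol" is deliberately absent from the inventory.
ENTITLEMENTS = [
    Entitlement("alice", "crm", "admin", date(2024, 1, 10), date(2025, 6, 10)),
    Entitlement("alice", "analytics", "viewer", date(2024, 2, 1), date(2025, 1, 15)),
    Entitlement("bob", "crm", "editor", date(2023, 9, 4), date(2025, 4, 28), revoked_on=date(2025, 5, 15)),
    Entitlement("bob", "analytics", "viewer", date(2024, 3, 12), date(2025, 4, 20)),
    Entitlement("carol", "crm", "viewer", date(2024, 11, 2), date(2025, 6, 1)),
    Entitlement("svc-billing", "billing", "api", date(2024, 6, 1), date(2025, 6, 16)),
    Entitlement("agent-support", "crm", "editor", date(2025, 1, 5), None),
]

Key = Tuple[str, str]   # (identity_id, app)


def _index(identities: List[Identity]) -> Dict[str, Identity]:
    return {i.id: i for i in identities}


def orphaned(entitlements: List[Entitlement], identities: List[Identity]) -> Set[Key]:
    """Live entitlements whose identity is unknown to the inventory or no longer active."""
    idx = _index(identities)
    return {(e.identity_id, e.app) for e in entitlements
            if e.revoked_on is None and (e.identity_id not in idx or not idx[e.identity_id].active)}


def stale(entitlements: List[Entitlement], identities: List[Identity],
          as_of: date = AS_OF, window: timedelta = STALE_AFTER) -> Set[Key]:
    """Live entitlements of active identities not exercised within the window.
    A never-used grant counts as stale once the grant itself is older than the window."""
    idx = _index(identities)
    out: Set[Key] = set()
    for e in entitlements:
        ident = idx.get(e.identity_id)
        if e.revoked_on is not None or ident is None or not ident.active:
            continue   # revoked or orphaned entitlements are handled elsewhere
        reference = e.last_used if e.last_used is not None else e.granted_on
        if as_of - reference > window:
            out.add((e.identity_id, e.app))
    return out


def time_to_revoke(entitlements: List[Entitlement], identities: List[Identity],
                   as_of: date = AS_OF) -> Dict[Key, Tuple[int, bool]]:
    """Days from termination to revocation for each entitlement of a terminated identity.
    The boolean is True when revocation has happened; open items keep counting up to as_of."""
    idx = _index(identities)
    out: Dict[Key, Tuple[int, bool]] = {}
    for e in entitlements:
        ident = idx.get(e.identity_id)
        if ident is None or ident.terminated_on is None:
            continue
        end = e.revoked_on if e.revoked_on is not None else as_of
        out[(e.identity_id, e.app)] = ((end - ident.terminated_on).days, e.revoked_on is not None)
    return out


def revocation_plan(entitlements: List[Entitlement], identities: List[Identity]) -> List[Dict[str, str]]:
    """Route each finding to the owner who can change access state. Findings with no
    known owner are surfaced as UNASSIGNED rather than silently dropped."""
    idx = _index(identities)
    plan: List[Dict[str, str]] = []
    for ident_id, app in sorted(orphaned(entitlements, identities)):
        ident = idx.get(ident_id)
        plan.append({"identity": ident_id, "app": app, "reason": "orphaned",
                     "owner": ident.owner if ident else "UNASSIGNED"})
    for ident_id, app in sorted(stale(entitlements, identities)):
        plan.append({"identity": ident_id, "app": app, "reason": "stale",
                     "owner": idx[ident_id].owner})
    return plan


if __name__ == "__main__":
    for action in revocation_plan(ENTITLEMENTS, IDENTITIES):
        print(action)
    print(time_to_revoke(ENTITLEMENTS, IDENTITIES))
```

Two design points carry the article's argument. First, `stale` and `orphaned` are disjoint on purpose: an entitlement left on a terminated identity is a lifecycle failure to route to the owner and time, not an "underused app" to fold into a licence-savings number. Second, `time_to_revoke` keeps counting for open items, so the metric reports blast radius as it is today rather than only for the cases that were already cleaned up, and an entitlement with no owner (the constructed "carol" record) surfaces as UNASSIGNED, which is exactly the gap the "map every access signal to a control owner" step is meant to close.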
Key takeaways
- SaaS management and identity governance are complementary only when teams keep visibility and enforcement separate.
- Cost and usage reporting can reveal waste, but they do not remove entitlement risk, orphaned access, or audit gaps.
- As pricing models change, IAM teams should measure access control outcomes across human and non-human identities, not just licence savings.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Governance must control NHI lifecycle, not just observe usage. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions management is the governance line SaaS tools do not cross. |
| NIST Zero Trust (SP 800-207) | AC-3 | Zero Trust requires continuous access decisions, not passive visibility. |
Use continuous authorisation checks to ensure access remains justified across identities.
Key terms
- Identity Governance: Identity governance is the discipline of deciding who or what should have access, approving that access, and removing it when it is no longer needed. It covers policy enforcement, entitlement review, deprovisioning, and audit evidence across human, non-human, and autonomous identities.
- SaaS Management Platform: A SaaS management platform is a visibility and optimisation layer for cloud software use. It helps teams discover applications, track utilisation, and understand spend patterns, but it does not by itself enforce access policy, revoke permissions, or manage identity lifecycle state.
- Identity Blast Radius: Identity blast radius is the amount of exposure left behind when access is broader or longer-lived than it should be. In practice, it measures how much risk remains after a role changes, an account goes stale, or an identity is no longer justified.
- Non-Human Identity: A non-human identity is any machine-assigned identity used by software, infrastructure, or automation, including service accounts, API keys, tokens, certificates, and workload identities. These identities need lifecycle governance because they can persist, spread, and be abused even when no person is actively logged in.
Deepen your knowledge
Identity governance, lifecycle control, and NHI access discipline are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme that must cover humans, workloads, and agents, it is worth exploring.
This post draws on content published by ConductorOne: Identity Governance vs. SaaS Management Solutions. Read the original.
Published by the NHIMG editorial team on 2025-06-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org