TL;DR: IT risk management software can centralise risk registers, automate monitoring, and surface SaaS and access risk, but the practical problem is that many tools still treat identity exposure as a reporting issue rather than a governance boundary, according to Zluri. That gap matters because NHI, human access, and delegated app permissions all expand the same attack surface.
At a glance
What this is: This is a vendor blog roundup on IT risk management software, with the main finding that identity-linked SaaS risk is central to how organisations assess exposure.
Why it matters: It matters because IAM teams need to understand where risk platforms help with visibility and where they stop short of governing non-human identities, delegated access, and privilege sprawl.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities , 46% confirmed, 26% suspected.
👉 Read Zluri's guide to IT risk management software for SaaS and identity exposure
Context
IT risk management software is a control and reporting layer for identifying, scoring, and tracking business and technology risk. In practice, the article is really about how organisations try to consolidate risk signals across SaaS, access, and compliance data while keeping pace with a growing identity surface.
For IAM teams, the important question is not whether a risk dashboard exists but whether it can surface the identity mechanics that create exposure: over-privileged app access, weak monitoring, and unmanaged non-human identities. That distinction matters because many programmes still separate risk, IAM, and SaaS governance when the attack surface does not.
Zluri frames the category around discovery, alerts, risk scoring, and compliance insight. That is a typical starting point for organisations trying to move from spreadsheet-based oversight to a more operational model of IT risk management.
Key questions
Q: How should security teams manage SaaS risk when applications are tied to identity and access data?
A: Security teams should treat each SaaS application as an identity surface, not just a business tool. That means mapping who can act through the app, what data it can reach, and whether its permissions are owned, reviewed, and revocable. Discovery and scoring help, but governance begins when access decisions are tied to named accountable owners.
Q: Why do non-human identities complicate IT risk management?
A: NHIs complicate IT risk management because they create access paths that often sit outside traditional user governance. Service accounts, tokens, and OAuth grants can persist, overreach, or be forgotten, which makes them difficult to recertify through human-centric processes. Risk teams need identity-aware visibility, or they will miss the real control boundary.
Q: What breaks when risk software tracks apps but not the identities behind them?
A: When risk software tracks applications without the identities behind them, teams can rank exposure but not reduce it. The missing layer is ownership of service accounts, delegated permissions, and tokens. Without that layer, the organisation ends up with a cleaner dashboard and the same underlying privilege problem.
Q: How do organisations know whether IT risk scoring is actually improving governance?
A: A useful score should change a decision. If a high-risk rating leads to recertification, access reduction, app removal, or tighter approval rules, the programme is maturing. If nothing changes after the score appears, the tool is measuring risk without governing it.
Technical breakdown
Risk registers and identity-linked exposure
A risk register is only useful when it captures the real control object, not just the business system name. For SaaS-heavy environments, that means risk entries need to reflect access paths, delegated permissions, service accounts, OAuth grants, and the scope of data each app can touch. The article’s emphasis on consolidated risk scoring reflects a common pattern: teams can rank applications, but they still need to translate that ranking into identity-aware ownership and remediation. Without that translation, risk software becomes a reporting layer instead of a governance mechanism.
Practical implication: map each high-risk application to the identity objects and permissions that create the exposure.
Automated monitoring is not the same as access control
Real-time monitoring and alerting can shorten detection time, but they do not change whether an identity is over-privileged in the first place. In risk management software, alerts often identify unusual behaviour, compliance drift, or a change in application risk level. That is useful, but it is downstream of access design. If the underlying permissions are broad, long-lived, or poorly governed, the platform can only warn you after exposure already exists.
Practical implication: pair monitoring with entitlement reduction so alerts do not become the only compensating control.
SaaS discovery, SSO, and third-party visibility
The article points to discovery methods, SSO data, and shared-data analysis as inputs to risk scoring. That is the right technical shape for modern risk tooling because SaaS exposure often sits outside the core network perimeter and inside delegated identity relationships. The hard part is that discovery does not equal governance. You can know an app exists, know that it connects through SSO, and still not know whether the access lifecycle is controlled, reviewed, or revoked when the relationship changes.
Practical implication: use discovery to find shadow access paths, then close the lifecycle gap with ownership and offboarding controls.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity-linked SaaS risk is the real control boundary, not the dashboard. Risk software is useful when it exposes how access is granted, shared, and left to persist across SaaS estates. The article’s focus on discovery methods, threat levels, and risk scores reflects a broader problem: many programmes can list risky apps, but cannot yet govern the identities inside them. The practitioner conclusion is that risk tooling only becomes meaningful when it is tied to identity ownership and entitlement action.
Non-human identity sprawl is the hidden driver behind many IT risk findings. SaaS risk rarely appears as a pure application issue once you inspect the control plane. It is usually a mix of service accounts, OAuth grants, API access, and stale permissions that make the risk durable. That is why the NHI lens matters here: the risk register should capture the identities that can act, not just the systems they touch. The practitioner conclusion is to treat NHIs as first-class risk objects.
Dynamic risk scoring creates value only when it changes governance decisions. A score is not a control. It becomes useful only when it drives recertification, app removal, privilege reduction, or tighter approval thresholds. This is where many IT risk programmes stall, because they measure exposure without forcing ownership. The practitioner conclusion is to connect scoring outputs to a defined action path, or the score will remain informational noise.
Top 10 NHI Issues thinking applies directly to SaaS risk management. The same recurring themes appear here: discovery gaps, weak lifecycle governance, over-privilege, and limited visibility into third-party access. Those are not separate problems. They are the operational form of identity sprawl across business applications. The practitioner conclusion is to use SaaS risk reviews as a trigger to examine whether NHI governance is mature enough to support the tool.
Risk management platforms are becoming identity governance adjacencies. The article shows how categories once described as IT risk are moving closer to IAM and SaaS governance. That shift is useful if teams use the platform to enforce decisions, not just report them. It is less useful when the tool becomes a parallel inventory with no lifecycle authority. The practitioner conclusion is to decide where risk tooling ends and identity governance begins.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Another finding from The 2024 ESG Report: Managing Non-Human Identities shows that 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
- For practitioners, the next question is whether discovery, lifecycle control, and access review are linked, which is why the NHI Lifecycle Management Guide remains the practical next step.
What this signals
Identity risk will continue to move closer to SaaS governance. As organisations add more applications, the gap between discovering risk and governing access becomes the deciding factor. Risk platforms will be useful only where they drive lifecycle action, not where they simply enrich a report.
Delegated access is becoming the hidden control plane. The strongest programmes will stop treating OAuth grants, service accounts, and automation tokens as background plumbing. They will map those identities into recertification, ownership, and offboarding so that risk scoring reflects real control state.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, the immediate signal is clear: teams need better discovery before they can claim stronger governance.
For practitioners
- Inventory identity-bearing SaaS exposures Create a register that links each high-risk application to the users, service accounts, OAuth grants, and API tokens that can act inside it. Prioritise apps that can touch sensitive data or modify files, and assign a named owner for each access path.
- Convert risk scores into entitlement action Define what happens when an application crosses a risk threshold: recertify access, reduce scopes, revoke tokens, or remove the app entirely. Without a forced decision path, the score only informs reporting and does not change exposure.
- Close the discovery-to-offboarding gap Use SaaS discovery to find unmanaged apps and then verify that access is revoked when vendors, teams, or business use cases change. Offboarding should be tied to a lifecycle owner, not left to periodic clean-up.
- Review third-party access through an NHI lens Treat OAuth-connected vendors, integrations, and automation accounts as non-human identities that need ownership, scope review, and periodic revalidation. That prevents third-party access from being mistaken for low-risk convenience.
Key takeaways
- IT risk management software is only effective when it reflects the identities and permissions that create exposure, not just the applications on the shelf.
- Visibility gaps remain a major issue, especially when third-party access and delegated SaaS permissions are not fully mapped.
- The practical test is whether a risk score triggers ownership, recertification, or revocation, because measurement without action does not reduce risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Stale or excessive non-human access is a core exposure in SaaS risk. |
| NIST CSF 2.0 | PR.AC-4 | Risk scoring only helps if access is managed and reviewed. |
| NIST Zero Trust (SP 800-207) | AC-3 | Zero Trust requires continuous evaluation of identity and app access. |
Review NHI credentials and scopes on a fixed cadence, and revoke access that no longer has a business owner.
Key terms
- Risk Register: A risk register is a structured record of identified risks, their likelihood, impact, owners, and response plans. In identity-heavy environments, it should include the identities and access paths that create the risk, not just the business system name, so the register can drive real remediation.
- SaaS Discovery: SaaS discovery is the process of finding cloud applications, integrations, and access paths that may not be visible in the core IT inventory. It is the starting point for identity governance in software-as-a-service estates because unmanaged apps often hide the permissions that matter most.
- Delegated Access: Delegated access is permission granted through an intermediary identity such as an OAuth app, service account, or automation token. It is often more durable than direct user access, which makes ownership, review, and revocation critical when the underlying business relationship changes.
- Identity Surface: The identity surface is the total set of identities, credentials, tokens, and delegated permissions that can act inside an environment. For SaaS and NHI governance, it is the real boundary practitioners must measure because that is where access, privilege, and accountability intersect.
Deepen your knowledge
IT risk management software and identity-linked SaaS exposure are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is trying to connect risk scoring with governance action, this is a relevant place to start.
This post draws on content published by Zluri: Security & Compliance Top 11 IT Risk Management Software in 2026. Read the original.
Published by the NHIMG editorial team on 2026-02-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
