By NHI Mgmt Group Editorial Team | Published 2025-12-24 | Domain: Governance & Risk | Source: Zluri

TL;DR: SaaS sprawl, shadow IT, and license waste obscure identity control, access lifecycle discipline, and measurable security outcomes, according to Zluri’s KPI guide, which frames IT performance around availability, maintenance, compliance, and deployment success. IT metrics only matter when they translate into clearer identity governance and tighter operational accountability.


At a glance

What this is: This is a KPI guide for modern IT teams that highlights how availability, maintenance, compliance, and deployment metrics are used to judge operational performance.

Why it matters: It matters because the same metrics that expose IT efficiency also reveal where identity, access, and software governance are drifting out of control across human, NHI, and lifecycle programmes.



Context

IT KPI programmes often focus on uptime, cost, and deployment speed, but those measures only tell part of the story when software sprawl, shadow IT, and access friction are growing underneath them. In identity terms, the issue is not just whether systems are available, but whether the organisation can see, govern, and retire the access paths attached to those systems.

For IAM, IGA, and PAM teams, this is really a governance question about lifecycle control. When onboarding, offboarding, renewals, and license usage are not measured cleanly, the business can appear operationally healthy while identity risk expands across employees, service accounts, and SaaS access.


Key questions

Q: How should IT teams measure whether SaaS maintenance is actually improving governance?

A: Measure whether maintenance outcomes include access removal, license right-sizing, and application discovery, not just ticket closure. If users and vendors can still access retired systems or unused licenses remain active, maintenance is only reducing surface symptoms. A useful KPI proves that the lifecycle closed as well as the system did.

Q: Why do availability KPIs miss identity risk?

A: Availability tells you whether a system works, not whether access to it is still appropriate. A platform can be highly available while carrying stale users, over-assigned roles, or unmanaged SaaS connections. Identity risk appears in the gap between operational uptime and who still holds access when business need has changed.

Q: What do security and compliance KPIs often get wrong about access governance?

A: They often prove that a policy exists rather than that the control is working. If access reviews are incomplete, offboarding is delayed, or duplicate applications remain outside governance, the compliance number can look healthy while the environment is still exposed. The measure should reflect control operation, not documentation volume.

Q: How can organisations use IT KPIs to reduce shadow IT risk?

A: Use KPIs to connect discovery, approval, and deprovisioning. When a new app appears without review, it should trigger visibility work, not just a procurement discussion. Shadow IT becomes governable when the metric shows who uses the app, who approved it, and whether access was later removed.


Technical breakdown

System availability does not equal access governance

Availability measures whether systems are reachable and performing, but it does not tell you whether access is properly scoped, reviewed, or retired. A high-availability environment can still carry excessive entitlements, stale accounts, and untracked SaaS connections. In identity operations, that means uptime can coexist with privilege creep. IT teams often treat service continuity as proof of control, but governance is about who can use the system, under what conditions, and for how long. If those questions are not answered, availability metrics can mask access debt rather than reduce it.

Practical implication: pair uptime reporting with access review evidence and entitlement reconciliation.

SaaS maintenance efficiency is an identity lifecycle problem

The article’s maintenance metric covers onboarding, offboarding, renewals, and license tier management, which are all lifecycle activities with identity consequences. When a user leaves or a vendor relationship changes, the real risk is not only wasted spend but lingering access to applications, tokens, and linked workflows. SaaS environments also hide shadow IT, where apps are adopted without central governance. That creates a split between what IT believes is live and what the business is actually using. Maintenance efficiency only becomes meaningful when it includes access revocation and application discovery together.

Practical implication: tie SaaS renewals to offboarding completion and app discovery records.

Security and compliance KPIs need identity evidence

Security and compliance cannot be judged by policy presence alone. They require proof that controls are operating across human access, machine credentials, and administrative privilege. A KPI that only checks whether standards exist will miss whether licenses are over-assigned, whether duplicate apps are creating unmanaged data paths, or whether third parties retain access after business need ends. For identity leaders, the useful measure is not simply whether the organisation is compliant at audit time, but whether the operational evidence shows continuous control across the full lifecycle of access.

Practical implication: use identity evidence, not policy statements, as the basis for compliance reporting.


NHI Mgmt Group analysis

IT KPIs are only useful when they expose identity control failure, not just service performance. The article treats availability, maintenance, and deployment success as operational measures, but each one also signals whether access is governed or merely tolerated. In modern environments, the strongest KPI programmes are the ones that surface lifecycle gaps in access, licensing, and shadow IT before they become audit findings. Practitioners should treat KPI design as a governance instrument, not a reporting exercise.

SaaS sprawl is an identity governance problem disguised as an IT efficiency problem. Duplicate apps, unused licenses, and unmanaged renewals all point to weak visibility over who has access to what and why. That creates a broader control gap across employees, vendors, and non-human credentials attached to business software. The practical conclusion is that SaaS metrics must be read as access-control signals, not just spend-management data.

Lifecycle metrics matter because offboarding failure is where cost waste and security exposure converge. The article’s emphasis on onboarding and offboarding is directionally correct, but the deeper issue is that many programmes measure activation more reliably than deprovisioning. When accounts, subscriptions, or linked tokens outlive their business purpose, the organisation pays twice: once in cost and again in residual access risk. Teams should make offboarding completion a first-class KPI, not a downstream cleanup task.

Security and compliance KPIs should be tied to evidence of control operation, not to policy existence. A policy can exist while access remains excessive, duplicate applications persist, or vendor accounts remain active long after need has ended. That gap is why identity governance programmes need evidence-based metrics that connect entitlements, lifecycle events, and audit readiness. Practitioners should measure whether controls changed behaviour, not whether they were written down.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For lifecycle governance context, see NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding should be measured.

What this signals

IT performance metrics are converging with identity governance metrics. As organisations try to prove operational efficiency, they are also being forced to prove that access is being removed, rightsized, and reviewed. With NHIs outnumbering human identities by 25x to 50x in modern enterprises, the governance burden is no longer marginal and KPI frameworks need to reflect that scale.

The next maturity step is to stop treating SaaS renewals and license use as finance-only signals. They should be read alongside access review outcomes and lifecycle completion evidence, because that is where the real control failures surface.

SaaS sprawl should be treated as a named control gap, not a generic efficiency issue. Once teams frame it that way, the metric set becomes more useful for IAM, IGA, and PAM planning because it shows whether governance is keeping pace with adoption. For broader lifecycle framing, the NHI Lifecycle Management Guide is the right reference point.


For practitioners

  • Audit KPI definitions for identity blind spots: Review each IT metric and ask whether it captures access scope, lifecycle status, or only service performance. Add identity-specific indicators where the current KPI can be met even when entitlement drift or shadow IT is rising.
  • Link SaaS maintenance to offboarding proof: Require completion evidence for deprovisioning, license removal, and linked token revocation before a subscription is considered maintained or closed. This closes the gap between cost control and access control.
  • Measure compliance with operational evidence: Use recertification results, application discovery records, and entitlement reconciliation as the evidence base for security and compliance KPIs. Do not rely on policy documents or annual audit statements alone.
  • Track shadow IT as an access governance signal: Treat unsanctioned applications as a discovery and lifecycle problem, not only an asset inventory issue. Include them in review cycles so hidden access paths do not remain outside governance.

Key takeaways

  • IT KPIs are only valuable for identity teams when they reveal whether access, licensing, and lifecycle controls are actually operating.
  • SaaS sprawl and shadow IT turn operational efficiency metrics into governance signals, because unmanaged software often means unmanaged access.
  • The strongest programme move is to tie maintenance, compliance, and deployment KPIs to evidence of offboarding, entitlement reconciliation, and review completion.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
------------------------------|---------------------|----------------------------------------------------------------------------------------------
NIST CSF 2.0                  | PR.AA-01            | IT KPIs should show whether identities and access are being governed across the environment.
OWASP Non-Human Identity Top 10 | NHI-03            | SaaS maintenance metrics overlap with lifecycle gaps in secrets and credential management.
NIST Zero Trust (SP 800-207)  | SC-4                | Zero trust requires continuous verification of access, which these KPIs should help evidence.

Tie service availability and compliance measures to continuous access validation and least-privilege enforcement.


Key terms

  • SaaS Sprawl: SaaS sprawl is the uncontrolled growth of software-as-a-service applications across teams, departments, and vendors. It creates fragmented visibility, duplicated spend, and hidden access paths that are difficult to govern through standard IT inventory alone.
  • Identity Lifecycle: Identity lifecycle is the end-to-end management of an identity from creation through change, review, and removal. In practice, it covers onboarding, role changes, access reviews, renewal, and offboarding for human, non-human, and autonomous identities.
  • Entitlement Reconciliation: Entitlement reconciliation is the process of comparing expected access with the access that actually exists in systems. It helps teams find stale accounts, duplicate permissions, and unmanaged access drift before those issues become audit failures or security exposures.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: IT Teams KPIs for Modern IT Teams - 2026. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org