TL;DR: Josys’ March 2026 release unifies SaaS reporting, device visibility, action prioritisation, and workflow automation across discovered apps, MDM sources, and lifecycle triggers, and adds RBAC controls and exportable reports for IT teams. The practical shift is clearer governance over shadow users, offboarding, and app sprawl, rather than just more automation.
At a glance
What this is: Josys’ March 2026 product update adds unified SaaS reporting, multi-MDM device visibility, prioritised action handling, and more flexible workflow automation.
Why it matters: It matters because identity, device, and SaaS governance teams need the same operational picture to manage shadow access, lifecycle actions, and policy enforcement across human and non-human accounts.
👉 Read Josys' March 2026 product release on SaaS governance and automation
Context
SaaS governance breaks down when app usage, license data, device inventory, and account status live in separate tools. In practice, that fragmentation makes it harder to spot shadow users, understand who or what owns an app, and act consistently when access should be removed or reviewed.
For IAM and IT operations teams, the problem is not only visibility but timing. When onboarding, offboarding, and access changes depend on manual coordination across systems, lifecycle controls become slower than the environment they are meant to govern.
Key questions
Q: How should teams reduce shadow users in SaaS environments?
A: Start by treating shadow users as lifecycle exceptions, not just discovery findings. Connect detection to an owner, a revocation path, and a review cadence so every unmanaged account can be resolved, not merely reported. The strongest programmes also tie remediation to an authoritative source such as HR, ITSM, or access governance records.
Q: Why does unified SaaS and device visibility matter for identity governance?
A: Because access decisions are only as reliable as the context behind them. If device ownership, compliance state, and application usage are split across tools, teams cannot confidently judge whether a user or account should retain access. Unified visibility improves audit evidence, remediation speed, and trust in lifecycle decisions.
Q: When should organisations automate SaaS offboarding workflows?
A: Automate offboarding when the approval source is authoritative and the revocation path is well understood. If the trigger is ambiguous or the downstream systems do not consistently remove access, automation only makes the failure faster. Offboarding should be event-driven, verified, and tied to accountable ownership.
Q: What is the difference between reporting and governance in SaaS management?
A: Reporting tells you what exists, while governance determines what should happen next. A report can show shadow accounts or unused licences, but governance assigns ownership, applies policy, and drives remediation. Without that second layer, visibility increases while risk remains unchanged.
How it works in practice
Unified reporting across SaaS, licenses, and devices
A reporting layer that merges app usage, license data, security signals, and device inventory reduces the need to reconcile the same identity and asset facts in multiple consoles. The governance value is in correlation: teams can see whether an application is active, whether a device is compliant, and whether the account behind it is unmanaged. Exportable formats such as CSV, XLS, and PDF matter because reporting is often consumed outside the admin tool, especially in audit and review cycles.
Practical implication: standardise a single reporting view for access, licence, and device review rather than building separate evidence packs.
Action centres turn governance findings into operational queues
A prioritised action centre is essentially a triage layer over governance findings. Instead of leaving teams to interpret reports and manually create follow-up work, the system surfaces items such as shadow accounts, underused licences, and newly discovered apps with severity and context. That shifts the control model from passive visibility to queued execution. The key technical distinction is that findings remain linked to the underlying app or identity state, so remediation is not detached from the evidence that triggered it.
Practical implication: map each action type to an owner and SLA before relying on automated prioritisation.
Webhook-triggered workflows and scheduled offboarding
Workflow automation becomes more useful when it can trigger on external events such as background checks, ITSM approvals, or detected security issues. In governance terms, that means onboarding and offboarding are no longer limited to calendar dates or static triggers. The March update also lets admins run workflows before, on, or after key dates, which matters when the actual control objective is timely access removal or licence optimisation. This is especially relevant where workflow timing and approval state are part of the control itself.
Practical implication: align automation triggers with authoritative business events, then test whether offboarding really closes access before exposure persists.
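The following is an added illustration of the control pattern described above, not Josys code or any documented Josys API: a workflow engine receives a termination event over a webhook, accepts it only if the signature verifies and the source is on an allow-list of authoritative systems, resolves a before/on/after timing rule against the key date, and after deprovisioning checks that no account for the user is still live. The shared secret, event field names, source names and the in-memory account store are all constructed assumptions.

```python
"""Event-driven offboarding: verify the trigger, gate on source, schedule, confirm.

Added example, not Josys code. The secret, event schema, allow-listed source
names and the account store below are constructed for illustration.
"""
import hashlib
import hmac
import json
from datetime import date, timedelta
from typing import Dict, Optional, Set

WEBHOOK_SECRET = b"constructed-shared-secret"          # assumption: shared with sender
AUTHORITATIVE_SOURCES = {"hris", "itsm"}               # assumption: HR system, approved tickets


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over the raw request body, hex encoded (what the sender attaches)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def make_event_body(source: str, subject: str, last_day: str,
                    event_type: str = "employment.terminated") -> bytes:
    """Build a constructed webhook payload (used here only to drive the demo)."""
    return json.dumps({"source": source, "type": event_type,
                       "subject": subject, "last_day": last_day}).encode()


def verify_event(body: bytes, signature: str,
                 secret: bytes = WEBHOOK_SECRET) -> Optional[dict]:
    """Return the parsed event only if it is authentic, from an authoritative
    source and of the expected type; otherwise None, so nothing is triggered.
    An ambiguous trigger must not start an offboarding run."""
    if not hmac.compare_digest(sign(body, secret), signature):
        return None
    event = json.loads(body)
    if event.get("source") not in AUTHORITATIVE_SOURCES:
        return None
    if event.get("type") != "employment.terminated":
        return None
    return event


def schedule_run(key_date_iso: str, when: str, offset_days: int = 0) -> str:
    """Resolve a 'before' / 'on' / 'after' rule relative to a key date (ISO dates)."""
    key_date = date.fromisoformat(key_date_iso)
    if when == "before":
        return (key_date - timedelta(days=offset_days)).isoformat()
    if when == "after":
        return (key_date + timedelta(days=offset_days)).isoformat()
    if when == "on":
        return key_date.isoformat()
    raise ValueError(f"unknown timing rule: {when}")


def run_offboarding(event: dict, app_accounts: Dict[str, Set[str]]) -> dict:
    """Revoke the subject's accounts in every app, then re-check that access is
    actually closed. app_accounts maps app name -> set of active user emails;
    the discard() call stands in for the app's real deprovisioning call."""
    user = event["subject"]
    revoked = []
    for app, active in app_accounts.items():
        if user in active:
            active.discard(user)
            revoked.append(app)
    # Verification step: the control objective is "no live access", not "tasks ran".
    still_live = [app for app, active in app_accounts.items() if user in active]
    return {"user": user, "revoked": revoked, "still_live": still_live,
            "closed": not still_live}


def demo() -> dict:
    """End-to-end run on constructed data; returns the verification result."""
    accounts = {"crm": {"alice@example.com", "bob@example.com"},
                "wiki": {"bob@example.com"}}
    body = make_event_body("hris", "alice@example.com", "2026-03-31")
    event = verify_event(body, sign(body))
    if event is None:
        return {"closed": False, "reason": "trigger rejected"}
    run_on = schedule_run(event["last_day"], "on")
    result = run_offboarding(event, accounts)
    result["scheduled_for"] = run_on
    return result


if __name__ == "__main__":
    print(demo())
```

The two rejection paths in `verify_event` are the point: a payload with a bad signature or from a non-authoritative source returns `None` and no workflow starts, while the post-run `still_live` check is what turns "the task ran" into "access is closed".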
NHI Mgmt Group analysis
Unified SaaS governance is now an identity problem, not just an IT inventory problem. Once app discovery, licence usage, device state, and workflow actioning sit in the same operational plane, the security question changes from “what do we own?” to “what access is still live and who can act on it?” That is the more durable model for modern SaaS estates because unmanaged users, redundant tools, and stale device context all change entitlement risk. Practitioners should treat SaaS governance as a control plane for identity and access decisions, not a reporting afterthought.
Shadow users are the clearest sign that governance has drifted from ownership to observation. If an organisation can discover unmanaged users but cannot reliably link them to onboarding, offboarding, or approval logic, the control failure is lifecycle continuity. The operational implication is that access can exist without a stable governance path, which is exactly where recertification, deprovisioning, and audit evidence become unreliable. Teams should regard shadow-user detection as a signal of governance debt, not a standalone fix.
Multi-MDM visibility exposes the limits of device-only security models. When Windows and Apple fleets are split across separate management planes, identity decisions are forced to rely on partial context. That weakens compliance checks, ownership assertions, and downstream enforcement because the account, device, and app story no longer line up cleanly. The practical conclusion is that governance teams need cross-platform correlation before they can trust device-driven access decisions.
Automation now has to be judged by control integrity, not by task volume. Workflow engines that trigger on webhooks, dates, and discovered app states can reduce manual delay, but they can also multiply the impact of a bad signal if approvals or classification logic are weak. The governance test is whether the automation is anchored to authoritative events and bounded by reviewable policy. Practitioners should measure automation by control accuracy and remediation quality, not by how many tasks it closes.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.
- For a broader view of how governance gaps show up in practice, see 52 NHI Breaches Analysis and its root-cause patterns.
What this signals
Governance teams should expect more identity work to move into operational queues. As SaaS discovery, device correlation, and workflow automation converge, the next maturity step is not more dashboards but faster, better-governed action. Teams that still separate visibility from remediation will find that their review cycles lag the pace of the environment.
Shadow-user management is becoming a lifecycle discipline. The practical test is whether every discovered account can be linked to an owner, a business purpose, and a revocation path. In NHI and SaaS programmes, unmanaged identities often persist because they were discovered outside the normal offboarding flow, not because they were invisible.
The more organisations consolidate SaaS and device control, the more they will need to align those controls with identity evidence and audit expectations. That is where the operational detail in the source article matters, while the independent governance question is whether the control plane can prove who had access, on what device, and why.
For practitioners
- Define one governance record for each SaaS application: tie app discovery, licence ownership, security status, and business owner into a single record so review and remediation do not depend on separate spreadsheets or teams.
- Separate shadow-user detection from remediation ownership: assign a named owner, SLA, and escalation path for every unmanaged account so discovery does not become a passive dashboard exercise.
- Correlate device context before approving access decisions: use combined Intune, Jamf, or other MDM visibility to confirm device ownership and compliance before treating an access state as trustworthy.
- Bind workflow triggers to authoritative business events: trigger onboarding, offboarding, or access changes from approved HR, ITSM, or security events rather than from manual ticket chasing or date-only schedules.
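The four practitioner steps above, and the "action centre" and "unified reporting" sections earlier, describe one pipeline: build a governance record per app, correlate it with the authoritative roster and with device context from more than one MDM plane, and turn findings into a prioritised queue with an owner and SLA. The block below is an added example of that correlation logic, not Josys code or Josys' data model. The roster, discovered accounts, MDM inventories, owner records, severity rules and SLA values are constructed assumptions.

```python
"""Control-plane correlation: roster + discovered SaaS accounts + MDM context
-> prioritised action queue with owner and SLA.

Added example, not Josys code. All records, thresholds and severities below
are constructed for illustration.
"""
from dataclasses import asdict, dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# --- constructed inputs ------------------------------------------------------
HR_ROSTER: Dict[str, str] = {            # authoritative source: who is employed
    "alice@example.com": "active",
    "bob@example.com": "terminated",
    "dana@example.com": "active",
}
APP_OWNERS: Dict[str, Optional[str]] = { # one governance record per app (owner field)
    "crm": "sales-it@example.com",
    "wiki": "it-ops@example.com",
    "designtool": None,                  # discovered app with no owner yet
}
DISCOVERED_ACCOUNTS = [                  # what SaaS discovery actually found
    {"app": "crm", "user": "alice@example.com", "last_login": "2026-03-20"},
    {"app": "crm", "user": "bob@example.com", "last_login": "2026-02-01"},
    {"app": "wiki", "user": "carol@example.com", "last_login": "2025-11-15"},
    {"app": "designtool", "user": "dana@example.com", "last_login": "2026-03-25"},
]
MDM_DEVICES = [                          # two management planes, merged by user
    {"source": "intune", "user": "alice@example.com", "compliant": True},
    {"source": "jamf", "user": "dana@example.com", "compliant": False},
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
SLA_DAYS = {"high": 1, "medium": 5, "low": 30}   # assumption: per-severity SLA
UNUSED_AFTER_DAYS = 90                           # assumption: licence reclaim threshold
FALLBACK_OWNER = "identity-governance@example.com"  # constructed escalation owner


@dataclass
class ActionItem:
    finding: str
    severity: str
    app: str
    user: str
    owner: str
    due: str
    evidence: dict      # the record that produced the finding stays attached


def device_state(user: str, devices: list) -> str:
    """Collapse all MDM planes into one answer: compliant / noncompliant / unknown."""
    states = [d["compliant"] for d in devices if d["user"] == user]
    if not states:
        return "unknown"
    return "compliant" if all(states) else "noncompliant"


def classify_account(acct: dict, today: date, roster: dict,
                     owners: dict, devices: list) -> List[ActionItem]:
    """Derive findings for one discovered account; each becomes an owned, dated item."""
    app, user = acct["app"], acct["user"]
    findings = []
    status = roster.get(user)
    if status is None:
        findings.append(("shadow_user", "high"))            # not in the authoritative roster
    elif status == "terminated":
        findings.append(("account_outlives_employment", "high"))  # offboarding gap
    idle_days = (today - date.fromisoformat(acct["last_login"])).days
    if idle_days > UNUSED_AFTER_DAYS:
        findings.append(("underused_licence", "low"))
    if owners.get(app) is None:
        findings.append(("unowned_app", "medium"))
    if device_state(user, devices) == "noncompliant":
        findings.append(("noncompliant_device", "medium"))
    owner = owners.get(app) or FALLBACK_OWNER
    return [
        ActionItem(finding, sev, app, user, owner,
                   (today + timedelta(days=SLA_DAYS[sev])).isoformat(), dict(acct))
        for finding, sev in findings
    ]


def build_action_queue(today_iso: str, accounts=DISCOVERED_ACCOUNTS, roster=HR_ROSTER,
                       owners=APP_OWNERS, devices=MDM_DEVICES) -> List[dict]:
    """Correlate every discovered account and return the queue, highest severity first."""
    today = date.fromisoformat(today_iso)
    items: List[ActionItem] = []
    for acct in accounts:
        items.extend(classify_account(acct, today, roster, owners, devices))
    items.sort(key=lambda i: (SEVERITY_RANK[i.severity], i.app, i.user))
    return [asdict(i) for i in items]


if __name__ == "__main__":
    for item in build_action_queue("2026-03-30"):
        print(item["severity"], item["finding"], item["app"], item["user"],
              "->", item["owner"], "due", item["due"])
```

Note what the correlation adds over a plain report: Bob's CRM account is flagged not because it is idle (it is not) but because the roster says he is terminated; Carol's wiki account is a shadow user because no roster entry exists at all; and the unowned design tool routes to the fallback owner so the item cannot sit in a queue nobody watches.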
Key takeaways
- The release is best read as a governance update, not a simple reporting enhancement.
- Its main value is better correlation between applications, devices, licences, and remediation work.
- Practitioners should use the added visibility to harden ownership, offboarding, and policy enforcement.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access control and authorisation decisions depend on current identity and device context. |
| NIST Zero Trust (SP 800-207) | | Unified visibility supports continuous verification across apps and managed devices. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle actions like deprovisioning and revocation are central to reducing standing access. |
Map SaaS and device governance to PR.AC-4 and verify access decisions against current ownership data.
Key terms
- Shadow User: An account that exists in a SaaS or identity environment but is not clearly owned, governed, or linked to an approved lifecycle process. Shadow users create accountability gaps because teams can see the account, but cannot reliably explain why it exists or who should remove it.
- Lifecycle Governance: The set of controls that govern how identities are created, changed, reviewed, and removed across their usable life. In SaaS environments this includes onboarding, offboarding, recertification, and revocation, all of which must remain tied to ownership and business purpose.
- Control Plane Correlation: The practice of combining identity, device, application, and policy signals into one operational view. It matters because isolated data sources make it harder to prove whether access is valid, whether a device is trustworthy, and whether remediation has actually happened.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Josys: Product Release Newsletter: March 2026. Read the original.
Published by the NHIMG editorial team on 2026-03-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org