TL;DR: Gartner predicts that by 2028 more than 70% of organisations will centralise SaaS application management with a SaaS management platform (SMP), up from less than 30% in 2025, as overspend, visibility loss, and contract sprawl intensify across SaaS and generative AI usage. The governance issue is less about tooling selection than about whether IT can establish durable control over app access, lifecycle, and entitlement drift before the sprawl becomes unmanageable.
At a glance
What this is: Josys's Gartner recognition spotlights how SaaS management platforms are being positioned around visibility, provisioning, and lifecycle control as SaaS and AI usage expand.
Why it matters: For identity and access management (IAM), non-human identity (NHI), and human access teams, the signal is that SaaS sprawl is becoming an identity governance problem, not just a procurement or IT operations issue.
By the numbers:
- Gartner now predicts that through 2028, over 70% of organisations will centralise SaaS application management using a SaaS management platform, an increase from less than 30% in 2025.
- Josys maintained an overall 4.6/5 rating with 78 reviews on Gartner Peer Insights for SaaS Management Platforms as of 30 August 2025.
👉 Read Josys's Gartner Magic Quadrant recognition for SaaS management platforms
Context
SaaS management is now an identity governance problem because application sprawl, shadow procurement, and delegated access all expand the number of accounts, licences, and entitlements that IT must account for. As SaaS and generative AI usage spread across business units, the control gap is no longer just visibility into software spend, but visibility into who has access, who still needs it, and what can be removed safely.
Josys's recognition in Gartner's SaaS Management Platforms quadrant is a signal about category maturity, not a verdict on any single product. For IAM and governance teams, the more useful question is whether SaaS management data is being connected to joiner-mover-leaver processes, access reviews, and entitlement hygiene across human users and the non-human workflows that support them.
Key questions
Q: How should organisations govern SaaS sprawl across identity and access processes?
A: Treat SaaS management as part of identity governance, not just software inventory. Connect discovery, licence ownership, access assignment, and offboarding so unused apps and stale entitlements can be removed through normal IAM and identity governance and administration (IGA) workflows. The key is to make application visibility actionable, so every app has an owner, a business purpose, and a removal path.
Q: When does SaaS licence sprawl become a security problem?
A: It becomes a security problem when unused subscriptions, shared accounts, and stale administrators remain active after the business need has passed. At that point, the organisation is not only overspending; it is preserving access paths that were never revalidated. The risk is highest when procurement, identity, and access reviews are disconnected.
Q: What do teams get wrong about SaaS management platforms?
A: Teams often treat them as reporting tools when they are more valuable as governance inputs. Inventory alone does not reduce risk unless the data drives removal, recertification, and ownership correction. The mistake is assuming visibility equals control, when real control comes from acting on the visibility.
Q: How can security teams assess whether SaaS governance is actually working?
A: Look for measurable outcomes such as reduced inactive licences, fewer orphaned app owners, faster offboarding, and cleaner entitlement recertification results. If the programme only produces dashboards and reports, governance has not been operationalised. A working programme changes access state, not just awareness.
Technical breakdown
Why SaaS management has become an identity control plane issue
A SaaS management platform sits between discovery, governance, and operational control. It aggregates app inventory, licence usage, access assignments, and provisioning actions so IT can see which systems are active and whether entitlements are still justified. In practice, that makes it adjacent to IGA rather than a separate admin tool. When the business adopts apps faster than IT can catalogue them, the platform becomes the control point for deciding what exists, who uses it, and whether licences or accounts should be removed.
Practical implication: map SaaS management outputs into access review and offboarding workflows instead of treating them as inventory only.
How licence sprawl turns into entitlement drift
SaaS sprawl rarely shows up as a single breach event. It accumulates through unused subscriptions, duplicate accounts, stale administrators, and partially automated provisioning that outlives the business need. Entitlement drift happens when access changes faster than governance records, so the organisation pays for software it no longer controls cleanly. In this model, financial waste and security exposure are the same underlying problem because every unmanaged licence can mask an unmanaged identity path.
Practical implication: use utilisation, ownership, and removal workflows together so licence optimisation also reduces excess access.
What generative AI changes in SaaS governance
Generative AI expands SaaS governance because many teams now consume AI features inside standard business applications rather than through a single controlled platform. That creates a new discovery challenge: IT must understand which apps expose AI-assisted functions, what data they can reach, and whether those features are approved for enterprise use. The governance issue is not AI hype, but the fact that app capability is changing faster than most procurement and review processes can track.
Practical implication: extend SaaS reviews to include AI-enabled app features, not just vendor names and licence counts.
NHI Mgmt Group analysis
SaaS management is now a lifecycle governance discipline, not a reporting layer. The value of centralised visibility is not the dashboard itself but the ability to connect discovery, provisioning, review, and offboarding across the application estate. That makes SMP data relevant to IAM, IGA, and compliance teams that need a single view of who should have access and who still does. Practitioners should treat SaaS management as part of entitlement governance, not a sidecar operational tool.
Contract sprawl is increasingly entitlement sprawl. When business units buy software independently, the organisation inherits hidden access paths, duplicated licences, and dormant accounts that remain active long after the need has passed. That is not just waste; it is a control failure, because ungoverned subscriptions often carry privileged or shared access. The implication for practitioners is that procurement data and identity data need to be reconciled continuously.
AI features inside SaaS applications create a new governance boundary problem. Teams no longer only need to know which applications are in use, but which applications expose generative AI functions, what data those functions can ingest, and whether the resulting access pattern fits policy. This is where classic software inventory breaks down and where SaaS governance starts to overlap with data protection and identity assurance. Practitioners should assume that app classification now includes capability classification.
Visibility without lifecycle action is not governance. Many programmes can enumerate applications, but far fewer can prove that dormant licences are removed, stale access is revoked, and ownership is revalidated on a repeatable cadence. Gartner's forecast suggests centralisation is becoming the default operating model, which raises the bar for how quickly organisations can turn discovery into enforcement. Practitioners should measure whether SaaS governance actually changes access outcomes.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how weak visibility often precedes weak control, according to the Ultimate Guide to NHIs.
- For a broader operating model, see NHI Lifecycle Management Guide for how discovery, rotation, and offboarding fit together across identity governance.
What this signals
Contract sprawl is becoming control sprawl. As more business units buy and configure SaaS outside central oversight, IAM and IT teams need a stronger join between procurement data and identity records. The practical shift is toward continuous entitlement reconciliation rather than periodic clean-up, especially where SaaS apps now expose embedded AI features.
The most useful SaaS governance programmes will measure what gets removed, not just what gets discovered. If offboarding, recertification, and licence reclamation do not change the state of access, then the organisation still lacks operational control even if it has a complete app list.
For practitioners
- Reconcile SaaS inventory with identity records: Join app discovery, user assignment, and ownership data so every active SaaS app maps to a responsible business owner and an identity source of truth.
- Tie licence reviews to joiner-mover-leaver workflows: Use offboarding, role changes, and periodic recertification to remove unused subscriptions and stale entitlements at the same cadence as access governance.
- Track AI-enabled SaaS features separately: Classify applications that expose generative AI functions, then review their data exposure, ownership, and approval status as a distinct governance category.
- Measure governance with removal outcomes: Report on how many inactive licences, duplicate accounts, and orphaned app owners were actually removed, not just how many were discovered.
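The four practitioner steps above, as a single reconciliation pass in Python. This is an added illustration, not code from Josys or the original post; the record layout, the 90-day dormancy threshold and the sample seats and identity statuses are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from any real tenant or product).
TODAY = date(2025, 9, 18)
IDENTITIES = {  # HR / IdP source of truth: user -> lifecycle status
    "alice": "active", "bob": "terminated", "carol": "active", "dave": "active",
}
SAAS_INVENTORY = [  # SMP export: one row per app seat (assumed field names)
    {"app": "crm", "owner": "alice", "user": "alice", "last_login": date(2025, 9, 10), "ai_enabled": False},
    {"app": "crm", "owner": "alice", "user": "bob", "last_login": date(2025, 5, 1), "ai_enabled": False},
    {"app": "notes-ai", "owner": "bob", "user": "carol", "last_login": date(2025, 9, 1), "ai_enabled": True},
    {"app": "notes-ai", "owner": "bob", "user": "dave", "last_login": date(2025, 4, 2), "ai_enabled": True},
    {"app": "design", "owner": None, "user": "dave", "last_login": date(2025, 9, 12), "ai_enabled": False},
]

def reconcile(inventory, identities, today, dormant_days=90):
    """Join SMP seats against the identity source of truth and return
    findings keyed by the governance action each one should drive."""
    dormant_cutoff = today - timedelta(days=dormant_days)
    findings = {"orphaned_accounts": [], "dormant_seats": [],
                "apps_without_valid_owner": set(), "ai_apps_for_review": set()}
    for seat in inventory:
        status = identities.get(seat["user"])
        if status != "active":
            # Leaver (or unknown identity) still holds a seat: offboarding gap.
            findings["orphaned_accounts"].append((seat["app"], seat["user"]))
        elif seat["last_login"] < dormant_cutoff:
            # Active user, unused seat: candidate for licence reclamation.
            findings["dormant_seats"].append((seat["app"], seat["user"]))
        owner_status = identities.get(seat["owner"]) if seat["owner"] else None
        if owner_status != "active":
            # Owner missing or departed: ownership must be corrected before review.
            findings["apps_without_valid_owner"].add(seat["app"])
        if seat["ai_enabled"]:
            # AI-exposed apps are reviewed as their own governance category.
            findings["ai_apps_for_review"].add(seat["app"])
    return findings

def removal_metrics(findings, removed):
    """Governance is measured by what changed: flagged seats actually removed."""
    flagged = set(findings["orphaned_accounts"]) | set(findings["dormant_seats"])
    return {"flagged": len(flagged), "removed": len(flagged & set(removed)),
            "still_open": sorted(flagged - set(removed))}

if __name__ == "__main__":
    found = reconcile(SAAS_INVENTORY, IDENTITIES, today=TODAY)
    print(found)
    print(removal_metrics(found, removed=[("crm", "bob")]))
```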
Key takeaways
- SaaS management is increasingly an identity governance problem because app sprawl, licence sprawl, and access sprawl are converging.
- Gartner's forecast points to centralised SaaS management becoming the default operating model, which raises the standard for visibility and enforcement.
- The decisive control is not discovery alone but whether discovery feeds ownership correction, entitlement removal, and lifecycle action.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | SaaS access and entitlement governance map directly to managing authorised access. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Unused SaaS accounts and stale access reflect non-human identity lifecycle gaps. |
| NIST Zero Trust (SP 800-207) | AC-4 | Centralised SaaS control supports policy-based access enforcement across apps. |
Apply NHI-03-style lifecycle controls to detect and revoke dormant SaaS-linked identities.
Key terms
- SaaS Management Platform: A SaaS management platform is a system used to discover, govern, and operationalise software-as-a-service use across an organisation. It typically tracks applications, users, licences, and provisioning status so IT can reduce sprawl and connect inventory data to access and lifecycle controls.
- Entitlement Drift: Entitlement drift is the gradual misalignment between who should have access and who actually retains it. In SaaS environments, it usually appears as stale accounts, unused licences, duplicate access paths, or approvals that outlive the underlying business need.
- Lifecycle Governance: Lifecycle governance is the discipline of controlling identities and access from creation through change to removal. For SaaS programmes, it means discovery, provisioning, review, and offboarding are connected so access states change when the business relationship changes.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Josys: Josys recognized in the 2025 Gartner Magic Quadrant for SaaS Management Platforms. Read the original.
Published by the NHIMG editorial team on 2025-09-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org