TL;DR: Stronger security, compliance, and efficiency are the focus of Netwrix’s customer webinar on Strongpoint for Salesforce 6.0, with user license analysis used to uncover cost-saving opportunities and automation used to free teams for more strategic work. The practical takeaway is that Salesforce governance now has to connect access oversight, compliance evidence, and spend control in one operating model.
At a glance
What this is: This on-demand webinar outlines new Netwrix Strongpoint for Salesforce 6.0 capabilities aimed at improving Salesforce security, compliance, efficiency, and user license analysis.
Why it matters: It matters because Salesforce data access, compliance controls, and license sprawl sit inside broader identity governance, so IAM teams need the same lifecycle discipline across human, NHI, and automated access paths.
Context
Salesforce governance often fails when security, compliance, and license management are treated as separate workstreams. In practice, that creates blind spots around who has access, what they can do, and which entitlements are actually being used.
For identity teams, the issue is broader than one application. Access reviews, entitlement cleanup, and automation all sit inside lifecycle governance, so changes in Salesforce administration can affect human access governance and machine-mediated workflows in the same programme.
Top 10 NHI Issues remains the right reference point for understanding how access sprawl and governance debt accumulate when visibility is incomplete.
Key questions
Q: How should teams use Salesforce license analysis in governance decisions?
A: Treat licence analysis as an entitlement-control signal, not a finance-only report. When assigned licences do not match active usage or role need, the organisation should investigate stale access, over-provisioning, or weak offboarding. The strongest outcome is when the findings feed access certification, not just cost reduction reporting.
Q: Why does automation matter in Salesforce compliance workflows?
A: Automation matters because manual review processes do not scale well across evidence collection, exception handling, and recurring certification. But automation only improves governance when the policy logic, ownership, and audit trail are clear. Otherwise, it can accelerate inconsistent decisions and make weak controls appear efficient.
Q: What do security teams get wrong about Salesforce configuration management?
A: Teams often treat configuration management as an admin task instead of an identity and access control issue. In Salesforce, sharing rules, administrative settings, and access boundaries shape who can see and act on data. If those settings drift from policy, the control model is already failing.
Q: How can IAM and compliance teams work together on Salesforce governance?
A: They should use one governance view for licences, access reviews, configuration drift, and evidence collection. That allows cost, security, and compliance teams to work from the same entitlement reality rather than separate reports. The result is faster remediation and fewer blind spots in audit preparation.
Background and context
User license analysis in Salesforce governance
User license analysis is the process of comparing assigned Salesforce licences against actual usage and role need. The technical value is not just cost reduction. It is entitlement hygiene, because dormant or misaligned licences often indicate stale access paths, poor joiner-mover-leaver discipline, or over-provisioned administrative scope. In a governed environment, licence analysis becomes a control signal that helps separate business need from inherited access. That makes it useful to both compliance teams and IAM leads looking for excess privilege across application estates.
Practical implication: use licence usage data to drive entitlement cleanup and re-certification, not just finance reporting.
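The comparison described above, as an added example that is not code from Netwrix or from the original post: it turns a licence export into access-certification items rather than a cost total. The CSV layout, the `HRStatus` column (assumed to be joined in from an HR system), the 90-day threshold and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data). Column layout is an assumption;
# HRStatus is assumed to be joined in from an HR system.
SAMPLE_EXPORT = """Username,UserLicense,IsActive,LastLoginDate,HRStatus
alice@example.com,Salesforce,true,2026-05-20T08:15:00Z,employed
bob@example.com,Salesforce,true,2025-11-02T10:00:00Z,employed
carol@example.com,Salesforce,true,2026-05-01T09:30:00Z,terminated
svc-sync@example.com,Salesforce Integration,true,,n/a
dave@example.com,Salesforce Platform,false,2025-01-10T12:00:00Z,terminated
"""

DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold


def classify(row, now):
    """Return (finding, action) for one licence assignment, or None if clean."""
    if row["IsActive"].lower() != "true":
        return None  # deactivated users no longer consume a licence
    if row["HRStatus"] == "terminated":
        return ("offboarding-gap", "deactivate now; raise JML incident")
    last = row["LastLoginDate"]
    if not last:
        return ("never-logged-in", "confirm owner and purpose in certification")
    seen = datetime.fromisoformat(last.replace("Z", "+00:00"))
    if now - seen > DORMANT_AFTER:
        return ("dormant", "queue for recertification by manager")
    return None


def certification_queue(export_text, now):
    """Turn a licence export into review items instead of a cost total."""
    items = []
    for row in csv.DictReader(io.StringIO(export_text)):
        result = classify(row, now)
        if result:
            items.append({"user": row["Username"], "licence": row["UserLicense"],
                          "finding": result[0], "action": result[1]})
    return items


if __name__ == "__main__":
    now = datetime(2026, 5, 26, tzinfo=timezone.utc)
    for item in certification_queue(SAMPLE_EXPORT, now):
        print(item)
```

An active account belonging to a terminated employee is ranked ahead of dormancy because it is a joiner-mover-leaver failure even when the account was used recently.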
Automation for compliance and access governance
Automation in Salesforce governance usually means replacing manual checks with repeatable workflows for review, evidence collection, and rule enforcement. The technical risk is that automation can accelerate bad policy just as easily as good policy, so the control design matters more than the tool. When automation is tied to clear ownership, review triggers, and audit trails, it reduces operational drag and improves consistency. When it is not, it can hide exceptions behind a polished workflow while leaving governance gaps intact.
Practical implication: align automation with explicit control objectives, review owners, and audit evidence requirements before scaling it.
Security and compliance configuration management
Security and compliance configuration management is the discipline of keeping system settings aligned with policy, regulatory requirements, and internal control expectations. In Salesforce, that includes understanding which settings influence sharing, access boundaries, data exposure, and administrative control. The mechanism matters because many breaches and audit failures do not start with an exploit, they start with permissive configuration drift. Strong governance therefore depends on baseline enforcement, change tracking, and evidence that the live configuration still matches the approved control model.
Practical implication: treat configuration drift as an access-control problem, not only a platform administration problem.
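One way to check a live configuration against an approved baseline, as an added example that is not part of the original post or of any product: it reports every deviation and ranks changes that widen access first. The setting keys, access level names and both snapshots are hypothetical and constructed for illustration, not Salesforce API names.

```python
# Least to most permissive; level names are constructed, not Salesforce API values.
ACCESS_RANK = {"private": 0, "read": 1, "read_write": 2}

# Constructed approved baseline and live snapshot (hypothetical setting keys).
BASELINE = {
    "sharing.account.default": "private",
    "sharing.opportunity.default": "private",
    "sharing.case.default": "read",
    "session.mfa_required": True,
    "admin.modify_all_data.holders": {"admin-1", "admin-2"},
}
LIVE = {
    "sharing.account.default": "read_write",
    "sharing.opportunity.default": "private",
    "sharing.case.default": "private",
    "session.mfa_required": False,
    "admin.modify_all_data.holders": {"admin-1", "admin-2", "svc-etl"},
    "sharing.lead.default": "read",
}


def direction(approved, live):
    """Classify one change as 'widened', 'narrowed' or 'changed'."""
    if type(approved) is not type(live):
        return "changed"
    if isinstance(approved, bool):  # booleans are "control enabled" flags
        return "widened" if approved and not live else "narrowed"
    if isinstance(approved, set):  # sets are holders of a privilege
        return "widened" if live - approved else "narrowed"
    if approved in ACCESS_RANK and live in ACCESS_RANK:
        return "widened" if ACCESS_RANK[live] > ACCESS_RANK[approved] else "narrowed"
    return "changed"


def drift_report(baseline, live):
    """List every deviation from the baseline, widened access first."""
    findings = []
    for key in sorted(set(baseline) | set(live)):
        if key not in baseline:
            findings.append((key, "unbaselined", None, live[key]))
        elif key not in live:
            findings.append((key, "missing", baseline[key], None))
        elif baseline[key] != live[key]:
            findings.append((key, direction(baseline[key], live[key]), baseline[key], live[key]))
    order = {"widened": 0, "unbaselined": 1, "missing": 2, "changed": 3, "narrowed": 4}
    return sorted(findings, key=lambda f: order[f[1]])


if __name__ == "__main__":
    for finding in drift_report(BASELINE, LIVE):
        print(finding)
```

Settings present in the live snapshot but absent from the baseline are reported as `unbaselined` rather than ignored, since an ungoverned setting cannot be shown to match the approved control model.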
NHI Mgmt Group analysis
Salesforce governance is now an identity problem, not just an application admin problem. When security, compliance, and licence optimisation are managed together, the organisation gets a clearer view of entitlement sprawl and stale access. That is the real governance boundary here, because the same workflow that trims cost can also reveal over-assignment and weak review discipline. Practitioners should treat application governance as part of the identity control plane.
License analysis becomes a proxy for control quality when usage and assignment diverge. A licence that exists on paper but is unused in practice often points to inherited access, delayed offboarding, or roles that no longer match business need. That is why licence reporting should feed access certification and recertification, not sit in a finance silo. The implication is that governance teams need one view of entitlement value across security and cost.
Automation only reduces risk when the control model is explicit. If automation is used to streamline reviews or evidence collection without clear policy inputs, it simply speeds up weak governance. The deeper issue is not whether automation exists, but whether it enforces named owners, defined exceptions, and auditable outcomes. Practitioners should evaluate whether their automation is removing effort or merely masking variance.
Configuration management and identity governance are converging in SaaS control planes. Salesforce settings influence who can see, change, or extract data, which means platform configuration now sits inside identity risk management. This is especially relevant for organisations that rely on access reviews but do not continuously test whether the live configuration still supports the approved policy. The practical conclusion is that SaaS governance must be measured against identity outcomes, not just admin settings.
From our research:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
- For a broader governance lens, see Ultimate Guide to NHIs, Key Challenges and Risks for the control gaps that make sprawl and over-privilege persistent.
What this signals
Salesforce governance programmes are increasingly judged by whether they can connect entitlement sprawl, cost pressure, and audit evidence in one workflow. That is the same governance pattern now expected across NHI and human access programmes: identify unused access, prove control effectiveness, and keep the exception queue visible.
Governance convergence: when licence analysis, compliance evidence, and configuration drift are reviewed together, teams can spot control decay earlier and reduce the gap between policy and live access state. The practical signal is that SaaS administration is becoming an identity governance workload, not a separate support function.
For practitioners
- Map licence analysis to access certification: Use user license analysis to identify dormant, misaligned, or excess Salesforce entitlements and push those findings into the next access review cycle.
- Tie automation to explicit control owners: Define who approves exceptions, who reviews evidence, and which workflow outputs satisfy audit requirements before expanding automation across Salesforce governance tasks.
- Baseline Salesforce configuration against policy: Track sharing, access, and administrative settings as governed controls so configuration drift is detected before it becomes a compliance or exposure issue.
- Unify security and cost signals: Review cost optimisation, access risk, and compliance evidence together so licence savings do not create hidden privilege or accountability gaps.
Key takeaways
- Salesforce governance now sits at the intersection of access control, compliance evidence, and licence waste.
- Licence analysis is valuable when it feeds certification and entitlement cleanup, not when it stops at cost reporting.
- Automation and configuration management only improve security when they are tied to explicit policy, ownership, and auditability.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Salesforce licences and access settings directly affect least-privilege access management. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Configuration drift and over-assigned access are common identity control failures in SaaS. |
| NIST Zero Trust (SP 800-207) | AC-4 | Access boundaries and continuous verification align with SaaS governance and entitlement control. |
Align Salesforce sharing and access rules to zero-trust policy boundaries and verify them continuously.
Key terms
- User License Analysis: User license analysis is the review of assigned software licences against actual usage, business need, and role fit. In identity governance, it is a control signal that helps teams identify stale access, over-provisioning, and waste before those conditions become audit or security problems.
- Configuration Drift: Configuration drift is the gap between approved security settings and the live system state. In SaaS governance, it matters because access boundaries, sharing rules, and administrative permissions can change over time and quietly erode the intended control model.
- Access Certification: Access certification is the formal review of existing entitlements to confirm they are still justified. It is a governance mechanism used across human, NHI, and automated access, and its value depends on clean evidence, named ownership, and a clear remediation path.
- Entitlement Sprawl: Entitlement sprawl is the accumulation of excess, duplicate, or outdated access rights across a system. It usually appears when provisioning, offboarding, and review processes do not keep pace with change, leaving security teams with more access than they can reasonably govern.
This post draws on content published by Netwrix: What's New in Netwrix Strongpoint for Salesforce 6.0. Read the original.
Published by the NHIMG editorial team on 2026-05-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org