PagerDuty app integrations expose the SaaS identity gap

At a glance

What this is: This is a Zluri analysis of PagerDuty’s app ecosystem and the operational value of its 400-plus integrations for incident management and SaaS control.

Why it matters: It matters because incident platforms increasingly sit inside identity workflows, where SaaS access, lifecycle automation, and security controls affect response speed and containment across NHI, autonomous, and human programmes.

By the numbers:

• The PagerDuty App Store offers over 400 apps and integrations that IT teams can use to extend incident management capabilities.
• Zluri says organisations purchased 1,000 Google Workspace licenses but needed usage clarity before the next renewal.
• Zluri notes that contract alerts arrive 30 days, 15 days, and one day before renewal dates.

👉 Read Zluri's analysis of the top 10 PagerDuty app integrations

Context

PagerDuty’s App Store is a large integration layer for incident management, not just a catalog of add-ons. In identity terms, the article is about how IT teams use connected tools to detect, diagnose, and resolve incidents while keeping SaaS access, user lifecycle, and renewal control in view.

The governance gap is that incident response often depends on the same SaaS estate that organisations struggle to inventory, secure, and deprovision. When the app layer expands faster than lifecycle discipline, operational speed can hide identity sprawl rather than fix it.

Key questions

Q: How should security teams govern SaaS integrations used for incident response?

A: Security teams should treat incident-response integrations as governed access paths, not simple connectors. Each integration needs an owner, a permission boundary, and a review cadence tied to business use. The safest model combines application discovery, entitlement review, and offboarding so abandoned integrations do not retain access after the need has passed.

Q: Why do SaaS apps create identity risk even when they improve operations?

A: SaaS apps create identity risk because every new connection adds users, tokens, permissions, and renewal obligations. Operational efficiency can mask the fact that access is spreading faster than governance. When discovery and lifecycle control lag behind adoption, organisations inherit shadow IT, stale accounts, and hidden trust relationships.

Q: What breaks when app discovery is disconnected from access governance?

A: When discovery is disconnected from access governance, teams may know an app exists without knowing who owns it, who uses it, or whether its access is still justified. That gap leads to redundant licenses, orphaned applications, and delayed revocation. In incident environments, it can also slow containment because ownership is unclear.

Q: Who should approve SaaS renewal decisions in identity programmes?

A: Renewal decisions should involve the application owner, the identity or IAM team, and the security function when the app carries sensitive access. That makes renewals a control point rather than a procurement formality. If an application still has active identities but no clear ownership, renewal should trigger a governance review before approval.

Technical breakdown

App-store integrations as an incident-response control plane

PagerDuty’s integration model turns incident handling into a connected workflow across monitoring, collaboration, automation, and service tools. That architecture reduces swivel-chair operations, but it also means incident context, approvals, and remediation steps are distributed across multiple systems. For IAM and IGA teams, the important point is that the control plane is no longer just PagerDuty. It is the surrounding identity and entitlement fabric that determines who can see, route, and act on alerts. If those identities are stale or over-privileged, the response layer itself becomes a risk surface.

Practical implication: Treat incident-platform integrations as governed access pathways, not convenience features.

SaaS discovery, license usage, and renewal control

The article’s Zluri example shows how discovery and usage analytics sit alongside renewal management and access governance. That matters because SaaS sprawl is rarely just a procurement issue. It is an identity problem that includes dormant accounts, redundant licenses, and unclear application ownership. In practice, organisations need a current view of which applications are active, who can access them, and which renewals are about to lock in waste or exposure. Without that, incident tooling may see the alert but not the underlying access condition that made the alert possible.

Practical implication: Align application discovery and renewal reviews with access ownership before contracts auto-renew.

Lifecycle automation for SaaS users and service access

The article links user lifecycle management to immediate provisioning and deprovisioning of the right apps for the right users. That is the core governance issue for SaaS and NHI programmes alike: identities outlive need unless lifecycle events are tied to entitlements. In a mature model, onboarding, mover changes, and offboarding are not separate admin tasks. They are the mechanism that keeps incident response from being forced to compensate for unmanaged access. Where lifecycle automation is weak, incident response becomes reactive cleanup instead of control enforcement.

Practical implication: Tie joiner, mover, and leaver events to app entitlements so access does not persist past business need.

Threat narrative

Attacker objective: The objective is to exploit unmanaged SaaS access and integration sprawl so operational control weakens and response or remediation can be delayed or diverted.

1. Entry occurs when poorly governed SaaS access or shadow IT creates an unmanaged application foothold inside the incident-response environment.
2. Escalation happens when over-broad app integrations or stale permissions allow alerts, tickets, or automation to touch systems beyond their intended scope.
3. Impact is operational delay, unauthorized access, or missed remediation because the organisation cannot confidently map who owns each app, account, or renewal path.

Breaches seen in the wild

• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
• Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Integration depth has become an identity-governance problem, not just an operations problem. The article frames PagerDuty’s App Store as a way to accelerate incident response, but every additional integration also expands the access graph that IAM and IGA teams must understand. The more systems an incident platform can touch, the more important entitlement review, connector ownership, and change control become. Practitioners should treat integration sprawl as a governance input, not a technical convenience.

Lifecycle control is the real hidden dependency behind SaaS resilience. Zluri’s examples around discovery, renewals, and immediate deprovisioning show that resilience depends on whether identity events are tied to software control. If access is not removed when users, vendors, or roles change, the organisation can keep paying for software it no longer trusts while still leaving active access in place. The practitioner conclusion is simple: lifecycle discipline is part of uptime.

App-store breadth creates an identity blast radius that many teams still under-estimate. A platform with hundreds of integrations can speed up diagnosis, but it also multiplies the number of identities, tokens, and trust relationships that may need review after an incident. That blast radius is not abstract. It shows up in permissions, renewal ownership, and the speed with which abandoned apps are rediscovered. Security teams should measure integration sprawl as part of SaaS governance.

Shadow IT and incident tooling now overlap in ways that traditional IAM models did not anticipate. The article connects app discovery, usage analytics, and compliance in the same operational story because those controls are now inseparable. If the organisation cannot see its SaaS estate, it cannot confidently secure the incident-management workflows built on top of it. Practitioners should assume that hidden apps will also hide hidden access paths.

Identity governance for SaaS is shifting from periodic review to continuous operational control. The article’s emphasis on alerts, discovery, and automation reflects a wider market shift: static access reviews are too slow for always-on application ecosystems. That does not mean every control must be real-time, but it does mean ownership, offboarding, and renewal decisions need tighter cadence. Teams should modernise governance around the rate of software change, not the pace of committee cycles.

From our research:

• 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• For a broader governance lens, see NHI Lifecycle Management Guide for the lifecycle controls that keep access from lingering after use.

What this signals

Integration sprawl is becoming the new SaaS governance debt. When incident tools sit at the centre of operations, every connector adds another place where ownership, entitlement, and offboarding can fail. Teams should expect their next audit issue to look less like a single misconfiguration and more like a chain of unmanaged app relationships.

The practical signal is that renewal, discovery, and access review can no longer live in separate workstreams. Organisations that treat them as one control loop will be better positioned to reduce shadow IT, limit standing access, and keep incident tooling aligned with current business need.

With only 5.7% of organisations having full visibility into their service accounts, the broader message is that identity visibility remains too weak to support modern app ecosystems. That visibility gap will also affect how confidently teams govern SaaS integrations around incident response and lifecycle events.

For practitioners

• Map incident-platform integrations to identity owners Inventory every PagerDuty-connected app, assign a business and technical owner, and review the permissions each integration can exercise during alerting, ticketing, and remediation workflows.
• Link SaaS discovery to access reviews Use discovery and usage analytics to identify inactive applications, then feed those findings into access review and deprovisioning workflows before the next renewal cycle.
• Tighten renewal governance around dormant apps Require renewal approvals to include application activity, security ownership, and entitlement status so auto-renewals do not preserve unused or risky software.
• Automate joiner, mover, and leaver actions Connect HR or directory events to app provisioning and deprovisioning so SaaS access is removed as soon as role changes or offboarding occur.

Key takeaways

• PagerDuty-style integration ecosystems improve incident response, but they also expand the identity surface that IAM teams must govern.
• SaaS discovery, renewal control, and lifecycle automation are now part of operational resilience, not separate admin tasks.
• Organisations that cannot map app ownership and access paths will struggle to contain risk when incidents, renewals, or offboarding collide.

Key terms

• SaaS Lifecycle Management: SaaS lifecycle management is the discipline of governing applications from discovery through provisioning, renewal, and offboarding. In identity programmes, it ensures software access matches business need throughout the full life of the application and its users, rather than only at procurement or renewal time.
• Integration Sprawl: Integration sprawl is the accumulation of connected tools, permissions, and trust relationships across a platform ecosystem. It matters because every new connector adds operational convenience and a new identity path that must be owned, reviewed, and retired when no longer needed.
• Identity Surface: Identity surface is the total set of accounts, tokens, permissions, and delegated access paths an organisation must govern. For SaaS and incident platforms, the identity surface expands when applications, automation, and lifecycle workflows are tightly connected.
• Lifecycle Automation: Lifecycle automation is the use of event-driven workflows to provision, update, and revoke access as roles and business needs change. It reduces manual lag, but only when ownership, approval, and offboarding rules are explicit and continuously maintained.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: IT Teams Top 10 Apps in PagerDuty App Store. Read the original.