TL;DR: Lean IT teams managing 20-plus SaaS apps through spreadsheets face delayed offboarding, painful quarterly access reviews, and hidden license waste, as illustrated by ebbo’s Josys case study. The real issue is not just inefficiency but the absence of centralised lifecycle control across apps, licenses, and access ownership.
At a glance
What this is: This case study shows how a small IT team reduced manual SaaS governance overhead by centralising access reviews, offboarding, and license visibility.
Why it matters: It matters because the same spreadsheet-driven failure mode affects NHI, autonomous, and human identity programmes whenever lifecycle control is fragmented.
By the numbers:
- During the very first demo, Josys uncovered $5,000 in unused licenses tied to GitHub and Adobe.
👉 Read Josys' case study on ebbo's SaaS governance and compliance gains
Context
Small IT teams often end up governing SaaS access with spreadsheets, admin portal checks, and manual review cycles. That model breaks down when a lean team has to track joiners, leavers, role changes, licenses, and audit evidence across dozens of applications.
This Josys case study focuses on ebbo’s effort to centralise SaaS visibility and reduce compliance overhead. The article is less about software features than about a familiar identity governance problem: lifecycle processes are too scattered to keep pace with operational change.
The pattern is typical for organisations that grow faster than their access governance processes. When no one has a live view of who can use what, orphaned access and wasted licenses become the default outcome rather than the exception.
Key questions
Q: How should security teams reduce SaaS access review overhead without losing audit evidence?
A: Centralise user, app, and ownership records in one governance workflow, then automate review requests and evidence capture. The goal is to remove spreadsheet reconciliation and replace it with continuous traceability from entitlement to reviewer confirmation. That shortens review cycles and gives auditors a defensible record of who approved what and why.
Q: Why do spreadsheets create so much risk in SaaS offboarding?
A: Spreadsheets separate access state from the system that actually enforces access, so leaver events are easy to miss. They also make it hard to prove that every app was checked, which leaves orphaned accounts and lingering licenses in place after employees exit or change role.
Q: What signals show that SaaS governance is not working?
A: Look for delayed offboarding, repeated manual exports, inconsistent access review responses, and inactive accounts that still carry paid licenses. Those signals indicate that entitlement ownership and usage data are not reconciled often enough to support reliable governance.
Q: Who should own SaaS access governance in a small IT team?
A: Ownership should sit with a named governance lead, but each application also needs a business owner and a technical owner. Small teams cannot rely on shared responsibility alone because offboarding, review, and license recovery all stall when accountability is implicit.
Technical breakdown
Why manual SaaS access governance fails at scale
Manual SaaS governance depends on people repeatedly logging into each application, exporting user lists, and reconciling them against separate license records. That creates delay, inconsistency, and blind spots, especially when joiner, mover, and leaver events happen faster than quarterly review cycles. The problem is not only effort; it is that the control plane is dispersed across many admin consoles instead of being unified around ownership, usage, and entitlement state.
Practical implication: teams need a single governance layer for SaaS access rather than relying on portal-by-portal checks.
How orphaned access and license waste emerge from weak lifecycle controls
Orphaned access appears when an employee leaves or changes role but the deprovisioning step does not happen cleanly across every app. License waste follows when inactive or duplicate accounts remain allocated even after users stop working in the service. In practice, the same lifecycle gap creates both security exposure and avoidable spend, because entitlement state and commercial ownership drift apart.
Practical implication: connect offboarding and license reclamation so revoked access also removes unused entitlement cost.
Why access review evidence becomes fragile in spreadsheet workflows
Quarterly access reviews require current, attributable records of who has access, why they have it, and whether it still matches role need. Spreadsheet workflows make that evidence brittle because they depend on manual exports, human comparison, and offline follow-up. In audit terms, the issue is not just slow review production. It is weak traceability from entitlement to reviewer confirmation.
Practical implication: automate review evidence capture so audit readiness is generated continuously, not reconstructed at quarter end.
NHI Mgmt Group analysis
Spreadsheet-based SaaS governance creates an access lifecycle gap, not just an efficiency problem. ebbo’s starting point shows how quickly a small IT team can lose control once access state, license state, and ownership live in separate files and portals. The result is delayed offboarding, stale entitlements, and weak audit evidence. For identity teams, the lesson is that lifecycle fragmentation is itself a control failure.
Orphaned SaaS access is the direct governance symptom of incomplete offboarding. The article ties the risk to former employees retaining access to tools such as GitHub or Adobe, which is exactly the kind of residual entitlement that access reviews are supposed to remove. If deprovisioning is not centralised, the review process becomes retrospective paperwork rather than active control.
License visibility and access governance are the same operational problem viewed from different angles. ebbo’s $5,000 in unused licenses is not only a procurement finding. It is evidence that entitlement ownership was not being continuously reconciled with actual use. Teams that separate cost optimisation from identity governance miss the fact that both rely on the same source of truth.
Centralised lifecycle control is the named concept this case study reinforces. When provisioning, offboarding, and review are handled as a single governance loop, access decisions become traceable and auditable. When they are split across spreadsheets and manual logins, no one can reliably prove who should still have access. Practitioners should treat the absence of centralised lifecycle control as a first-order risk.
Lean teams do not fail because they lack diligence; they fail because the process design exceeds human capacity. ebbo’s two-person IT function had to support more than twenty SaaS applications, which is enough to turn every review cycle into a bottleneck. That pattern is common in growing organisations, so the governance model must assume constrained staffing from the start.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
- For lifecycle-heavy environments, see NHI Lifecycle Management Guide for the access, rotation, and offboarding patterns that help prevent the same kind of control drift.
What this signals
Centralised lifecycle control is becoming the minimum viable governance model for lean IT teams. When a two-person team is trying to manage more than twenty SaaS applications, manual review cycles stop being sustainable and start becoming a structural control gap. The same pattern will show up wherever ownership, entitlement, and usage are not reconciled in one workflow, including NHI and machine identity programmes.
License cleanup is also identity control, not just cost recovery. The $5,000 recovered from unused GitHub and Adobe licenses shows that spend leakage and access leakage often share the same root cause. Teams that want better governance outcomes should connect entitlement visibility to renewal decisions, offboarding triggers, and review evidence, not treat them as separate processes.
Access review programmes fail when they depend on humans to reconstruct state from artifacts instead of systems to preserve it. Our research on secrets management shows that the average estimated time to remediate a leaked secret is 27 days, while 75% of organisations still report strong confidence in their controls. That gap is a warning sign for any programme that expects manual diligence to compensate for fragmented governance.
For practitioners
- Map every SaaS application to an owner and offboarding trigger: Create a live inventory that ties each app to a business owner, an IT owner, and the event that should revoke access. Without those links, leavers stay active because nobody is accountable for the final deprovisioning step.
- Reconcile active users against actual usage before each review cycle: Use usage data to identify dormant or duplicate accounts before access certification begins. That makes the review about current risk, not about confirming stale spreadsheet entries.
- Automate license reclamation when accounts are disabled: Link offboarding to entitlement removal so the same workflow that ends access also frees the license for reuse or cancellation. This reduces both orphaned access and avoidable spend.
- Capture reviewer evidence inside the governance workflow: Store confirmations, exceptions, and remediation notes in the same system that initiated the review so auditors can trace the decision path without reconstructing it from emails and spreadsheets.
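The four steps above amount to one reconciliation pass: join each app's user export to the HR roster, the owner inventory and last-activity data, then emit findings that a reviewer can act on and an auditor can trace. The following is an added example written for this page, not code from ebbo, Josys or NHIMG. Every input (the roster, the per-app exports, the owner table, the example.com addresses and the 90-day dormancy threshold) is constructed sample data standing in for real HR and admin-console exports.

```python
"""Reconcile SaaS user exports against HR status, usage and ownership to produce
access-review findings. Added example with constructed inputs; not ebbo's or Josys' code."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for an HR export: email -> employment status at review time.
HR_ROSTER = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "left",    # leaver event already recorded in HR
    "dave@example.com": "active",
}

# Constructed per-app user exports: (email, last login or None, holds a paid seat).
APP_EXPORTS = {
    "source-control": [
        ("alice@example.com", date(2025, 7, 15), True),
        ("carol@example.com", date(2025, 3, 2), True),        # leaver still active
        ("svc-build@example.com", date(2025, 7, 20), True),   # not in HR: likely a machine identity
    ],
    "design-suite": [
        ("bob@example.com", None, True),                      # paid seat, never used
        ("dave@example.com", date(2025, 2, 1), True),         # dormant paid seat
        ("alice@example.com", date(2025, 7, 18), False),      # unlicensed viewer, nothing to reclaim
    ],
}

# Constructed owner inventory: app -> (business owner, technical owner).
# An app missing here has no accountable owner for the final deprovisioning step.
APP_OWNERS = {
    "source-control": ("eng-lead@example.com", "it@example.com"),
}

REVIEW_DATE = date(2025, 7, 21)          # constructed review date
DORMANT_AFTER = timedelta(days=90)       # assumed dormancy threshold, not from the page


@dataclass(frozen=True)
class Finding:
    app: str
    account: str
    kind: str      # orphaned | unknown_identity | dormant_license | never_used_license | no_owner
    detail: str


def reconcile(review_date, roster, exports, owners, dormant_after=DORMANT_AFTER):
    """Join app exports to HR status, ownership and usage; return actionable findings.

    An account can yield more than one finding (e.g. a leaver who also holds a
    dormant paid seat), which is exactly the access-plus-cost overlap reviewers
    need to see together."""
    findings = []
    for app, rows in exports.items():
        if app not in owners:
            findings.append(Finding(app, "*", "no_owner",
                                    "no business/technical owner recorded for this app"))
        for email, last_login, licensed in rows:
            status = roster.get(email)
            if status is None:
                findings.append(Finding(app, email, "unknown_identity",
                                        "not in HR roster; confirm owner or track as a non-human identity"))
            elif status != "active":
                findings.append(Finding(app, email, "orphaned",
                                        f"HR status is '{status}' but the account is still enabled"))
            if licensed:
                if last_login is None:
                    findings.append(Finding(app, email, "never_used_license",
                                            "paid seat with no recorded login"))
                elif review_date - last_login > dormant_after:
                    findings.append(Finding(app, email, "dormant_license",
                                            f"last login {last_login.isoformat()}, "
                                            f"over {dormant_after.days} days ago"))
    return findings


def summarize(findings):
    """Count findings by kind, the shape a review dashboard or audit summary wants."""
    return dict(Counter(f.kind for f in findings))


def reclaimable_seats(findings):
    """Seats the offboarding/reclamation workflow should free: dormant or never-used licences."""
    return sorted({(f.app, f.account) for f in findings
                   if f.kind in ("dormant_license", "never_used_license")})


def run_sample_review():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(REVIEW_DATE, HR_ROSTER, APP_EXPORTS, APP_OWNERS)


if __name__ == "__main__":
    results = run_sample_review()
    for f in results:
        print(f"{f.app:15} {f.account:24} {f.kind:18} {f.detail}")
    print("summary:", summarize(results))
    print("reclaimable seats:", reclaimable_seats(results))
```

On the sample data the pass surfaces one orphaned leaver, one identity with no HR record, one app with no named owner, and three paid seats that are dormant or never used; the point is that the same join that finds the security gap also finds the licence waste, so the review and the reclamation can run off one set of findings rather than two spreadsheets.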
Key takeaways
- The core problem in this case study is fragmented identity governance across SaaS apps, not simply time pressure on a small IT team.
- The evidence is concrete: ebbo recovered $5,000 in unused licenses, saved six hours a month, and cut two hours from onboarding per new hire.
- Teams should centralise ownership, offboarding, and review evidence so access control and license control operate as one lifecycle process.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers secret and credential lifecycle control patterns adjacent to this SaaS governance case. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions management fits the article's review and deprovisioning problem. |
| NIST Zero Trust (SP 800-207) | PR.AC | Zero trust access governance depends on continuous verification of who should retain access. |
Map SaaS offboarding and entitlement cleanup to NHI lifecycle controls and remove stale access on every leaver event.
Key terms
- SaaS Access Governance: SaaS access governance is the discipline of controlling who can use cloud applications, why they have access, and when that access should end. In practice it combines entitlement visibility, owner accountability, review evidence, and offboarding execution across many apps and user states.
- Orphaned Account: An orphaned account is a user account that remains active after the person or process that should have owned it has left, changed role, or stopped needing access. These accounts create both security exposure and unnecessary license cost because they persist outside normal lifecycle control.
- Access Review Evidence: Access review evidence is the record that shows who reviewed an entitlement, what they confirmed, and what remediation followed. Strong evidence is current, attributable, and linked to the system of record, while weak evidence is reconstructed later from spreadsheets or email chains.
- Lifecycle Control Loop: A lifecycle control loop is the closed process that ties provisioning, review, offboarding, and reclamation together so access state stays aligned with business need. When the loop is broken, entitlement drift appears as stale access, audit friction, and wasted licenses.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Josys: How ebbo™ Reduced Compliance Overhead and Reclaimed Hours of IT Time with Josys. Read the original.
Published by the NHIMG editorial team on 2025-07-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org