TL;DR: As SaaS adoption outpaces IT visibility, software asset management is shifting from licence tracking to identity governance, renewal control, and lifecycle enforcement, according to Zluri. The practical issue is not just spend leakage but unmanaged access and offboarding gaps across SaaS apps, vendors, and internal users.
At a glance
What this is: This is a practitioner guide on managing SaaS software assets, with the main finding that spreadsheets and traditional ITAM or SAM tools do not provide reliable visibility or lifecycle control for SaaS licences.
Why it matters: It matters because SaaS asset management now intersects with IAM, access reviews, and offboarding, so security and identity teams need shared governance over app access, renewals, and revocation.
By the numbers:
- Zluri says its app library covers 225,000+ apps across nine discovery methods.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
👉 Read Zluri's article on managing SaaS software assets
Context
SaaS asset management is no longer just a procurement or cost-control exercise. In practice, it is an identity governance problem because every app licence, renewal, and revocation decision creates an access entitlement that must be visible, reviewed, and removed on time.
The article shows why spreadsheets, hardware-centred ITAM, and legacy SAM tooling break down once software buying moves outside central IT. When users can acquire SaaS directly, the governance gap is not the tool count, it is the absence of reliable lifecycle control across human users, vendor accounts, and other non-human identities.
Key questions
Q: How should teams govern SaaS licences as part of identity management?
A: Teams should treat SaaS licences as entitlements, not just assets. That means keeping an authoritative inventory, linking approvals to joiner-mover-leaver workflows, and removing access when the business need ends. Governance works best when renewal, assignment, and revocation sit inside the identity programme rather than a separate spreadsheet or procurement process.
Q: Why do spreadsheets break down for SaaS asset management?
A: Spreadsheets break down because they rely on manual updates and periodic reconciliation, while SaaS access changes continuously. They miss dormant licences, duplicate assignments, and offboarding delays. As the estate grows, the gap between recorded inventory and actual access becomes large enough to create both cost waste and governance risk.
Q: What should organisations prioritise before SaaS contract renewals?
A: Organisations should prioritise usage review, entitlement ownership, and offboarding validation before renewal. If an app is lightly used or no longer tied to active work, the licence should be reclaimed or downgraded. Renewal is the right time to reset access assumptions and remove spend that no longer delivers value.
Q: Who should own SaaS licence revocation when employees leave or change roles?
A: Identity and access teams should own the control, with HR or workflow signals triggering the action. SaaS revocation needs to happen as part of the leaver or mover process, not as an afterthought in procurement. That ensures access is removed when business need ends, which limits waste and reduces residual exposure.
Technical breakdown
Why spreadsheets fail for SaaS licence governance
Spreadsheets depend on manual entry, periodic updates, and human reconciliation, which makes them a poor control plane for SaaS estates that change continuously. They can record purchases, but they do not reliably capture live usage, dormant licences, or offboarding events. That creates blind spots in renewal planning and duplicate spending. In identity terms, the problem is that a spreadsheet is a record-keeping aid, not an authoritative entitlement system.
Practical implication: treat spreadsheets as a stopgap only and move SaaS inventory into a system that can observe usage and revocation in near real time.
Why ITAM and traditional SAM miss SaaS access
ITAM is built around hardware-centric asset tracking, while traditional SAM is still rooted in on-prem licence management. SaaS changes the control problem because access is tied to subscriptions, identity context, and third-party administration rather than a locally installed licence key. That means the same asset can have multiple identity-adjacent states: purchased, assigned, dormant, and externally shared. Without SaaS-aware discovery, these states remain invisible and governance becomes partial.
Practical implication: map SaaS applications into the identity programme, not only the asset register, so assignment and revocation are governed alongside inventory.
Software asset management and lifecycle control for SaaS
SaaS governance becomes effective when provisioning, renewal, and deprovisioning are tied to joiner-mover-leaver processes. The article’s workflow examples show the right direction: automate requisition, approval, and revocation so licences do not survive role changes or offboarding. This is where software asset management intersects with access governance, because every licence is also an entitlement with a lifecycle. For broader NHI lifecycle framing, see the Ultimate Guide to NHIs and the NHI Lifecycle Management Guide.
Practical implication: align SaaS licence workflows to JML and access review processes so app access is removed when business need ends.
NHI Mgmt Group analysis
SaaS asset management is now an entitlement governance discipline, not just an inventory exercise. Once software buying happens outside IT, each licence becomes an access decision that must be controlled through lifecycle, review, and revocation. The article is useful because it shows how cost leakage and governance failure share the same root condition: uncontrolled assignment. Practitioners should treat SaaS asset management as part of identity governance, not a separate procurement workflow.
Legacy SAM and hardware-first ITAM break on the identity dimension of SaaS. Those models were designed for discrete assets and stable ownership, while SaaS includes shared accounts, vendor-managed tenancy, external users, and rapid role-based changes. That mismatch leaves organisations with partial visibility into who can use what and when. The result is a governance blind spot that affects spend, compliance, and access risk at the same time.
Vendor-managed app usage data can improve control, but it does not replace authoritative identity governance. Usage monitoring, renewal alerts, and app discovery are valuable signals, yet they still need a policy owner who can decide whether access should remain, shrink, or disappear. In other words, telemetry supports governance, but it cannot substitute for entitlement decisions. Practitioners should keep the control authority inside IAM and IGA.
Automating requisition and revocation is the right pattern because manual lifecycle handling fails at SaaS scale. The article’s focus on onboarding and offboarding workflows aligns with the broader lifecycle problem across human and non-human access. When access is tied to employment state, project scope, or vendor relationship, delay creates waste and exposure. The operational conclusion is straightforward: lifecycle enforcement must be built into the software asset process from the start.
The Ultimate Guide to NHIs (Lifecycle Processes for Managing NHIs) remains the more complete governance lens when SaaS licences also involve service accounts, API keys, or other non-human access paths. SaaS programmes rarely stay human-only in practice. Once app administration, integrations, and delegated access enter the picture, the identity surface expands beyond user licences. Practitioners should therefore govern the application, the entitlement, and the machine access path together.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage.
- For the lifecycle angle behind this governance gap, see NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding reduce residual access.
What this signals
SaaS governance is converging with identity lifecycle management. As application buying decentralises, the control question shifts from who owns the licence budget to who can prove access is current, justified, and removable. Programmes that keep SaaS in procurement alone will keep finding offboarding gaps and unused spend. The practical move is to route SaaS approvals, renewals, and removals through identity-owned workflows, not ad hoc admin.
App discovery is useful only when paired with entitlement decisions. Visibility into installed, purchased, or connected apps is not the same as control over who should still have access. The stronger model is to combine discovery with access review, renewal governance, and external-user tracking so the programme can act on what it sees. For broader control framing, the NIST Cybersecurity Framework 2.0 is still a useful way to align identify, protect, detect, respond, and recover functions around SaaS access.
For practitioners
- Centralise SaaS entitlement inventory: Replace spreadsheet-based tracking with an authoritative inventory that records app ownership, assignment, renewal date, and revocation status for every licence.
- Tie SaaS approval to joiner-mover-leaver workflows: Require provisioning and deprovisioning to trigger from HR or identity workflow events so licences are added, changed, or removed with role movement.
- Review dormant and underused licences before renewal: Use usage data to identify apps with low activity, then downgrade, reclaim, or terminate licences before the renewal date to cut unnecessary spend.
- Extend app governance to external users: Track vendors, freelancers, and consultants separately so their access can be reviewed and removed when contracts end or business need changes.
- Treat SaaS access as an audit control: Document who approved each app, why it was needed, and when it should be removed so licensing decisions remain defensible during audits and renewals.
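The checks above (leaver revocation, external contract end, dormant licences ahead of renewal) reduce to a reconciliation between an identity source and the licence inventory. The script below is an added example, not Zluri's or NHIMG's tooling; the identity feed, licence records, dormancy threshold and renewal window are all constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Identity:
    user_id: str
    status: str                       # "active" or "left" (from HR / IdP)
    kind: str                         # "employee" or "external"
    contract_end: date | None = None  # externals only

@dataclass(frozen=True)
class Entitlement:
    app: str
    user_id: str
    last_active: date | None          # None = licence assigned but never used
    renewal: date

# Constructed sample data standing in for the HR/IdP feed and the licence inventory.
TODAY = date(2025, 6, 1)
IDENTITIES = {i.user_id: i for i in [
    Identity("alice", "active", "employee"),
    Identity("bob", "left", "employee"),
    Identity("carol", "active", "external", date(2025, 5, 15)),
    Identity("dave", "active", "external", date(2025, 12, 31)),
]}
ENTITLEMENTS = [
    Entitlement("crm", "alice", date(2025, 5, 28), date(2025, 6, 20)),
    Entitlement("crm", "bob", date(2025, 3, 1), date(2025, 6, 20)),
    Entitlement("design", "carol", date(2025, 5, 10), date(2025, 9, 1)),
    Entitlement("design", "dave", None, date(2025, 6, 15)),
    Entitlement("chat", "erin", date(2025, 5, 30), date(2025, 7, 1)),   # no identity record
]

def review(entitlements, identities, today, dormant_days=60, renewal_window=30):
    """Return (app, user_id, reason) tuples for licences that need action."""
    findings = []
    for e in entitlements:
        ident = identities.get(e.user_id)
        # Leaver check: a licence must not outlive the identity behind it.
        if ident is None or ident.status != "active":
            findings.append((e.app, e.user_id, "stale: no active identity"))
        # External-user check: contract end is the revocation trigger.
        elif ident.kind == "external" and ident.contract_end and ident.contract_end < today:
            findings.append((e.app, e.user_id, "stale: contract ended"))
        # Renewal check: flag dormant or never-used licences only when renewal is near.
        elif (e.renewal - today).days <= renewal_window and (
                e.last_active is None or (today - e.last_active).days > dormant_days):
            findings.append((e.app, e.user_id, "dormant: reclaim before renewal"))
    return findings
```

Each finding names the app and user so it can be routed to the entitlement owner; active, in-use licences such as alice's CRM seat produce nothing.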
Key takeaways
- SaaS asset management becomes an identity problem when licences are assigned, renewed, and revoked as access entitlements.
- Spreadsheets and hardware-first tools fail because they cannot keep pace with continuous SaaS change, usage drift, and offboarding delay.
- Practitioners should centralise entitlement ownership and tie SaaS lifecycle actions to identity workflows, not procurement after the fact.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle gaps in SaaS licences mirror weak non-human credential governance. |
| NIST CSF 2.0 | PR.AC-4 | SaaS access assignment and revocation directly affect least-privilege control. |
| NIST Zero Trust (SP 800-207) | | SaaS governance should support continuous verification and minimal standing access. |
Map SaaS-linked accounts and access paths to NHI lifecycle controls and remove stale entitlements promptly.
Key terms
- SaaS entitlement: A SaaS entitlement is the access right attached to a software subscription or licence. It determines who can use an application, what level of access they receive, and when that access should be removed. In governance terms, it must be managed like any other identity permission.
- Joiner-mover-leaver workflow: A joiner-mover-leaver workflow is the lifecycle process that grants, changes, and removes access as people enter, change roles, or leave the organisation. For SaaS, it should also drive licence assignment and revocation so app access does not outlive business need.
- Software asset management: Software asset management is the discipline of tracking software usage, licences, and renewals to control cost and compliance. In SaaS environments, it must also account for identity state, because an assigned subscription is an access decision as much as an asset record.
- Offboarding: Offboarding is the process of removing access, licences, and related privileges when a user, contractor, or vendor relationship ends. In SaaS governance, offboarding is only effective when it is timely, verifiable, and linked to identity workflows that actually revoke the entitlement.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: SaaS Management How to Manage Software Assets. Read the original.
Published by the NHIMG editorial team on 2025-10-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org