TL;DR: SaaS budget planning improves cost control by discovering app sprawl, tracking usage, and enforcing renewal discipline, according to Zluri. The identity lesson is broader: software budgets become governance problems when shadow IT, abandoned access, and unused entitlements are left unmanaged.
At a glance
What this is: This is a SaaS budget planning guide that links financial control to application discovery, licence usage, renewals, and employee offboarding.
Why it matters: It matters because unowned SaaS spend usually signals unowned access, which creates governance risk across human identities, service accounts, and the systems that connect them.
👉 Read Zluri's guide to SaaS budget planning and licence optimisation
Context
SaaS budget planning is not only a finance exercise. In practice, it is a visibility problem: if an organisation cannot see which SaaS applications, licences, and renewals are active, it cannot reliably govern who or what still has access to them.
For IAM and IGA teams, that creates overlap between cost control and identity control. Unused subscriptions, shadow IT, and departed users with active accounts all point to the same gap, which is lifecycle governance rather than simple expense management.
Key questions
Q: How should security teams govern SaaS sprawl without losing access control?
A: Start with a single inventory that joins finance, identity, and app-discovery data. Then require owners for every application, review entitlements at renewal, and remove access when the business no longer needs the tool. SaaS sprawl becomes manageable only when budgeting and IAM use the same source of truth.
Q: Why do unused SaaS licences matter to IAM teams?
A: Unused licences often indicate more than wasted spend. They can signal abandoned accounts, missing ownership, or access that was never revisited after a role change or departure. IAM teams should treat dormant subscriptions as evidence that lifecycle controls are incomplete, especially where offboarding and renewal reviews are disconnected.
Q: How can organisations tell whether SaaS budget controls are working?
A: Look for fewer orphaned subscriptions, lower duplicate app counts, and clean ownership records tied to each renewal. If finance can explain spend but IAM cannot explain who still has access, the control set is incomplete. Effective governance shows up as aligned inventory, ownership, and access removal.
Q: Who should own SaaS offboarding decisions when a user leaves?
A: Ownership should be shared, but accountability should be explicit. HR triggers the event, IAM removes access, and the business owner confirms whether the app still has a valid purpose. The goal is to prevent a gap where the licence is cancelled but the account remains active, or vice versa.
Technical breakdown
SaaS application discovery and shadow IT
SaaS discovery is the process of identifying every cloud application in use, including tools purchased outside central IT. The article leans on multiple discovery methods, which reflects a real governance issue: finance cannot budget accurately if the application inventory is incomplete, and IAM cannot govern access if the system of record is missing users and apps. Shadow IT is therefore not just a procurement problem. It is an identity visibility problem because every undiscovered app may carry unmanaged authentication paths, residual accounts, and unreviewed permissions.
Practical implication: reconcile SaaS discovery sources with identity and finance records before you build renewal or offboarding controls.
Licence utilisation, renewal calendars, and entitlement drift
Licence optimisation depends on comparing purchased entitlements with actual use. The article describes usage analytics, renewal alerts, and budget tracking as the mechanism for reducing waste. From an identity perspective, this is entitlement drift: access is granted faster than it is removed, so organisations keep paying for both software and standing privileges long after business need has changed. Renewal timing matters because it is often the only operational checkpoint where finance, IT, and identity teams can challenge stale allocation patterns before they harden into another annual cycle.
Practical implication: tie renewal review to entitlement review so licence spend and access ownership are assessed together.
Employee offboarding and abandoned SaaS accounts
Offboarding is the process of closing accounts and removing access when a worker leaves. The article correctly treats abandoned licences as a cost issue, but the governance risk is broader: an unused SaaS account can remain a live authentication path, especially when ownership has not been reassigned. In identity terms, this is lifecycle failure. The account outlives the business relationship, which means the organisation retains cost, exposure, and audit burden at the same time. This is where finance data becomes an IAM control signal rather than a reporting artifact.
Practical implication: make offboarding close both the licence and the account, and require an owner for every remaining SaaS entitlement.
NHI Mgmt Group analysis
SaaS spend sprawl is often identity sprawl in disguise. When organisations lose track of applications, they usually lose track of the access paths attached to those applications as well. That means finance overspend and identity governance failure are often the same condition viewed from different teams. The practitioner conclusion is that budget planning needs identity inventory discipline, not just procurement discipline.
Renewal management is a lifecycle control, not a finance convenience. The article’s emphasis on alerts and contract timing points to a broader truth: renewal dates are one of the few moments when stale access can be challenged before it becomes routine. If IAM and finance are not aligned at renewal, access and spend both drift. The practitioner conclusion is to treat renewals as entitlement review checkpoints.
Abandoned licences expose a weak offboarding assumption. The article assumes that terminating a subscription is enough, but in real environments the account, the entitlement, and the ownership record must all be closed together. If any of those remain open, the organisation keeps paying for dormant access and leaves an audit gap behind. The practitioner conclusion is that offboarding must be measured as a complete lifecycle event, not a billing action.
Shadow IT creates a hidden governance surface that spans human and machine identities. SaaS discovery does not only uncover employee use. It also reveals connected service accounts, admin tokens, and delegated integrations that finance teams rarely see directly. That makes cross-domain inventory essential because the same unmanaged application can carry human login risk and non-human access risk at once. The practitioner conclusion is that SaaS governance must map both users and integrations.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- For a broader governance frame, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, which connects access lifecycle controls to operational cleanup.
What this signals
Identity and spend are converging control planes. Finance teams that only optimise SaaS cost will keep missing the access problem underneath it. The next maturity step is to align procurement, renewal, and offboarding with the same entitlement record so SaaS waste and access drift are removed together.
With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to The State of Secrets in AppSec, application sprawl should be treated as a security exposure surface, not just a cost category. The practical shift is to treat every renewal as a control checkpoint.
Lifecycle visibility will matter more than discount hunting. As SaaS estates expand, the organisations that can prove ownership, usage, and removal will control both risk and spend. The teams that cannot will keep paying for tools and access that no longer serve the business.
For practitioners
- Build a reconciled SaaS inventory: merge finance records, SSO logs, HR data, and application discovery feeds into one inventory so hidden subscriptions and unmanaged access paths surface together.
- Convert renewals into access reviews: require the business owner, IT, and IAM to review licences, users, and application necessity before every major renewal window.
- Close accounts and licences together: during offboarding, verify that the subscription is removed, the account is disabled, and ownership is reassigned for any shared or critical SaaS application.
- Track unused entitlements as governance debt: report dormant licences, orphaned apps, and duplicate subscriptions as a combined control issue, not only as a cost-saving opportunity.
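The reconciliation these steps describe can be expressed as a join over the three feeds. The script below is an added illustration, not code from Zluri or NHIMG: it takes constructed HR, finance and SSO/discovery records (all sample values) and flags the gaps the guidance names, including departed users with live accounts, cancelled subscriptions whose accounts still work, discovered apps with no budget line, unowned subscriptions, dormant seats, and accounts with no matching human.

```python
from datetime import date, timedelta

# Constructed sample feeds (not from the page); in practice these come from HR,
# finance and SSO/discovery exports. Dates are ISO strings as most exports give them.
HR = {"alice": "active", "bob": "left"}             # user -> employment status
FINANCE = {                                          # app -> subscription record
    "crm":     {"owner": "sales-lead", "active": True},
    "wiki":    {"owner": None,         "active": True},   # nobody owns this one
    "oldtool": {"owner": "it",         "active": False},  # subscription cancelled
}
ACCOUNTS = [                                         # accounts seen by SSO / discovery
    {"app": "crm",     "user": "alice",    "last_login": "2025-06-20"},
    {"app": "crm",     "user": "bob",      "last_login": "2025-04-28"},
    {"app": "crm",     "user": "svc-sync", "last_login": "2025-06-25"},
    {"app": "wiki",    "user": "alice",    "last_login": "2025-01-10"},
    {"app": "oldtool", "user": "alice",    "last_login": "2025-06-22"},
    {"app": "chatbot", "user": "alice",    "last_login": "2025-06-24"},
]

def reconcile(hr, finance, accounts, today, dormant_days=90):
    """Join the three feeds and return sorted (finding, app, subject) tuples."""
    findings = set()
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        app, user = acct["app"], acct["user"]
        sub = finance.get(app)
        if sub is None:
            findings.add(("shadow_app", app, user))          # discovered, never budgeted
        elif not sub["active"]:
            findings.add(("cancelled_but_live", app, user))  # licence gone, login still works
        if hr.get(user) == "left":
            findings.add(("orphaned_account", app, user))    # user departed, access remains
        elif user not in hr:
            findings.add(("non_human_account", app, user))   # service/integration identity
        if date.fromisoformat(acct["last_login"]) < cutoff:
            findings.add(("dormant_account", app, user))     # paid seat with no recent use
    for app, sub in finance.items():
        if sub["active"] and sub["owner"] is None:
            findings.add(("unowned_app", app, None))         # renewal with no accountable owner
        if sub["active"] and not any(a["app"] == app for a in accounts):
            findings.add(("licence_without_accounts", app, None))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))

def demo(today=date(2025, 6, 26)):
    """Run the reconciliation over the constructed feeds as of a fixed date."""
    return reconcile(HR, FINANCE, ACCOUNTS, today)

if __name__ == "__main__":
    for kind, app, subject in demo():
        print(f"{kind:24} {app:10} {subject or '-'}")
```

Each finding maps to one of the practitioner actions above: orphaned and cancelled-but-live accounts go to offboarding, unowned and dormant entries go to the next renewal review, and shadow apps go back into the inventory.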
Key takeaways
- SaaS budget planning becomes an identity governance problem once shadow IT, duplicate tools, and abandoned accounts are part of the spend picture.
- Usage analytics and renewal alerts help only when they are paired with ownership checks, offboarding, and entitlement cleanup.
- The strongest control model treats every SaaS renewal as a lifecycle review of access, purpose, and accountability.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | SaaS entitlement drift is an access management issue under CSF Protect. |
| NIST Zero Trust (SP 800-207) | | SaaS discovery and renewal controls support continuous verification in zero trust. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Orphaned SaaS accounts and stale entitlements reflect NHI lifecycle weaknesses. |
Audit non-human and delegated SaaS accounts for stale access and remove unowned entitlements.
Key terms
- SaaS sprawl: SaaS sprawl is the uncontrolled growth of cloud applications across an organisation, often outside central procurement or IAM oversight. It creates duplicated spend, fragmented access control, and a larger surface for orphaned accounts, shadow IT, and inconsistent lifecycle management.
- Entitlement drift: Entitlement drift is the gap between the access an identity was originally granted and the access it still retains after roles, needs, or ownership change. In SaaS environments, it shows up as stale licences, over-assigned accounts, and permissions that no longer match business purpose.
- Lifecycle governance: Lifecycle governance is the discipline of managing identities and access from onboarding through change and offboarding. In SaaS-heavy environments, it means access, ownership, renewal, and removal are controlled as one process rather than treated as separate tasks.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: SaaS Management Master SaaS Budget Planning, a guide for finance teams. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org