By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: SaaS cost management is presented as a way to control subscription sprawl, right-size licenses, and prevent auto-renewal waste, but Zluri's guide also shows how weak visibility, decentralised buying, and shadow IT create budget and governance risk. The real issue is not just spend reduction, but who has authority over software access and renewal decisions.


At a glance

What this is: This is a practical guide to SaaS cost management, and its core finding is that poor visibility, decentralised purchasing, and auto-renewals drive waste and shadow IT.

Why it matters: It matters to IAM practitioners because software sprawl, unmanaged access, and renewal drift sit on the same governance surface as SaaS identity, approvals, and lifecycle control.

By the numbers:

👉 Read Zluri's guide to SaaS cost management and subscription spend control


Context

SaaS cost management is really an access governance problem when buying, usage, and renewal decisions are decentralised. Once teams can subscribe independently, organisations lose track of who is using what, which licenses are redundant, and which tools continue to renew without review.

For identity teams, the overlap with SaaS governance is direct: application inventory, entitlement ownership, renewal oversight, and offboarding all affect whether software spend is controlled or allowed to accumulate silently. Zluri's guide frames the commercial problem, but the security implication is that unmanaged software often signals unmanaged identity and lifecycle controls.


Key questions

Q: How should organisations control SaaS spend without losing governance over access?

A: They should treat SaaS spend as part of identity and lifecycle governance, not just procurement. The practical model is to maintain a complete application inventory, assign ownership for every tool, review usage before renewal, and remove dormant access before it becomes recurring spend. That keeps budget control tied to accountable access decisions.

Q: Why do decentralised SaaS purchases create security and cost risk?

A: Decentralised purchasing breaks the connection between approval, visibility, and renewal. Teams can create duplicate licenses, unmanaged accounts, and unsanctioned tools that never enter central oversight. The cost impact is wasted spend, while the security impact is a growing shadow IT estate with unclear ownership and weak offboarding.

Q: What breaks when organisations rely on auto-renewals for SaaS subscriptions?

A: Auto-renewals turn a governance decision into a default state. Without timely review, organisations keep paying for applications that may be unused, redundant, or misaligned with current business needs. The breakage is not only financial; it also weakens lifecycle control because access persists longer than the business justification.

Q: Who should own SaaS license recertification and renewal decisions?

A: Ownership should sit with a named business controller supported by IT, security, and procurement. That owner should confirm usage, validate business need, and approve renewal or removal. If no one owns the decision, the subscription will usually persist by inertia, which is how waste and unmanaged access accumulate.


Technical breakdown

How SaaS subscription sprawl creates hidden governance debt

SaaS sprawl emerges when multiple teams procure tools independently and no single inventory reflects the full software estate. The result is duplicate licensing, orphaned subscriptions, and renewal terms that outlive their original business need. Cost control fails here because financial ownership and access ownership are usually separated. When usage data is incomplete, organisations end up paying for applications that are technically active but operationally unused, which also makes lifecycle decisions harder to audit.

Practical implication: tie application inventory to ownership and renewal approval so no subscription can renew without a named accountable controller.

Why license usage monitoring is an identity governance control

License usage monitoring is not just expense reporting. It is the process of confirming whether assigned access, paid seats, and real activity still match. Underused licenses often indicate stale entitlements, poor offboarding, or role changes that were never reflected in the SaaS stack. In identity terms, this is a recertification problem for application access. If usage is not measured against assignment, organisations cannot tell whether they are funding productive access or carrying dead entitlements across the estate.

Practical implication: compare assigned seats with actual usage and recertify dormant accounts before each renewal cycle.

Auto-renewals and shadow IT weaken SaaS lifecycle control

Auto-renewals are operationally convenient but governance-light. When procurement records, contract dates, and access owners are fragmented, renewals happen by default rather than by decision. Shadow IT makes the problem worse because tools may be purchased outside IT and never enter central review. That means SaaS cost management has to cover both procurement and access lifecycle, otherwise the organisation only sees the cost after the service has already persisted for another term.

Practical implication: enforce a renewal review window and require every unsanctioned SaaS app to pass into central oversight or be removed.


NHI Mgmt Group analysis

SaaS cost management is an access governance discipline disguised as finance. The article focuses on spend, but its failure modes are classic IAM issues: decentralised buying, missing ownership, and license drift. Once access decisions are distributed without lifecycle controls, cost leakage becomes the visible symptom of governance failure. The practitioner takeaway is that software spend and software authority should be managed together.

Visibility is the named control gap that determines whether SaaS sprawl stays contained. If teams cannot see who owns an app, who uses it, and when it renews, they cannot govern it. That is not a pricing problem alone; it is a control-plane problem across procurement, entitlement review, and offboarding. The practical implication is that any cost programme without application ownership will underperform.

License right-sizing is really recertification for SaaS entitlements. The guide repeatedly points to underused seats and redundant purchases, which is the same pattern identity teams see when access reviews are done too late or without usage evidence. Organisations that treat license management as a procurement task miss the lifecycle dimension entirely. The practitioner conclusion is that renewal decisions should be evidence-led, not calendar-led.

Shadow IT creates a parallel SaaS identity estate outside normal governance. When employees buy tools directly, the organisation inherits unmanaged accounts, unmanaged renewals, and fragmented audit trails. That is why cost control and security control converge in the same place. The practitioner implication is to treat unsanctioned apps as governance exceptions, not just budget anomalies.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
  • The NIST Cybersecurity Framework 2.0 is a useful next reference for aligning inventory, ownership, and governance controls.

What this signals

The deeper signal for practitioners is that SaaS rationalisation and identity governance are converging. Once procurement, usage, and offboarding are separated, the organisation loses the ability to prove that software remains necessary, approved, and controlled.

A useful concept here is license governance debt: the backlog that builds when subscriptions, seats, and renewal decisions are not reconciled against real usage. That debt shows up first as overspend, then as audit friction, and finally as unmanaged access across the application estate.


For practitioners

  • Centralise SaaS ownership: Create a single inventory that maps each application to a business owner, technical owner, and renewal date. Require that no subscription can renew without a recorded review decision.
  • Recertify unused seats before renewal: Compare assigned licenses with actual usage and flag dormant accounts, duplicate tools, and unused premium features. Use the review outcome to downgrade, reclaim, or terminate access before contracts auto-renew.
  • Bring shadow IT into review: Detect unsanctioned SaaS by correlating finance records, SSO logs, and browser or endpoint discovery. Route every found app through approval, rationalisation, or removal, with a clear owner assigned.
  • Align procurement with lifecycle controls: Link purchasing workflows to access governance so onboarding, entitlement review, and offboarding are part of the same process. This prevents software from remaining active after the business need has ended.
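The seat recertification and shadow-IT correlation described in the steps above (and in the license usage monitoring section earlier) can be reduced to a reconciliation of three data sources: the application inventory, SSO login activity, and finance charges. The following is an added example written for this page, not code from Zluri's guide or from NHI Mgmt Group. The inventory rows, SSO events and finance charges are constructed inline, and the field names (app, owner, renewal, seats, reviewed), the 90-day dormancy window and the 30-day renewal review window are assumptions chosen for illustration, not any vendor's schema.

```python
"""Reconcile a SaaS inventory against SSO activity and finance records.

Added example (not Zluri's or NHI Mgmt Group's code). All data below is
constructed for illustration; field names and thresholds are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Fixed "as of" date so the run is reproducible (constructed).
TODAY = date(2025, 6, 26)

# Constructed inventory of sanctioned apps: one has no owner, renewal dates vary.
INVENTORY = [
    {"app": "crm-suite", "owner": "sales-ops", "renewal": date(2025, 7, 15),
     "seats": ["alice", "bob", "carol", "dave"], "reviewed": False},
    {"app": "design-tool", "owner": None, "renewal": date(2025, 9, 1),
     "seats": ["erin", "frank"], "reviewed": False},
    {"app": "wiki", "owner": "it", "renewal": date(2025, 7, 1),
     "seats": ["alice", "bob"], "reviewed": True},
]

# Constructed SSO login events: (user, app, login date).
SSO_EVENTS = [
    ("alice", "crm-suite", date(2025, 6, 20)),
    ("bob", "crm-suite", date(2025, 3, 1)),      # older than the dormancy window
    ("carol", "crm-suite", date(2025, 6, 25)),
    # dave holds a crm-suite seat but has never logged in
    ("erin", "design-tool", date(2025, 6, 10)),
    ("frank", "design-tool", date(2025, 6, 11)),
    ("alice", "wiki", date(2025, 6, 26)),
    ("bob", "wiki", date(2025, 6, 26)),
]

# Constructed expense-system charges; one app was never inventoried.
FINANCE_CHARGES = [
    {"app": "crm-suite", "amount": 4800},
    {"app": "wiki", "amount": 600},
    {"app": "notes-app", "amount": 120},   # card purchase outside central review
]

DORMANCY_DAYS = 90          # assumed: no login in 90 days => dormant seat
RENEWAL_WINDOW_DAYS = 30    # assumed: renewals due within 30 days need a decision


@dataclass
class Findings:
    dormant_seats: dict[str, list[str]] = field(default_factory=dict)
    unowned_apps: list[str] = field(default_factory=list)
    renewals_without_review: list[str] = field(default_factory=list)
    shadow_apps: list[str] = field(default_factory=list)


def last_login_by_user_app(events):
    """Collapse raw SSO events to the most recent login per (user, app)."""
    latest = {}
    for user, app, when in events:
        key = (user, app)
        if key not in latest or when > latest[key]:
            latest[key] = when
    return latest


def reconcile(inventory, sso_events, finance_charges, today=TODAY,
              dormancy_days=DORMANCY_DAYS, renewal_window_days=RENEWAL_WINDOW_DAYS):
    """Produce recertification findings from inventory, SSO and finance data."""
    findings = Findings()
    latest = last_login_by_user_app(sso_events)
    cutoff = today - timedelta(days=dormancy_days)
    inventoried = {row["app"] for row in inventory}

    for row in inventory:
        app = row["app"]
        # Seats with no login inside the dormancy window are recertification candidates.
        dormant = [u for u in row["seats"]
                   if latest.get((u, app)) is None or latest[(u, app)] < cutoff]
        if dormant:
            findings.dormant_seats[app] = dormant
        # Every app needs a named accountable controller before it may renew.
        if not row["owner"]:
            findings.unowned_apps.append(app)
        # A renewal inside the review window with no recorded decision is a gap.
        due_soon = row["renewal"] - today <= timedelta(days=renewal_window_days)
        if due_soon and not row["reviewed"]:
            findings.renewals_without_review.append(app)

    # Anything billed but not inventoried is shadow IT until it passes review.
    findings.shadow_apps = sorted({c["app"] for c in finance_charges} - inventoried)
    return findings


if __name__ == "__main__":
    print(reconcile(INVENTORY, SSO_EVENTS, FINANCE_CHARGES))
```

On the constructed data the run flags bob and dave as dormant crm-suite seats, design-tool as having no owner, crm-suite as renewing inside the window with no review decision, and notes-app as a charge that never entered the inventory. In practice the three inputs would come from the identity provider's sign-in log, the procurement or contract system, and the expense ledger, and the thresholds would be set per renewal cycle rather than hard-coded.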

Key takeaways

  • SaaS spend problems usually start as governance problems, not pricing problems.
  • Usage visibility, ownership, and renewal review are the controls that separate rational spend from silent waste.
  • Identity teams should treat SaaS inventory and recertification as part of the same lifecycle discipline.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Application inventory and ownership support access governance for SaaS.
NIST CSF 2.0 | ID.AM-2 | The article centers on knowing what software exists and who uses it.
OWASP Non-Human Identity Top 10 | NHI-03 | Offboarding and revocation gaps mirror broader non-human lifecycle weaknesses.

Apply lifecycle review to non-human credentials and remove access when business need ends.


Key terms

  • SaaS Cost Management: The discipline of controlling, monitoring, and optimising spending on subscription software across an organisation. It combines procurement oversight, usage analysis, renewal review, and ownership discipline so that software spend reflects current business need rather than historical purchases.
  • Shadow IT: Software or services acquired and used outside approved organisational processes. In practice, shadow IT creates visibility gaps, weakens renewal control, and introduces unmanaged accounts or data flows that security and identity teams may not see until after the risk has already accumulated.
  • License Recertification: A periodic review of whether assigned software access is still needed and being used. It is similar to access recertification in identity governance, but focused on paid application seats, ensuring dormant or duplicate licenses are removed before they become recurring waste.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.

This post draws on content published by Zluri: SaaS Management SaaS Cost Management. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org