By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Best Practices
Source: Zluri

TL;DR: SaaS discovery, license management, spend control, app security, and shadow IT visibility all depend on how many sources you can monitor. Zluri's comparison sets nine discovery methods against two and claims 100% SaaS visibility. The governance lesson is that visibility and lifecycle control matter more than dashboard breadth once SaaS sprawl becomes an access problem.


At a glance

What this is: This is a SaaS management comparison that argues broader discovery methods improve visibility, license control, spend management, and shadow IT coverage.

Why it matters: It matters because SaaS sprawl is also identity sprawl, and IAM, IGA, and PAM teams need visibility into applications, accounts, and access paths before they become unmanaged risk.

👉 Read Zluri's comparison of BetterCloud and SaaS management approaches


Context

SaaS management is fundamentally an identity governance problem because every connected app introduces accounts, OAuth grants, SSO links, and renewal obligations that security teams must track. The core issue in this comparison is not feature parity, but whether discovery and control logic is broad enough to keep pace with unsanctioned applications, underused licences, and access that survives beyond business need.

For IAM, IGA, and security teams, the practical question is how much of the SaaS estate remains invisible when discovery depends on only a few signals. A programme that cannot see apps purchased outside IT, apps used through personal devices, or apps accessed through multiple identity paths will struggle to govern access consistently across human and non-human activity.


Key questions

Q: How should security teams govern SaaS apps that appear outside IT procurement?

A: Security teams should treat off-procurement SaaS as an identity and data risk, not just a finance anomaly. Start by identifying the app, the identities that access it, and whether it stores business data or delegated permissions. Then route it through ownership, review, and either sanctioned onboarding or controlled removal before it becomes a permanent blind spot.

Q: Why do SaaS apps create governance problems for IAM and IGA programmes?

A: SaaS apps create governance problems because every app introduces an account, a grant, or a login path that can outlive the business need behind it. When discovery, entitlement review, and offboarding are not linked, access persists after users stop relying on the app. That is how SaaS sprawl becomes lifecycle drift.

Q: What do teams get wrong about shadow IT in SaaS environments?

A: Teams often treat shadow IT as a blocking problem, when it is usually a visibility and workflow problem. If employees can buy or adopt tools faster than IT can evaluate them, the issue is process latency. The right response is to shorten approved access paths while capturing app usage before it becomes unmanaged.

Q: Who should own SaaS licence reclamation and app offboarding?

A: Ownership should sit with a shared governance process across IAM, IT, procurement, and application owners, because reclaimed licences can still hide active access or stored data. The key is to make offboarding and renewal decisions from the same entitlement record, so decommissioning does not lag behind spending decisions.


Technical breakdown

SaaS discovery depends on how many identity signals you can observe

SaaS discovery is the process of identifying which applications are in use, how they are accessed, and which identity paths connect to them. OAuth and SSO monitoring can reveal sanctioned connections, but they rarely capture the full shadow estate. Broader discovery usually combines finance data, endpoint telemetry, browser activity, MDM signals, CASB feeds, HR data, and directory records. That mix matters because the same application can appear through multiple access paths, and a single control source can miss apps bought outside IT or used from unmanaged devices.

Practical implication: map every discovery source to an identity signal, then compare coverage against apps bought outside IT and apps reached through personal endpoints.

Licence management is really entitlement lifecycle management

Licence management is not just cost reduction. It is the control process that decides whether app entitlements should remain assigned, be right-sized, or be reclaimed when usage drops. In SaaS environments, entitlement drift happens when licences remain active after a role change, project end, or app abandonment. A strong programme correlates usage telemetry with ownership, cost centres, and renewal dates so that underused or duplicate subscriptions can be removed before they turn into waste or residual access risk.

Practical implication: treat licence reclamation as a lifecycle event tied to usage thresholds and ownership review, not as a finance-only exercise.

Shadow IT becomes an access governance issue once apps hold data

Shadow IT is not only an inventory problem. Once employees sign into unsanctioned SaaS tools, those tools can hold business data, tokens, delegated permissions, and collaboration history outside approved controls. That creates risk across data handling, offboarding, and compliance because IT may not know the app exists until an incident or audit reveals it. Security teams should therefore view app discovery as the first step in governing where data and identities flow, not as a separate software catalogue exercise.

Practical implication: prioritise discovery workflows that expose unsanctioned apps before you rely on policy enforcement or blocking.
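The three points above (merging several discovery sources, treating licence reclamation as a usage-and-ownership review, and surfacing unsanctioned apps before enforcement) can be shown as one small correlation job. The script below is an added illustration written for this post, not code from Zluri or the NHI Mgmt Group; the SSO, endpoint, finance and HR feeds are constructed sample data, and the 60-day idle threshold and the source names are assumptions. It builds one app record per application across sources, flags apps seen only in endpoint telemetry (no SSO, no invoice), and produces reclamation candidates with the owner and renewal date attached so the review lands with the right person.

```python
"""Correlate SaaS discovery feeds into one inventory, then derive shadow-IT
and licence-reclamation findings (illustrative example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed sample feeds; every app, user and date here is made up.
SSO_EVENTS = [  # (app, user, last_login) from the identity provider
    ("Slack", "alice", date(2025, 6, 20)),
    ("Slack", "bob", date(2025, 3, 1)),
    ("Jira", "alice", date(2025, 6, 24)),
]
ENDPOINT_EVENTS = [  # (app, user, last_seen, device_is_managed) from MDM/endpoint
    ("Slack", "alice", date(2025, 6, 25), True),
    ("Notion", "carol", date(2025, 6, 22), False),  # never seen via SSO or invoices
    ("Jira", "dave", date(2025, 6, 23), True),       # dave has left the company
]
FINANCE_RECORDS = {  # app -> (owning team, renewal date, paid seats)
    "Slack": ("it-collab", date(2025, 9, 1), 3),
    "Jira": ("eng-tools", date(2025, 8, 15), 2),
    "Figma": ("design", date(2025, 7, 30), 5),       # paid for, no usage observed
}
HR_STATUS = {"alice": "active", "bob": "active", "carol": "active", "dave": "terminated"}


@dataclass
class AppRecord:
    name: str
    sources: set = field(default_factory=set)       # discovery feeds that saw the app
    last_seen: dict = field(default_factory=dict)   # user -> most recent activity date
    unmanaged_device_users: set = field(default_factory=set)
    owner: Optional[str] = None
    renewal_date: Optional[date] = None
    paid_seats: int = 0


def build_inventory():
    """Merge every feed into one record per app, keeping the latest activity per user."""
    inv = {}

    def rec(app):
        return inv.setdefault(app, AppRecord(app))

    for app, user, seen in SSO_EVENTS:
        r = rec(app)
        r.sources.add("sso")
        r.last_seen[user] = max(seen, r.last_seen.get(user, seen))
    for app, user, seen, managed in ENDPOINT_EVENTS:
        r = rec(app)
        r.sources.add("endpoint")
        r.last_seen[user] = max(seen, r.last_seen.get(user, seen))
        if not managed:
            r.unmanaged_device_users.add(user)
    for app, (owner, renewal, seats) in FINANCE_RECORDS.items():
        r = rec(app)
        r.sources.add("finance")
        r.owner, r.renewal_date, r.paid_seats = owner, renewal, seats
    return inv


def shadow_it(inv):
    """Apps with real usage but no SSO link and no invoice: the blind spot to triage first."""
    return sorted(a for a, r in inv.items()
                  if "sso" not in r.sources and "finance" not in r.sources)


def reclamation_candidates(inv, today, idle_days=60):
    """(app, user, reason, owner, renewal_date) rows for the entitlement review.
    Leavers and idle seats are flagged per user; a paid app with no observed
    usage at all is flagged as a whole subscription."""
    out = []
    for app, r in inv.items():
        for user, seen in r.last_seen.items():
            if HR_STATUS.get(user) == "terminated":
                out.append((app, user, "leaver", r.owner, r.renewal_date))
            elif today - seen > timedelta(days=idle_days):
                out.append((app, user, "idle", r.owner, r.renewal_date))
        if r.paid_seats and not r.last_seen:
            out.append((app, None, "unused subscription", r.owner, r.renewal_date))
    return out


if __name__ == "__main__":
    inventory = build_inventory()
    print("shadow IT:", shadow_it(inventory))
    for row in reclamation_candidates(inventory, date(2025, 6, 26)):
        print("review:", row)
```

Each finding carries the owner and renewal date from the finance feed, which is the point of correlating sources: the review step can be routed to someone accountable and scheduled ahead of the renewal, rather than surfacing as a spend anomaly after the invoice is paid.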



NHI Mgmt Group analysis

SaaS visibility is only useful when it translates into identity control. A platform can claim broad discovery, but governance value comes from closing the loop between app usage, licence assignment, and offboarding. SaaS estates fail when the organisation can see an app but cannot remove access cleanly or reclaim entitlements at the right time. The practitioner test is whether discovery output feeds lifecycle action, not whether the inventory looks complete.

Shadow IT is often the first visible symptom of weak lifecycle discipline. When employees buy or adopt apps outside IT, the deeper problem is usually that sanctioned workflows are too slow, too rigid, or too disconnected from business demand. That is not a tooling story alone; it is an access governance gap. The field should treat unmanaged SaaS adoption as evidence that access request and renewal processes are not keeping pace with how work actually happens.

Broad discovery methods create better coverage, but they also reveal programme fragmentation. Finance, browser, endpoint, HR, directory, and SSO data each capture a different slice of the SaaS estate. The more sources a programme needs, the more likely it is that identity governance is spread across teams without a common operational model. The implication is that practitioners need a single governance view that can absorb multiple signals without losing accountability.

Licence reclamation should be aligned to access reviews, not just procurement cycles. A subscription that is still paid for may still carry active access, delegated permissions, or stored content. Those are identity and data issues, not only budget issues. Organisations that separate software spend from access governance leave gaps where dormant licences and dormant accounts persist together.

From our research:

  • 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
  • Only 13% of organisations feel extremely prepared for the reality of agentic AI, which shows how quickly identity programmes can fall behind operational adoption.
  • For a broader baseline on hidden identity risk, see Ultimate Guide to NHIs for governance, lifecycle, visibility, rotation, and offboarding patterns.

What this signals

Shadow SaaS will keep expanding until discovery becomes continuous. A programme that relies on periodic audits will keep missing apps bought outside IT, browser-level usage, and devices that never fully join managed controls. The practical shift is toward continuous intake of identity signals, with procurement, endpoint, and directory data feeding the same governance queue.

67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey. That figure is a warning for SaaS governance too: if credential hygiene lags in AI-adjacent estates, it usually lags in app sprawl and entitlement clean-up as well.

Entitlement lifecycle will become the organising principle for SaaS control. Teams that separate spend management from access governance will keep paying for dormant apps while leaving dormant accounts in place. The better operating model is one record for ownership, usage, and offboarding, with NHI Lifecycle Management Guide patterns adapted to app entitlements.


For practitioners

  • Map SaaS discovery inputs to identity signals: Inventory which sources you use for app discovery, including SSO, finance, endpoint, browser, MDM, CASB, HR, and directory data. Then document which identity events each source can and cannot see, especially for apps bought outside IT or accessed from unmanaged devices.
  • Tie licence reclamation to access reviews: Link underused or duplicate licences to a formal review step so that reassignment, downgrade, or removal happens when business usage falls below threshold. Keep the review connected to app ownership and renewal dates so the control closes the entitlement lifecycle.
  • Prioritise unsanctioned app containment: Build a workflow that identifies shadow IT applications, checks whether data or tokens are stored there, and routes the app to remediation before a policy exception becomes a standing access path. Use this for high-risk apps first, not every app equally.
  • Create one SaaS governance view for IT and security: Consolidate app usage, ownership, and entitlement status into one operating view so procurement, security, and IAM teams act from the same record. This reduces duplicate actions and makes it easier to remove access when applications are retired or abandoned.

Key takeaways

  • SaaS discovery is an identity governance control when it is connected to access, ownership, and offboarding.
  • The main risk in shadow IT is not just unapproved software, but unmanaged accounts, data, and delegated access inside that software.
  • Practitioners should align app discovery, licence reclamation, and renewal decisions so SaaS sprawl does not become persistent access sprawl.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | SaaS apps and hidden integrations behave like managed NHIs with access and lifecycle risk.
NIST CSF 2.0 | PR.AC-1 | Discovery and entitlement control support access management across SaaS and identity paths.
NIST Zero Trust (SP 800-207) | AC-6 | Least privilege is central when SaaS apps and delegated access remain outside full trust.

Inventory app identities and grants, then review ownership and revocation paths before access drifts.


Key terms

  • SaaS Discovery: SaaS discovery is the process of finding which cloud applications are in use and how they are connected to corporate identities. It combines technical signals such as SSO, OAuth, endpoint telemetry, and finance data to expose sanctioned and unsanctioned usage across the environment.
  • Shadow IT: Shadow IT is technology adopted without formal IT approval or visibility. In identity terms, it matters because unsanctioned applications often accumulate accounts, data, and delegated permissions that outlive the original business need and sit outside standard governance workflows.
  • Licence Reclamation: Licence reclamation is the process of removing or reassigning unused software entitlements before they become wasted spend or residual access risk. In mature programmes, it is tied to usage data, ownership review, and offboarding, not just to procurement or renewal dates.
  • Entitlement Drift: Entitlement drift is the gradual mismatch between who should have access and who still does. In SaaS environments, it appears when app licences, account grants, or delegated permissions remain active after the business reason for access has changed or disappeared.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: SaaS Management Zluri vs BetterCloud, 5 Key Comparisons. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org