TL;DR: Broader discovery methods improve SaaS visibility, shadow IT detection, and access oversight across SSO, finance, browser, device, and directory signals, according to Zluri’s comparison with Trelica. The underlying issue is not tool count but whether identity programmes can actually see unmanaged SaaS and act on it before risk becomes normalised.
At a glance
What this is: This is a vendor comparison of SaaS management platforms, with the key finding that broader discovery methods are presented as the difference between partial visibility and usable SaaS governance.
Why it matters: It matters because SaaS discovery directly affects IAM, NHI, and lifecycle governance: if teams cannot see where access exists, they cannot reliably control approvals, review entitlements, or remove stale exposure.
Context
SaaS discovery is the first control problem in modern identity governance: if teams cannot see which applications are in use, they cannot manage access, review ownership, or offboard stale entitlements cleanly. In practice, hidden SaaS creates shadow IT, weakens compliance oversight, and expands the number of identities and access paths that security teams must govern.
This comparison is really about visibility architecture, not brand preference. Zluri describes a wider set of discovery signals than Trelica, but the broader lesson for IAM and lifecycle teams is that discovery coverage determines whether access governance is continuous or only partially informed.
Key questions
Q: How should security teams build a complete SaaS inventory?
A: Security teams should combine identity, finance, endpoint, browser, and directory signals rather than relying on a single source. That gives them a more complete view of which apps are actually in use, which are approved, and which are unmanaged. A complete inventory is the basis for ownership, review, and offboarding, not just reporting.
Q: Why does shadow IT create an identity governance problem?
A: Shadow IT creates an identity governance problem because unseen apps sit outside ownership, access review, and offboarding workflows. When an application is not discovered, it cannot be assigned a control owner or tied to lifecycle processes. The result is hidden access paths that can persist even when the rest of the programme looks mature.
Q: What do teams get wrong about SaaS discovery and compliance?
A: Teams often mistake partial discovery for complete governance. Compliance reporting may look strong if approved apps are well documented, but unmanaged apps can still expose data, users, and contracts outside normal review. The right question is whether the discovery process covers the full SaaS estate, not whether the dashboard looks populated.
Q: Who should own unmanaged SaaS applications?
A: Unmanaged SaaS applications should be brought under explicit business and technical ownership as soon as they are discovered. Without ownership, there is no reliable way to review access, manage spend, or decide whether the app should stay in use. Accountability is the control that turns discovery into governance.
Technical breakdown
Why SaaS discovery depends on multiple identity signals
SaaS discovery is not a single-control problem because no one data source fully describes application use. Identity providers show who authenticated, finance systems show what was purchased, browser and desktop agents show what was actually used, and directories show which accounts exist. When these signals are combined, teams can separate sanctioned apps from shadow IT and understand whether access is active, dormant, or simply invisible. The technical issue is coverage, correlation, and timeliness: each signal sees only part of the stack, and a single source will always miss something.
Practical implication: correlate identity, finance, endpoint, and directory signals before you treat your SaaS inventory as complete.
Shadow IT becomes an identity problem when discovery is incomplete
Shadow IT is often described as a procurement or application issue, but its security impact is identity-driven. An unmanaged SaaS app can create independent authentication paths, duplicate entitlements, and orphaned access that never enters normal review cycles. If discovery only sees approved apps, then every unmanaged app sits outside the lifecycle processes that would normally assign an owner, enforce least privilege, or trigger offboarding. That gap matters because the control failure is not just missing inventory. It is missing governance attachment, which means the app may persist indefinitely without accountability.
Practical implication: treat every undiscovered SaaS app as an ungoverned identity surface until an owner, access model, and review path are assigned.
SaaS governance fails when access review starts too late
SaaS management tools often report on access, spend, and compliance, but those outputs only help if the underlying discovery is broad enough to catch the full application footprint. Once an app is discovered late, the team is already behind on entitlements, contracts, and policy enforcement. This is especially relevant for lifecycle controls such as joiner-mover-leaver processes, because delayed discovery means the application never enters the workflow at the point where access should have been granted or removed. The result is governance by exception rather than by design.
Practical implication: move discovery upstream in the lifecycle so app inventory exists before recertification, renewal, and offboarding decisions.
NHI Mgmt Group analysis
Discovery breadth is now an access-governance control, not a reporting feature. SaaS visibility determines whether identity teams can see the full set of applications that need ownership, review, and offboarding. If a platform only captures a narrow slice of signals, unmanaged apps stay outside governance and the organisation mistakes partial inventory for control. The practitioner conclusion is simple: discovery coverage is part of the identity control plane.
Shadow IT is a lifecycle failure before it is a tooling failure. Unseen applications do not enter joiner-mover-leaver workflows, recertification queues, or contract reviews. That means the organisation loses the ability to assign accountability at the point of first use and then spends later controls trying to recover visibility after the fact. The implication is that SaaS discovery must be tied to lifecycle ownership, not treated as an isolated inventory exercise.
Access and spend data are only useful when they converge into one governance view. Finance data can reveal purchase behaviour, SSO data can show authentication, and endpoint data can expose actual use, but none of those alone proves whether access is appropriately governed. The field should stop treating SaaS management as a narrow procurement or audit task and instead view it as identity evidence assembly. Practitioners should design one decision layer that can reconcile all three.
Managed and unmanaged SaaS create different identity risk profiles, and most teams still blur the distinction. A managed app can be reviewed, recertified, and offboarded. An unmanaged app may never enter those processes at all, which means the organisation carries hidden access paths and hidden compliance exposure. The correct operational response is to distinguish discovered from governed, not just used from unused.
Zero trust for SaaS depends on knowing what exists before you can verify it. Zero trust logic breaks down if the application estate is incomplete. Without discovery across IdP, finance, browser, endpoint, and directory signals, continuous verification becomes selective verification, and selective verification is not a real security model. The practitioner conclusion is that SaaS discovery is a prerequisite to any credible zero-trust access programme.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations, including code, config files, and CI/CD tools.
- That visibility gap is why the NHI Lifecycle Management Guide is the better next step for teams trying to connect discovery to offboarding and review.
What this signals
Discovery is becoming the gating control for identity governance programmes. If a SaaS application never enters inventory, it never enters recertification, offboarding, or renewal workflows. The practical shift is that IAM leaders must treat discovery as a prerequisite for governance evidence, not as a separate reporting layer.
With only 5.7% of organisations reporting full visibility into their service accounts, per the Ultimate Guide to NHIs, the structural problem is familiar: identity teams often govern what they can see and leave the rest to chance.
SaaS sprawl and NHI sprawl now reinforce each other. Every unmanaged application tends to create more accounts, tokens, and service connections that sit outside normal review. That makes lifecycle discipline and discovery architecture the same programme problem viewed from different angles.
For practitioners
- Build a multi-signal SaaS inventory: correlate IdP, finance, browser, endpoint, MDM, and directory sources so discovered applications can be compared against approved applications and app owners.
- Assign ownership to every discovered app: require each SaaS application to have an accountable business owner, technical owner, and review cadence before it is treated as governed.
- Move SaaS discovery into lifecycle workflows: trigger access review, offboarding, and renewal decisions from a common inventory so new or unmanaged apps do not bypass joiner-mover-leaver processes.
- Separate managed apps from shadow IT in reporting: report unmanaged applications as a distinct control category so security, procurement, and IAM teams can see where governance has not yet attached.
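As an added example (not Zluri's or Trelica's code, nor NHIMG's), the following shows the multi-signal correlation from the technical breakdown and the discovered-versus-governed split from the practitioner list, run over constructed sample records. The source names, record fields, app names and the 90-day dormancy threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample signals (not real data). Each source sees only part of the estate.
SSO_LOGINS = [  # identity provider: who authenticated, and how recently
    {"app": "slack", "user": "a.chen", "days_since_login": 3},
    {"app": "notion", "user": "b.ortiz", "days_since_login": 120},
]
FINANCE_CHARGES = [  # finance/expense data: what was purchased
    {"app": "notion", "amount": 480.0},
    {"app": "figma", "amount": 225.0},
]
BROWSER_EVENTS = [  # browser or endpoint agent: what was actually used
    {"app": "figma", "user": "c.ng"},
    {"app": "notes-app-x", "user": "d.ruiz"},
]
# Approved-app register; an approved app may still lack an accountable owner.
APPROVED_APPS = {"slack": {"owner": "it-collab"}, "notion": {"owner": None}}
DORMANT_DAYS = 90  # assumed threshold for "access exists but is not used"


def build_inventory(sso, finance, browser, approved):
    """Merge every signal into one record per app, then classify each app."""
    apps = defaultdict(lambda: {"sources": set(), "users": set(), "spend": 0.0, "dormant": False})
    for e in sso:
        rec = apps[e["app"]]
        rec["sources"].add("sso")
        rec["users"].add(e["user"])
        rec["dormant"] = rec["dormant"] or e["days_since_login"] > DORMANT_DAYS
    for e in finance:
        apps[e["app"]]["sources"].add("finance")
        apps[e["app"]]["spend"] += e["amount"]
    for e in browser:
        apps[e["app"]]["sources"].add("browser")
        apps[e["app"]]["users"].add(e["user"])
    for name, rec in apps.items():
        meta = approved.get(name)
        if meta is None:
            rec["status"] = "shadow-it"             # discovered, never approved
        elif not meta.get("owner"):
            rec["status"] = "discovered-unowned"    # approved on paper, nobody accountable
        else:
            rec["status"] = "governed"              # approved, owned, reviewable
    return dict(apps)


def missed_by(source, inventory):
    """Apps a programme relying on `source` alone would never have discovered."""
    return sorted(name for name, rec in inventory.items() if source not in rec["sources"])
```

Running `missed_by` for each source against the merged inventory shows why the page insists no single feed is sufficient: here SSO alone misses both shadow apps, and finance alone misses the free-tier ones.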
Key takeaways
- Broader SaaS discovery is an identity governance requirement because unmanaged apps cannot be reviewed, owned, or offboarded reliably.
- Visibility gaps turn shadow IT into hidden access risk, hidden compliance exposure, and hidden lifecycle debt.
- Teams should connect discovery to lifecycle workflows so governance starts when an app appears, not after it becomes a problem.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-1 | Asset inventory is directly relevant to SaaS discovery and shadow IT visibility. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification depends on knowing which SaaS apps and identities exist. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Unmanaged SaaS often creates unmanaged non-human identities and access paths. |
Map SaaS discovery to ID.AM-1 and maintain a current inventory of applications and identities.
Key terms
- SaaS Discovery: SaaS discovery is the process of identifying which cloud applications are in use across the organisation, including approved and unmanaged tools. Effective discovery combines identity, finance, endpoint, and directory signals so security and governance teams can build an accurate application inventory.
- Shadow IT: Shadow IT is technology used outside formal approval or governance processes. In SaaS environments, it creates hidden access paths, unowned applications, and lifecycle gaps because the organisation cannot apply normal review, policy, or offboarding controls to what it does not know exists.
- Application Ownership: Application ownership is the assignment of clear accountability for a SaaS app's security, usage, and governance. It ensures there is a named party responsible for access review, renewal decisions, compliance checks, and retirement when the application is no longer needed.
- Lifecycle Governance: Lifecycle governance is the discipline of managing access from onboarding through review to offboarding. For SaaS, it means discovered applications must be attached to repeatable joiner-mover-leaver processes so access, spend, and control decisions remain current rather than improvised.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
This post draws on content published by Zluri: SaaS Management Zluri vs Trelica: Which SaaS Management Platform Is Better? Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org