By NHI Mgmt Group Editorial Team
Published 2025-06-12
Domain: Governance & Risk
Source: JumpCloud

TL;DR: Visibility gaps in SaaS environments are letting employees adopt applications outside IT control, with JumpCloud citing 38% of admins who cannot discover all apps in use. The real issue is not just app sprawl, but unmanaged access paths, unreviewed OAuth grants, and weak accountability across identity-linked SaaS usage.


At a glance

What this is: This is a SaaS discovery and governance explainer showing how browser, SSO, connectors, and identity-provider data can reveal shadow IT and unmanaged access.

Why it matters: It matters because SaaS sprawl now intersects with NHI, human identity, and access governance, so teams need visibility before they can certify, revoke, or rationalise access.

By the numbers:

  • 38% of admins say they cannot discover all the SaaS applications in use in their organisation (JumpCloud).
👉 Read JumpCloud's how-to on discovering SaaS apps and shadow IT


Context

SaaS discovery has become an identity governance problem, not just an inventory exercise. When employees adopt applications without IT involvement, the result is not only shadow IT but also unmanaged authentication paths, unreviewed permissions, and access that never enters the normal lifecycle process.

In practice, the question is whether IAM and SaaS management can still see what identities are touching what apps, through which accounts, and with what authority. The article argues that visibility is the first control plane for that problem, especially when approved and unapproved apps coexist in the same browser and identity estate.


Key questions

Q: How should security teams govern shadow IT discovered in SaaS environments?

A: Start by turning discovery into a governance workflow. Classify each application as approved, tolerated, or unapproved, then assign ownership, risk review, and remediation deadlines. Discovery without accountability only produces inventory. The control objective is to ensure every app has a decision path tied to identity, access, and data handling.

Q: Why does SaaS visibility matter for identity governance?

A: Because access control depends on knowing which applications, identities, and delegated permissions actually exist. If teams cannot see the app estate, they cannot certify access, revoke stale consents, or remove orphaned accounts. Visibility is the prerequisite for lifecycle governance across human, machine, and app-linked identities.

Q: What do security teams get wrong about SaaS discovery tools?

A: They often treat discovery as a reporting function instead of a control function. The real value comes when discovered applications are tied to SSO state, OAuth permissions, account inventories, and ownership. That combination supports remediation, not just awareness, and reduces the chance that shadow IT becomes enduring access risk.

Q: How do organisations know whether SaaS governance is working?

A: Look for a shrinking gap between discovered apps and approved apps, fewer unowned OAuth consents, and faster closure of shadow-account findings. If discovery reports keep growing without corresponding remediation, the programme is producing visibility but not control.


Technical breakdown

Browser-based SaaS discovery and shadow IT detection

Browser extensions can capture SaaS usage at the point of interaction, which is where many unmanaged tools first appear. By observing sign-up, login, and usage patterns in real time, discovery tooling can identify apps that never passed through procurement or IAM review. This is not the same as passive asset inventory. It is identity-linked behaviour capture, so the result is a map of what users actually touch rather than what the CMDB says exists. That makes it valuable for uncovering shadow IT, but also for spotting dormant tools that still retain accounts or data access.

Practical implication: use browser telemetry to find unmanaged applications before they become persistent access and data-governance problems.

SSO-connected applications as an approved access baseline

When SaaS applications are integrated with SSO, they can be automatically tagged as part of the managed ecosystem and monitored continuously. That creates a clean baseline between sanctioned and unsanctioned use, which is important because governance fails when approved access and off-book use are mixed together. SSO visibility also links app usage to user sessions, giving IAM and IT teams a way to see frequency and participation without relying on manual attestations. The architectural value is not discovery alone, but a trusted list of managed applications that can be compared against the wider app footprint.

Practical implication: treat SSO-connected apps as the governed baseline and compare them against discovered apps to expose unmanaged drift.

OAuth permissions and connector-driven access visibility

Direct connectors into core SaaS and identity platforms surface deeper data than surface-level login logs. They can expose account inventories, activity history, and in some cases OAuth permissions that grant third-party tools access through user consent. That matters because a SaaS app can look harmless while still holding broad delegated access in the background. In governance terms, this is where discovery becomes entitlement analysis. Teams are no longer just asking which apps exist, but which identities and consents extend into those apps and whether the access still makes sense.

Practical implication: review OAuth grants and connector-fed account data together so delegated access can be revoked before it becomes forgotten standing access.
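As an added example, not code from JumpCloud or NHIMG: a small Python review of delegated OAuth grants of the kind the connector section describes, classifying each grant by scope breadth, staleness and ownership and turning that into a revoke/review/keep decision. The grant records, the BROAD_SCOPES policy list, the 90-day threshold and the decision rules are assumptions; the scope URIs are real Google Workspace scopes used only as sample values.

```python
"""Review delegated OAuth grants as standing entitlements (added example).

The input shape, BROAD_SCOPES, the 90-day threshold and the decision rules are
assumptions; the scope URIs are real Google Workspace scopes used as samples.
"""
from datetime import datetime, timedelta, timezone

# Scopes treated as broad, account-wide access (assumed policy list).
BROAD_SCOPES = {
    "https://mail.google.com/",                              # full Gmail access
    "https://www.googleapis.com/auth/drive",                 # full Drive access
    "https://www.googleapis.com/auth/admin.directory.user",  # directory admin
}

STALE_AFTER = timedelta(days=90)   # unused this long -> revoke (assumed threshold)

# Fixed review date so the run is reproducible.
REVIEW_DATE = datetime(2025, 6, 12, tzinfo=timezone.utc)

# Constructed sample of grants as a connector might export them (not real data).
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "client": "Calendar Helper", "owner": "it-apps",
     "scopes": ["openid", "https://www.googleapis.com/auth/calendar.readonly"],
     "last_used": "2025-06-01T09:00:00Z"},
    {"user": "bob@example.com", "client": "Inbox Summariser", "owner": None,
     "scopes": ["https://mail.google.com/"],
     "last_used": "2025-01-10T12:00:00Z"},
    {"user": "carol@example.com", "client": "Drive Sync", "owner": "sales-ops",
     "scopes": ["https://www.googleapis.com/auth/drive"],
     "last_used": "2025-06-05T08:30:00Z"},
    {"user": "dave@example.com", "client": "Old Survey Tool", "owner": "marketing",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"],
     "last_used": "2024-11-20T15:45:00Z"},
]


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_grant(grant, now):
    """Classify one grant and return a decision with the reasons behind it."""
    reasons = []
    broad = sorted(set(grant["scopes"]) & BROAD_SCOPES)
    if broad:
        reasons.append("broad scopes: " + ", ".join(broad))
    stale = now - _parse_ts(grant["last_used"]) > STALE_AFTER
    if stale:
        reasons.append("stale: unused for more than %d days" % STALE_AFTER.days)
    owned = bool(grant.get("owner"))
    if not owned:
        reasons.append("no accountable owner")

    # Decision policy (assumed): unused grants go regardless of scope; broad
    # grants with nobody accountable go; broad grants with an owner are
    # reviewed against a business justification; narrow, live grants stay.
    if stale or (broad and not owned):
        decision = "revoke"
    elif broad:
        decision = "review"
    else:
        decision = "keep"
    return {"user": grant["user"], "client": grant["client"],
            "decision": decision, "reasons": reasons}


def review_grants(grants, now):
    """Review every grant in a connector export against one review date."""
    return [review_grant(g, now) for g in grants]


def summarise(results):
    """Count decisions; a programme that only ever 'keeps' is not reviewing."""
    counts = {"revoke": 0, "review": 0, "keep": 0}
    for r in results:
        counts[r["decision"]] += 1
    return counts


def review_sample():
    """Run the review over the constructed sample at the fixed review date."""
    return review_grants(SAMPLE_GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    results = review_sample()
    for r in results:
        print("%-7s %-18s %-16s %s" % (r["decision"], r["user"], r["client"],
                                        "; ".join(r["reasons"])))
    print(summarise(results))
```

On the sample, the unowned full-mailbox grant and the long-unused survey tool are revoked, the owned full-Drive grant goes to review, and the read-only calendar grant stays. The reasons list is what the reviewer needs in the ticket; the decision alone is not enough to document why a retained consent is justified.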


NHI Mgmt Group analysis

Shadow IT is now an identity control problem, not an app discovery problem. The article shows that users can adopt SaaS tools faster than central teams can inventory them, which means traditional approval and onboarding workflows are bypassed. Once that happens, the organisation loses sight of who authorised what, where data moved, and whether access was ever assessed. The practical conclusion is that discovery must feed governance, not just reporting.

SaaS visibility is the front end of lifecycle governance for both human and non-human access. The same lifecycle question appears whether the identity is a person, a service account, or a delegated OAuth grant. If the app is not in the governance inventory, recertification, offboarding, and exception handling cannot work reliably. Practitioners should treat discovery as the prerequisite for lifecycle enforcement across identity types.

OAuth consent creates a quiet entitlement layer that many teams still underestimate. The article’s mention of revoking risky permissions highlights a broader issue: delegated access can survive long after the user stops relying on the app. That makes app discovery inseparable from consent review and shadow-account cleanup. The implication is that governance must track consented access as carefully as assigned access.

Visibility without ownership still leaves security blind spots. Centralising app data is useful only if someone is accountable for acting on it, especially when multiple identity platforms and SaaS connectors are involved. This is where many programmes stall, because they can produce a list of tools but not a decision path for approval, removal, or escalation. The practitioner takeaway is to pair discovery with explicit ownership and review cadence.

SaaS sprawl is becoming a proxy for trust sprawl across the identity stack. As more work moves into browser sessions and federated logins, the boundary between application inventory, access governance, and data risk keeps narrowing. That means IAM leaders need to think in terms of trust surfaces, not just software counts. The next control maturity step is to connect discovery, access review, and remediation into one operating model.

From our research:

  • The 2026 Infrastructure Identity Survey found that 67% of organisations still rely heavily on static credentials, despite the risks those credentials pose to agentic AI deployments.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
  • For the lifecycle and entitlement angle, see NHI Lifecycle Management Guide for the governance model that turns visibility into review and revocation.

What this signals

SaaS discovery is converging with broader identity governance. As organisations spread work across browsers, SSO, and federated SaaS logins, the governance question is no longer whether apps exist but whether every identity path is observable and reviewable. The practical signal for teams is to unify discovery, consent review, and lifecycle governance before unmanaged access becomes normalised.

Shadow IT becomes much harder to dismiss once it is tied to actual identity activity. If a tool is being accessed through work accounts, it is part of the enterprise trust surface whether procurement approved it or not. Teams should expect browser-based discovery and connector-fed inventories to become standard inputs to recertification and exception handling.

With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey, SaaS visibility will increasingly need to include non-human and agent-linked access paths as well as human user activity.


For practitioners

  • Establish a governed SaaS baseline: classify SSO-connected applications as approved and compare them against browser-discovered tools every review cycle. Use the delta to identify unmanaged apps, orphaned usage, and business-unit exceptions that need formal ownership.
  • Review OAuth consents as access entitlements: treat delegated permissions in Google Workspace and similar identity platforms as standing access that must be reviewed, not one-time user convenience. Revoke broad or stale grants and document the business justification for any retained consent.
  • Use connector data to find shadow accounts: pull user inventories and activity logs from key SaaS platforms, then reconcile them against your identity source to find accounts that exist without current ownership or offboarding status.
  • Define an action path for discovered apps: create a triage flow that assigns each discovered application to approve, monitor, remediate, or remove. Without a decision path, discovery data becomes a report rather than a control.
  • Extend lifecycle reviews beyond core directories: include SaaS applications, user-consented integrations, and app-to-app connections in access recertification so lifecycle governance covers the real operating environment rather than only directory records.
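The baseline comparison, shadow-account reconciliation and coverage metric described in the practitioner steps above and in the technical breakdown (and the "is governance working" question earlier on the page), as one added Python example that is not JumpCloud's or NHIMG's code. The SSO catalogue, tolerated list, browser events, directory and account export are constructed samples, and the approved/tolerated/unapproved policy is an assumption taken from the page's own classification.

```python
"""Reconcile the SSO baseline, browser-discovered apps and SaaS account
exports into governance findings (added example; all inputs are constructed).
"""
from collections import defaultdict

# Apps integrated with the identity provider: the governed baseline.
SSO_APPS = {"salesforce.com": "Salesforce", "slack.com": "Slack",
            "github.com": "GitHub", "workday.com": "Workday"}

# Apps a business unit has accepted without SSO (assumed 'tolerated' list).
TOLERATED = {"figma.com"}

# Constructed browser telemetry: (work account, app domain, observed action).
BROWSER_EVENTS = [
    ("alice@example.com", "salesforce.com", "login"),
    ("alice@example.com", "notion.so", "signup"),
    ("bob@example.com", "notion.so", "login"),
    ("bob@example.com", "figma.com", "login"),
    ("carol@example.com", "github.com", "login"),
    ("carol@example.com", "pastebin.com", "login"),
]

# Identity source of record: work account -> lifecycle status.
DIRECTORY = {"alice@example.com": "active", "bob@example.com": "active",
             "carol@example.com": "active", "erin@example.com": "offboarded"}

# Constructed connector export: accounts that exist inside each SaaS platform.
SAAS_ACCOUNTS = {
    "github.com": ["alice@example.com", "carol@example.com",
                   "erin@example.com", "contractor@gmail.com"],
    "salesforce.com": ["alice@example.com", "bob@example.com"],
}


def classify_discovered(events):
    """Tag every app seen in the browser against the SSO baseline."""
    seen = defaultdict(lambda: {"users": set(), "signups": 0})
    for user, domain, action in events:
        seen[domain]["users"].add(user)
        if action == "signup":           # a sign-up is a new, unreviewed account
            seen[domain]["signups"] += 1
    classified = {}
    for domain, info in seen.items():
        if domain in SSO_APPS:
            status = "approved"
        elif domain in TOLERATED:
            status = "tolerated"
        else:
            status = "unapproved"
        classified[domain] = {"status": status, "users": sorted(info["users"]),
                              "signups": info["signups"]}
    return classified


def dormant_sso_apps(events):
    """SSO-integrated apps with no observed use; they may still hold accounts and data."""
    used = {domain for _, domain, _ in events}
    return sorted(d for d in SSO_APPS if d not in used)


def find_shadow_accounts(accounts, directory):
    """Accounts inside a SaaS platform with no active identity of record behind them."""
    findings = []
    for domain, emails in accounts.items():
        for email in emails:
            status = directory.get(email)
            if status is None:
                findings.append((domain, email, "no matching directory identity"))
            elif status != "active":
                findings.append((domain, email, "identity is " + status))
    return findings


def coverage_metrics(classified):
    """Gap between discovered and SSO-approved apps; 'unmanaged' includes tolerated apps."""
    total = len(classified)
    approved = sum(1 for v in classified.values() if v["status"] == "approved")
    return {"discovered": total, "approved": approved,
            "unmanaged": total - approved,
            "coverage": round(approved / total, 2) if total else 1.0}


if __name__ == "__main__":
    apps = classify_discovered(BROWSER_EVENTS)
    for domain, info in sorted(apps.items()):
        print("%-10s %-15s users=%s signups=%d"
              % (info["status"], domain, info["users"], info["signups"]))
    print("dormant SSO apps:", dormant_sso_apps(BROWSER_EVENTS))
    for finding in find_shadow_accounts(SAAS_ACCOUNTS, DIRECTORY):
        print("shadow account:", finding)
    print(coverage_metrics(apps))
```

Run per review cycle, the coverage figure is the trend line the page asks for: it should rise as unapproved apps are either brought under SSO or removed, while the shadow-account list should shrink to zero between cycles. Two SSO apps with no observed use (Slack and Workday in the sample) are the dormant tools worth checking for retained accounts.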

Key takeaways

  • SaaS discovery has become an identity governance requirement because unmanaged apps create unmanaged access paths.
  • The strongest control signal is the gap between discovered tools, approved tools, and delegated permissions.
  • Teams that connect discovery to ownership, recertification, and revocation will be better positioned to contain shadow IT.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (the CSF 1.1 identifier was PR.AC-4) | SaaS discovery depends on managing and reviewing access permissions and entitlements across approved and unapproved apps.
OWASP Non-Human Identity Top 10 | NHI-03 (Vulnerable Third-Party NHI) | Third-party apps holding delegated SaaS access are the non-human identities this item covers; shadow accounts left behind after role changes or offboarding fall under NHI-01 (Improper Offboarding).
NIST Zero Trust (SP 800-207) | Section 2.1 tenets (dynamic, per-session access decisions) | Visibility into application access supports continuous verification across SaaS and identity sessions.

Use discovered app and session data to validate access continuously rather than assuming trusted network or app state.


Key terms

  • Shadow IT: Software or services adopted outside formal IT approval or governance. In identity terms, shadow IT becomes a control problem because users create access paths, permissions, and data flows that bypass inventory, review, and offboarding processes.
  • OAuth consent: A user or administrator grant that allows a third-party application to access data or act on behalf of an account. In practice, OAuth consent can function like standing delegated access and should be reviewed with the same seriousness as any other entitlement.
  • SaaS discovery: The process of identifying which cloud applications are in use, who is using them, and how they are accessed. Effective discovery combines browser telemetry, SSO data, and connector-based account insights so governance teams can distinguish approved apps from unmanaged ones.
  • Shadow account: An account that exists in a SaaS application or related system without a clear ownership, lifecycle status, or current governance decision. Shadow accounts can persist after role changes or offboarding, creating hidden access and compliance risk.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by JumpCloud: SaaS discovery methods for modern IT visibility and governance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org