By NHI Mgmt Group Editorial Team. Published 2026-03-20. Domain: Governance & Risk. Source: Zluri.

TL;DR: SaaS discovery is positioned as the way to find hidden apps, reduce wasted spend, and improve security across a sprawl of sanctioned and unsanctioned tools, according to Zluri. The real governance issue is not discovery alone, but whether identity and access programmes can keep pace with software use that escapes central control.


At a glance

What this is: A SaaS discovery overview arguing that organisations need multiple discovery methods to expose hidden applications, shadow IT, and inefficient software usage.

Why it matters: SaaS sprawl creates identity and access blind spots that affect human access, non-human integrations, and the controls used to govern both.

👉 Read Zluri's guide to the top 8 SaaS discovery methods for 2026


Context

SaaS discovery is the practice of finding every application people and systems are actually using, not just the software IT thinks is sanctioned. In identity terms, the problem is visibility: once apps sit outside central control, access reviews, offboarding, and privilege management lose their ground truth.

For IAM teams, the issue is not simply cost optimisation. Hidden apps create unmanaged access paths, third-party integrations, and shadow workflows that can sit outside SSO, recertification, and governance processes, which is why discovery has become an identity problem as much as a software inventory problem.


Key questions

Q: How should security teams discover SaaS applications without missing shadow IT?

A: Use multiple discovery paths together, including SSO logs, API connectors, endpoint agents, browser plugins, network telemetry, and finance records. Each method sees a different part of the estate, so relying on only one will leave blind spots. The goal is a reconciled inventory that can be tied back to ownership, authentication, and lifecycle status.

Q: Why do SaaS discovery tools fail to give a complete view on their own?

A: They usually cover only one control surface. Identity tools see authenticated apps, network tools see traffic, and finance tools see spend, but none of them alone can identify every sanctioned and unsanctioned application. Completeness comes from combining signals and resolving mismatches into one governance view.

Q: What breaks in IAM when SaaS usage is hidden outside central control?

A: Offboarding, access reviews, and entitlement governance all weaken because the application is absent from the authoritative inventory. Users can keep accounts, integrations can persist, and data can move through tools that never enter the review cycle. That is how shadow SaaS becomes an access governance problem, not just an IT visibility issue.

Q: How should organisations govern SaaS sprawl across business units?

A: Assign clear application ownership, require periodic reconciliation between discovered apps and approved systems, and connect the results to joiner-mover-leaver processes. Without ownership and lifecycle linkage, each department can accumulate its own shadow stack and the central programme will only see the surface layer.


Technical breakdown

How CASBs and web proxies expose shadow SaaS usage

Cloud access security brokers and web proxies inspect network traffic to infer which SaaS applications are being reached. A CASB can sit in-line and enforce policy as traffic passes (many also work out-of-band through vendor APIs for sanctioned tenants), while a forward proxy logs destinations and can block them. Both surface applications that never appear in an approved inventory, but neither gives a complete picture: users who work off-network or on personal devices bypass the inspection point, and a hostname in a proxy log shows that an application was reached, not whether the session used a corporate account or a personal one. Their value is strongest for exposing access patterns that would otherwise be invisible to central IT, provided the findings are joined to identity data afterwards.

Practical implication: use network-based discovery to expose unmanaged application use, then correlate it with identity data before it becomes an access governance blind spot.

Why API connectors and SSO miss parts of the SaaS estate

API connectors and SSO integrations work well for known applications because they pull data from vendor admin APIs and from the identity provider. That makes them strong for user assignment, subscription counts, and entitlement review, but weak for software that was never integrated in the first place. Even inside a federated application they can miss accounts: unless the vendor tenant enforces SSO, users can keep local logins that never appear in IdP logs, so the vendor's account list and the SSO sign-in log should be compared rather than treated as one signal. In other words, these sources describe the managed estate, not the full estate. Discovery built only on identity federation will always undercount shadow SaaS and externally procured tools.

Practical implication: treat SSO and API telemetry as one input to discovery, not the discovery programme itself.

Why endpoint agents and browser plugins improve but do not complete coverage

Endpoint agents and browser plugins add device-level visibility by capturing software use on managed hardware and in the browsers where the plugin is installed. They are useful for identifying local usage, unsanctioned browser access, and licence tier optimisation. Their limitation is scope: they do not cover unmanaged devices, browsers or profiles without the plugin, mobile apps, or every remote work pattern, and a user can simply switch to a device the agent is not on. That makes them better at narrowing the gap than closing it. The strongest programmes combine endpoint telemetry with identity and finance data to build a more faithful application map.

Practical implication: pair endpoint telemetry with finance records and access data so discovery does not stop at the corporate laptop.
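The three methods above, plus the finance records the text keeps returning to, only become useful once their outputs are reconciled. The following Python script is an added example (not code from Zluri or from the original page): it merges constructed sample signals from an SSO log, vendor API account lists, a proxy or CASB log and finance records into one inventory, then derives the facts governance needs from it: applications that never pass through SSO, local accounts inside federated apps, per-source coverage measured by overlap rather than tool count, and what a leaver still holds that IdP deprovisioning will not reach. All application names, e-mail addresses, hostnames, amounts and the CANONICAL lookup table are constructed assumptions.

```python
"""Reconcile SaaS discovery signals into one inventory and derive governance facts.
All sample data below is constructed for illustration; it is not from the article."""
from dataclasses import dataclass, field

# IdP / SSO log: (user, app) pairs for federated sign-ins.
SSO_EVENTS = [("alice@example.com", "Salesforce"), ("bob@example.com", "Salesforce"),
              ("alice@example.com", "Slack")]
# Vendor API connectors: the account list each integrated tenant reports.
API_ACCOUNTS = {
    "Salesforce": {"alice@example.com", "bob@example.com", "carol@example.com"},
    "Notion": {"bob@example.com", "dave@example.com"},
}
# Proxy / CASB log: (user from proxy authentication, destination host).
PROXY_EVENTS = [("bob@example.com", "app.notion.so"), ("dave@example.com", "app.notion.so"),
                ("carol@example.com", "api.airtable.com"), ("bob@example.com", "slack.com")]
# Finance: (vendor string as it appears on the invoice or card statement, amount).
FINANCE_RECORDS = [("Salesforce Inc", 12000.0), ("Airtable", 240.0), ("Zapier", 600.0)]
# Mapping vendor strings and hostnames to one name is the hard part in practice; this
# hypothetical lookup table stands in for it.
CANONICAL = {
    "salesforce": "Salesforce", "salesforce inc": "Salesforce",
    "slack": "Slack", "slack.com": "Slack",
    "notion": "Notion", "app.notion.so": "Notion",
    "airtable": "Airtable", "api.airtable.com": "Airtable",
    "zapier": "Zapier",
}
SOURCES = ("sso", "api", "proxy", "finance")


@dataclass
class AppRecord:
    name: str
    sources: set = field(default_factory=set)       # discovery methods that saw the app
    sso_users: set = field(default_factory=set)     # identities federated through the IdP
    api_accounts: set = field(default_factory=set)  # accounts the vendor tenant reports
    proxy_users: set = field(default_factory=set)   # identities seen in network telemetry
    spend: float = 0.0


def canonical(raw: str) -> str:
    return CANONICAL.get(raw.strip().lower(), raw.strip())


def reconcile(sso_events, api_accounts, proxy_events, finance_records) -> dict:
    """Merge every signal into one AppRecord per canonical application name."""
    inv = {}
    def rec(name):
        return inv.setdefault(name, AppRecord(name))
    for user, app in sso_events:
        r = rec(canonical(app)); r.sources.add("sso"); r.sso_users.add(user)
    for app, accounts in api_accounts.items():
        r = rec(canonical(app)); r.sources.add("api"); r.api_accounts |= set(accounts)
    for user, host in proxy_events:
        r = rec(canonical(host)); r.sources.add("proxy"); r.proxy_users.add(user)
    for vendor, amount in finance_records:
        r = rec(canonical(vendor)); r.sources.add("finance"); r.spend += amount
    return inv


def shadow_apps(inv) -> list:
    """Apps some method saw but that never pass through SSO: outside review and offboarding."""
    return sorted(n for n, r in inv.items() if "sso" not in r.sources)


def sso_bypass_accounts(inv) -> dict:
    """Accounts inside a federated app that never authenticated via the IdP (local logins)."""
    return {n: sorted(r.api_accounts - r.sso_users)
            for n, r in inv.items() if "sso" in r.sources and r.api_accounts - r.sso_users}


def coverage_by_overlap(inv) -> tuple:
    """Share of the estate each source saw, and apps only one source saw (overlap, not tool count)."""
    total = len(inv)
    per_source = {s: sum(1 for r in inv.values() if s in r.sources) / total for s in SOURCES}
    single_source = sorted(n for n, r in inv.items() if len(r.sources) == 1)
    return per_source, single_source


def leaver_exposure(inv, leaver: str) -> list:
    """Apps where a leaver has an account or observed use that IdP deprovisioning will not
    reach: the app is not federated, or the leaver's account there is not the SSO one."""
    return sorted(n for n, r in inv.items()
                  if (leaver in r.api_accounts or leaver in r.proxy_users)
                  and leaver not in r.sso_users)


def report(leaver: str = "bob@example.com") -> dict:
    inv = reconcile(SSO_EVENTS, API_ACCOUNTS, PROXY_EVENTS, FINANCE_RECORDS)
    per_source, single_source = coverage_by_overlap(inv)
    return {"shadow": shadow_apps(inv), "bypass": sso_bypass_accounts(inv),
            "coverage": per_source, "single_source": single_source,
            "leaver": leaver_exposure(inv, leaver)}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run as-is, the sample yields Notion, Airtable and Zapier as apps outside SSO, a Salesforce account for carol that never went through the IdP, Zapier as the one app only finance can see, and two applications (Notion and Slack) where bob would keep access after an IdP-only offboarding. The design point is that each source is stored separately on the record rather than merged into one "users" set: proxy evidence proves use, a vendor API proves an account exists, and an SSO log proves federation, and the governance questions above only have answers when those three are kept distinct.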


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

SaaS discovery is really an identity governance problem disguised as an inventory problem. Once an application is visible, it can be governed. Until then, offboarding, access review, and privilege certification all operate with incomplete information. That is why discovery should be treated as a prerequisite for governance rather than a separate IT housekeeping task. Practitioners should align discovery outputs to the identity controls that depend on them.

Shadow SaaS creates unmanaged entitlement paths that conventional IAM programmes do not see. The issue is not only that an app is unknown. It is that users may create accounts, approve integrations, or move sensitive data through that app outside formal provisioning and review flows. That breaks the assumption that sanctioned authentication layers capture the whole access surface. Practitioners should map discovery findings directly into lifecycle and access governance.

Browser plugins, CASBs, API connectors, and endpoint agents each reveal a different slice of the control plane. No single discovery method is sufficient because software use now spans managed devices, remote work, personal devices, and vendor APIs. The practical lesson for identity teams is to stop looking for one source of truth and instead build a reconciled identity and application graph. Practitioners should measure coverage by overlap, not by tool count.

Identity governance collapses when SaaS usage is distributed faster than entitlements can be reconciled. SaaS discovery methods expose that operational reality. The field now needs governance models that can absorb decentralised application choice without losing control of access, ownership, or offboarding. Practitioners should assume the application estate will keep changing and build governance around that churn.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to the 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
  • SaaS discovery findings should be paired with our NHI Lifecycle Management Guide so that discovery leads to governance, not just inventory.

What this signals

Shadow application discovery is converging with non-human identity governance. As organisations map SaaS usage, they are also uncovering service accounts, integrations, and delegated access paths that were never designed into the original IAM programme. That means discovery data should feed entitlement ownership, review cadence, and offboarding logic, not sit in a separate IT operations dashboard.

With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, the broader lesson is that unmanaged software rarely stays software-only for long. Every hidden app can become a credential store, an API bridge, or a workflow dependency, which is why discovery now influences identity design as much as security posture.

Application sprawl is now a control-plane problem. The more SaaS tools proliferate, the more governance depends on reconciling identity, spend, and usage evidence into one view. Programmes that only count licensed apps will miss the entitlements, connections, and offboarding obligations that actually determine exposure.


For practitioners

  • Map discovery outputs to identity controls: tie every discovered application to an owner, an authentication method, and a lifecycle status so offboarding and access reviews are not operating on stale inventories.
  • Combine network, endpoint, and identity telemetry: use CASB, proxy, browser, and agent data together with SSO and directory signals to close the blind spots each method leaves behind.
  • Reconcile shadow apps against finance records: compare expense data, invoices, and renewal records with your app inventory so unsanctioned purchases and duplicate subscriptions are visible to governance teams.
  • Review SaaS access during offboarding: treat discovered SaaS apps as part of leaver processing so accounts created outside the central stack are not left behind after employee or contractor exit.

Key takeaways

  • SaaS discovery is not just procurement hygiene, because hidden applications create identity blind spots that IAM teams cannot govern well.
  • No single discovery method gives full coverage, so practitioners need a blended view across network, endpoint, identity, and finance signals.
  • Discovery only matters when it feeds ownership, offboarding, and access review workflows, otherwise shadow SaaS remains unmanaged.

Key terms

  • SaaS Discovery: SaaS discovery is the practice of identifying all software-as-a-service applications used inside an organisation, including sanctioned, shadow, and department-owned tools. In mature identity programmes, discovery is not just inventory work. It is the evidence base for access governance, offboarding, cost control, and compliance reporting.
  • Shadow SaaS: Shadow SaaS is any SaaS application used without formal approval or full visibility from IT and security teams. These apps often enter the environment through individual purchases, informal team adoption, or untracked integrations, which makes them especially difficult to include in lifecycle and access controls.
  • Application Inventory: An application inventory is the authoritative list of software an organisation believes it uses and governs. For identity teams, the inventory matters because every access review, ownership decision, and offboarding workflow depends on it being complete enough to reflect the real application estate.
  • Identity Governance: Identity governance is the set of processes used to assign, review, certify, and remove access in a controlled way. In a SaaS-heavy environment, governance must extend beyond traditional directory systems to include discovered applications, external integrations, and the accounts created inside them.

Deepen your knowledge

SaaS discovery, hidden applications, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance around shadow SaaS and unmanaged access paths, it is worth exploring.

This post draws on content published by Zluri (SaaS Management): Top 8 SaaS Discovery Methods in 2026. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org