By NHI Mgmt Group Editorial Team
Published 2025-12-01
Domain: Governance & Risk
Source: Josys

TL;DR: SaaS discovery without connection to the underlying application leaves access, least privilege, and lifecycle actions trapped in spreadsheets and manual review loops, according to Josys. The governance gap is not visibility alone but the inability to enforce policy where permissions actually live, which makes review, offboarding, and exception handling drift out of control.


At a glance

What this is: Josys argues that SaaS discovery alone does not close the identity governance gap because access control still sits inside unmanaged applications.

Why it matters: IAM, IGA, and NHI teams need to treat visibility as only the first step, because fragmented app-level permissions undermine least privilege and lifecycle governance across all identity types.

👉 Read Josys's analysis of the SaaS discovery and access control gap


Context

SaaS discovery shows where applications exist, but it does not automatically expose who can access them or how those entitlements are governed. In identity programmes, that distinction matters because visibility without enforcement leaves access decisions fragmented across admin consoles, spreadsheets, and manual follow-up.

The article’s core problem is an IGA gap, not a tooling gap in the narrow sense. When applications are known but not connected, onboarding, offboarding, and access review lose consistency, and least privilege becomes difficult to apply at scale.


Key questions

Q: How should security teams govern SaaS apps that are discovered but not connected to IGA?

A: They should treat discovery as an inventory signal, not a governance outcome. If an app cannot be controlled centrally, teams need a compensating process for entitlement review, revocation, and offboarding. The priority is to close the path from visibility to enforcement, because otherwise access remains fragmented inside the application and manual administration continues to carry the risk.

Q: Why do manual SaaS lifecycle processes increase access risk?

A: Manual processes slow down entitlement removal and make it easy for permissions to outlive the business need that justified them. That creates access debt, especially when movers and leavers are handled through tickets, spreadsheets, or ad hoc admin work. The risk is not just delay. It is inconsistent enforcement of least privilege across the SaaS estate.

Q: What breaks when SaaS apps are visible but not governable?

A: Least privilege becomes inconsistent, offboarding becomes unreliable, and access reviews stop reflecting real entitlement state. The organisation may believe it has coverage, but the actual enforcement remains inside disconnected applications. That gap is where excess access and operational errors accumulate.

Q: How do teams decide whether browser-based app integration is good enough?

A: They should ask whether the recorded workflow is reliable enough to represent the real administrative action over time. If the app changes frequently, the integration needs review and revalidation, or governance can drift silently. The test is not whether the automation works once, but whether it remains trustworthy as the application evolves.


Technical breakdown

Why discovered SaaS apps still resist central governance

Discovery tools can catalogue applications, but catalogue data is not the same as control-plane access. If an app is not connected to the governance layer, the platform can identify its existence without being able to change permissions, enforce policy, or reconcile entitlement state. That creates a split between visibility and authority. In practice, identity teams then rely on manual review, admin-by-admin changes, or spreadsheet tracking, which is where drift begins. The technical issue is not merely integration coverage. It is the absence of an enforceable control path from identity governance to the application itself.

Practical implication: connect discovered applications to a governance control path before treating them as manageable.

Why manual SaaS lifecycle management breaks least privilege

Manual lifecycle management fails because entitlement state changes faster than human review cycles. When joiners, movers, and leavers are handled through ticketing or application-by-application follow-up, access often remains active after business need ends. That creates lingering privilege, inconsistent cleanup, and a growing mismatch between actual and intended access. Least privilege is not just a policy statement here. It depends on timely revocation, accurate entitlement visibility, and a repeatable process for every application, including those without native API support.

Practical implication: measure how many SaaS apps still depend on manual offboarding or ad hoc entitlement cleanup.
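The two measurements the breakdown above calls for (how much of the estate is governed rather than merely observed, and how much access debt manual cleanup accrues), plus the revalidation check for recorded workflows, as an added example; this is not Josys or NHIMG code, and the app names, identities and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class App:
    name: str
    control_path: str                      # "native_api", "recorded_workflow" or "none"
    last_validated: Optional[date] = None  # only meaningful for recorded workflows

@dataclass
class Entitlement:
    app: str
    identity: str
    need_ended: Optional[date]             # date the business need ended; None = still needed
    revoked_on: Optional[date] = None      # None = still active in the application

def coverage(apps):
    """Split the discovered estate into governed (enforceable control path) and observed-only."""
    governed = sorted(a.name for a in apps if a.control_path != "none")
    observed = sorted(a.name for a in apps if a.control_path == "none")
    return {"governed": governed, "observed_only": observed}

def access_debt(entitlements, today, grace_days=1):
    """Days each entitlement outlived its business need beyond the grace period, per app.
    Unrevoked entitlements accrue until today, so debt keeps growing while cleanup is manual."""
    debt, open_access = {}, []
    for e in entitlements:
        if e.need_ended is None:
            continue
        end = e.revoked_on or today
        overdue = (end - e.need_ended).days - grace_days
        if overdue > 0:
            debt[e.app] = debt.get(e.app, 0) + overdue
        if e.revoked_on is None:
            open_access.append((e.app, e.identity))
    return debt, open_access

def stale_workflows(apps, today, max_age_days=30):
    """Recorded (browser-driven) integrations that must be revalidated before they are trusted."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a.name for a in apps if a.control_path == "recorded_workflow"
                  and (a.last_validated is None or a.last_validated < cutoff))

# Constructed sample estate (hypothetical names and dates).
APPS = [App("crm", "native_api"), App("expenses", "recorded_workflow", date(2025, 9, 1)),
        App("wiki", "none"), App("design", "recorded_workflow", date(2025, 11, 20))]
ENTS = [Entitlement("wiki", "leaver-1", date(2025, 10, 1)),                     # never revoked
        Entitlement("crm", "leaver-1", date(2025, 10, 1), date(2025, 10, 2)),   # within grace
        Entitlement("expenses", "mover-2", date(2025, 11, 1), date(2025, 11, 15)),
        Entitlement("design", "staff-3", None)]
TODAY = date(2025, 12, 1)
```

Running the three functions over APPS and ENTS shows the wiki app as observed-only with an open leaver entitlement still accruing debt, and the expenses workflow as overdue for revalidation.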

How browser-driven app mapping changes the governance model

Browser-based recording and automation can extend governance to applications that lack native integration, but the architectural shift is about reach, not magic. The platform is effectively learning application flows so that repeatable actions can be executed consistently across login, navigation, and data touchpoints. That can reduce the number of disconnected SaaS islands, but it also introduces a dependence on workflow fidelity and ongoing validation when apps change. In governance terms, the control boundary moves from native API availability to whether the recorded process remains accurate enough for secure administration.

Practical implication: treat every non-native integration as a governed workflow that needs validation when the application changes.


Threat narrative

Attacker objective: The practical attacker objective is to exploit unmanaged or stale access that remains available after the organisation believes it has been reviewed or revoked.

  1. Entry occurs when a SaaS application is discovered but remains outside the governance connection, leaving access state trapped in the app itself.
  2. Escalation follows through manual reviews, spreadsheet tracking, and delayed offboarding, which allow excessive or lingering access to persist.
  3. Impact is governance drift, where least privilege cannot be enforced consistently and identity teams lose reliable control over who can do what across the SaaS estate.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Discovery without control is not governance. The article describes a common IGA failure mode: organisations know the app exists, but they do not have a usable control path into it. That means entitlement state remains trapped in the application, outside central policy enforcement and review. The practical implication is that visibility metrics can look healthy while governance remains weak.

Manual SaaS lifecycle management creates access debt. When onboarding and offboarding depend on manual steps or spreadsheet coordination, access cleanup inevitably lags business change. That lag is not a process inconvenience; it is a governance liability, because least privilege becomes time-based instead of state-based. Practitioners should treat every delayed revocation as accumulating access debt.

Browser-mediated integration extends the control surface, but it also shifts the assurance problem. If an application lacks native API support, recording workflows can still bring it under governance, but only if the recorded process remains accurate and reviewed. That means the assurance question moves from integration availability to workflow fidelity. Teams should validate whether the governed action still matches the real application path after updates.

Identity governance breaks when review and enforcement are decoupled. This article shows that access review alone does not solve unmanaged SaaS if revocation, policy enforcement, and lifecycle actions cannot reach the system of record. The category lesson is that IGA maturity now depends on closing the gap between knowing what exists and being able to act on it. Practitioners need to design for enforceability, not just inventory.

From our research:

What this signals

Identity governance is shifting from inventory management to enforceability. A SaaS estate that can be discovered but not controlled still leaves access decisions scattered across application silos. The practical next step is to measure how much of the environment is truly governed versus merely observed, because the difference determines whether access reviews and offboarding have any operational effect.

Access debt is becoming the right concept for teams to track. Every delayed revocation, spreadsheet exception, or manual offboarding step adds state that central IAM cannot confidently reconcile. That concept matters because it is the governance equivalent of technical debt: it accumulates quietly, then shows up as residual access and audit friction.

The finding aligns with the broader pattern captured in the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, where governance depends on provisioning, rotation, and offboarding being actionable rather than merely documented. For teams already operating across human and machine identities, the lesson is to extend lifecycle controls until enforcement reaches the applications themselves.


For practitioners

  • Map every discovered SaaS app to an enforceable control path: Inventory is not enough. For each discovered application, verify whether access can be changed, revoked, and reviewed from the governance layer rather than only inside the app admin console.
  • Eliminate spreadsheet-based access tracking: Replace manual entitlement tracking with governed workflows so that access reviews, approvals, and revocations are recorded in one system of record.
  • Prioritise non-native integrations for lifecycle review: Focus on applications without native API support, because these are the most likely to remain partially governed and to create lingering access after role changes or offboarding.
  • Validate recorded workflows after application changes: Treat browser-recorded automation as a controlled dependency. Re-test the login path, navigation steps, and target actions whenever the SaaS application changes its interface or process.

Key takeaways

  • SaaS discovery without control creates a false sense of IGA coverage because applications can remain visible while access stays unmanaged.
  • Manual lifecycle processes extend access debt, making offboarding and least-privilege enforcement drift behind real business change.
  • Governance maturity now depends on whether teams can enforce policy inside the application, not just list the application in an inventory.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle gaps and unmanaged access map to weak credential and entitlement governance.
NIST CSF 2.0 | PR.AC-4 | Least-privilege enforcement and access management are central to this app-coverage gap.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Centralised control over app access aligns with continuously verified access decisions.

Map every SaaS app to a governed lifecycle path and close unmanaged access before it becomes residual privilege.


Key terms

  • Identity Governance And Administration: Identity governance and administration is the set of controls used to decide, review, and enforce who or what should have access. In practice it combines entitlement visibility, approval workflows, recertification, and lifecycle actions so access can be managed consistently across applications and identity types.
  • Access Debt: Access debt is the accumulation of permissions that remain in place after the business need has changed. It builds when revocation, review, or offboarding happens slowly, manually, or inconsistently, leaving the organisation with more effective access than its policies intend.
  • Lifecycle Management: Lifecycle management is the process of provisioning, changing, reviewing, and removing access as roles and relationships change. For SaaS and other identity systems, the control is only effective when those state changes can be executed reliably, not just documented in a workflow.
  • Governance Gap: A governance gap is the distance between knowing an asset exists and being able to enforce policy on it. In identity programmes, it appears when discovery, review, and enforcement are split across different tools or teams, leaving access partially visible but not truly controlled.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Josys: Josys AI Integration Builder: Closing the Identity Governance Gap. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org