By NHI Mgmt Group Editorial Team | Published 2026-02-28 | Domain: Governance & Risk | Source: Zluri

TL;DR: SaaS expense tracking breaks down when application discovery, invoice review, and renewal decisions sit across different teams, because hidden spend and auto-renewal pressure can outpace manual oversight, according to Zluri. The governance issue is not just cost control: it is that entitlement, renewal, and offboarding decisions are being made without a single ownership model.


At a glance

What this is: This is a Zluri guide on tracking SaaS expenses, showing that discovery, invoice control, finance data, renewal calendars, and reporting are the main levers for reducing hidden SaaS spend.

Why it matters: It matters to IAM practitioners because SaaS spend is often a proxy for unmanaged access, weak ownership, and poor lifecycle governance across the human, non-human, and AI-agent tooling an organisation pays for.

👉 Read Zluri's guide on tracking SaaS expenses and renewals


Context

SaaS expense tracking is really a governance problem: if no one can see what is being bought, renewed, and billed, then the organisation cannot control the software surface or the access decisions tied to it. In IAM terms, the issue sits at the boundary between procurement, finance, and identity ownership, where shadow usage and duplicate subscriptions tend to grow.

For identity teams, the lesson is straightforward. SaaS discovery, invoice reconciliation, and renewal control are not just finance tasks, because they determine which applications remain active, which users keep access, and which systems are still in scope for review. That makes spend visibility part of lifecycle governance, not a separate admin exercise.


Key questions

Q: How should security teams control SaaS renewals without losing visibility across departments?

A: Security teams should treat renewals as a shared governance checkpoint, not a finance-only event. Build one inventory that connects application ownership, usage, invoice data, and contract terms, then require a named approver before any renewal continues. That approach reduces uncontrolled spend and keeps access-bearing services from persisting without review.

Q: Why do SaaS expenses become an IAM issue instead of just a procurement issue?

A: Because SaaS costs follow active services, and active services usually carry user access, data exposure, and lifecycle obligations. When procurement, IT, and identity teams work from different records, services can renew even when usage has dropped or ownership is unclear. IAM teams need spend visibility so lifecycle decisions stay aligned with access governance.

Q: What breaks when SaaS discovery is incomplete?

A: Incomplete discovery leaves shadow apps, duplicate subscriptions, and employee-purchased tools outside the control model. That means invoices cannot be matched cleanly, renewal decisions are based on partial data, and ownership remains ambiguous. In practice, the organisation pays for services it cannot reliably govern or retire.

Q: What should organisations do when a SaaS renewal is coming up and usage is unclear?

A: Pause automatic renewal until the application has been reviewed for business value, ownership, and active usage. If no accountable owner can justify the service, move it to cancellation or offboarding rather than allowing the subscription to continue by default. Renewal dates should trigger a decision, not an autopay event.


Technical breakdown

SaaS discovery as the starting point for spend control

SaaS discovery is the process of identifying which applications exist in the estate and where they are being used. Zluri describes discovery through SSO, finance systems, direct integrations, MDM, CASB, directories, HRMS, desktop agents, and browser extensions. The technical point is that no single source of truth exists across modern SaaS estates, so discovery must aggregate signals from identity, endpoint, and financial telemetry. Without that correlation, spend reviews are always incomplete and access decisions remain disconnected from actual usage.

Practical implication: build discovery coverage that links identity, endpoint, and finance signals before you try to optimise renewals.

Invoice and true-up tracking against actual application use

Invoice tracking matters because SaaS bills often include licence changes, premium features, consumption charges, and true-up costs that do not appear in simple subscription lists. The mechanism is a reconciliation problem: finance records show what was paid, while usage and contract data show what should have been paid. If those streams are not matched, overbilling and duplicate charges stay hidden. This is why spend governance needs contract data, transaction data, and application usage in the same control view.

Practical implication: reconcile invoices with usage and contract terms before renewal approval, not after payment clears.

Renewal calendars as a lifecycle control, not an admin convenience

Renewal calendars turn SaaS expiry dates into a governance checkpoint. Instead of allowing automatic payment to continue by default, they surface upcoming renewals with timing, amount, and payment mode so teams can decide whether the application still deserves budget and access. Technically, this is a lifecycle control because it creates an off-ramp before spending and access persist without review. In IAM terms, renewals are a decision point where ownership, business value, and continued entitlement should all be reassessed together.

Practical implication: treat every renewal as a reauthorisation event and require a named owner before funds are committed.
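The three levers above (multi-source discovery, invoice reconciliation, and renewal gating) are one data-correlation pipeline. The script below is an added example, not code from Zluri or from NHI Mgmt Group: it merges three constructed feeds (an SSO export, procurement's contract list, and finance's invoice lines, all invented for illustration) into one inventory keyed on a canonical app name, flags finance-only shadow apps, classifies any charge above the contracted amount as either a usage-driven true-up or unexplained overbilling, and turns every renewal inside a 45-day window into an explicit block, reduce, or reauthorise decision. The field names, the 50% utilisation threshold, and the review date are assumptions chosen for the example.

```python
"""Added example: correlate three constructed SaaS feeds into one inventory,
reconcile invoices against contract terms and usage, and gate renewals."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set, Tuple

TODAY = date(2026, 2, 28)  # assumed review date for the constructed data

# Constructed sample feeds. Names deliberately differ in case and spacing
# across sources; that mismatch is the correlation problem discovery solves.
SSO_APPS = [  # IdP view: app name and users active in the last 30 days
    {"app": "Acme Notes", "active_users": 12},
    {"app": "DataViz Pro", "active_users": 3},
    {"app": "TeamChat", "active_users": 140},
]
CONTRACTS = [  # procurement view: what was agreed, and who owns it
    {"app": "acme  notes", "licences": 25, "unit_price": 10.0,
     "renews_on": date(2026, 3, 20), "owner": "ops-lead"},
    {"app": "DataViz Pro", "licences": 20, "unit_price": 30.0,
     "renews_on": date(2026, 3, 5), "owner": None},
    {"app": "TeamChat", "licences": 100, "unit_price": 8.0,
     "renews_on": date(2026, 9, 1), "owner": "it-collab"},
]
INVOICES = [  # finance view: what was actually charged this cycle
    {"app": "ACME NOTES", "amount": 250.0},
    {"app": "DataViz Pro", "amount": 750.0},  # contract says 20 x 30.0 = 600
    {"app": "TeamChat", "amount": 1120.0},    # 140 users billed at 8.0
    {"app": "QuickPDF", "amount": 49.0},      # card purchase, no SSO or contract
]


def canon(name: str) -> str:
    """Canonical app key: lower-case with whitespace collapsed."""
    return " ".join(name.lower().split())


@dataclass
class App:
    name: str
    sources: Set[str] = field(default_factory=set)
    active_users: int = 0
    licences: int = 0
    unit_price: float = 0.0
    renews_on: Optional[date] = None
    owner: Optional[str] = None
    invoiced: float = 0.0


def build_inventory(sso, contracts, invoices) -> Dict[str, App]:
    """Merge every feed into one record per canonical app name."""
    inv: Dict[str, App] = {}

    def rec(name: str) -> App:
        return inv.setdefault(canon(name), App(name=canon(name)))

    for r in sso:
        a = rec(r["app"]); a.sources.add("sso"); a.active_users = r["active_users"]
    for r in contracts:
        a = rec(r["app"]); a.sources.add("contract")
        a.licences, a.unit_price = r["licences"], r["unit_price"]
        a.renews_on, a.owner = r["renews_on"], r["owner"]
    for r in invoices:
        a = rec(r["app"]); a.sources.add("finance"); a.invoiced += r["amount"]
    return inv


def shadow_apps(inv: Dict[str, App]):
    """Apps that exist only in finance data: bought outside SSO and procurement."""
    return sorted(n for n, a in inv.items() if a.sources == {"finance"})


def reconcile_invoices(inv: Dict[str, App]) -> Dict[str, Tuple[str, float]]:
    """Compare each charge with contract terms; classify any excess as a
    usage-driven true-up (seats above entitlement) or as unexplained overbilling."""
    findings = {}
    for n, a in inv.items():
        if not {"contract", "finance"} <= a.sources:
            continue
        excess = round(a.invoiced - a.licences * a.unit_price, 2)
        if excess <= 0:
            continue
        extra_seats = max(a.active_users - a.licences, 0)
        if extra_seats and abs(excess - extra_seats * a.unit_price) < 0.01:
            findings[n] = ("true-up", excess)
        else:
            findings[n] = ("overbilled", excess)
    return findings


def renewal_decisions(inv: Dict[str, App], today: date, window_days: int = 45):
    """Turn each renewal inside the window into an explicit decision
    instead of letting autopay run; the 50% utilisation cut-off is assumed."""
    out = {}
    for n, a in inv.items():
        if a.renews_on is None or (a.renews_on - today).days > window_days:
            continue
        if a.owner is None:
            out[n] = ("block", "no accountable owner; queue for offboarding")
        elif a.licences and a.active_users < 0.5 * a.licences:
            out[n] = ("reduce", f"{a.active_users}/{a.licences} licences in use; {a.owner} to confirm")
        else:
            out[n] = ("reauthorise", f"{a.owner} must approve before autopay runs")
    return out


if __name__ == "__main__":
    inventory = build_inventory(SSO_APPS, CONTRACTS, INVOICES)
    print("shadow:", shadow_apps(inventory))
    print("invoices:", reconcile_invoices(inventory))
    print("renewals:", renewal_decisions(inventory, TODAY))
```

On the constructed data, QuickPDF surfaces as a finance-only shadow app, DataViz Pro is overbilled by 150 with no usage to explain it and is blocked at renewal because nobody owns it, TeamChat's extra 320 is a legitimate true-up for 40 seats above entitlement, and Acme Notes is flagged for licence reduction before its owner reauthorises. The point to carry into a real programme is structural: none of those findings is visible from any one feed on its own.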




NHI Mgmt Group analysis

SaaS spend control is an identity governance problem disguised as financial hygiene. When organisations cannot tie applications, invoices, and renewals back to ownership, they lose control over who can approve, continue, or cancel access-bearing services. The article shows that the operational pain is not just wasted budget, but the absence of a reliable decision path for SaaS lifecycle governance. Practitioners should treat spend visibility as a governance prerequisite, not a reporting luxury.

Renewal drift is the named failure mode this topic exposes. Applications continue to consume budget and retain access because renewal decisions are not synchronised with usage, contract review, and business ownership. That failure mode is not solved by more manual spreadsheets, because spreadsheets do not create authority or enforcement. The implication is that IAM and procurement teams need a shared control model for service continuation, not separate records that age at different speeds.

Usage data without entitlement context creates a false sense of control. Knowing that an application is active does not tell you whether the right users still need it, whether the contract is correct, or whether the service should remain in scope. This is where many SaaS programmes stall: they can see activity but cannot turn that visibility into enforceable lifecycle decisions. Practitioners should prioritise controls that connect usage, contract, and ownership into one review path.

Lifecycle governance must extend into spend governance because renewals keep access alive. In mature identity programmes, offboarding is not only about user departure or key revocation, but also about stopping services that no longer have a business case. That means SaaS renewal management belongs beside access reviews and recertification, especially where application usage is fragmented across departments. Practitioners should align procurement checkpoints with identity ownership so services do not outlive their justification.

Cost optimisation and access reduction are converging disciplines. Duplicate subscriptions, underused tools, and unmanaged renewals all indicate that identity, finance, and operations are looking at the same service from different angles. A better model is to treat SaaS rationalisation as a combined entitlement and spend review, which gives the organisation one workflow for removing waste and reducing exposure. Practitioners should use that convergence to simplify ownership rather than create another isolated dashboard.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
  • That control problem is explored further in NHI Lifecycle Management Guide, which shows how provisioning, rotation, and offboarding should be governed together.

What this signals

Renewal governance is becoming part of identity governance because services outlive their original approvals. When SaaS tools are renewed on autopilot, the organisation preserves both spend and access without a fresh business case. Teams that already struggle with shadow application discovery should expect the same control gap to appear in contract renewals, license sprawl, and offboarding.

Renewal drift is now a durable governance pattern. The more fragmented the purchasing process, the harder it becomes to prove who owns the service, who is accountable for the bill, and who can retire the access. That makes consolidated inventory and renewal review more valuable than isolated finance reports.

With 92% of organisations exposing NHIs to third parties, per Ultimate Guide to NHIs, service continuation and third-party access are converging governance problems. SaaS renewal control should therefore be read alongside access review, offboarding, and vendor lifecycle management, not treated as a separate cost exercise.


For practitioners

  • Create a unified SaaS inventory: Map applications from SSO, finance, endpoint, directory, and HR sources into one inventory so renewal decisions start from complete coverage, not a partial spreadsheet. Use the inventory to identify duplicate tools and orphaned subscriptions before budget reviews.
  • Reconcile invoices to contracts and usage: Compare actual charges, estimated costs, licence counts, and feature usage each cycle so true-up fees and duplicate billing are visible before approval. Require finance, procurement, and identity owners to sign off on exceptions.
  • Turn renewals into governance checkpoints: Make each upcoming renewal require a named business owner, a usage check, and a keep or cancel decision. If the service cannot justify continued value, block auto-renewal and queue it for offboarding.
  • Tie SaaS lifecycle decisions to access reviews: Link service continuation to entitlement review so applications with declining use are assessed for removal, scope reduction, or decommissioning. This closes the gap between spend control and access governance.
  • Track recurring spend by department and application: Use reporting to show monthly spend patterns, department ownership, and app-level trends so overspend is visible in the same workflow as budget decisions. Escalate anomalies instead of waiting for quarter-end reconciliation.

Key takeaways

  • SaaS expense tracking is also lifecycle governance because renewals keep services and access alive.
  • Discovery, invoice reconciliation, and renewal calendars matter because they expose spend that manual spreadsheets miss.
  • Identity, finance, and procurement need one decision path if organisations want to stop waste without losing control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | SaaS renewals preserve access, so entitlement review is part of access management.
NIST Zero Trust (SP 800-207) | | Discovery and continuous verification support zero trust across SaaS services and users.
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Renewal and offboarding failures leave non-human access active beyond business need.

Correlate SaaS usage, identity, and contract data so trust decisions reflect current conditions.


Key terms

  • SaaS Discovery: SaaS discovery is the process of finding which cloud applications are active across the organisation, including tools bought outside central IT. In practice, it combines identity, endpoint, finance, and browser signals so teams can build a more complete inventory than manual tracking can produce.
  • Renewal Governance: Renewal governance is the control process that decides whether a subscription should continue, be reduced, or be removed. It connects ownership, usage, contract terms, and budget approval so recurring spend is not allowed to renew automatically without a fresh business justification.
  • True-Up Cost: A true-up cost is the extra amount charged when actual SaaS consumption exceeds the original estimate or licence entitlement. It matters because it reveals where billing and usage have drifted apart, often exposing hidden overspend that would otherwise remain buried in the invoice cycle.
  • Shadow SaaS: Shadow SaaS refers to cloud applications acquired or used outside central IT and security oversight. These services often appear first in finance or endpoint data, and they become governance risks when their ownership, renewal status, and access footprint are never brought into the official inventory.

Deepen your knowledge

SaaS expense tracking and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme that must connect spend, access, and ownership, it is worth exploring.

This post draws on content published by Zluri: "SaaS Management: 5 Ways to Track SaaS Expenses in 2026". Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org