By NHI Mgmt Group Editorial Team
Published 2025-09-12
Domain: Governance & Risk
Source: Zluri

TL;DR: SaaS adoption has turned software access, shadow IT, compliance, and security into an identity governance problem, not just an application management problem, according to Zluri’s 2023 commentary. The practical lesson is that lifecycle control, visibility, and access governance now have to follow the SaaS stack itself, not sit beside it.


At a glance

What this is: This is a vendor commentary on how SaaS adoption shifts software operations into an identity governance problem, with access control, shadow IT, and compliance becoming central.

Why it matters: It matters because IAM, IGA, and security teams now have to govern a much wider SaaS-driven access surface that spans human users, service access, and machine-connected workflows.

By the numbers:

👉 Read Zluri's commentary on SaaS identity governance and access control


Context

SaaS governance becomes an identity problem when software sprawl creates more accounts, access paths, and approval gaps than teams can track manually. The article argues that organisations increasingly need to treat access control, shadow IT, compliance, and security as one operational surface rather than separate functions.

That framing fits modern IAM and IGA programmes because SaaS is where human access, delegated application access, and lifecycle governance intersect. For teams trying to reduce control drift, the issue is not simply buying more software, but governing who and what can use it across the stack.


Key questions

Q: How should security teams govern SaaS sprawl without slowing the business down?

A: Start by making SaaS discovery, ownership, and access review part of the same control process. If teams can adopt software faster than central IAM can see it, governance will always lag behind usage. The goal is not to block adoption, but to ensure every application has a known owner, access path, and offboarding process.

Q: Why does shadow IT create an IAM problem instead of only a procurement problem?

A: Shadow IT becomes an IAM problem because every unsanctioned application creates its own identities, permissions, and lifecycle obligations. Once accounts exist outside central review, the organisation loses control over joiner, mover, and leaver actions, and cannot reliably certify or revoke access across the full software estate.

Q: What breaks when SaaS access is automated without good identity data?

A: Automation breaks when it is asked to act on incomplete ownership, stale entitlements, or poor application discovery. In that state, workflows can accelerate approval mistakes, leave orphaned access in place, and create a false sense of control because the ticket moved quickly while the underlying risk did not change.

Q: How do IAM and IGA teams reduce risk in a SaaS-heavy environment?

A: They should combine application discovery, entitlement visibility, and lifecycle enforcement into one operating model. That means linking approvals to owners, recertifying app access regularly, and revoking accounts and integrations at offboarding. The control objective is consistent governance across every SaaS application, not isolated policy checks.


Technical breakdown

Why SaaS creates identity sprawl

SaaS environments multiply identities because every application creates its own users, integrations, permissions, and admin paths. In practice, the control problem is not just login, but entitlement drift across thousands of app-level access points. When procurement, IT, and business teams can adopt tools quickly, the identity surface expands faster than central governance can catalogue it. That creates shadow IT, orphaned access, and inconsistent approval paths. The result is a fragmented access model where the organisation no longer has a single view of who can reach what, through which application, and under whose authority.

Practical implication: inventory SaaS access paths as identities, not just applications.

Workflow automation in SaaS governance

Workflow automation can reduce manual effort in access requests, onboarding, and compliance checks, but only if the underlying identity data is accurate. Automation does not fix missing ownership, stale permissions, or poor application discovery. In SaaS governance, automated workflows often become the execution layer for policies that still depend on good lifecycle data, role mapping, and exception handling. Without that foundation, automation can accelerate bad decisions instead of improving control. The technical question is not whether automation exists, but whether it is wired to trustworthy identity and entitlement context.

Practical implication: connect automation to authoritative identity and entitlement sources before scaling it.

Shadow IT and access control in subscription software

Shadow IT in SaaS is usually an identity and procurement signal before it is a pure technology problem. A new subscription often means a new admin console, new user store, and new permission model outside the normal governance workflow. That makes access control harder because the organisation may not know the application exists until after accounts have been created and data has moved into it. Security teams then inherit a system whose access paths were never designed into central policy. This is why discovery, ownership, and access review have to operate together.

Practical implication: pair SaaS discovery with access review and app ownership assignment.


NHI Mgmt Group analysis

SaaS sprawl is an identity governance problem first and a software problem second. The article correctly treats SaaS adoption as a change in how access is created, approved, and controlled. Once every team can subscribe independently, governance no longer lives only in the IT stack. The practical conclusion is that SaaS inventory and entitlement oversight must be designed as a core IAM capability, not an afterthought.

Shadow IT is the operational symptom of control fragmentation. When business users can introduce software outside central procurement and IAM review, the organisation loses the ability to see, certify, and offboard access consistently. That is not just an architecture issue; it is a lifecycle failure across joiner, mover, and leaver processes. The practical conclusion is that application ownership and access review have to be tied together.

Workflow automation only helps when identity context is complete. The article leans on automation as the way to simplify SaaS operations, but automation without authoritative entitlement data simply scales whatever governance state already exists. This is where many SaaS programmes stall: they automate tickets before they stabilise app discovery, role mapping, and exception handling. The practical conclusion is that automation should follow governance clarity, not substitute for it.

Identity governance now spans human users, applications, and service access in the same SaaS estate. Even where the article speaks mainly about employees and access control, the broader implication is that SaaS platforms increasingly host human identities alongside delegated integrations and service credentials. That widens the governance boundary beyond classic SSO administration. The practical conclusion is that IAM teams need one operating model for all identities touching the SaaS layer.

Access intelligence becomes the control plane for SaaS adoption. The article’s core value is its recognition that organisations need continuous visibility into what is being adopted, who owns it, and what access it creates. Without access intelligence, SaaS becomes a collection of unmanaged exceptions rather than a governed portfolio. The practical conclusion is that security, IT, and finance need shared visibility into the SaaS identity surface.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity inventories fail before governance can start.
  • SaaS teams that want a stronger operating model should pair this visibility problem with the NHI Lifecycle Management Guide to tighten ownership, rotation, and offboarding discipline.

What this signals

Access intelligence is becoming the practical control plane for SaaS governance. As adoption shifts further into business-led buying, IAM teams need a reliable way to connect application discovery, entitlement review, and offboarding. Without that linkage, the programme will keep finding access problems after the business has already moved on.

The most important signal for practitioners is not how many SaaS tools exist, but how many have named owners, current access records, and a tested offboarding path. If those three elements are missing, the governance model is incomplete regardless of how polished the front-end workflows look.

Only 5.7% of organisations have full visibility into their service accounts, and that visibility gap is the same pattern SaaS governance runs into when ownership is diffuse and app sprawl is unmanaged. The Top 10 NHI Issues is the right companion resource for teams turning discovery into control.


For practitioners

  • Build a live SaaS inventory: Track every subscribed application, its owner, and its authentication path so the governance team can see where accounts and entitlements actually exist. Include business-led purchases, not only centrally approved apps.
  • Tie access requests to app ownership: Require a named owner for each SaaS application before new users, admins, or integrations are approved. This prevents orphaned access and makes recertification possible when the business process changes.
  • Automate offboarding across SaaS tools: Remove user accounts, admin roles, and connected integrations when employees move or leave, and verify that access revocation reaches every subscribed application rather than only the primary directory.
  • Review shadow IT as a governance signal: Treat unapproved app adoption as evidence that approval workflows, business controls, or security intake are failing. Use discovery data to decide whether to standardise, retire, or formally govern the tool.
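To make the four practices above concrete, here is an added example (not code from the article or from Zluri) that runs a governance gap check over a constructed SaaS inventory: it flags discovered apps missing from the inventory (the shadow IT signal), apps without a named owner, accounts and integrations that stayed active after the primary directory deprovisioned their user, and apps with no recent access review. All user and app names, the sample data, and the 90-day review window are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple
# Constructed sample data (hypothetical): the directory knows who left; each app keeps its own users.
DIRECTORY: Dict[str, str] = {"alice": "active", "bob": "deprovisioned", "carol": "active"}

@dataclass
class SaaSApp:
    name: str
    owner: Optional[str]               # named owner; None means nobody is accountable
    auth_path: str                     # "sso" or "local" (app-managed logins)
    accounts: Dict[str, bool]          # user -> active flag in the app's own user store
    integrations: Dict[str, str] = field(default_factory=dict)  # integration -> installer
    last_access_review: Optional[date] = None

INVENTORY: List[SaaSApp] = [
    SaaSApp("crm", "sales-ops", "sso", {"alice": True, "bob": True},
            {"crm-sheet-sync": "bob"}, date(2025, 7, 1)),
    SaaSApp("design-tool", None, "local", {"carol": True, "bob": False}),
]
# Apps seen by discovery (expense feeds, OAuth consent logs, SSO logs); constructed.
DISCOVERED: Set[str] = {"crm", "design-tool", "notes-app"}

def governance_gaps(directory: Dict[str, str], inventory: List[SaaSApp], discovered: Set[str],
                    today: date, review_max_days: int = 90) -> List[Tuple[str, str, str]]:
    """Report shadow IT, missing owners, access that outlived offboarding, and overdue reviews."""
    findings: List[Tuple[str, str, str]] = []
    known = {app.name for app in inventory}
    for name in sorted(discovered - known):            # adopted outside the inventory
        findings.append(("shadow_it", name, "discovered but not inventoried"))
    for app in inventory:
        if not app.owner:                              # nobody can approve or recertify access
            findings.append(("no_owner", app.name, "no named owner"))
        for user, active in app.accounts.items():      # app still honours a revoked identity
            if active and directory.get(user) != "active":
                findings.append(("orphaned_account", app.name, user))
        for integ, installer in app.integrations.items():  # integration outlived its installer
            if directory.get(installer) != "active":
                findings.append(("orphaned_integration", app.name, integ))
        if app.last_access_review is None or (today - app.last_access_review).days > review_max_days:
            findings.append(("review_overdue", app.name, "no recent access recertification"))
    return findings

def sample_report(today: date = date(2025, 9, 12)) -> List[Tuple[str, str, str]]:
    return governance_gaps(DIRECTORY, INVENTORY, DISCOVERED, today)

if __name__ == "__main__":
    for gap in sample_report():
        print(*gap, sep="\t")
```

In a real programme the directory and per-app account data would come from the IdP and each application's admin API or SCIM endpoint; the check logic stays the same.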

Key takeaways

  • SaaS adoption is an identity governance problem because every new subscription expands the access surface.
  • Automation helps only when app ownership, entitlement data, and lifecycle controls are already in place.
  • The control gap is visibility, not intention, which is why discovery and offboarding must operate together.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
NIST CSF 2.0                     | PR.AC-4             | SaaS sprawl affects how access permissions are granted and reviewed.
NIST Zero Trust (SP 800-207)     |                     | SaaS governance needs continuous verification across applications and access paths.
OWASP Non-Human Identity Top 10  | NHI-03              | The article's SaaS sprawl theme aligns with lifecycle gaps in non-human access.

Treat each SaaS app as a distinct access plane and verify identity and privilege continuously.


Key terms

  • SaaS identity sprawl: The uncontrolled expansion of identities, entitlements, and admin paths across subscription applications. It matters because each new SaaS tool adds its own access lifecycle, making central governance harder unless discovery and ownership are continuously maintained.
  • Shadow IT: Software adopted outside formal procurement or security review. In identity terms, it is a governance signal because the application can create unmanaged accounts, permissions, and integrations before IAM teams know it exists.
  • Access intelligence: A continuous view of who can access which applications, through what authority, and with what privileges. It combines discovery, ownership, entitlement visibility, and review data so governance teams can act before access drift becomes a breach or compliance issue.

Deepen your knowledge

NHI governance, identity lifecycle management, and secrets management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or operational governance, it is worth exploring.

This post draws on content published by Zluri: Why Zluri? Why now? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org