By NHI Mgmt Group Editorial Team. Published 2025-09-18. Domain: Governance & Risk. Source: Zluri

TL;DR: Tracking SaaS licenses is less about cost control than governance, because manual spreadsheets, employee surveys, ITAM, and SAM all miss parts of the software stack, according to Zluri. The real issue is that fragmented discovery leaves shadow IT, unused licenses, and offboarding gaps visible only after spend and access have already drifted.


At a glance

What this is: This is a SaaS license management guide showing that manual tracking methods fail to give complete visibility into SaaS usage, renewals, and offboarding.

Why it matters: It matters because SaaS licensing is also an identity governance problem: incomplete discovery creates shadow IT, waste, and revocation gaps across human and non-human access flows.

By the numbers:

Read Zluri's guide to tracking SaaS software licences.


Context

SaaS license tracking fails when organisations treat application spend as a procurement problem instead of an identity and governance problem. When employees can sign up for tools outside central workflows, the result is not just wasted spend but a partial record of who has access to what, where renewals sit, and which licences should be revoked or downgraded.

That gap matters for IAM teams because SaaS usage is now intertwined with joiner, mover, and leaver processes, contractor access, and access reviews. The operational question is not whether teams can see invoices, but whether they can maintain a trustworthy system of record for every application, user, and entitlement across the software stack.


Key questions

Q: How should teams govern SaaS licences when users can sign up outside IT?

A: Teams need a discovery-backed system of record that reconciles SSO, finance, HR, and app integrations into one view of subscriptions and access. Without that, shadow IT remains invisible, renewals are guessed, and offboarding cannot reliably revoke what was never centrally tracked in the first place.

Q: Why do spreadsheets fail for SaaS licence governance at scale?

A: Spreadsheets fail because they are manually updated, lag behind user behaviour, and cannot validate whether a licence is still assigned, used, or approved. At scale, they become a record of prior assumptions rather than current access state, which makes them unsuitable for renewal and revocation control.

Q: What breaks when ITAM or SAM is used to manage SaaS licences?

A: The control breaks because ITAM is built around hardware and SAM is often oriented to installed software, while SaaS is identity-linked and continuously changing. That leaves licence assignment, external-user access, and renewal risk outside the tools’ strongest control paths.

Q: How do teams know if SaaS licence optimisation is actually working?

A: They should see fewer duplicate licences, lower unused-seat rates, and cleaner offboarding outcomes across departments and contractors. If discovery still misses apps connected through finance, browser use, or direct subscriptions, then the optimisation programme is only partial and the savings figure is not trustworthy.


Technical breakdown

Why spreadsheets fail as a system of record

Spreadsheets can list software assets, but they do not enforce discovery, validation, or change control. In a fast-moving SaaS environment, that means the data is always behind reality, especially when users add apps independently or renewals happen outside IT workflows. A spreadsheet can support a small, stable environment, but it cannot reliably establish authoritative entitlement state across departments, vendors, and contractors.

Practical implication: use spreadsheets only as a temporary inventory aid, not as the control plane for licence governance.

Why ITAM and SAM miss SaaS identity risk

Traditional IT asset management focuses on hardware, while software asset management is usually built around installed, on-premise licensing. SaaS breaks both assumptions because the asset is not a machine image on a desktop, it is an identity-backed subscription that can be created, shared, renewed, or abandoned without local installation. That shifts the governance problem from endpoint ownership to access and lifecycle visibility.

Practical implication: map SaaS licensing to identity lifecycle controls, not just to asset registers or software procurement records.

How automated discovery changes renewal and revocation control

Automated discovery gives teams a current view of apps, users, licence types, and spend, which is essential for renewal decisions and offboarding. The technical value is not the dashboard itself but the underlying ability to reconcile multiple signals from directories, SSO, finance, and integrations into a single operational record. Without that reconciliation, renewal calendars and revocation workflows are based on incomplete evidence.

Practical implication: require discovery coverage that can feed renewal, approval, and termination workflows from a unified source of truth.


NHI Mgmt Group analysis

Shadow SaaS is a governance failure before it is a cost problem. When employees can subscribe to tools outside a central control plane, the organisation loses the ability to prove who has access, who approved it, and whether it should still exist. That is a lifecycle and entitlement visibility failure, not just a procurement inefficiency. Practitioners should treat unmanaged SaaS as an identity surface that expands outside review cycles.

Software licence sprawl is the visible symptom of weak joiner-mover-leaver discipline. The article shows that licence assignment, renewal, and revocation are all lifecycle events, yet many teams manage them with disconnected processes. When offboarding does not reliably terminate app access, the organisation carries dormant entitlements that continue to consume budget and create governance debt. Practitioners should align licence administration with access lifecycle ownership.

Discovery quality determines whether optimisation is real or cosmetic. A licence optimisation programme is only as good as the completeness of its discovery layer. If the system misses browser-installed apps, finance-spend subscriptions, or contractor entitlements, then usage reports will undercount risk and overstate control. Practitioners should measure discovery breadth before trusting any savings claim.

System of record quality now defines SaaS control maturity. The article points to a broader market shift in which SaaS management platforms are becoming operational control points for access, renewal, and revocation. That does not replace IAM or IGA, but it does mean license governance is converging with identity governance. Practitioners should evaluate whether their current tooling can sustain that convergence without manual reconciliation.

From our research:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
  • For a broader view of lifecycle control, see NHI Lifecycle Management Guide, which maps how provisioning, rotation, and offboarding should be governed across identity types.

What this signals

Licence tracking is converging with identity governance. As more SaaS procurement moves outside traditional IT workflows, the control question becomes whether organisations can maintain an accurate entitlement record across employees, contractors, and business units. That pushes SaaS management closer to joiner-mover-leaver discipline and makes access ownership more important than purchase ownership.

Discovery breadth will become the differentiator in SaaS control quality. A platform that only sees a subset of subscriptions cannot support reliable renewal, revocation, or spend optimisation. For practitioners, the key signal is not how many dashboards exist, but whether the discovery layer can surface external users, duplicate apps, and stale subscriptions before they become policy exceptions.

Identity lifecycle will increasingly define SaaS economics. The best savings programmes will look less like budget trimming and more like entitlement hygiene, with access reviews, offboarding, and renewal decisions tied to one operating model. For teams building that model, the overlap between SaaS governance and NHI lifecycle controls is now hard to ignore.


For practitioners

  • Create a single SaaS entitlement inventory: Reconcile app discovery from SSO, finance, HR, and direct integrations into one authoritative register so renewals and access decisions are based on current usage, not scattered spreadsheets.
  • Tie licence revocation to offboarding workflows: Make licence termination part of the same process that removes user access during leaver handling, contractor exit, and role change events so dormant subscriptions do not persist after access should end.
  • Review spend for unused and downgradable licences: Compare assigned licences against actual usage data and downgrade or reclaim entitlements that are underused, over-tiered, or attached to accounts that no longer need them.
  • Set renewal decisions on discovery evidence: Require current discovery data before approving renewal, especially where the platform cannot show who is using the app, whether external users are involved, or whether the application is still business-critical.
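The reconciliation described under "How automated discovery changes renewal and revocation control" and the four practitioner steps above can be expressed as one small reconciliation routine. The example below is added here and is not Zluri's or NHI Mgmt Group's code; the SSO, finance and HR inputs are constructed sample data, and the finding names and the 90-day idle threshold are assumptions.

```python
"""Reconcile SSO, finance and HR signals into one SaaS entitlement view."""
from collections import defaultdict

# Constructed sample signals (illustrative only, not real tenant data).
# SSO assignments: app -> {user: days since last login}
SSO_ASSIGNMENTS = {
    "figma": {"alice": 3, "bob": 120, "carol": 1, "erin": 95},
    "notion": {"alice": 10, "dave": 5},
}
# Finance: app -> paid seats on the current invoice
FINANCE_SEATS = {"figma": 5, "notion": 2, "loom": 1}
# HR roster: user -> employment status
HR_STATUS = {"alice": "active", "bob": "left", "carol": "contractor",
             "dave": "active", "erin": "active"}


def reconcile(sso, finance, hr, unused_after_days=90):
    """Return findings grouped by type: {finding: [(app, detail), ...]}."""
    findings = defaultdict(list)
    # Paid for but invisible to SSO: shadow IT or an unintegrated app.
    for app in finance:
        if app not in sso:
            findings["unintegrated_spend"].append((app, finance[app]))
    for app, users in sso.items():
        for user, idle_days in users.items():
            status = hr.get(user)
            # Leaver (or identity unknown to HR) still holding a seat: offboarding gap.
            if status is None or status == "left":
                findings["revocation_gap"].append((app, user))
            elif idle_days > unused_after_days:
                findings["unused_seat"].append((app, user))
        paid = finance.get(app)
        if paid is None:
            findings["no_finance_record"].append((app, len(users)))
        elif paid > len(users):
            # More seats paid than assigned: reclaim or downgrade at renewal.
            findings["overprovisioned"].append((app, paid - len(users)))
    return dict(findings)


def renewal_blockers(app, findings):
    """Finding types that should hold a renewal for `app` until resolved."""
    return sorted(kind for kind, items in findings.items()
                  if any(a == app for a, _ in items))


if __name__ == "__main__":
    report = reconcile(SSO_ASSIGNMENTS, FINANCE_SEATS, HR_STATUS)
    for kind, items in sorted(report.items()):
        print(f"{kind}: {items}")
    print("figma renewal blockers:", renewal_blockers("figma", report))
```

In a real deployment the three input maps would be populated from the SSO provider, the accounts-payable export and the HR system rather than literals, but the reconciliation logic is the same.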

Key takeaways

  • Manual licence tracking creates blind spots that quickly turn into shadow IT, weak revocation, and inflated SaaS spend.
  • The main evidence problem is not lack of data, but lack of a trustworthy system of record for apps, users, and entitlements.
  • Teams that connect discovery to offboarding and renewal workflows will control SaaS risk more effectively than teams relying on spreadsheets or static inventories.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Licence revocation and renewal failures mirror NHI lifecycle control gaps.
NIST CSF 2.0 | PR.AA-01 | Identity and access governance depends on knowing which users and services still have access.
NIST Zero Trust (SP 800-207) | PR.AC | Least-privilege access needs continuous visibility into active SaaS entitlements.

Tie SaaS entitlement offboarding to lifecycle controls and review renewal evidence before extending access.


Key terms

  • SaaS management platform: A SaaS management platform is a control layer for discovering, tracking, and governing cloud software subscriptions across an organisation. It connects usage, ownership, renewal, and access data so teams can reduce waste and improve lifecycle control over applications that users can adopt without central approval.
  • Shadow IT: Shadow IT is software or services adopted outside approved governance channels. In SaaS environments, it usually appears when users self-subscribe, expense tools directly, or share access informally, creating blind spots in renewal, security, and offboarding processes.
  • System of record: A system of record is the authoritative source teams rely on for a specific operational truth. For SaaS governance, it should show which applications exist, who uses them, who approved them, and when access or renewal decisions were last validated.
  • Joiner-mover-leaver process: A joiner-mover-leaver process manages access when people enter, change roles, or leave an organisation. In SaaS governance, it must cover licence assignment, role changes, and termination so software access follows employment status rather than drifting beyond it.

Deepen your knowledge

NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity security programme, it is worth exploring.

This post draws on content published by Zluri: SaaS Management How to Track Software License. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org