TL;DR: IT teams are being pushed to manage SaaS sprawl, onboarding, offboarding, and license control as a single governance problem, according to Josys. The issue is no longer only operational efficiency, because unmanaged app access and poor visibility now directly affect security, spend, and audit readiness.
At a glance
What this is: This is a Josys campaign post arguing that modern IT should be run like a performance discipline, with SaaS visibility, lifecycle automation, and access control at the centre.
Why it matters: It matters because SaaS governance now sits across NHI, human access, and lifecycle management, so IAM teams need consistent controls for onboarding, offboarding, visibility, and audit readiness.
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, raising the likelihood of unauthorised access and broadening the attack surface.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
👉 Read Josys' Run SaaS Right campaign on SaaS governance and IT performance
Context
SaaS sprawl turns identity governance into an operating discipline, not just an access review exercise. When teams cannot see which applications are active, who still has access, or where licenses and permissions drift over time, onboarding and offboarding become control failures rather than administrative chores.
Josys frames that problem as a performance issue for IT, but the underlying security question is broader: how do organisations keep human access, machine access, and application lifecycle controls aligned when the software estate keeps expanding? That is the real governance gap for IAM, IGA, and SaaS operations teams.
For identity practitioners, the signal is clear. Visibility, entitlement cleanup, and lifecycle enforcement are no longer separate workstreams, because every unmanaged application creates both cost leakage and a potential access path that never gets retired.
Key questions
Q: How should organisations govern SaaS sprawl without losing access control?
A: Start with a complete application inventory, then assign business and technical ownership to every app. Governance fails when applications are adopted outside a lifecycle process, because access, licensing, and offboarding drift apart. The practical goal is to make every application visible, reviewable, and removable through a single control path.
Q: Why does SaaS lifecycle management matter to IAM teams?
A: Because SaaS lifecycle management determines whether access remains justified after a user changes role or leaves. If offboarding, certification, and license cleanup are not linked, organisations keep paying for inactive software while carrying unnecessary access risk. IAM teams need the same lifecycle discipline that they apply to accounts and privileges.
Q: What breaks when SaaS visibility is incomplete?
A: Access reviews become partial, offboarding becomes inconsistent, and audit evidence stops reflecting reality. Incomplete visibility means teams cannot reliably tell which apps are active or which identities still have access. That creates blind spots across security, compliance, and cost control at the same time.
Q: How can teams keep SaaS access and spending under control?
A: Reconcile application usage, assigned licenses, and account activity in one workflow. When those records are managed separately, organisations miss both excess spend and excess privilege. A joined-up process makes it easier to remove dormant access and retire unused licenses before they become governance debt.
Technical breakdown
SaaS sprawl and identity lifecycle drift
SaaS sprawl means the application estate grows faster than the governance process that tracks it. In practice, that creates lifecycle drift: users keep access after moving roles, licenses remain assigned after inactivity, and offboarding does not fully remove access paths. The risk is not only wasted spend. Every unmanaged application becomes a separate identity boundary with its own authentication, authorization, and audit trail, which makes enterprise control fragmented by design.
Practical implication: treat application inventory, access ownership, and deprovisioning as one lifecycle process, not three unrelated tasks, so lifecycle drift cannot accumulate unnoticed.
Visibility into who has access to what
Access visibility is the control that tells you whether governance is real or only assumed. For SaaS estates, that means knowing which apps are connected, which identities are active, which accounts are shared, and which entitlements are no longer justified. Without that baseline, access reviews are retrospective paperwork rather than a live control. The same logic applies across human and non-human identity programmes: if the inventory is incomplete, every downstream decision is partially blind.
Practical implication: establish authoritative inventories for users, apps, and entitlements before relying on certification, reviews, or audit activity.
License management as a governance signal
License management is often treated as finance work, but in SaaS environments it is also a security and governance signal. A stale license can indicate a stale identity, a neglected application, or a control gap in offboarding. When licensing, access, and use are not reconciled together, organisations can end up paying for shadow adoption while also carrying hidden exposure. That is why entitlement cleanup matters: it removes both unnecessary cost and unnecessary access.
Practical implication: reconcile usage, license assignment, and account activity in the same workflow so waste and risk are addressed together.
NHI Mgmt Group analysis
SaaS governance is becoming an identity lifecycle problem, not just an IT operations problem. The article is right to frame speed and discipline as important, but the deeper issue is that application sprawl multiplies identity states faster than teams can govern them. Once onboarding, offboarding, and license allocation fragment across hundreds of apps, access control becomes inconsistent by default. Practitioners should read this as a lifecycle governance challenge, not a software management theme.
Visibility is the prerequisite control, because you cannot govern what you cannot enumerate. The post’s emphasis on centralised insight reflects a real control truth across human IAM and NHI management alike. If the organisation cannot see active applications, active accounts, and current entitlements, every recertification cycle starts from incomplete data. Practitioners should treat inventory quality as the first security control, not a reporting afterthought.
License sprawl and access sprawl are the same governance failure expressed in two budgets. One shows up as wasted spend, the other as unnecessary privilege. When those records diverge, organisations lose the ability to prove that access is still justified, which weakens both audit posture and security posture. Practitioners should collapse licensing and entitlement review into the same operational workflow.
Shadow IT becomes shadow identity the moment applications are adopted without lifecycle ownership. The article’s concern about uncontrolled SaaS use maps directly to unmanaged access paths that outlive their business need. That is especially relevant where app adoption is decentralised, because access entitlement can persist long after the service was approved. Practitioners should assign lifecycle ownership to every app, not only the approved core stack.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- For lifecycle context, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding discipline.
What this signals
SaaS sprawl is a governance signal before it is an operational inconvenience. When application estates expand faster than ownership and offboarding controls, the programme accumulates hidden access paths that no quarterly review can fully clean up. Teams should treat lifecycle accuracy as a leading indicator for both security exposure and budget leakage.
The more decentralised the application estate, the more important it becomes to connect identity, licensing, and application ownership in one control plane. That is where most programmes still struggle: they can see the spend, or the access, or the app inventory, but not all three at once. The result is a control surface that looks managed while still leaking privilege.
A useful concept here is lifecycle drift: the gap between who should have access and who actually still does. When drift is not measured and corrected continuously, SaaS governance becomes reactive and audit evidence degrades over time. Practitioners should prioritise controls that shorten the distance between change in employment status and removal of access.
For practitioners
- Inventory every SaaS application and its identity owner. Build a current register of active applications, business owners, and technical owners so no app sits outside lifecycle accountability. Use that register as the source for offboarding, certification, and access review decisions.
- Tie offboarding to access removal in the same workflow. Require user departure, role change, or app retirement to trigger access revocation and license cleanup together. That prevents stale accounts from surviving simply because finance and IAM workflows are separated.
- Reconcile license usage against actual account activity. Compare assigned licenses with login activity and application usage on a scheduled basis. Where accounts are inactive but still licensed, remove both the cost and the access entitlement.
- Create one access review process across SaaS and identity systems. Do not run separate governance routines for application subscriptions, user access, and entitlement validation. A single review cadence is easier to audit and reduces the chance that one control passes while another fails.
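The reconciliation described in the "How can teams keep SaaS access and spending under control?" answer and in the practitioner steps above, as an added worked example that is not part of the original Josys post or of NHIMG's own tooling. It joins three records that normally live in different teams' systems, a constructed HR roster, a constructed licence assignment export and constructed last-login records, and flags the four drift conditions the text names: leavers who still hold access, licensed accounts with no HR record, dormant licences (the 60-day threshold is an assumption), and apps with no lifecycle owner. It also reduces the result to a single lifecycle drift rate so the number can be trended between review cycles. All app names, addresses, field layouts and dates are invented for the illustration.

```python
"""Added worked example (not Josys or NHIMG code): reconcile an HR roster,
SaaS licence assignments and last-login activity to surface lifecycle drift.
All records below are constructed; field names and the 60-day threshold are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

AS_OF = date(2025, 6, 30)

# Constructed HR roster: the authoritative record of who should still have access.
HR = {
    "alice@example.com": {"status": "active", "left": None},
    "bob@example.com":   {"status": "left",   "left": date(2025, 5, 15)},
    "carol@example.com": {"status": "active", "left": None},
}

# Constructed licence assignment export: one row per (app, user), with the app's lifecycle owner.
LICENSES = [
    {"app": "DesignTool", "user": "alice@example.com", "owner": "design-lead@example.com"},
    {"app": "DesignTool", "user": "bob@example.com",   "owner": "design-lead@example.com"},
    {"app": "CRM",        "user": "carol@example.com", "owner": "sales-ops@example.com"},
    {"app": "CRM",        "user": "dave@example.com",  "owner": "sales-ops@example.com"},  # no HR record
    {"app": "WikiApp",    "user": "alice@example.com", "owner": None},                      # nobody owns this app
]

# Constructed last-login records keyed by (app, user); a missing key means the account never logged in.
LAST_LOGIN = {
    ("DesignTool", "alice@example.com"): date(2025, 6, 28),
    ("DesignTool", "bob@example.com"):   date(2025, 5, 14),
    ("CRM",        "carol@example.com"): date(2025, 3, 1),
    ("CRM",        "dave@example.com"):  date(2025, 6, 29),
}


@dataclass(frozen=True)
class Finding:
    app: str
    user: str     # "*" for app-level findings
    issue: str    # leaver_retains_access | orphaned_account | dormant_license | unowned_app
    action: str   # revoke (access and licence removed together) | review (route to the owner)
    detail: str


def reconcile(hr, licenses, last_login, as_of, inactive_days=60):
    """Join the three records and return one finding per drifted assignment plus app-level ownership gaps."""
    cutoff = as_of - timedelta(days=inactive_days)
    findings = []
    unowned_apps = set()
    for lic in licenses:
        app, user = lic["app"], lic["user"]
        person = hr.get(user)
        seen = last_login.get((app, user))
        if person is None:
            # A licensed identity HR has never heard of: contractor, shared or service account, or shadow user.
            findings.append(Finding(app, user, "orphaned_account", "review", "licensed account with no HR record"))
        elif person["status"] == "left":
            # Offboarding did not reach this app; the leaver is the highest-priority revocation.
            days_gone = (as_of - person["left"]).days
            findings.append(Finding(app, user, "leaver_retains_access", "revoke", f"left {days_gone} days ago"))
        elif seen is None or seen < cutoff:
            # Current employee, but the licence is paid for and the access path is open without use.
            detail = "never logged in" if seen is None else f"last login {(as_of - seen).days} days ago"
            findings.append(Finding(app, user, "dormant_license", "revoke", detail))
        if lic["owner"] is None:
            unowned_apps.add(app)
    for app in sorted(unowned_apps):
        findings.append(Finding(app, "*", "unowned_app", "review", "no lifecycle owner to run reviews or offboarding"))
    return findings


def drift_rate(licenses, findings):
    """Lifecycle drift as a number: the share of licence assignments that should not exist as they stand."""
    flagged = {(f.app, f.user) for f in findings if f.user != "*"}
    return len(flagged) / len(licenses) if licenses else 0.0


if __name__ == "__main__":
    results = reconcile(HR, LICENSES, LAST_LOGIN, AS_OF)
    for f in results:
        print(f"{f.action:6} {f.issue:22} {f.app:10} {f.user:18} {f.detail}")
    print(f"lifecycle drift: {drift_rate(LICENSES, results):.0%} of licence assignments")
```

Run it on a schedule against real exports from HR, each SaaS admin console and the identity provider, and feed the `revoke` rows into one ticket or workflow that removes access and reclaims the licence in the same step; the `review` rows go to the recorded owner, and an app with no owner is itself the finding. The drift rate is the leading indicator the "What this signals" section asks for: if it does not fall between review cycles, offboarding is not reaching the SaaS estate.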
Key takeaways
- SaaS sprawl turns lifecycle management into a core identity governance control, because unmanaged applications create persistent access and audit risk.
- Visibility, entitlement cleanup, and license reconciliation are inseparable once organisations manage dozens or hundreds of SaaS apps.
- The practical response is to unify ownership, offboarding, and access review so stale applications do not become stale identities.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI3:2025 Vulnerable Third-Party NHI | Stale SaaS access that survives a leaver or role change is the NHI1 failure; every SaaS integration also adds third-party NHIs that need lifecycle ownership (NHI3). |
| NIST CSF 2.0 | PR.AA-01 | Identity and access governance depend on complete asset and entitlement visibility. |
| NIST Zero Trust (SP 800-207) | Section 2.1, tenets 6 and 7 (dynamic, strictly enforced authorisation; continuous collection of asset and identity state) | Zero Trust access decisions need continuous account and entitlement validation across SaaS. (AC-2, Account Management, is an SP 800-53 control rather than part of SP 800-207.) |
Map SaaS app access and offboarding to NHI1 (Improper Offboarding), treat each app's integration identities under NHI3 (Vulnerable Third-Party NHI), and remove stale entitlements in the same workflow.
Key terms
- SaaS Sprawl: The uncontrolled growth of software-as-a-service applications across an organisation. It creates governance problems because every app can introduce its own identities, permissions, and audit requirements, making it harder to track who has access and whether that access is still justified.
- Lifecycle Drift: The gap between an identity's current state and the governance record that should describe it. In SaaS environments, drift appears when users change roles, leave, or stop using a service but access, licenses, or ownership records are not updated in time.
- Shadow IT: Technology adopted outside formal governance or approval processes. In identity terms, shadow IT matters because unmanaged applications also create shadow access, where accounts, entitlements, and secrets exist without clear ownership, review, or offboarding controls.
- Entitlement Reconciliation: The process of comparing assigned access against actual need, usage, and ownership. For SaaS and identity programmes, it helps identify excess privilege, stale licenses, and orphaned access paths before they become security or cost problems.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Josys: Run SaaS Right: Why IT Teams Are Going Pro with Josys. Read the original.
Published by the NHIMG editorial team on 2025-06-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org