By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: Recession pressure should push CIOs toward tighter SaaS buying, asset visibility, spend control, security tooling, and employee training, according to Zluri, with its platform framed as a way to reduce waste and improve governance across the stack. The deeper lesson is that SaaS sprawl is an identity problem as much as a cost problem: unmanaged access, renewal drift, and weak offboarding turn budget pressure into control failure.


At a glance

What this is: This is a SaaS management and cost-optimisation article that also surfaces identity and access governance gaps, especially around onboarding, offboarding, and access control.

Why it matters: It matters to IAM practitioners because software sprawl, renewal drift, and over-broad access are governance failures that affect NHI, human access, and lifecycle control alike.

By the numbers:



Context

SaaS management becomes a governance issue when organisations accumulate software faster than they can control access, renewals, and offboarding. In practice, the problem is not only spend leakage, but also the growth of unmanaged identities and permissions across an expanding application estate.

For IAM, the important question is whether the organisation can still see who has access to what, why that access exists, and when it should end. The article points to the same structural weakness that shows up in NHI programmes: visibility and lifecycle control lag behind adoption.


Key questions

Q: How should organisations govern SaaS access as part of lifecycle management?

A: Treat each SaaS application as an identity lifecycle object with an owner, approval path, review cadence, and offboarding trigger. Access should be recertified when the business purpose changes, not only when a contract renews. This prevents dormant entitlements, orphaned integrations, and forgotten shared workspaces from persisting across the stack.

Q: Why do SaaS renewals often expose governance weaknesses?

A: Renewals force organisations to answer whether an app is still needed, who still uses it, and whether its access remains justified. If those questions are hard to answer, the issue is not procurement alone. It shows that access review, inventory, and lifecycle ownership are already too weak to support good governance.

Q: What do teams get wrong about SaaS security scoring?

A: Security scores are often treated as a substitute for governance, when they are only a signal. A score cannot tell you whether permissions are still appropriate, whether an integration is still needed, or whether a departing team has removed its access. Those decisions still require ownership and review.

Q: Who is accountable when SaaS access persists after a tool is no longer needed?

A: Accountability sits with the business owner, the application owner, and the identity governance team together. If any one of them assumes someone else will remove access, the entitlement can remain active long after the business use case ends. Lifecycle control must be assigned before the tool is put into production.


Technical breakdown

SaaS sprawl and identity lifecycle control

SaaS sprawl creates a lifecycle problem because every new app adds users, roles, shared workspaces, integrations, and offboarding tasks. When access is created faster than it is reviewed, the organisation loses the ability to prove who still needs the entitlement. That is an identity governance failure, not just an asset management issue. The same pattern appears in non-human identities when service accounts, tokens, and app-to-app connections outlive their original purpose. Practical implication: treat each SaaS deployment as a governed identity lifecycle with joiner, mover, and leaver controls.

Practical implication: Map every SaaS app to an owner, lifecycle event, and removal path before the app enters production.

Why renewal calendars are really entitlement controls

Renewal management is often presented as finance work, but the operational issue is entitlement persistence. If no one checks whether an app is still used, access and licences remain active by default, which increases both cost and attack surface. That matters because dormant apps still hold credentials, integrations, and export paths even after business owners stop paying attention. In identity terms, renewal is a forcing function for review. If the organisation cannot decide whether a tool should stay, it usually cannot decide whether its access should stay either. Practical implication: pair renewal review with access certification and integration cleanup.

Practical implication: Tie every contract renewal to access review, integration review, and deprovisioning validation.

SaaS security scores and access-level design

A security score is only useful if it reflects actual control boundaries. The article’s access-level examples show the real issue: view, edit, comment, and delete all carry different blast radii. In SaaS environments, over-granting is common because teams optimise for speed during onboarding and do not revisit scope later. That creates a governance gap across human users and machine-driven app connections alike. For NHI and IAM teams, the control question is whether access is task-scoped or merely convenient. Practical implication: separate high-risk permissions from routine collaboration access and review them on different cadences.

Practical implication: Use differentiated reviews for high-risk rights, shared spaces, and app-to-app permissions.



NHI Mgmt Group analysis

SaaS management is an identity governance problem disguised as procurement. The article treats software selection, renewals, and spending as cost disciplines, but each one directly affects who and what can access business systems. When application growth outpaces offboarding discipline, access persists without scrutiny and shadow entitlements accumulate. The practitioner lesson is that SaaS inventory is only useful when it is tied to identity lifecycle control.

Access review cadence is not enough when the application estate expands faster than review capacity. The article’s emphasis on dashboards and notifications points to a familiar control weakness: organisations can know a renewal date and still miss the governance decision behind it. That is where access review, owner attestation, and deprovisioning need to operate together. The implication is that entitlement cleanup must be built into operational finance, not run as an afterthought.

Unreviewed SaaS integrations create the same accountability problem as unmanaged non-human identities. A tool that still connects to data sources after business use has ended behaves like a dormant machine identity with standing trust. The article does not name that failure mode, but the pattern is clear: integration persistence extends blast radius beyond the original business need. The practitioner implication is to govern SaaS connectors with the same lifecycle rigour used for service accounts and tokens.

Training reduces waste only when it includes governance behaviour, not just feature usage. The article is correct that underused software wastes budget, but the sharper issue is that poor training also leads to misuse of access and permissions. Users who do not understand what they can do will either overreach or avoid the controls entirely. That is why training programmes should cover approval paths, access scope, and offboarding responsibilities, not just tool navigation. The implication is better control adoption, not just better utilisation.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • That same study finds that 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.
  • For teams building this capability, NHI Lifecycle Management Guide is the next step for turning visibility into governed provisioning, rotation, and offboarding.

What this signals

OAuth-connected SaaS apps are often the hidden extension of the identity perimeter. When 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, the control problem is no longer limited to user accounts. Teams should expect SaaS governance to converge with NHI governance, especially where integrations and delegated access outlive the business purpose that created them.

Access review and renewal review need to become one operational motion. Separate processes create separate blind spots, and blind spots are where dormant permissions survive. The practical response is to align SaaS procurement, entitlement certification, and offboarding so that every renewal becomes a lifecycle checkpoint.

As more organisations invest in dedicated NHI capabilities, the governance boundary between human users, SaaS apps, and machine identities will keep narrowing. That shift favours programmes that can track ownership, privilege scope, and exit conditions across the whole application estate, not just at the login layer.
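An OAuth app visibility inventory of the kind the 85% figure above is about, as an added example that is not code from Zluri or NHI Mgmt Group. It assumes a consent export shaped like the constructed GRANTS records (granting user, whether that user is still active, client name, vendor, scopes), a constructed vendor registry, and a scope risk rule of our own (any write or admin scope is high risk; offline_access marks standing refresh-token access). It surfaces the two gaps the page describes: delegated access that persists after the granting user has left, and third-party vendors nobody has registered.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed consent records, shaped like a token/consent export from an IdP or
# SaaS admin console. Users, clients and vendors are invented for the example.
GRANTS = [
    {"user": "alice@example.com", "user_active": True,
     "client": "DocSync", "vendor": "docsync.example", "scopes": ["files.read"]},
    {"user": "bob@example.com", "user_active": False,
     "client": "DocSync", "vendor": "docsync.example",
     "scopes": ["files.readwrite", "offline_access"]},
    {"user": "carol@example.com", "user_active": True,
     "client": "MailDigest", "vendor": "maildigest.example",
     "scopes": ["mail.read", "offline_access"]},
    {"user": "dave@example.com", "user_active": False,
     "client": "LegacyCRMSync", "vendor": "oldcrm.example",
     "scopes": ["directory.readwrite", "offline_access"]},
]

# Vendors that procurement and security have actually onboarded (constructed).
REGISTERED_VENDORS = {"docsync.example"}

STANDING_ACCESS_SCOPE = "offline_access"   # refresh tokens: access outlives the session


def scope_is_high_risk(scope: str) -> bool:
    """Assumed classification: anything that can write or administer is high risk."""
    s = scope.lower()
    return "write" in s or "admin" in s


@dataclass
class AppView:
    client: str
    vendor: str
    registered: bool                                        # vendor known to the business
    grantors: Set[str] = field(default_factory=set)
    scopes: Set[str] = field(default_factory=set)
    leaver_grants: Set[str] = field(default_factory=set)   # consent from departed users

    @property
    def high_risk_scopes(self) -> List[str]:
        return sorted(s for s in self.scopes if scope_is_high_risk(s))

    @property
    def standing_access(self) -> bool:
        return STANDING_ACCESS_SCOPE in self.scopes


def build_app_views(grants, registered_vendors) -> Dict[str, AppView]:
    """Aggregate per-user consents into one view per third-party app."""
    views: Dict[str, AppView] = {}
    for g in grants:
        view = views.setdefault(
            g["client"], AppView(g["client"], g["vendor"], g["vendor"] in registered_vendors))
        view.grantors.add(g["user"])
        view.scopes.update(g["scopes"])
        if not g["user_active"]:
            view.leaver_grants.add(g["user"])
    return views


def findings(views: Dict[str, AppView]) -> List[str]:
    """Turn the inventory into governance findings an owner has to act on."""
    out = []
    for v in views.values():
        if not v.registered:
            out.append(f"{v.client}: vendor {v.vendor} not in registry (visibility gap)")
        if v.leaver_grants:
            out.append(f"{v.client}: consent still held from departed users {sorted(v.leaver_grants)}")
        if v.standing_access and v.high_risk_scopes:
            out.append(f"{v.client}: standing access with high-risk scopes {v.high_risk_scopes}")
    return out


if __name__ == "__main__":
    for line in findings(build_app_views(GRANTS, REGISTERED_VENDORS)):
        print(line)
```

The aggregation is per client rather than per user on purpose: a single leaver's consent is enough to keep a vendor's refresh token alive, so the question to put to an owner is "does this app still need this access", not "does this user". Plug in a real consent export by replacing GRANTS with records in the same shape.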


For practitioners

  • Tie SaaS renewal to access review: Require each renewal decision to validate active users, owned integrations, and whether permissions still match current business need. If the app cannot pass that review, do not renew automatically.
  • Inventory SaaS integrations as identities: Treat every API connection, OAuth app, and service account inside a SaaS tool as a governed identity with an owner, purpose, and removal trigger.
  • Separate high-risk permissions from routine use: Split view and collaboration access from delete, admin, and export rights so that reviews can focus on the permissions that change blast radius.
  • Build offboarding into vendor management: Make deprovisioning a required step in vendor exit and non-renewal workflows so access, data sharing, and connectors are removed together.
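The renewal-as-lifecycle-checkpoint described in the Technical breakdown and in the four practitioner steps above, as an added example that is not code from Zluri or NHI Mgmt Group. It assumes a small inventory model of our own (SaasApp, Entitlement, Integration), a 90-day dormancy threshold, and the page's split of permissions into routine (view, comment, edit) and high-risk (delete, admin, export) tiers; the apps, users, connectors and dates are constructed. A renewal is blocked by leavers, dormant entitlements, orphaned or dormant integrations and a missing owner, while high-risk rights are routed to their own certification queue instead of being judged by usage.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Permission tiers from the article: routine collaboration vs. rights that change blast radius.
ROUTINE = {"view", "comment", "edit"}
HIGH_RISK = {"delete", "admin", "export"}
DORMANT_AFTER = timedelta(days=90)      # assumed dormancy threshold, not from the article
REVIEW_DATE = date(2025, 6, 26)         # constructed "today" for the worked run


@dataclass
class Entitlement:
    principal: str              # human user or machine identity inside the app
    permissions: Set[str]
    last_used: date
    active: bool = True         # False once HR/IdP records the principal as a leaver


@dataclass
class Integration:
    name: str                   # OAuth app, API key or service account inside the tool
    owner: Optional[str]
    purpose: Optional[str]
    last_used: date


@dataclass
class SaasApp:
    name: str
    owner: Optional[str]
    renewal_date: date
    entitlements: List[Entitlement] = field(default_factory=list)
    integrations: List[Integration] = field(default_factory=list)


@dataclass
class RenewalReview:
    app: str
    blockers: List[str] = field(default_factory=list)         # fix before renewal
    high_risk_queue: List[str] = field(default_factory=list)  # own certification cadence

    @property
    def may_auto_renew(self) -> bool:
        return not self.blockers


def renewals_due(apps: List[SaasApp], today: date, window_days: int = 30) -> List[SaasApp]:
    """The renewal calendar as a forcing function: apps that need a checkpoint now."""
    horizon = today + timedelta(days=window_days)
    return [a for a in apps if today <= a.renewal_date <= horizon]


def review_for_renewal(app: SaasApp, today: date) -> RenewalReview:
    """Validate users, integrations and permission scope before any renewal decision."""
    r = RenewalReview(app.name)
    if app.owner is None:
        r.blockers.append("no application owner assigned")
    for e in app.entitlements:
        if not e.active:                                   # leaver control
            r.blockers.append(f"leaver still entitled: {e.principal}")
        elif today - e.last_used > DORMANT_AFTER:          # dormant entitlement
            r.blockers.append(f"dormant entitlement: {e.principal}")
        unknown = e.permissions - ROUTINE - HIGH_RISK      # every right must be tiered
        if unknown:
            r.blockers.append(f"unclassified permissions: {e.principal} {sorted(unknown)}")
        risky = e.permissions & HIGH_RISK                  # reviewed separately, not by usage
        if risky:
            r.high_risk_queue.append(f"{e.principal}: {', '.join(sorted(risky))}")
    for i in app.integrations:                             # connectors are identities too
        if i.owner is None or i.purpose is None:
            r.blockers.append(f"orphaned integration: {i.name}")
        elif today - i.last_used > DORMANT_AFTER:
            r.blockers.append(f"dormant integration: {i.name}")
    return r


def build_inventory() -> List[SaasApp]:
    """Constructed inventory: one messy app, one clean app, one not yet due."""
    return [
        SaasApp("DesignTool", "alice", date(2025, 7, 15),
                entitlements=[
                    Entitlement("alice", {"view", "edit"}, date(2025, 6, 20)),
                    Entitlement("bob", {"view"}, date(2025, 1, 10)),
                    Entitlement("carol", {"admin", "delete"}, date(2025, 6, 1), active=False),
                ],
                integrations=[
                    Integration("storage-sync", "alice", "export designs to storage", date(2025, 6, 25)),
                    Integration("legacy-zap", None, None, date(2024, 11, 1)),
                ]),
        SaasApp("Notes", "dave", date(2025, 7, 20),
                entitlements=[
                    Entitlement("dave", {"view", "comment"}, date(2025, 6, 24)),
                    Entitlement("erin", {"edit"}, date(2025, 6, 10)),
                ]),
        SaasApp("OldAnalytics", None, date(2025, 12, 1)),
    ]


if __name__ == "__main__":
    for app in renewals_due(build_inventory(), REVIEW_DATE):
        rev = review_for_renewal(app, REVIEW_DATE)
        status = "auto-renew OK" if rev.may_auto_renew else "HOLD"
        print(app.name, status, rev.blockers, rev.high_risk_queue)
```

Run as-is it reports DesignTool on hold with three blockers and carol's admin/delete rights queued for separate certification, and Notes as eligible for auto-renewal. The deliberate design choice is that high-risk rights never block or pass renewal on usage alone; they go to the owner on their own cadence, which is what the differentiated review in the article asks for.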

Key takeaways

  • SaaS management becomes an identity governance problem the moment renewals, integrations, and user access drift out of sync.
  • Visibility into apps and third-party OAuth access is the prerequisite for controlling both spend and entitlement persistence.
  • Organisations that combine procurement review with access review and offboarding will reduce waste and shrink attack surface at the same time.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework (control / reference): relevance

  • OWASP Non-Human Identity Top 10 (NHI-03): SaaS integrations and tokens are identity objects that need rotation and offboarding.
  • NIST CSF 2.0 (PR.AC-4): Access rights to SaaS tools must reflect current business need and privilege scope.
  • NIST Zero Trust (SP 800-207): SaaS sprawl widens trust boundaries unless access is continually verified.

Apply zero-trust principles to SaaS by verifying identity, context, and entitlement before access.


Key terms

  • SaaS Sprawl: SaaS sprawl is the uncontrolled growth of software applications across an organisation without matching governance, ownership, or lifecycle discipline. It creates duplicated tools, forgotten licences, and access paths that are difficult to review, especially when teams adopt apps faster than they can retire them.
  • Identity Lifecycle: Identity lifecycle is the full sequence of creating, changing, reviewing, and removing access for a person, machine, or application. In SaaS environments, it includes onboarding, permission changes, renewal checks, and offboarding, all of which must stay aligned to the business purpose of the account or integration.
  • OAuth App Visibility: OAuth app visibility is the ability to see which third-party applications have been granted delegated access to internal systems and data. It is a core control for modern SaaS governance because hidden app connections can persist long after the original user or vendor relationship changes.
  • Entitlement Persistence: Entitlement persistence is the tendency for access rights, integrations, or licences to remain active after the business need has disappeared. It is one of the main drivers of avoidable exposure in SaaS and NHI programmes because unused access often stays available unless someone actively removes it.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: SaaS Management 6 Investments CIOs Must Make Before Recession Hits. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org