By NHI Mgmt Group Editorial Team
Published 2026-01-14
Domain: Governance & Risk
Source: Zluri

TL;DR: SaaS sprawl, shadow IT, and fragmented access governance are pushing organisations toward platforms that combine discovery, lifecycle automation, and review workflows, according to Zluri. KuppingerCole’s executive view highlights that SaaS management and IGA now need to operate as one control plane, not separate programmes.


At a glance

What this is: An executive-view summary of Zluri’s SaaS management and IGA capabilities. Its key finding is that SaaS discovery, lifecycle automation, and access governance are increasingly treated as one problem.

Why it matters: IAM teams must govern SaaS entitlements, user lifecycle, and compliance evidence across both human and non-human access paths, not just provision accounts.

👉 Read Zluri's executive view on SaaS management and IGA


Context

SaaS sprawl creates an identity governance problem before it becomes a cost problem: teams lose sight of what applications exist, who can access them, and whether access still matches business need. In that environment, SaaS management becomes a governance function, not just an inventory exercise.

For IAM, IGA, and security teams, the issue is whether discovery, request, review, and deprovisioning can work from the same authoritative data set. Where application ownership is fragmented or shadow IT is common, lifecycle controls degrade quickly and audit evidence becomes harder to trust.


Key questions

Q: How should teams govern SaaS access when the application estate keeps changing?

A: Start with discovery, not policy. Teams need a trusted inventory of SaaS applications, owners, users, and entitlements before they can govern access consistently. Once that data exists, connect onboarding, offboarding, and access reviews to the same source so changes in employment or role translate into changes in access without manual rework.

Q: Why do shadow IT and SaaS sprawl break access governance?

A: Because governance only works on systems you can see. Shadow IT creates blind spots in entitlement data, which means reviews, deprovisioning, and SoD checks can miss real access paths. The result is entitlement drift, weak audit evidence, and a higher chance that access persists after the business no longer needs it.

Q: What do security teams get wrong about access reviews for SaaS apps?

A: They often treat reviews as a periodic checkbox instead of a decision process grounded in app usage and ownership. If reviewers do not see who uses the app, why access exists, and what changed since the last cycle, they will approve stale entitlements. Reviews should reduce risk, not just generate completion metrics.

Q: What is the difference between SaaS management and IGA in practice?

A: SaaS management focuses on discovering applications, tracking usage, and optimising spend. IGA focuses on access requests, reviews, lifecycle actions, and audit evidence. In modern environments the two overlap, because you cannot govern SaaS access well if you cannot first identify which applications exist and who is connected to them.


Technical breakdown

SaaS discovery as an identity control plane

SaaS discovery is the mechanism that turns scattered app usage data into an inventory that identity teams can govern. In practice, that means aggregating data from IdPs, SaaS APIs, HR systems, and other connectors to identify active applications, users, and entitlements. The technical value is not visibility alone. It is whether the inventory is detailed enough to support access reviews, deprovisioning, and license rationalisation without manual reconciliation.

Practical implication: treat SaaS discovery as a prerequisite for access governance, not a reporting feature.

Lifecycle automation for onboarding, offboarding, and access reviews

Lifecycle automation in SaaS IGA links joiner-mover-leaver events to access decisions, review workflows, and deprovisioning actions. When the source of truth is timely, onboarding can provision the right access quickly, while offboarding can remove access across multiple apps in one workflow. Access reviews then rely on the same entitlement data to certify or revoke access. The architecture matters because each step depends on consistent identity and application data, not disconnected admin tasks.

Practical implication: align HR, IAM, and app ownership data before automating lifecycle actions at scale.

Policy-based access remediation and segregation of duties

Policy-based remediation uses rules to flag risky entitlements, excessive permissions, or conflicting access patterns and then trigger corrective action. In SaaS environments, that matters because role definitions are often loose and application-specific RBAC can hide privilege overlap. Segregation of duties controls also depend on accurate entitlement mapping across apps, otherwise reviews can approve combinations that create audit or fraud exposure. The technical challenge is keeping policy logic aligned with real application entitlements as SaaS estates change.

Practical implication: map remediation rules to actual SaaS entitlements, then validate them against SoD and audit requirements.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

SaaS governance is now an identity problem, not just an IT operations problem. Once application discovery, access requests, reviews, and deprovisioning sit in separate tools, accountability fragments and control evidence becomes harder to prove. That fragmentation is what shadow IT exploits. Practitioners should treat SaaS management and IGA as one governance domain.

Application visibility is the control that determines whether SaaS governance exists at all. If teams cannot reliably enumerate applications and entitlements, every downstream process becomes partial at best. The KuppingerCole review highlights that visibility and automation are tightly coupled, because review quality depends on accurate entitlement data. The practitioner implication is straightforward: without a trusted inventory, access governance is performative.

Lifecycle management is where SaaS security either scales or stalls. The article’s emphasis on onboarding, deprovisioning, and access reviews reflects a broader market shift toward continuous governance. That aligns with NIST Cybersecurity Framework 2.0 and the NHI lifecycle mindset, where the control objective is not just granting access but removing it cleanly when it is no longer needed. Teams should assume lifecycle failure becomes breach exposure, audit drag, and cost leakage at the same time.

Shadow IT creates entitlement debt that access reviews alone cannot clear. Reviews can only certify what is already visible, and hidden applications or unmanaged entitlements stay outside the workflow. The deeper problem is that governance assumptions built for known systems break when the application estate is incomplete. Practitioners need to close the discovery gap first, or certification becomes a paper exercise.

Named concept: SaaS entitlement drift. This is the gap between the access people have across expanding SaaS estates and the access the business can still justify. It grows when apps are added without governance intake, when roles change faster than reviews, and when offboarding misses one or more systems. Practitioners should treat drift as a lifecycle failure mode, not a one-off access mistake.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why discovery quality is a governance issue, not a reporting nice-to-have.
  • Teams that want the operating model behind that statistic should start with NHI Lifecycle Management Guide, where provisioning, rotation, and offboarding are treated as one lifecycle.

What this signals

The next governance gap is not whether teams can buy more automation, but whether they can maintain a reliable control plane across SaaS, human access, and service identities as the application estate keeps expanding.

A useful planning lens is SaaS entitlement drift: when access accumulates faster than ownership, review, and offboarding can keep up, the environment becomes harder to certify and easier to over-permit. That is where IAM, IGA, and SaaS management stop being separate disciplines and become one operational requirement.

For teams tracking identity maturity, the practical question is whether discovery data is accurate enough to support lifecycle decisions in time. The NIST Cybersecurity Framework 2.0 remains a useful reference point for aligning identify, protect, detect, respond, and recover activities around one governance model.


For practitioners

  • Build a single SaaS inventory before automating governance: Consolidate application discovery data from SSO, HR, SaaS APIs, and manual app lists into one authoritative register. Use that register to identify shadow IT, orphaned apps, and unowned entitlements before you automate reviews or deprovisioning.
  • Tie onboarding and offboarding to authoritative identity events: Connect joiner-mover-leaver triggers to SaaS provisioning and deprovisioning workflows so access changes follow employment changes. Validate that offboarding removes access from all major SaaS systems, not just the primary directory-connected apps.
  • Use access reviews to resolve entitlement drift, not confirm noise: Feed reviewers with application usage, owner context, and entitlement history so they can make real decisions instead of rubber-stamping permissions. Prioritise high-risk SaaS applications and avoid review cycles that only surface the same stale access every quarter.
  • Map segregation of duties rules to live SaaS entitlements: Define SoD policy against current application roles and permission combinations, then re-check the mappings whenever the SaaS estate changes. This prevents hidden access conflicts from surviving in business-critical systems and supports cleaner audit evidence.
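The Technical breakdown above and the four practitioner points describe one reconciliation procedure: merge discovery feeds into a single register, then use it to find shadow apps, orphaned access after offboarding, unowned (likely non-human) identities, stale entitlements for review, and cross-app SoD conflicts. The script below is an added example written for this summary; it is not Zluri's or KuppingerCole's code and does not call any product API. Every application, user, role, login date, the 90-day staleness threshold and the SoD conflict pair are constructed sample values, and the finding categories are the editor's own naming.

```python
"""Reconcile SaaS discovery data into one register and flag governance findings.

Added example, not Zluri's or KuppingerCole's code. All application names,
identities, roles and dates are constructed sample data; the staleness
threshold and the SoD conflict pair are hypothetical policy values.
"""
from datetime import date, timedelta

TODAY = date(2026, 1, 14)          # fixed so the example is deterministic
STALE_AFTER = timedelta(days=90)   # hypothetical review threshold

# Governance intake register (constructed): apps with a named owner.
APP_REGISTER = {
    "crm": "sales-ops@example.com",
    "payables": "finance@example.com",
    "vendor-portal": "finance@example.com",
}

# HR system of record (constructed): employment status per identity.
HR_ROSTER = {
    "alice@example.com": "active",
    "bob@example.com": "terminated",
    "carol@example.com": "active",
}

# SSO / IdP app assignments (constructed): app -> assigned users.
SSO_ASSIGNMENTS = {
    "crm": {"alice@example.com", "bob@example.com"},
    "payables": {"carol@example.com"},
    "design-tool": {"alice@example.com"},      # never went through intake
}

# Per-app entitlement exports (constructed): app -> user -> (roles, last_login).
SAAS_ENTITLEMENTS = {
    "crm": {
        "alice@example.com": ({"sales:rep"}, date(2026, 1, 10)),
        "bob@example.com": ({"sales:admin"}, date(2025, 6, 1)),
    },
    "payables": {
        "carol@example.com": ({"payables:approver"}, date(2026, 1, 12)),
        "svc-erp-sync@example.com": ({"payables:admin"}, date(2026, 1, 13)),
    },
    "vendor-portal": {
        "carol@example.com": ({"vendors:editor"}, date(2025, 9, 1)),
    },
}

# Hypothetical SoD policy: role combinations one identity must not hold across apps.
SOD_CONFLICTS = {frozenset({"payables:approver", "vendors:editor"})}


def build_inventory(sso=SSO_ASSIGNMENTS, exports=SAAS_ENTITLEMENTS):
    """Merge SSO assignments and SaaS exports into one app -> user -> entry view."""
    inventory = {}
    for app, users in sso.items():
        for user in users:
            inventory.setdefault(app, {}).setdefault(
                user, {"roles": set(), "last_login": None})
    for app, users in exports.items():
        for user, (roles, last_login) in users.items():
            entry = inventory.setdefault(app, {}).setdefault(
                user, {"roles": set(), "last_login": None})
            entry["roles"] |= roles
            entry["last_login"] = last_login
    return inventory


def find_findings(inventory, today=TODAY):
    """Run the governance checks over the merged inventory and return findings."""
    findings = {"shadow_apps": set(), "orphaned": set(), "unowned_identities": set(),
                "stale": set(), "sod_conflicts": set()}
    roles_by_user = {}
    for app, users in inventory.items():
        if app not in APP_REGISTER:                       # seen in discovery, never onboarded
            findings["shadow_apps"].add(app)
        for user, entry in users.items():
            status = HR_ROSTER.get(user)
            if status is None:                            # no HR record: unowned, possibly an NHI
                findings["unowned_identities"].add((app, user))
            elif status == "terminated":                  # offboarding missed this system
                findings["orphaned"].add((app, user))
            last_login = entry["last_login"]
            if last_login is not None and today - last_login > STALE_AFTER:
                findings["stale"].add((app, user))        # candidate for review / revocation
            roles_by_user.setdefault(user, set()).update(entry["roles"])
    for user, roles in roles_by_user.items():             # SoD is checked across all apps
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings["sod_conflicts"].add((user, tuple(sorted(pair))))
    return findings


if __name__ == "__main__":
    for category, items in find_findings(build_inventory()).items():
        print(f"{category}: {sorted(items)}")
```

The SoD check deliberately runs on the union of a user's roles across every app, because the conflict here (approving payables while editing vendor records) only appears when the two application exports are joined. Identities with no HR record are reported separately rather than treated as leavers, since service accounts need an owner assigned, not automatic deprovisioning.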

Key takeaways

  • SaaS governance fails when discovery, access control, and lifecycle management live in separate processes.
  • The scale problem is entitlement drift, which grows as shadow IT, app sprawl, and stale access outpace review cycles.
  • Teams should anchor SaaS control to a trusted inventory, then automate onboarding, offboarding, and reviews from that source.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | SaaS access governance depends on knowing who and what can access applications.
NIST CSF 2.0 | PR.AC-4 | Least privilege and access management are central to SaaS entitlement control.
NIST CSF 2.0 | PR.IP-1 | Lifecycle processes are needed to keep SaaS onboarding and offboarding repeatable.

Standardise joiner-mover-leaver workflows so SaaS provisioning and deprovisioning stay auditable.


Key terms

  • SaaS entitlement drift: The gap between the access users retain across SaaS applications and the access the business can still justify. It appears when apps are added without governance intake, roles change faster than reviews, or offboarding misses systems. The result is excess access that becomes harder to certify over time.
  • Shadow IT: Software or services used without formal approval or visibility from the organisation’s control functions. In identity governance, shadow IT matters because it creates applications, users, and entitlements that do not enter normal onboarding, review, and deprovisioning workflows, leaving control gaps and audit blind spots.
  • Access review: A governance process where an owner confirms whether a user’s existing permissions are still appropriate. For SaaS estates, the review is only useful when it is backed by current entitlement data, application usage context, and a clear path to revoke access that is no longer justified.

Deepen your knowledge

SaaS lifecycle governance, discovery-led access control, and entitlement review are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance model across SaaS, human, and non-human access, it is worth exploring.

This post draws on content published by Zluri: a summary of KuppingerCole's executive view on Zluri's SMP and IGA. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org