By NHI Mgmt Group Editorial Team
Published 2025-12-24
Domain: Governance & Risk
Source: Zluri

TL;DR: SaaS management tools are being positioned as a way to discover shadow IT, track app usage, and automate onboarding and offboarding across SaaS estates, according to Zluri. The real governance issue is that app visibility and access control still break down when identities, contracts, and approvals are spread across too many systems.


At a glance

What this is: This is a SaaS management comparison piece that argues visibility, access control, and lifecycle automation are the core problems in sprawling SaaS estates.

Why it matters: It matters because SaaS sprawl is an identity governance problem as much as a software spending problem, affecting NHI, human access, and lifecycle controls across the stack.



Context

SaaS management is the operational layer that helps organisations discover applications, control access, track usage, and reduce shadow IT across tools such as Google Workspace, Microsoft 365, Slack, and Salesforce. In identity terms, the problem is not just spend control. It is whether teams can see which human and non-human identities are using which apps, and whether onboarding, offboarding, and approvals are actually governed.

This article compares several SaaS management platforms, but the deeper pattern is familiar: once SaaS estates spread across finance, SSO, browser, and API signals, ownership becomes fragmented. That fragmentation makes it harder to enforce lifecycle discipline, review access consistently, and retire unused access before it becomes residual risk. For organisations with large SaaS footprints, the governance gap is often bigger than the tool gap.


Key questions

Q: How should teams govern SaaS sprawl without losing access visibility?

A: Start by building a single inventory that merges SSO, finance, API, and browser discovery into one ownership model. Then tie each application to a business owner, lifecycle event, and renewal decision. If the organisation cannot answer who owns an app and why it still exists, it does not really control it.

Q: Why do SaaS management tools matter to identity governance programmes?

A: They expose the application layer where identities are granted, used, and often left behind. That makes them useful for access reviews, offboarding, and entitlement cleanup, especially when shadow IT hides in approved platforms. SaaS management becomes identity governance when it links visibility to revocation.

Q: What breaks when onboarding and offboarding are handled separately from SaaS administration?

A: Accounts and permissions remain active after users move roles, leave teams, or stop using an application. That creates residual access, renewal waste, and unclear accountability. Lifecycle processes have to drive SaaS administration, not sit beside it, or the organisation keeps paying for access it no longer needs.

Q: How do you know whether SaaS visibility is actually improving control?

A: Look for fewer orphaned apps, faster removal of unused licenses, cleaner ownership records, and consistent revocation at leaver events. If reporting improves but stale access remains, the programme is measuring inventory rather than control.


Technical breakdown

SaaS discovery depends on multiple identity signals

Modern SaaS discovery usually combines SSO data, finance and expense systems, direct APIs, and endpoint or browser signals. No single source gives a complete picture because sanctioned apps, shadow IT, and free or unsanctioned tools often appear in different places. The technical challenge is correlation, not just collection. Teams have to reconcile user activity, application ownership, and subscription data before they can govern access or usage effectively.

Practical implication: treat SaaS discovery as an identity correlation problem, not a license inventory exercise.

Onboarding and offboarding are lifecycle controls, not admin tasks

SaaS platforms often promise automated onboarding and offboarding, but the governance value comes from linking those workflows to identity lifecycle events. Joiner, mover, and leaver processes must remove application access, revoke entitlements, and close dormant accounts across all connected systems. If approvals, contracts, and access reviews sit in separate workflows, the organisation can still end up with valid access after the business relationship has changed.

Practical implication: connect SaaS administration to joiner-mover-leaver governance so access does not outlive the user or contract.

Usage visibility is the control plane for SaaS rationalisation

Usage monitoring tells teams which applications are active, underused, duplicate, or unsupported by clear business ownership. That matters because app consolidation and licence optimisation only work when usage data is reliable enough to guide deprovisioning and renewal decisions. Without that visibility, organisations renew on assumption, keep redundant tools in circulation, and lose the ability to distinguish strategic platforms from accidental sprawl.

Practical implication: use usage telemetry to drive renewal, consolidation, and decommissioning decisions instead of relying on static inventory.



NHI Mgmt Group analysis

Shadow SaaS is an identity governance problem before it is a software problem. When organisations cannot see which apps are in use, they also cannot reliably govern who has access, how that access was granted, or when it should be removed. That makes SaaS discovery a prerequisite for lifecycle control, not a reporting feature. Practitioners should treat hidden applications as hidden identities in disguise.

Lifecycle drift is the real failure mode behind SaaS sprawl. The article repeatedly points to onboarding, offboarding, approvals, and renewal decisions, which means the underlying issue is not only discovery but failure to bind access to a governed lifecycle. When business units can keep adding tools without strong ownership, access and spend both become residual byproducts. The implication is that SaaS governance must be tied to access certification and offboarding discipline, not only procurement.

Visibility without accountability creates a false sense of control. Many SaaS management tools can show usage, contracts, and app counts, but those signals do not by themselves tell you whether access is still legitimate. A platform can surface sprawl while leaving stale entitlements untouched. Practitioners should view reporting as evidence of exposure, not proof of remediation.

Access control in SaaS estates is converging with broader identity governance. The same lifecycle questions that apply to human users also apply to service accounts, tokens, and delegated app access in connected SaaS environments. As more business processes depend on SaaS integrations, the governance model has to extend beyond seat management into permission scope, offboarding, and revocation control. Teams that keep those domains separate will keep missing the full access picture.

Application rationalisation now doubles as attack-surface reduction. Every redundant or unmanaged SaaS app expands the number of identities, approvals, and integration points that need governance. That is why app consolidation is not just a cost conversation. It is a control conversation, and practitioners should make access scope and lifecycle ownership part of every consolidation decision.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
  • For lifecycle context: review the NHI Lifecycle Management Guide for provisioning, rotation, and offboarding patterns that reduce residual access.

What this signals

Shadow SaaS will keep collapsing the boundary between software sprawl and identity sprawl. The more discovery depends on fragmented signals, the more organisations need a governed ownership model that links app inventory to access review and offboarding. With only 5.7% of organisations having full visibility into their service accounts, the control problem is not theoretical. Teams should expect more pressure to unify SaaS, IAM, and lifecycle workflows rather than treating them as separate programmes.

Licence optimisation is becoming a proxy for access governance maturity. If a platform can identify unused tools but cannot show timely revocation, the programme is still partial. The practical shift is toward evidence of control, not just evidence of inventory, and that means ownership, renewal, and removal workflows need to be auditable end to end.

As SaaS estates expand, the governance question shifts from discovery to accountability. Organisations will need to prove who approved each app, who maintains it, and how access is removed when business need changes. That is where lifecycle discipline, not dashboard breadth, becomes the differentiator.


For practitioners

  • Map all SaaS discovery sources to one ownership model: Reconcile SSO, finance, API, browser, and desktop discovery into one inventory with a named business owner for each app. Without ownership, visibility cannot turn into remediation or access review.
  • Tie onboarding and offboarding to lifecycle events: Connect joiner, mover, and leaver workflows to SaaS deprovisioning so access revocation happens when the role changes, the contract ends, or the app is retired.
  • Use usage data to drive renewal decisions: Review active usage before renewing SaaS licenses, then remove duplicate, underused, or orphaned apps from the renewal queue. This reduces both spend and unmanaged access surface.
  • Review delegated and third-party access separately: Separate human seat management from OAuth app access and other delegated permissions so service-level access is not hidden inside a SaaS inventory report.
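As an added example (not Zluri's or NHIMG's code) of the correlation and lifecycle checks described in the technical breakdown and the practitioner checklist above: it merges SSO, finance, browser and OAuth discovery into one app-keyed inventory, keeps delegated grants apart from human seats, and derives the control signals the text names (orphaned apps, access held by leavers, unused access, grants approved by someone who has left). All records, field layouts and the 90-day unused threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample signals (not real data); field layouts are assumptions.
TODAY = date(2025, 12, 24)
UNUSED_AFTER_DAYS = 90
SSO = [("Slack", "alice"), ("Slack", "bob"), ("Salesforce", "bob")]
FINANCE = [("Slack", "alice"), ("Notion", "carol"), ("Zoom", "dave")]
BROWSER = [("Notion", "carol"), ("Trello", "erin")]       # shadow IT surfaces here
OAUTH = [("Salesforce", "reporting-bot", "bob")]           # (app, client, granted_by)
OWNERS = {"Slack": "it-ops", "Salesforce": "sales-ops", "Notion": "product"}
HR_LEFT = {"bob"}                                          # leaver event recorded in HR
LAST_SEEN = {
    ("Slack", "alice"): date(2025, 12, 20), ("Slack", "bob"): date(2025, 6, 1),
    ("Salesforce", "bob"): date(2025, 12, 1), ("Notion", "carol"): date(2025, 12, 22),
    ("Zoom", "dave"): date(2025, 3, 2), ("Trello", "erin"): date(2025, 12, 23),
}

def build_inventory():
    """Merge all signals per app; human seats in "users", OAuth grants kept separate."""
    inv = defaultdict(lambda: {"sources": set(), "users": set(), "grants": []})
    for label, rows in (("sso", SSO), ("finance", FINANCE), ("browser", BROWSER)):
        for app, user in rows:
            inv[app]["sources"].add(label)
            inv[app]["users"].add(user)
    for app, client, granted_by in OAUTH:
        inv[app]["sources"].add("oauth")
        inv[app]["grants"].append((client, granted_by))
    return dict(inv)

def control_findings(inv):
    """Derive the control signals the text asks for from the merged inventory."""
    f = {"orphaned_apps": [], "stale_access": [], "unused_access": [], "orphaned_grants": []}
    for app, rec in sorted(inv.items()):
        if app not in OWNERS:                      # visible but nobody accountable
            f["orphaned_apps"].append(app)
        for user in sorted(rec["users"]):
            if user in HR_LEFT:                    # leaver event must win over "still used"
                f["stale_access"].append((app, user))
            elif (TODAY - LAST_SEEN.get((app, user), date.min)).days > UNUSED_AFTER_DAYS:
                f["unused_access"].append((app, user))
        for client, granted_by in rec["grants"]:
            if granted_by in HR_LEFT:              # grant outlives the person who approved it
                f["orphaned_grants"].append((app, client))
    return f

if __name__ == "__main__":
    for kind, items in control_findings(build_inventory()).items():
        print(f"{kind}: {items}")
```

Note that bob's Slack seat is reported as stale (leaver) rather than merely unused, so revocation is driven by the HR event, not by activity data alone.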

Key takeaways

  • SaaS management is ultimately an identity governance problem because discovery, access, and lifecycle control all have to line up.
  • Visibility alone does not equal control, especially when shadow IT and delegated access can outlive ownership.
  • The operational priority is to bind app inventory, offboarding, and renewal decisions into one auditable workflow.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | SaaS sprawl often hides stale credentials and unmanaged access paths.
NIST CSF 2.0 | PR.AC-4 | Access management and least privilege apply to SaaS account governance and revocation.
NIST Zero Trust (SP 800-207) | | Continuous verification is relevant when SaaS access spans multiple discovery and admin channels.

Apply zero trust principles so SaaS access is continuously evaluated, not assumed persistent.


Key terms

  • Shadow IT: Shadow IT is software or SaaS used without formal approval, security review, or lifecycle oversight. In identity terms, it creates unseen access paths that bypass onboarding, offboarding, and certification processes, leaving the organisation unable to prove who has access or why it remains valid.
  • SaaS Discovery: SaaS discovery is the process of identifying which applications are in use and how they are being accessed across an organisation. Effective discovery correlates multiple signals such as SSO, finance, browser, API, and endpoint data to build a governable application inventory.
  • Lifecycle Governance: Lifecycle governance is the discipline of managing identities and entitlements from joiner through mover to leaver states. For SaaS, it means tying application access, approvals, and revocation to business events so permissions do not persist beyond their intended purpose.
  • Delegated Access: Delegated access is permission granted indirectly through an app, integration, or token rather than a direct human login. It is common in SaaS ecosystems and must be governed separately because it can remain active even when the original business owner changes or leaves.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: SaaS Management Best Alternatives to Intello in 2026. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org