TL;DR: Six common SaaS management mistakes, from spreadsheet tracking and legacy SAM reliance to manual provisioning, weaken visibility, compliance, and access control in environments averaging 1,250 SaaS applications, according to Zluri. The real risk is not spend inefficiency but unmanaged identity and governance drift across apps and users.
At a glance
What this is: This is a SaaS governance analysis that shows how manual tracking, legacy tools, weak procurement controls, and manual provisioning create visibility and access gaps across enterprise applications.
Why it matters: It matters because SaaS sprawl is now an identity problem as much as a procurement problem, affecting NHI, human access, offboarding, and compliance workflows.
By the numbers:
- An average mid-size business uses 1,250 SaaS applications.
- 75% of those with Flexera paid $3M-$10M in audit fees in just the past year.
- With its 9 discovery methods and the largest app library, consisting of over 225k apps, Zluri discovers 100% of SaaS apps used in your organization.
- Only 20% said their focus is security, risk, and governance.
👉 Read Zluri's blog on the six SaaS management mistakes to avoid
Context
SaaS management is not just a software inventory exercise. In identity terms, it is the discipline of knowing which applications exist, who can access them, how those entitlements are granted, and when they are revoked.
The article’s core claim is that visibility gaps, spreadsheet tracking, legacy asset tools, and manual provisioning create compounding governance risk. For IAM and IGA teams, the issue is broader than spend control because unmanaged SaaS quickly becomes unmanaged identity surface area.
When app ownership, procurement, and access administration are disconnected, organisations lose the ability to enforce lifecycle controls consistently. That makes shadow IT, excess access, and compliance failures more likely even when the organisation believes it has basic control in place.
Key questions
Q: How should security teams govern SaaS applications across the identity lifecycle?
A: Security teams should govern SaaS as part of identity lifecycle management, not as a separate procurement exercise. That means discovering every app, assigning ownership, reviewing entitlements regularly, and automating joiner-mover-leaver actions so access is granted and removed consistently across the SaaS estate.
Q: Why do spreadsheets fail as a control for SaaS governance?
A: Spreadsheets fail because they cannot keep pace with frequent application changes, entitlement movement, and ownership shifts. They create an inventory that looks complete but is already stale, which undermines access reviews, compliance checks, and offboarding decisions.
Q: What do organisations get wrong about SAM and CASB for SaaS control?
A: They assume tools built for software counting or cloud monitoring can replace identity governance. In practice, SAM and CASB provide partial visibility, but they do not fully manage application entitlements, revocation, or lifecycle accountability across SaaS.
Q: Who should be accountable when SaaS access is not removed after offboarding?
A: Accountability should sit with the organisation that owns identity governance for the application, not only with the hiring manager or procurement team. If access remains active after offboarding, the failure is usually a missing lifecycle control and unclear ownership across HR, IT, and application administration.
Technical breakdown
Why spreadsheets fail for SaaS inventory control
Spreadsheets break down when SaaS environments become too dynamic for manual reconciliation. Application counts change, subscriptions rotate, and ownership shifts faster than human update cycles can keep up. In governance terms, the inventory is only as reliable as the last manual edit, which means the source of truth is always stale somewhere. Once that happens, access reviews, procurement checks, and license rationalisation all inherit the same error. Practical implication: treat spreadsheets as a temporary intake tool, not the system of record for SaaS governance.
Practical implication: move SaaS inventory into an automated discovery and ownership model before access and compliance decisions depend on stale data.
Why legacy SAM and CASB tools miss SaaS access risk
Traditional SAM tools were built to count installations and licence metrics, not to govern cloud subscriptions, user entitlements, or application-level access. CASB tools improve visibility into certain cloud activities, but they do not provide full identity context or reliable access control across the SaaS estate. That creates a false sense of coverage because the organisation can see some usage while still lacking control over who is entitled to what. Practical implication: separate license accounting from identity governance and use the right control plane for each.
Practical implication: do not assume on-prem software controls or limited cloud monitoring can replace SaaS entitlement governance.
How manual provisioning creates excess access and offboarding gaps
Manual provisioning and deprovisioning introduce two linked failures: over-entitlement at join time and residual access at exit time. When administrators grant access by hand, they often provision more than the user needs because they lack full context on role, app ownership, and downstream dependencies. During offboarding, missed revocations leave accounts active long after employment ends, which turns SaaS into a persistence layer for unauthorised access. Practical implication: automate joiner, mover, and leaver processes across SaaS applications, especially where data exposure or licence consumption is material.
Practical implication: prioritise automated deprovisioning and entitlement checks for applications that hold sensitive data or privileged access.
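The three failure modes above (stale inventory, partial tool coverage, and manual provisioning that leaves orphaned or excess access) all show up as the same thing in data: a gap between the authoritative identity source and what the SaaS exports say users can reach. As an added example, not code from the article or from Zluri, the Python below reconciles constructed entitlement exports against a constructed HR directory, role baseline and app inventory, and expresses the result as a drift metric. The role baseline, the owner field, and all user, app and team names are assumptions.

```python
"""Reconcile SaaS entitlement exports against the authoritative identity
source and the app inventory to surface entitlement drift.
Added example with constructed data; not code from the article or Zluri."""
from collections import defaultdict

# Constructed HR directory: the authoritative source for who exists and their status.
HR_DIRECTORY = {
    "alice": {"status": "active", "role": "engineer"},
    "bob": {"status": "active", "role": "finance"},
    "carol": {"status": "terminated", "role": "engineer"},
}

# Constructed role baseline (assumed): the apps each role is expected to hold.
ROLE_BASELINE = {
    "engineer": {"github", "jira"},
    "finance": {"netsuite", "jira"},
}

# Constructed SaaS inventory: what the organisation believes it has, with owners.
INVENTORY = {
    "github": {"owner": "eng-platform"},
    "jira": {"owner": "it-apps"},
    "netsuite": {"owner": None},  # registered, but nobody is accountable for it
}

# Constructed per-app entitlement exports: what users can actually access.
APP_EXPORTS = {
    "github": ["alice", "carol", "svc-deploy"],  # carol has left; svc-deploy is not in HR
    "jira": ["alice", "bob"],
    "netsuite": ["bob", "alice"],                # alice is an engineer: excess access
    "notion": ["bob"],                           # not in the inventory at all
}


def reconcile(hr, baseline, inventory, exports):
    """Return drift findings as (kind, app, user) tuples.

    kinds: unowned_app, unregistered_app, unknown_identity,
           orphaned_account, excess_entitlement
    """
    findings = []
    for app, meta in inventory.items():
        if not meta.get("owner"):
            findings.append(("unowned_app", app, None))
    for app, users in exports.items():
        if app not in inventory:
            findings.append(("unregistered_app", app, None))
        for user in users:
            record = hr.get(user)
            if record is None:
                # Entitlement with no identity in the authoritative source.
                findings.append(("unknown_identity", app, user))
            elif record["status"] != "active":
                # Offboarding gap: the account outlived the employment relationship.
                findings.append(("orphaned_account", app, user))
            elif app not in baseline.get(record["role"], set()):
                # Over-entitlement relative to the role baseline.
                findings.append(("excess_entitlement", app, user))
    return findings


def drift_metrics(findings, exports):
    """Express drift as a governance metric: drifted entitlements over all entitlements."""
    total = sum(len(users) for users in exports.values())
    by_kind = defaultdict(int)
    for kind, _, _ in findings:
        by_kind[kind] += 1
    drifted = (by_kind["orphaned_account"] + by_kind["excess_entitlement"]
               + by_kind["unknown_identity"])
    return {
        "total_entitlements": total,
        "drifted_entitlements": drifted,
        "drift_ratio": round(drifted / total, 3) if total else 0.0,
        "by_kind": dict(by_kind),
    }


if __name__ == "__main__":
    found = reconcile(HR_DIRECTORY, ROLE_BASELINE, INVENTORY, APP_EXPORTS)
    for kind, app, user in found:
        print(f"{kind:20} app={app:10} user={user}")
    print(drift_metrics(found, APP_EXPORTS))
```

Run against real data, the three inputs would come from the HR system, the SaaS discovery tool and each application's user export; the point of the structure is that every finding names the control that failed (ownership, inventory, offboarding or role baseline), so the drift ratio can be tracked per application over time rather than fixed once.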
NHI Mgmt Group analysis
SaaS management is identity governance, not just spend management. The article is right to separate cost optimisation from operational control because the real failure mode is unmanaged access across an expanding application estate. Once SaaS becomes employee-led procurement, identity teams lose the ability to enforce application ownership, entitlement review, and offboarding discipline consistently. The implication is that SaaS should be treated as part of the identity control plane, not only the finance process.
Spreadsheet governance creates an identity blind spot at scale. Manual tracking cannot keep pace with frequent application churn, subscription movement, and user entitlement changes. That makes the inventory unreliable before any access decision is even made, which is why downstream controls like recertification and vendor risk review start from bad data. Practitioners should read spreadsheet reliance as a control weakness, not an operational shortcut.
Legacy SAM and CASB tools do not close the SaaS entitlement gap. SAM counts software; CASB observes some cloud behaviour; neither fully governs who should have access to which SaaS apps across the lifecycle. That matters because the control failure is not just visibility, but the lack of authoritative entitlement context. For identity programmes, the lesson is to align each tool to the governance job it can actually perform.
Manual provisioning and offboarding are lifecycle failures that turn SaaS into shadow identity infrastructure. The article’s most important warning is that accounts left active after exit or provisioned too broadly at join time become recurring access debt. That debt accumulates into audit exposure, data access risk, and shadow IT. The implication is that lifecycle governance has to operate across the whole SaaS stack, not only the core directory.
Access ownership must follow application ownership. Procurement controls, data policy, and access governance are usually managed by different teams, but the article shows why that separation weakens accountability. A SaaS estate without clear ownership boundaries cannot reliably answer who approved an app, who can use it, or who removes access when conditions change. Practitioners should use this as a prompt to align app ownership, entitlement ownership, and offboarding ownership.
From our research:
- Only 20% said their focus is security, risk, and governance, according to The State of Non-Human Identity Security.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- For a deeper lifecycle view, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding discipline.
What this signals
Access governance is becoming the operating layer for SaaS control. As application counts rise, the programme signal to watch is whether ownership, discovery, and offboarding are being managed as one workflow or three disconnected tasks. Teams that still rely on manual inventories will struggle to keep pace with application churn and entitlement drift.
SaaS sprawl now behaves like shadow identity sprawl. When an application can be procured without a formal control path, the result is not only spend waste but also access that bypasses lifecycle review and revocation discipline. For practitioners, the practical next step is to link procurement approval, identity ownership, and access removal into the same governance chain.
The article’s strongest named concept is inventory-to-entitlement drift, meaning the gap between what the organisation believes it has and what users can actually access. That gap widens fastest when inventory is manually maintained and entitlement changes are not tied to authoritative identity events. The programme response is to treat drift as a governance metric, not an administrative nuisance.
For practitioners
- Replace spreadsheet inventory with automated discovery: Use discovery methods that reconcile application ownership, active users, and subscription status continuously so access and procurement decisions are based on current data, not manual updates.
- Separate licence management from entitlement governance: Keep SAM and CASB outputs for what they do well, but establish a SaaS governance process that owns application access, user entitlement review, and revocation decisions.
- Automate joiner-mover-leaver workflows across SaaS apps: Trigger provisioning and deprovisioning from authoritative identity events so account creation, access changes, and removal happen consistently across high-risk applications.
- Formalise SaaS procurement approval criteria: Require data security, privacy, retention, and acceptable use review before new apps are purchased so procurement does not create unmanaged identity and compliance exposure.
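As an added example of the joiner-mover-leaver automation recommended above, and of the later check that revocation is actually tied to lifecycle events, the Python below replays a constructed event stream through a small lifecycle engine and then audits the result. It is not code from the article or from Zluri; the role-to-app baseline, the 24-hour revocation SLA, the event shape (an HR effective time plus an optional time the change was actually processed) and all user and app names are assumptions.

```python
"""Event-driven joiner/mover/leaver handling for SaaS accounts, with a check
that access is only granted and revoked by authoritative identity events.
Added example with constructed data; not code from the article or Zluri."""
from dataclasses import dataclass, field

# Constructed role-to-app baseline (assumed).
ROLE_APPS = {
    "engineer": {"github", "jira"},
    "finance": {"netsuite", "jira"},
}
REVOCATION_SLA_HOURS = 24  # assumed policy value, not from the article


@dataclass
class LifecycleEngine:
    role_apps: dict
    state: dict = field(default_factory=dict)  # user -> set of apps currently granted
    audit: list = field(default_factory=list)  # (acted_at, action, user, app, source)

    def _set_target(self, user, target, acted_at, source):
        """Converge the user's access on the target set, recording every change."""
        current = self.state.get(user, set())
        for app in sorted(target - current):
            self.audit.append((acted_at, "grant", user, app, source))
        for app in sorted(current - target):
            self.audit.append((acted_at, "revoke", user, app, source))
        self.state[user] = set(target)

    def handle(self, event):
        """Apply one event. ts is the effective time from the HR source; processed_ts
        (optional) is when the change was actually made. Times are in hours."""
        kind, user, effective = event["kind"], event["user"], event["ts"]
        acted_at = event.get("processed_ts", effective)
        if kind in ("joiner", "mover"):
            target = self.role_apps[event["role"]]
        elif kind == "leaver":
            target = set()
        elif kind == "manual_grant":
            # Out-of-band admin action: no authoritative identity event backs it.
            self.state.setdefault(user, set()).add(event["app"])
            self.audit.append((acted_at, "grant", user, event["app"], "manual"))
            return
        else:
            raise ValueError(f"unknown event kind: {kind}")
        self._set_target(user, target, acted_at, f"{kind}@{effective}")


def verify_lifecycle(engine, events, sla_hours=REVOCATION_SLA_HOURS):
    """Flag access that survived exit, leaver revocations made later than the SLA
    after the effective time, and grants with no authoritative source event."""
    issues = []
    for ev in (e for e in events if e["kind"] == "leaver"):
        user, effective = ev["user"], ev["ts"]
        if engine.state.get(user):
            issues.append(("access_after_exit", user, tuple(sorted(engine.state[user]))))
        for acted_at, action, u, app, source in engine.audit:
            if (u == user and action == "revoke" and source.startswith("leaver")
                    and acted_at - effective > sla_hours):
                issues.append(("late_revocation", user, app))
    for _, action, user, app, source in engine.audit:
        if action == "grant" and source == "manual":
            issues.append(("unsourced_grant", user, app))
    return issues


# Constructed event stream, in processing order.
EVENTS = [
    {"kind": "joiner", "user": "alice", "role": "engineer", "ts": 0},
    {"kind": "joiner", "user": "carol", "role": "engineer", "ts": 0},
    {"kind": "joiner", "user": "dave", "role": "finance", "ts": 0},
    {"kind": "manual_grant", "user": "alice", "app": "netsuite", "ts": 10},
    {"kind": "mover", "user": "alice", "role": "finance", "ts": 20},
    {"kind": "leaver", "user": "carol", "ts": 100},
    {"kind": "leaver", "user": "dave", "ts": 100, "processed_ts": 150},  # handled late
    {"kind": "manual_grant", "user": "carol", "app": "github", "ts": 110},  # re-enabled after exit
]


def run_scenario(events=EVENTS):
    engine = LifecycleEngine(ROLE_APPS)
    for ev in events:
        engine.handle(ev)
    return engine, verify_lifecycle(engine, events)


if __name__ == "__main__":
    eng, issues = run_scenario()
    for entry in eng.audit:
        print("audit", entry)
    for issue in issues:
        print("issue", issue)
```

Two design points are worth noting. The mover event for alice removes the github access her old role justified but keeps the netsuite access because it now matches the finance baseline; since the audit trail records the source at grant time, that entitlement still surfaces as an unsourced grant, which is the conservative reading (a stricter engine would re-attribute it to the mover event). And the late revocation for dave is detected only because the event carries both the HR effective time and the processing time, which is the minimum an audit needs to show that removal was tied to the lifecycle event rather than to whenever an administrator got to it.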
Key takeaways
- The central risk is not SaaS spend alone but the identity and governance blind spots created by incomplete visibility and manual control.
- The article’s evidence shows that large SaaS estates, legacy tool limitations, and manual provisioning combine to create real audit, access, and offboarding exposure.
- The most effective response is to automate discovery, entitlement governance, and lifecycle revocation across the SaaS stack.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | SaaS entitlements and offboarding are core access control issues. |
| NIST CSF 2.0 | ID.AM-1 | The article centres on maintaining an accurate inventory of applications. |
| NIST SP 800-63 | | Identity lifecycle and account proofing matter when SaaS access is manually assigned. |
Map SaaS entitlements to PR.AC-4 and verify revocation is tied to lifecycle events.
Key terms
- SaaS governance: SaaS governance is the set of controls that decide which applications may be used, who owns them, how access is granted, and when access is removed. It combines procurement, identity lifecycle, security review, and compliance oversight so application sprawl does not become unmanaged risk.
- Entitlement drift: Entitlement drift is the gap between the access an organisation expects users to have and the access they actually retain over time. It usually appears when provisioning, changes, and offboarding are handled manually or in separate systems, leaving access rights stale, excessive, or undiscovered.
- Shadow IT: Shadow IT is the use of applications or services without formal approval or visibility from the teams responsible for governance and security. In SaaS environments, it often emerges when employees can procure tools directly, bypassing inventory, policy review, and lifecycle controls.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: 6 SaaS Management Mistakes to Avoid. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org