TL;DR: SaaS management platforms are moving beyond inventory toward action, with Zluri describing discovery across 239,000+ apps, automated license reclamation, and real-time governance for shadow AI and inactive accounts. The governance shift is less about finding more SaaS and more about tying usage, access, and deprovisioning into one control plane.
At a glance
What this is: This is a vendor comparison guide that argues modern SaaS management has to connect discovery, usage, spend, and access governance in one control plane.
Why it matters: It matters because SaaS sprawl, shadow AI, and stale access all map directly to identity governance, making the SaaS stack a live NHI and human access risk rather than a simple finance problem.
By the numbers:
- According to the article, Zluri offers over 300 integrations to improve the accuracy of license usage data.
👉 Read Zluri's guide to the top 20 SaaS management platforms in 2026
Context
SaaS management is the discipline of discovering, governing, and rightsizing software across the business. In this article, the central problem is not inventory alone but the gap between seeing an app and knowing whether access, usage, and spend are still justified.
That gap matters because SaaS environments increasingly contain shadow IT, dormant accounts, and unmanaged AI apps. For identity teams, the issue is lifecycle control: who gets access, who still needs it, and what should happen when usage drops or risk changes.
Key questions
Q: How should security teams govern SaaS sprawl without losing visibility?
A: Security teams should connect discovery, usage, and access data before making governance decisions. A useful SaaS programme does not stop at app inventory. It links sanctioned status, active use, permission level, and offboarding so that dormant or risky access can be reviewed and removed with evidence.
Q: Why do shadow AI apps create identity governance risk?
A: Shadow AI creates risk because the application can be adopted outside approved procurement and still move sensitive data. That means identity teams need to know who is using the tool, whether the use is authorised, and whether the session should be blocked, monitored, or reviewed.
Q: When should organisations reclaim SaaS licenses instead of waiting for renewal?
A: Organisations should reclaim licenses when usage drops below the policy threshold, not when the contract date arrives. Waiting for renewal turns rightsizing into a budget exercise instead of an identity and access control decision, and it leaves dormant entitlements active longer than necessary.
Q: What is the difference between SaaS inventory and SaaS governance?
A: SaaS inventory tells you what exists. SaaS governance tells you whether the app is sanctioned, who is using it, whether access is still justified, and what action should follow. Governance is the operational layer that turns visibility into recertification, deprovisioning, and spend control.
Technical breakdown
SaaS discovery is a multi-source identity problem
Modern SaaS discovery is not a single scan. It combines API integrations, SSO data, browser activity, and financial system signals to infer which apps exist, who uses them, and whether they are sanctioned. That matters because no single source is complete: SSO misses direct logins, finance misses free tools, and browser telemetry may reveal shadow AI that never touches identity systems. The technical challenge is correlation, not listing. A usable SaaS map requires app classification, account context, and usage evidence in one model.
Practical implication: teams should correlate discovery sources before making access, spend, or offboarding decisions.
License optimisation depends on usage thresholds, not renewal dates
License optimisation becomes meaningful only when the platform can measure actual use and act on it. The article describes automated reclamation and downgrades driven by configurable thresholds, which shifts the process from calendar-based review to continuous rightsizing. In practice, that means the core control is no longer a quarterly spreadsheet exercise. It is a recurring decision engine that compares active usage, entitlement, and business need, then triggers reclaim, downgrade, or review actions based on policy.
Practical implication: define usage thresholds that trigger reclamation before renewal cycles lock in waste.
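A usage-threshold decision engine of the kind the passage describes, written here as an added example (not Zluri's or the article's code); the thresholds, tier names, the `retained` business-need flag and the reclaim / downgrade / review actions are assumptions to be replaced by an organisation's own policy:

```python
# Usage-threshold rightsizing engine: a constructed example, not Zluri's code.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Entitlement:
    user: str
    app: str
    tier: str                    # licence tier held: "enterprise" or "standard"
    last_active: "date | None"   # None means the seat was never used
    active_days_90: int          # days with activity in the trailing 90 days
    retained: bool = False       # business owner has asserted an ongoing need

@dataclass(frozen=True)
class Policy:
    dormant_days: int = 45   # idle at least this long -> reclaim the seat
    review_days: int = 30    # idle at least this long -> route to access review
    light_use_days: int = 5  # top tier used this little -> downgrade

def decide(e, policy, today):
    """Return 'reclaim', 'downgrade', 'review' or 'keep' for one entitlement."""
    if e.retained:
        return "keep"        # explicit business need overrides usage signals
    if e.last_active is None:
        return "reclaim"
    idle = (today - e.last_active).days
    if idle >= policy.dormant_days:
        return "reclaim"
    if idle >= policy.review_days:
        return "review"
    if e.tier == "enterprise" and e.active_days_90 <= policy.light_use_days:
        return "downgrade"
    return "keep"

def rightsize(entitlements, policy, today):
    # Group by action so each queue can be routed to its own workflow.
    queues = {"reclaim": [], "downgrade": [], "review": [], "keep": []}
    for e in entitlements:
        queues[decide(e, policy, today)].append(f"{e.user}:{e.app}")
    return queues

# Constructed sample data (not real users or usage figures).
TODAY = date(2026, 5, 20)
SAMPLE = [
    Entitlement("bob", "crm", "enterprise", TODAY - timedelta(days=3), 3),
    Entitlement("carol", "crm", "standard", TODAY - timedelta(days=50), 1),
    Entitlement("dave", "design", "standard", None, 0),
    Entitlement("erin", "design", "standard", TODAY - timedelta(days=35), 4),
    Entitlement("frank", "design", "enterprise", TODAY - timedelta(days=60), 0, True),
]
```

Running `rightsize(SAMPLE, Policy(), TODAY)` shows the point of the passage: the same seat lands in a different queue when the threshold changes, not when the renewal date arrives.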
Shadow AI governance extends SaaS control into runtime access
Shadow AI changes the SaaS problem because unmanaged AI apps can move sensitive data even when they are not traditional enterprise software. Zluri frames governance as real-time visibility, monitoring, and policy enforcement for approved and unapproved AI tools. Technically, that is an access-control and telemetry problem: discover the app, identify the user, observe the session, and enforce policy when a restricted tool is accessed. The same logic applies to any SaaS app that can become a data path.
Practical implication: treat AI app discovery as an access governance workflow, not a separate inventory project.
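One block serving both the multi-source discovery passage and the shadow AI passage above, added here as an example rather than code from Zluri or the article: it correlates constructed SSO, finance and browser records into one app-to-evidence model, classifies each app as sanctioned, shadow IT or shadow AI, and returns a session action. The source record shapes, the domain catalogue, the sanctioned and restricted sets and the allow / monitor / review / block vocabulary are all assumptions.

```python
# Multi-source SaaS discovery correlation plus AI-app session policy.
# Constructed example, not Zluri's code: the source records, app catalogue and
# policy vocabulary (allow / monitor / review / block) are all assumptions.
from collections import defaultdict

# Catalogue an identity team would maintain: browser domain -> (app, is_ai_tool).
CATALOGUE = {
    "login.crm.example": ("crm", False),
    "chat.ai-assist.example": ("ai-assist", True),
    "app.ai-draft.example": ("ai-draft", True),
    "notes.example": ("notes", False),
}
AI_APPS = {app for app, is_ai in CATALOGUE.values() if is_ai}
SANCTIONED = {"crm"}        # approved through procurement and security review
RESTRICTED = {"ai-draft"}   # explicitly denied as a data path

# Constructed telemetry from three sources (no real users, vendors or spend).
SSO_EVENTS = [("alice", "crm"), ("bob", "crm")]
FINANCE = [("crm", "invoice"), ("notes", "corporate-card")]
BROWSER = [("carol", "app.ai-draft.example"), ("alice", "chat.ai-assist.example"),
           ("dave", "notes.example")]

def correlate(sso=SSO_EVENTS, finance=FINANCE, browser=BROWSER):
    """Merge SSO, finance and browser signals into one app -> evidence model."""
    apps = defaultdict(lambda: {"users": set(), "sources": set()})
    for user, app in sso:
        apps[app]["users"].add(user)
        apps[app]["sources"].add("sso")
    for app, _channel in finance:
        apps[app]["sources"].add("finance")   # spend proves existence, not who uses it
    for user, domain in browser:
        app, _ = CATALOGUE[domain]
        apps[app]["users"].add(user)
        apps[app]["sources"].add("browser")
    return dict(apps)

def classify(app):
    """Sanctioned status picks the governance lane; AI tools get their own lane."""
    if app in SANCTIONED:
        return "sanctioned"
    return "shadow_ai" if app in AI_APPS else "shadow_it"

def session_policy(app):
    """Action for a live session with this app: block, allow, monitor or review."""
    if app in RESTRICTED:
        return "block"
    kind = classify(app)
    if kind == "sanctioned":
        return "allow"
    return "monitor" if kind == "shadow_ai" else "review"
```

In the sample data both AI tools are visible only through browser telemetry and the expensed note-taking app only through finance and browser, which is the gap an SSO-only inventory would miss.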
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- BeyondTrust API key breach — a compromised BeyondTrust API key led to unauthorised SaaS access.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Visibility without governance is only half a control. The article makes the case that many SaaS management tools still stop at discovery, unused licenses, and renewal reminders. That is useful for spend control, but it leaves identity decisions untouched, especially when access is spread across sanctioned apps, shadow IT, and unmanaged AI tools. The practitioner takeaway is that SaaS management now has to answer who has access, whether that access is still valid, and what happens when it is not.
Shadow AI is the clearest example of SaaS governance expanding into identity governance. When employees independently adopt AI apps, the control problem becomes who can use them, what data they can touch, and whether those sessions are observable. That is an NHI and human IAM issue at the same time, because the software service, the user, and the app policy all matter. Practitioners should treat AI app adoption as an access-risk domain, not just a usage trend.
Lifecycle governance is the named gap this category now exposes. SaaS tools that can connect usage signals to deprovisioning, access reviews, and rightsizing are effectively operating in the lifecycle layer, not just the inventory layer. The issue is whether the organisation can remove access when apps go idle, users leave, or sanctioned status changes. That makes lifecycle offboarding and recertification the practical centre of SaaS governance, not an adjacent process.
Identity blast radius is the right concept for SaaS sprawl. The more apps, accounts, and permissions a platform can reveal, the more quickly a single unmanaged entitlement can become a broader exposure path. This is especially true when business units independently adopt tools outside central control. The practitioner conclusion is straightforward: governance must be designed around blast-radius reduction, not just application count.
Control-plane convergence is where this market is heading. The article shows the category moving from standalone SaaS inventory toward platforms that blend discovery, access governance, spend control, and security policy. That convergence helps practitioners avoid stitching together disconnected workflows, but it also raises the bar for entitlement hygiene and lifecycle automation. Teams should expect SaaS management to be judged by actionability, not visibility alone.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage. That pattern shows how quickly unmanaged access becomes measurable business impact.
- For the control path behind that risk, see the NHI Lifecycle Management Guide, which connects discovery, rotation, and offboarding into one lifecycle view.
What this signals
Lifecycle governance will matter more than product breadth. SaaS management platforms are increasingly judged by whether they can move from discovery to offboarding and access reviews in one workflow. The organisations that keep treating SaaS tools as inventory systems will continue to miss the identity layer where risk accumulates.
Identity teams should expect SaaS governance to absorb more AI app oversight. As unmanaged AI tools enter the workplace, the boundary between software governance and access governance continues to blur. Programmes that already align with the NIST Cybersecurity Framework 2.0 will be better placed to connect identify, protect, detect, and respond activities around SaaS usage.
Five-point-seven percent visibility is the warning sign, not the finish line. The real programme question is whether your current stack can identify dormant access, shadow tools, and unused entitlements quickly enough to change behaviour before risk becomes operational debt. That is where SaaS management and NHI governance finally converge.
For practitioners
- Correlate discovery sources before acting on SaaS inventory: combine API, SSO, browser, and finance signals so sanctioned, unsanctioned, and shadow AI apps are not judged from a single incomplete view.
- Tie idle usage to lifecycle removal decisions: define a usage threshold for dormant accounts and unneeded licenses, then route those records into deprovisioning or recertification instead of waiting for renewal season.
- Separate shadow AI review from generic software procurement: route unmanaged AI apps through access policy checks, data-handling review, and monitoring rules because they create identity and data risk even when no contract team is involved.
- Use access reviews to validate app necessity: treat application access as a live entitlement question, especially where the platform can show who has what permission level and whether that access should still exist.
Key takeaways
- SaaS management is no longer just about app counts because access, usage, and entitlement governance now sit at the centre of the problem.
- Discovery across multiple sources is necessary because no single signal can reveal sanctioned apps, shadow IT, and shadow AI with equal reliability.
- Practitioners should measure SaaS tooling by whether it can trigger recertification, reclamation, and deprovisioning, not by whether it can list software.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers NHI lifecycle and entitlement issues that appear in SaaS governance. |
| NIST CSF 2.0 | PR.AC-4 | Access management is central when SaaS governance decides who should still have app access. |
| NIST Zero Trust (SP 800-207) | AC-4 | Policy enforcement for shadow AI and SaaS usage aligns with zero-trust authorisation decisions. |
Map dormant SaaS accounts and unmanaged app access into NHI lifecycle review and offboarding workflows.
Key terms
- SaaS Management Platform: A SaaS management platform discovers, tracks, and governs software subscriptions across an organisation. In practice, it combines inventory, usage analytics, spend control, and access-related workflows so teams can decide what stays, what gets removed, and what needs review.
- Shadow AI: Shadow AI is the use of AI tools that have not been approved, inventoried, or governed by the organisation. It matters because these tools can process data, create access paths, and bypass normal review steps even when employees think they are simply experimenting with software.
- License Optimisation: License optimisation is the process of matching software entitlements to actual use so organisations do not pay for access they no longer need. In identity terms, it is a governance function because entitlement reduction often requires review, downgrade, or deprovisioning decisions.
- Lifecycle Governance: Lifecycle governance is the discipline of managing joiner, mover, and leaver changes across identities and accounts. For SaaS environments, it means access is reviewed, adjusted, or revoked when usage patterns, employment status, or app approval status changes.
Deepen your knowledge
SaaS governance, lifecycle control, and identity-linked rightsizing are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a control model that has to cover SaaS sprawl as well as access governance, it is worth exploring.
This post draws on content published by Zluri: Top 20 SaaS Management Platforms [2026]. Read the original.
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org