TL;DR: SaaS management platforms are increasingly judged not by inventory alone but by whether they can connect discovery, usage, access level, and automated remediation across shadow IT and AI app adoption, according to Zluri. The governance gap is no longer about finding apps; it is about deciding whether access should exist at all and acting on that decision continuously.
At a glance
What this is: This is a roundup of SaaS management platforms that argues visibility is insufficient without access governance, usage-based remediation, and identity integration.
Why it matters: It matters because SaaS sprawl now intersects with NHI, autonomous AI app adoption, and human access governance, forcing IAM teams to align inventory, entitlement, and offboarding.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
👉 Read Zluri's roundup of the top 20 SaaS management platforms in 2026
Context
SaaS management is the discipline of discovering applications, understanding usage, and deciding what access and spend should remain in place. The problem is that many platforms still stop at inventory, leaving entitlement, offboarding, and governance decisions disconnected from the data that exposes them.
That gap matters because SaaS environments now contain service accounts, API keys, browser-based access, shadow IT, and shadow AI in the same control plane. For IAM and IGA teams, the practical question is no longer how many apps exist, but whether those identities are still justified, reviewable, and removable across the application estate.
Key questions
Q: What breaks when SaaS management stops at app inventory?
A: When SaaS management stops at inventory, teams can see applications but not whether access is justified, active, or connected to unmanaged identities. That leaves entitlement drift, shadow IT, and dormant accounts outside the control loop. The result is visibility without governance, which is enough for reporting but not enough for security decisions.
Q: Why do SaaS platforms matter to NHI governance?
A: SaaS platforms matter because they are often where service accounts, API keys, and app-specific permissions are created and forgotten. If those identities are not tied to lifecycle controls, they remain active after the business need ends. That turns SaaS management into a non-human identity control point rather than a simple app catalogue.
Q: How should organisations govern shadow AI inside SaaS estates?
A: Organisations should treat shadow AI as an access and policy problem, not only an application discovery problem. That means identifying approved AI tools, monitoring who uses them, and enforcing restrictions when sensitive data or unapproved apps appear. If the control plane cannot see the use, it cannot govern the risk.
Q: How do teams decide whether a SaaS platform is governance-ready?
A: A governance-ready SaaS platform can connect discovery, entitlement, usage, and offboarding in one workflow. If it only counts apps or tracks spend, it is useful for inventory but weak for security. The practical test is whether the platform can support access review, deprovisioning, and policy enforcement from the same data set.
Technical breakdown
Discovery pathways and why single-source inventory fails
SaaS discovery usually fails when it relies on one signal, such as SSO logs or admin APIs. Employees can access applications through browser activity, direct login, forwarded invites, finance records, or unmanaged integrations that never show up in a single control plane. A meaningful SaaS management platform therefore correlates multiple telemetry sources to identify sanctioned, unsanctioned, and shadow applications, then enriches each app with user and usage context. That is not just asset inventory. It is identity-aware discovery, which is the only way to connect app existence to actual access risk.
Practical implication: require multi-source discovery before trusting any SaaS inventory or access review.
Usage-based rightsizing versus entitlement drift
License optimisation is often presented as a cost problem, but it is also an entitlement problem. If a platform can see who has access, who is inactive, and which permissions are actually exercised, it can expose entitlement drift where access outlives usage. The technical issue is not whether a licence is assigned. It is whether the entitlement still maps to real work. Continuous rightsizing becomes a governance signal because it shows where dormant access, duplicate licensing, and excessive permissions are accumulating across the SaaS stack.
Practical implication: tie renewal decisions to active usage and entitlement review, not calendar reminders alone.
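The drift check described above, as an added example that is not part of Zluri's roundup or NHIMG's tooling: entitlement records carry the permissions a role grants, the permissions actually exercised in the lookback window, and a last-active date, and the same data yields dormant access, excess permissions, duplicate licensing, and reclaimable spend. All users, apps, costs and the review date are constructed.

```python
"""Usage-based rightsizing as an entitlement-drift detector.

Added example, not code from Zluri or NHIMG. The entitlement records,
costs and review date are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    user: str
    app: str
    category: str                 # functional category, used to spot duplicate licensing
    granted: frozenset            # permissions the assigned role carries
    exercised: frozenset          # permissions actually used in the lookback window
    last_active: Optional[date]   # None: never signed in since assignment
    annual_cost: int              # licence cost per seat (constructed)


AS_OF = date(2026, 5, 20)  # review date

ENTITLEMENTS = [  # constructed sample
    Entitlement("alice", "Salesforce", "crm", frozenset({"read", "write", "export", "admin"}),
                frozenset({"read", "write"}), date(2026, 5, 18), 1200),
    Entitlement("bob", "Salesforce", "crm", frozenset({"read", "write"}),
                frozenset(), date(2026, 1, 10), 1200),
    Entitlement("carol", "Notion", "docs", frozenset({"read", "write"}),
                frozenset({"read", "write"}), date(2026, 5, 19), 96),
    Entitlement("carol", "Confluence", "docs", frozenset({"read"}),
                frozenset(), None, 60),
    Entitlement("svc-crm-sync", "Salesforce", "crm", frozenset({"read", "write", "admin"}),
                frozenset({"read"}), date(2026, 5, 20), 0),
]


def dormant(ents, as_of=AS_OF, max_idle_days=90):
    """Access that outlived usage: idle beyond the window or never used at all."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [e for e in ents if e.last_active is None or e.last_active < cutoff]


def excess_permissions(ents):
    """For active entitlements, permissions granted but never exercised.
    Dormant entitlements are excluded here because dormant() reports them whole."""
    return {(e.user, e.app): sorted(e.granted - e.exercised)
            for e in ents if e.exercised and e.granted - e.exercised}


def duplicate_licensing(ents):
    """Users holding seats in more than one app of the same functional category."""
    apps = defaultdict(set)
    for e in ents:
        apps[(e.user, e.category)].add(e.app)
    return {key: sorted(v) for key, v in apps.items() if len(v) > 1}


def reclaimable_spend(ents, as_of=AS_OF):
    """Annual cost of dormant seats: the finance view of the same governance signal."""
    return sum(e.annual_cost for e in dormant(ents, as_of))


if __name__ == "__main__":
    for e in dormant(ENTITLEMENTS):
        print(f"dormant: {e.user}@{e.app} last_active={e.last_active}")
    print("excess permissions:", excess_permissions(ENTITLEMENTS))
    print("duplicate licensing:", duplicate_licensing(ENTITLEMENTS))
    print("reclaimable spend:", reclaimable_spend(ENTITLEMENTS))
```

The idle window is a parameter so a review can tighten or loosen it per application class; the service account in the sample shows why the permission check must not be limited to human users.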
Shadow AI governance inside SaaS management
Shadow AI turns SaaS management into an identity governance problem because the control question is no longer only which app is running, but which users and data are flowing through it. If employees can adopt AI tools independently, the platform must track use, flag restricted apps, and connect those events to policy enforcement. This is where SaaS management intersects with autonomous-adjacent behaviour without assuming full autonomy. The important mechanism is continuous monitoring of app usage and access policy, so the organisation can distinguish approved AI use from unmanaged experimentation.
Practical implication: apply app-level policy enforcement to AI tools before their usage becomes invisible and unrecoverable.
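Multi-source discovery (the section on discovery pathways above) and shadow AI classification (this section) run on the same correlated inventory, so one added example covers both. It is not code from Zluri or NHIMG; every telemetry record, hostname, user, approval list and AI catalogue entry is constructed. It shows which apps an SSO-only inventory would never see, which AI tools fall outside the approved list together with the users in them, and which admin-API-enumerated accounts never authenticate through SSO.

```python
"""Identity-aware SaaS discovery from several telemetry sources.

Added example, not code from Zluri or NHIMG. Every app name, hostname,
user and telemetry record here is constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed telemetry. Each source sees a different slice of the estate,
# which is why an SSO-only inventory is incomplete.
SSO_LOGINS = [            # (user, app) from the identity provider
    ("alice", "Salesforce"), ("bob", "Salesforce"), ("carol", "Slack"),
]
BROWSER_EVENTS = [        # (user, host) from browser / secure web gateway telemetry
    ("dave", "app.notion.so"), ("erin", "chat.openai.com"), ("carol", "slack.com"),
]
FINANCE_RECORDS = [       # (vendor, paying owner) from expense / AP exports
    ("Notion", "dave"), ("Zapier", "frank"),
]
ADMIN_API_USERS = {       # app -> accounts enumerated through the app's admin API
    "Salesforce": {"alice", "bob", "svc-crm-sync"},
}

# Policy inputs (constructed): hostname -> app mapping and approval lists.
HOST_TO_APP = {"app.notion.so": "Notion", "chat.openai.com": "ChatGPT", "slack.com": "Slack"}
APPROVED_APPS = {"Salesforce", "Slack", "Copilot"}
AI_APPS = {"ChatGPT", "Claude", "Copilot"}      # catalogue of known AI tools
APPROVED_AI_APPS = {"Copilot"}                   # AI tools cleared by policy


@dataclass
class AppRecord:
    name: str
    users: set = field(default_factory=set)
    sources: set = field(default_factory=set)

    def classify(self) -> str:
        """Sanctioning status; AI tools outside the approved AI list are shadow AI."""
        if self.name in AI_APPS and self.name not in APPROVED_AI_APPS:
            return "shadow-ai"
        return "sanctioned" if self.name in APPROVED_APPS else "unsanctioned"


def _touch(inv: dict, app: str, user: str, source: str) -> None:
    rec = inv.setdefault(app, AppRecord(app))
    rec.users.add(user)
    rec.sources.add(source)


def build_inventory() -> dict:
    """Correlate all sources into one app -> (users, sources) view."""
    inv: dict = {}
    for user, app in SSO_LOGINS:
        _touch(inv, app, user, "sso")
    for user, host in BROWSER_EVENTS:
        _touch(inv, HOST_TO_APP.get(host, host), user, "browser")
    for vendor, owner in FINANCE_RECORDS:
        _touch(inv, vendor, owner, "finance")
    for app, accounts in ADMIN_API_USERS.items():
        for account in accounts:
            _touch(inv, app, account, "admin-api")
    return inv


def missed_by_sso_only(inv: dict) -> list:
    """Apps that never appear in SSO logs: invisible to a single-source inventory."""
    return sorted(app for app, rec in inv.items() if "sso" not in rec.sources)


def shadow_ai_findings(inv: dict) -> dict:
    """Shadow-AI apps with the users seen in them, ready for policy enforcement."""
    return {app: sorted(rec.users) for app, rec in inv.items()
            if rec.classify() == "shadow-ai"}


def admin_accounts_without_sso() -> dict:
    """Accounts enumerated via admin APIs that never authenticate through SSO:
    candidate service accounts / NHIs that a user-centric review would skip."""
    sso_users = {user for user, _ in SSO_LOGINS}
    out = {}
    for app, accounts in ADMIN_API_USERS.items():
        orphans = sorted(a for a in accounts if a not in sso_users)
        if orphans:
            out[app] = orphans
    return out


if __name__ == "__main__":
    inventory = build_inventory()
    for app, rec in sorted(inventory.items()):
        print(f"{app:<11} {rec.classify():<12} sources={sorted(rec.sources)} users={sorted(rec.users)}")
    print("missed by SSO-only inventory:", missed_by_sso_only(inventory))
    print("shadow AI:", shadow_ai_findings(inventory))
    print("admin-API accounts without SSO:", admin_accounts_without_sso())
```

Each record keeps the list of sources that observed the app, so a reviewer can see at a glance which apps rest on a single signal and where a second telemetry feed would add coverage.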
Threat narrative
Attacker objective: The objective is to exploit unmanaged SaaS access paths that remain invisible to governance teams and persist long enough to create operational or data exposure.
- Entry occurs when employees adopt unsanctioned SaaS or AI applications outside the approved procurement and access model.
- Credential access or abuse follows when the organisation lacks visibility into who is using which app, at what permission level, and with which connected secrets.
- Impact emerges as shadow access, unused licences, and unmanaged integrations persist beyond review cycles, widening exposure and spend.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Visibility without entitlement context is not SaaS governance. The article reinforces a familiar market flaw: many platforms still measure application presence, not the identity relationships inside each app. That leaves IAM and IGA teams with inventory data but no authority to decide whether access should remain in force. The practical conclusion is that SaaS management only becomes governance when it can answer who, what level, and why now.
Shadow AI is forcing SaaS management to become an identity control plane. Once employees can introduce AI apps independently, the platform has to track access, policy status, and usage in near real time. That shifts the discipline from passive catalogue management to active governance over human, machine, and emerging AI-adjacent access paths. Practitioners should treat AI app discovery as a control problem, not a reporting feature.
Ephemeral credential trust debt: SaaS environments accumulate trust assumptions faster than review cycles can retire them. An app, token, or integration can remain technically active long after the business need has disappeared, and that creates access that is harder to justify than to create. The implication is that organisations need to think in terms of trust debt, where every unmanaged connection adds future governance cost.
Identity and spend are now the same governance problem. The article shows that usage data is no longer just a finance input. When inactive accounts, unused licences, and unreviewed access are analysed together, they reveal where entitlement discipline is failing across the stack. That makes finance, security, and IAM co-owners of the same control surface, not separate consumers of reports.
SaaS management is becoming the front line for NHI lifecycle control. SaaS platforms increasingly sit where service accounts, API keys, and app-specific permissions are created, used, and forgotten. That means the discipline now overlaps directly with non-human identity governance, especially around offboarding and rotation. Practitioners should treat SaaS management as a lifecycle control point, not a procurement dashboard.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- For lifecycle context, see NHI Lifecycle Management Guide for how discovery, rotation, and offboarding fit together.
What this signals
Identity sprawl is now embedded in SaaS sprawl. When app inventory, access rights, and unmanaged secrets live in separate tools, governance becomes fragmentary and slow. Teams that still treat SaaS management as procurement support will miss the point that identity control now sits at the centre of software governance.
The practical signal for programmes is that renewal, deprovisioning, and access review need to converge around one data model. If SaaS usage can trigger policy action, then the platform becomes part of the control plane rather than a reporting layer, which changes how IAM, finance, and security share accountability.
With 90% of IT leaders saying properly managing NHIs is essential for zero trust, the direction of travel is clear: SaaS governance is moving toward identity-aware enforcement, not passive dashboards, per the Ultimate Guide to NHIs.
For practitioners
- Correlate multiple discovery sources before trusting app inventories: Combine SSO, API, browser, finance, and admin telemetry so unmanaged apps and shadow AI do not disappear between tools. Use the resulting view to drive app-level review, not only reporting.
- Tie access review to real usage data: Review who is actually using each application, which entitlements are active, and whether access level still matches the work being done. Treat dormant access as a governance signal, not just a cost issue.
- Map SaaS offboarding to identity lifecycle controls: Connect user termination, app deprovisioning, and connected secret revocation into one workflow so service accounts and app tokens are not left behind after the business need ends.
- Apply policy enforcement to shadow AI app use: Define approved AI tools, monitor user activity in those tools, and alert when restricted apps appear so unmanaged experimentation is contained before data exposure expands.
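The offboarding step in the list above (user termination, app deprovisioning and connected secret revocation in one workflow) as an added closure check; this is not Zluri's or NHIMG's code, and the users, apps, token identifiers and dates are constructed. Given a set of terminated users, it lists every app account still active, every token still unrevoked, and every service account whose accountable owner has left, with the days since termination.

```python
"""Offboarding closure check linking user termination, app deprovisioning
and connected-secret revocation.

Added example, not code from Zluri or NHIMG. Users, apps, token ids and
dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    app: str
    user: str
    status: str         # "active" or "disabled"


@dataclass(frozen=True)
class Token:
    token_id: str
    app: str
    owner: str          # human who created the token / connected the integration
    revoked: bool


@dataclass(frozen=True)
class ServiceAccount:
    name: str
    app: str
    owner: str          # accountable human owner


AS_OF = date(2026, 5, 20)
TERMINATED = {"bob": date(2026, 4, 30)}          # user -> termination date (constructed)

ACCOUNTS = [
    Account("Salesforce", "bob", "disabled"),
    Account("Slack", "bob", "active"),             # left behind after termination
    Account("Salesforce", "alice", "active"),
]
TOKENS = [
    Token("tok-01", "Salesforce", "bob", revoked=True),
    Token("tok-02", "Zapier", "bob", revoked=False),   # integration still live
    Token("tok-03", "Salesforce", "alice", revoked=False),
]
SERVICE_ACCOUNTS = [
    ServiceAccount("svc-crm-sync", "Salesforce", "bob"),  # owner gone, never reassigned
]


def offboarding_gaps(terminated=TERMINATED, accounts=ACCOUNTS, tokens=TOKENS,
                     service_accounts=SERVICE_ACCOUNTS, as_of=AS_OF):
    """Everything still attached to a terminated user, with days since termination."""
    gaps = []
    for a in accounts:
        if a.user in terminated and a.status == "active":
            gaps.append(("app-account", a.app, a.user, (as_of - terminated[a.user]).days))
    for t in tokens:
        if t.owner in terminated and not t.revoked:
            gaps.append(("token", f"{t.app}:{t.token_id}", t.owner,
                         (as_of - terminated[t.owner]).days))
    for s in service_accounts:
        if s.owner in terminated:
            gaps.append(("orphaned-service-account", f"{s.app}:{s.name}", s.owner,
                         (as_of - terminated[s.owner]).days))
    return sorted(gaps)


def offboarding_complete(user, **kw):
    """True when nothing in the estate still points at the named user."""
    return not any(g[2] == user for g in offboarding_gaps(**kw))


if __name__ == "__main__":
    for kind, target, user, days in offboarding_gaps():
        print(f"{kind:<25} {target:<25} {user:<6} {days} days outstanding")
    print("bob offboarded:", offboarding_complete("bob"))
```

Running the same check on each review cycle turns "days outstanding" into the trust-debt measure discussed later in this post: the longer a leftover account, token or ownerless service account survives, the harder it is to justify.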
Key takeaways
- SaaS management becomes materially more useful when it links discovery to entitlement, usage, and removal, not when it merely lists applications.
- The scale of unmanaged identity risk is already visible in NHI research, which shows how weak visibility and poor offboarding create persistent exposure.
- IAM teams should treat SaaS governance as a control surface where shadow IT, shadow AI, and NHI lifecycle management intersect.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Discovery and visibility gaps drive unmanaged SaaS and identity sprawl. |
| NIST CSF 2.0 | PR.AC-1 | Access governance depends on knowing who should have access to which SaaS apps. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification is relevant where SaaS access and shadow AI change dynamically. |
Map SaaS discovery data to NHI-01 and require multi-source inventory before access decisions.
Key terms
- SaaS Management Platform: A SaaS management platform discovers, inventories, and operationalises control over cloud applications used across the business. In practice, it should connect usage, licensing, access, and offboarding so security and finance teams can act on the same data, not separate reports.
- Shadow AI: Shadow AI is the use of AI applications or AI-enabled services that are not visible to central governance. It becomes a control problem when users can move data, credentials, or work outputs through tools that have not been approved, reviewed, or tied into identity oversight.
- Entitlement Drift: Entitlement drift is the gap between access that exists and access that is actually needed or used. In SaaS environments it often appears as dormant accounts, duplicated licences, or permissions that remain after the business need has changed, creating governance and audit exposure.
- Identity-Aware Discovery: Identity-aware discovery is the practice of finding applications and then linking each one to the people, accounts, and permissions using it. That extra layer matters because inventory alone cannot show who can act inside the app, which connections are active, or where offboarding should begin.
Deepen your knowledge
SaaS governance, shadow AI, and non-human identity lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is trying to move from inventory to enforcement, this is the right place to start.
This post draws on content published by Zluri: SaaS Management Top 20 SaaS Management Platforms [2026]. Read the original.
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org