By NHI Mgmt Group Editorial Team | Published 2025-06-26 | Domain: Governance & Risk | Source: Zluri

TL;DR: SaaS management platforms are presented as a way to discover shadow IT, rightsize licenses, and improve onboarding, offboarding, and compliance, according to Zluri. The governance issue is broader than SaaS cost control: unmanaged app access is also an identity lifecycle problem that weakens visibility, accountability, and deprovisioning discipline.


At a glance

What this is: This is a vendor explanation of why organisations should fund a SaaS management platform, with the key finding that shadow IT, license sprawl, and weak onboarding and offboarding controls create both cost and identity governance risk.

Why it matters: It matters because SaaS app sprawl affects human access governance, NHI-like service access patterns, and lifecycle controls that IAM, IGA, and PAM teams are expected to keep auditable.



Context

SaaS sprawl is an identity governance problem before it is a procurement problem. When applications accumulate outside approved processes, organisations lose track of who has access, which accounts remain active, and whether offboarding actually removed every entitlement. That makes the issue relevant to IAM, IGA, and lifecycle governance, not only software spend.

The article argues that spreadsheets and SSO alone do not provide enough control once the application estate expands. The practical gap is visibility into live application usage, approval status, and deprovisioning outcomes, which is exactly where access governance programmes tend to break down first.


Key questions

Q: How should security teams govern SaaS sprawl without relying on spreadsheets?

A: Security teams should treat SaaS sprawl as an access governance problem and maintain a discovery-backed inventory with named owners, review cadence, and offboarding triggers. Spreadsheets can document intent, but they cannot reliably prove who still has access or which subscriptions remain active after staff changes.

Q: Why do SaaS management and IAM teams need to work together?

A: They need to work together because SaaS discovery, access review, and offboarding are identity lifecycle controls, while IAM holds the policy and entitlement context. If those functions stay separate, organisations can renew software that no longer has a business owner and leave orphaned access behind.

Q: What breaks when organisations depend on SSO as their only SaaS control?

A: What breaks is visibility. SSO can show authentication events, but it does not by itself show application approval status, redundant subscriptions, or whether deprovisioning actually removed every entitlement. Teams that stop at SSO usually miss unmanaged apps and stale access paths.

Q: Who should own SaaS access reviews and renewals?

A: The business owner should own the usage decision, IAM or IGA should own the access policy, and IT or procurement should execute the renewal or cancellation. Clear ownership prevents the common failure where an application is paid for after its user base has changed or disappeared.


Technical breakdown

Why SaaS discovery is an access governance problem

SaaS discovery is not just an inventory exercise. In practice, it identifies where the organisation has granted access without a complete picture of business ownership, user activity, and renewal responsibility. Once shadow IT exists, the access layer becomes fragmented: different teams create accounts, renew tools, and remove them on different timelines. That fragmentation creates governance blind spots that no spreadsheet can reliably reconcile at scale. The identity issue is not simply what was purchased, but who can still sign in and who can still act on behalf of the business.

Practical implication: map application discovery to access ownership so every discovered SaaS app has a clear approver, reviewer, and offboarding path.

License renewal, offboarding, and the lifecycle gap

License management becomes an identity lifecycle issue when unused accounts and dormant subscriptions overlap. The article points out that ex-employees may retain access, which means the real failure is not only wasted spend but also incomplete offboarding. In IAM terms, renewal, cancellation, and revocation should be treated as linked lifecycle events. If renewal is handled separately from deprovisioning, the organisation can keep paying for access that no longer has a business owner, while the account itself remains live. That is a lifecycle control failure, not a finance-only oversight.

Practical implication: tie renewal decisions to access recertification and offboarding evidence before any SaaS contract is extended.

Why SSO does not solve SaaS governance on its own

SSO controls authentication, but it does not provide the operational visibility needed to govern app usage, entitlements, and revocation outcomes across a broad SaaS estate. The article correctly notes that only a subset of applications can be connected through SSO, and even where SSO exists, the organisation may still lack clarity on whether the app is approved, actively used, or properly removed. In governance terms, SSO is one control point, not the whole control plane. Treating it as sufficient leaves the organisation blind to the application lifecycle outside the login event.

Practical implication: use SSO data as one signal in a broader application governance process, not as evidence that the SaaS estate is under control.



NHI Mgmt Group analysis

Shadow SaaS is an access governance failure, not just an inventory gap. Once users can adopt applications outside approved channels, the organisation has already lost deterministic control over entitlement creation and review. That shifts the problem from procurement discipline to identity governance, because access can persist without a clear owner or removal trigger. Practitioners should treat undiscovered SaaS as unmanaged access, not merely unknown software.

Lifecycle controls break when renewal and revocation are separated. The article’s offboarding example shows the core issue clearly: a user can leave while the application subscription continues, or the application can remain active after the user should have been removed. That means access review and offboarding are no longer optional administrative tasks, but the only reliable way to prevent dormant access from surviving organisational change. Teams should align renewal workflows with lifecycle governance.

SaaS management platforms surface a broader identity surface than SSO can see. SSO tells you something about authentication, but not enough about application adoption, redundancy, or whether the account lifecycle is actually clean. The named concept here is application lifecycle visibility: the ability to connect discovery, approval, access, and removal into one control loop. Practitioners need that control loop because uncontrolled app sprawl creates shadow access as quickly as it creates shadow IT.

Budget justification should be framed as governance recovery, not tooling preference. The article makes a financial case, but the security case is stronger: organisations cannot certify what they cannot see, and they cannot offboard what they do not track. That is why SaaS governance belongs in IAM and IGA conversations alongside cost control. The practitioner conclusion is to present SaaS management as evidence-backed control recovery.

The post-pandemic SaaS estate has become a lifecycle burden for identity teams. More apps, faster buying cycles, and more offboarding edge cases increase the chance that access outlives employment or business need. That makes SaaS governance part of normal identity operations, not a one-off clean-up project. Teams should plan for continuous entitlement hygiene rather than periodic spreadsheet reconciliation.

From our research:

  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
  • The same research found that companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, which shows how quickly fragmented control areas consume spend.
  • For practitioners, the forward move is to pair application discovery with lifecycle governance, as outlined in the NHI Lifecycle Management Guide, so access, ownership, and offboarding remain aligned.

What this signals

Application lifecycle visibility: the next governance standard for SaaS-heavy estates is not just discovery, but proof that each app has a reviewer, an owner, and a removal path. As application counts rise, the organisations that can connect those three points will be the ones that keep entitlement risk and renewal waste under control.

The practical signal for IAM and IGA teams is that SaaS governance now sits alongside lifecycle hygiene, not outside it. Where discovery, renewal, and offboarding remain disconnected, shadow access will continue to outlast business need, and no amount of SSO coverage will close that gap.


For practitioners

  • Establish a single application owner for every SaaS app: Require each discovered application to have one business owner, one technical owner, and one access review cadence so renewal, approval, and removal are never handled in isolation.
  • Link offboarding to subscription cancellation: Do not close user departure workflows until application access has been revoked and any unnecessary subscriptions have been cancelled or reassigned.
  • Replace spreadsheet tracking with discovery-backed inventory: Use application discovery data to reconcile approved, active, and redundant SaaS tools before finance or IT makes renewal decisions.
  • Use SSO only as one control signal: Treat SSO login data as partial evidence and compare it with direct application usage and entitlements before certifying access or renewing a contract.
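The reconciliation described in the technical breakdown (discovery mapped to ownership, renewal tied to recertification and offboarding evidence, SSO treated as one signal) and in the practitioner checklist above can be expressed as a small control loop over four data sets: the HR roster, the app inventory with owners and renewal dates, the per-application account list, and each account's SSO status. The script below is an added example, not code from the original post or from Zluri; the record shapes, the sample estate, and the thresholds (90 days for dormancy, 30 days for the renewal window, 365 days for review age) are assumptions chosen for illustration.

```python
"""Reconcile a SaaS estate against HR, ownership, usage and SSO data.

Every record here is constructed for the example; the field layout is an
assumption for illustration, not any vendor's data model.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

DORMANT_AFTER_DAYS = 90      # assumed: no login in this window = dormant account


@dataclass
class Person:
    email: str
    active: bool             # False once HR has processed the departure


@dataclass
class AppAccount:
    app: str
    email: str
    last_login: Optional[date]   # None = account never used
    via_sso: bool                # True if the account is federated through SSO


@dataclass
class App:
    name: str
    business_owner: Optional[str]
    technical_owner: Optional[str]
    renewal_date: Optional[date]
    last_review: Optional[date]  # last access recertification, if any


@dataclass
class Findings:
    orphaned_accounts: List[Tuple[str, str]] = field(default_factory=list)
    dormant_accounts: List[Tuple[str, str]] = field(default_factory=list)
    accounts_outside_sso: List[Tuple[str, str]] = field(default_factory=list)
    unowned_apps: List[str] = field(default_factory=list)
    renewal_blocked: Dict[str, List[str]] = field(default_factory=dict)


def reconcile(people, apps, accounts, today,
              renewal_window_days=30, review_max_age_days=365) -> Findings:
    """Cross-check accounts against HR and gate upcoming renewals on evidence."""
    hr = {p.email: p for p in people}
    f = Findings()
    orphans_by_app: Dict[str, int] = {}
    active_by_app: Dict[str, int] = {}

    for a in accounts:
        person = hr.get(a.email)
        if person is None or not person.active:
            # Holder has left or was never on the roster: access outlived employment.
            f.orphaned_accounts.append((a.app, a.email))
            orphans_by_app[a.app] = orphans_by_app.get(a.app, 0) + 1
        elif a.last_login is None or (today - a.last_login).days > DORMANT_AFTER_DAYS:
            f.dormant_accounts.append((a.app, a.email))
        else:
            active_by_app[a.app] = active_by_app.get(a.app, 0) + 1
        if not a.via_sso:
            # SSO logs cannot see this account at all; it needs direct review.
            f.accounts_outside_sso.append((a.app, a.email))

    for app in apps:
        if app.business_owner is None or app.technical_owner is None:
            f.unowned_apps.append(app.name)
        # Only apps renewing inside the window are gated; the rest wait their turn.
        if app.renewal_date is None or (app.renewal_date - today).days > renewal_window_days:
            continue
        reasons = []
        if app.name in f.unowned_apps:
            reasons.append("no named business and technical owner")
        if orphans_by_app.get(app.name):
            reasons.append(f"{orphans_by_app[app.name]} orphaned account(s) still active")
        if active_by_app.get(app.name, 0) == 0:
            reasons.append(f"no active users in the last {DORMANT_AFTER_DAYS} days")
        if app.last_review is None or (today - app.last_review).days > review_max_age_days:
            reasons.append("access review missing or stale")
        if reasons:
            f.renewal_blocked[app.name] = reasons
    return f


def sample_estate():
    """Constructed sample: one leaver, one unknown account, one unowned app."""
    today = date(2025, 6, 26)
    d = lambda n: today - timedelta(days=n)
    people = [Person("alice@example.test", True),
              Person("bob@example.test", False),      # left the organisation
              Person("carol@example.test", True)]
    apps = [App("Figma", "alice@example.test", "it-ops", today + timedelta(days=10), d(400)),
            App("Notion", None, None, today + timedelta(days=200), None),
            App("Slack", "carol@example.test", "it-ops", today + timedelta(days=15), d(30))]
    accounts = [AppAccount("Figma", "alice@example.test", d(5), True),
                AppAccount("Figma", "bob@example.test", d(60), False),   # leaver, outside SSO
                AppAccount("Notion", "carol@example.test", None, False),
                AppAccount("Slack", "alice@example.test", d(2), True),
                AppAccount("Slack", "carol@example.test", d(1), True),
                AppAccount("Slack", "dave@example.test", d(100), False)]  # not on the roster
    return people, apps, accounts, today


if __name__ == "__main__":
    result = reconcile(*sample_estate())
    for name, why in result.renewal_blocked.items():
        print(f"{name}: hold renewal -> {'; '.join(why)}")
    print("orphaned:", result.orphaned_accounts)
```

Run against the constructed estate, the script holds the Figma and Slack renewals (each still carries an orphaned account, and Figma's last recertification is over a year old), flags Notion as unowned, and lists every account that SSO data alone would never have shown. The point is the gating: the renewal path refuses to proceed until ownership, offboarding and review evidence line up, which is the linkage the article argues spreadsheets and SSO cannot enforce.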

Key takeaways

  • SaaS sprawl becomes an identity governance problem as soon as access, ownership, and removal stop moving together.
  • Visibility alone is not enough, because the real control failure is the gap between discovery and offboarding.
  • Teams should tie renewal decisions to access review evidence so dormant apps and stale accounts do not survive routine budgeting.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
NIST CSF 2.0                    | PR.AC-1             | SaaS sprawl affects who can access applications and how that access is governed.
NIST CSF 2.0                    | PR.IP-3             | Lifecycle processes are needed to maintain and retire access and subscriptions cleanly.
OWASP Non-Human Identity Top 10 | NHI-01              | Shadow application access and unmanaged credentials mirror NHI visibility and governance gaps.

Align offboarding and renewal workflows to PR.IP-3 so stale access and unused subscriptions are removed.


Key terms

  • Shadow SaaS: SaaS applications adopted or maintained outside approved governance processes. The problem is not only unknown software, but unknown access, ownership, and removal responsibility, which makes lifecycle control and auditability difficult to sustain.
  • Application Lifecycle Visibility: The ability to connect discovery, approval, usage, renewal, and removal into one control view. It goes beyond inventory by showing whether an application still has a valid business owner, active users, and a defined offboarding path.
  • SaaS Access Governance: The discipline of controlling who can use a SaaS application, who approves that access, and how it is removed when it is no longer needed. It links identity policy, lifecycle events, and entitlement review into one operational process.
  • Offboarding: The process of removing access when a user leaves or no longer needs a system. In SaaS environments, offboarding must include account revocation, license recovery, and confirmation that any residual access paths have been closed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: SaaS Management How to Convince Your Boss to Invest in an SMP?

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org