TL;DR: SaaS management platforms are moving from app inventory into access governance because Zluri says modern teams need to know not just which apps exist, but who uses them, at what permission level, and whether that access should exist at all. That shift makes SaaS discovery an identity problem, not only a cost problem.
At a glance
What this is: This is a SaaS management platform roundup whose key finding is that visibility alone is no longer enough without identity governance and automated action.
Why it matters: It matters because SaaS sprawl creates human, NHI, and autonomous access risk across licensing, shadow IT, and offboarding, so IAM teams need governance signals, not just inventories.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Zluri's roundup of top SaaS management platforms for 2026
Context
SaaS management has become an identity governance problem because applications are only part of the risk. The real control question is who can use each app, what level of access they hold, and whether that access still makes sense as people, bots, and service accounts move through the environment.
Zluri's roundup reflects a broader market shift away from static SaaS inventory toward governance-linked operations. That matters for IAM teams because discovery without entitlement context leaves shadow IT, stale access, and unreviewed permissions untouched, which is exactly where SaaS sprawl becomes security debt.
For organisations that are already dealing with NHI growth and emerging agentic workflows, SaaS management is no longer an isolated procurement or finance exercise. It sits inside lifecycle governance, access review, and risk reduction, which is why the strongest platforms are being evaluated through identity outcomes rather than feature lists.
Key questions
Q: How should security teams govern SaaS app sprawl without losing access visibility?
A: Security teams should connect SaaS discovery to entitlement data, lifecycle state, and usage telemetry. That lets them distinguish active, sanctioned access from dormant or excessive access and turn app inventory into governance evidence. Without that linkage, teams can count applications but still miss the access conditions that create risk.
Q: Why do SaaS platforms need to sit near identity governance instead of finance only?
A: Because SaaS spend and SaaS access are now tightly coupled. The same data that shows underused licenses also shows stale accounts, shadow IT, and unjustified permissions, so finance-only management misses the security and lifecycle issues that matter to IAM and NHI teams.
Q: How can organisations reduce Shadow AI risk in SaaS environments?
A: Organisations should treat AI app adoption as a governed access path, not just a software choice. That means discovering which users and tokens are reaching AI tools, checking policy compliance on data flow, and applying the same review and exception process used for other unsanctioned applications.
Q: What should teams do when unused SaaS licenses keep accumulating?
A: They should automate reclamation based on actual usage, then align those actions to offboarding and recertification events. If a license is inactive but the account still exists, the problem is not cost alone. It is persistent access that no longer has a business need.
Technical breakdown
SaaS discovery becomes identity context when permission level matters
Traditional SaaS discovery answers a narrow question: what apps are present. Identity-aware SaaS management answers a broader one: who is using each app, whether that use is sanctioned, and what permissions are attached to the account or token behind it. That distinction matters because app counts do not reveal whether access is active, excessive, or delegated through another identity layer. Once usage data, SSO signals, and browser activity are combined, the platform can expose access that is technically valid but operationally unjustified. The governance value comes from correlating application presence with entitlement state and lifecycle status.
Practical implication: evaluate SaaS tools on entitlement context and lifecycle linkage, not on app inventory depth alone.
Shadow AI is a SaaS management problem with identity and data consequences
Shadow AI behaves like shadow IT with a faster blast radius. Employees can adopt AI apps independently, often outside procurement and IAM review, which means data can move through approved accounts, unmanaged browser sessions, or third-party tokens before security teams notice. SaaS management platforms that monitor AI app adoption are effectively extending app governance into identity and data control. The architectural issue is not simply whether an app is allowed, but whether its access path, user population, and data handling fall inside policy boundaries. That is why real-time detection and policy enforcement now matter in SaaS governance discussions.
Practical implication: treat AI app discovery as an access-control and data-governance workflow, not a reporting task.
Automated license rightsizing only works when usage data drives revocation
License optimisation is often marketed as savings, but from an identity perspective it is about stale access removal. If a platform can detect inactive usage and automatically reclaim or downgrade entitlements, it reduces the accumulation of unnecessary privileges across the SaaS stack. The mechanism depends on trustworthy usage telemetry, configurable thresholds, and a reversible workflow for exceptions. Without that, teams either over-retain licenses or remove access too aggressively. The strongest operational value comes when rightsizing is tied to joiner-mover-leaver signals and periodic recertification rather than isolated cleanup campaigns.
Practical implication: connect SaaS license reclamation to lifecycle events and access review cadence.
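As an added illustration of the two mechanisms described above (correlating each discovered app seat with entitlement and lifecycle state, then driving reclamation from usage thresholds, joiner-mover-leaver signals and reviewable exceptions), here is a small Python decision routine. It is example code, not Zluri's or any platform's logic; the record fields, the 90-day inactivity default and the sample inventory are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Entitlement:
    user: str
    app: str
    permission: str                 # "admin" or "member"
    lifecycle: str                  # joiner-mover-leaver state: "active", "mover", "leaver"
    last_used: Optional[date]       # None means no usage telemetry at all
    sanctioned: bool                # approved through procurement / IAM review
    exception_until: Optional[date] = None  # access-review exception, if one was granted

def decide(e: Entitlement, today: date, inactive_days: int = 90) -> tuple:
    """Return (action, reason) so every reclamation carries governance evidence."""
    if e.lifecycle == "leaver":
        return "revoke", "offboarded user still holds a seat"
    if not e.sanctioned:
        return "review", "unsanctioned app (shadow IT / shadow AI) routed to exception workflow"
    if e.exception_until and e.exception_until >= today:
        return "retain", f"approved exception valid until {e.exception_until}"
    dormant = e.last_used is None or (today - e.last_used).days > inactive_days
    if dormant and e.permission == "admin":
        return "downgrade", "dormant admin: reduce to member first, revocation stays reversible"
    if dormant:
        return "revoke", f"no usage in {inactive_days} days"
    if e.lifecycle == "mover" and e.permission == "admin":
        return "review", "role changed; admin entitlement needs recertification"
    return "retain", "active, sanctioned, within policy"

def rightsize(entitlements, today: date, inactive_days: int = 90) -> dict:
    return {(e.user, e.app): decide(e, today, inactive_days) for e in entitlements}

# Constructed sample inventory for illustration; not data from the page or any real tenant.
TODAY = date(2026, 5, 20)
SAMPLE = [
    Entitlement("alice", "figma", "admin", "active", TODAY - timedelta(days=120), True),
    Entitlement("bob", "figma", "member", "active", TODAY - timedelta(days=200), True),
    Entitlement("carol", "notion", "admin", "mover", TODAY - timedelta(days=3), True),
    Entitlement("dave", "jira", "member", "leaver", TODAY - timedelta(days=1), True),
    Entitlement("erin", "chatgpt", "member", "active", TODAY - timedelta(days=2), False),
    Entitlement("frank", "jira", "member", "active", None, True, date(2026, 12, 31)),
    Entitlement("heidi", "jira", "member", "active", None, True, date(2026, 1, 31)),
    Entitlement("grace", "jira", "member", "active", TODAY - timedelta(days=10), True),
]

if __name__ == "__main__":
    for (user, app), (action, reason) in rightsize(SAMPLE, TODAY).items():
        print(f"{user:6} {app:8} {action:9} {reason}")
```

The ordering of the checks is the point: offboarding and sanction status are evaluated before any usage threshold, an expired exception falls through to the dormancy rule, and a dormant admin is downgraded rather than deleted so the action can be reversed on appeal.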
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Visibility without entitlement context is not governance. A SaaS inventory can tell you how many applications exist, but it cannot tell you whether access is still justified, whether an account is dormant, or whether permissions exceed the user's current role. That distinction is central to OWASP-NHI and NIST CSF thinking because unmanaged access is the control failure, not app sprawl alone. The practitioner takeaway is simple: SaaS governance must evaluate entitlement state, not just application presence.
Shadow AI extends the SaaS problem into non-human and delegated access. Once employees can adopt AI tools independently, the identity boundary moves beyond sanctioned software into runtime data sharing and unreviewed access paths. That means SaaS governance is now intersecting with NHI patterns such as tokens, service credentials, and delegated integrations, even when teams did not label it as NHI work. The practitioner conclusion is that app governance and identity governance are converging faster than most operating models.
License optimisation is really lifecycle enforcement in disguise. Reclaiming unused access is not just a procurement win, it is a governance control that reduces privilege persistence across SaaS estates. When platforms automate that action, they are compensating for the fact that many organisations still lack reliable offboarding and access review discipline. The implication for practitioners is to treat SaaS licence data as lifecycle evidence, not just a cost-management dataset.
SaaS management platforms are becoming control-plane candidates, not standalone tools. The market is moving toward systems that can discover, evaluate, and act on access conditions in one place. That development matters because it pushes IAM teams to decide whether SaaS management belongs beside IGA, CASB, and lifecycle orchestration rather than in a separate operational silo. The practitioner conclusion is that tool selection should follow governance architecture, not departmental boundaries.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- The lifecycle angle is covered in the NHI Lifecycle Management Guide, which is the right next resource for offboarding and rotation planning.
What this signals
SaaS governance is converging with identity governance. As organisations add more apps, the decisive question is no longer only what they bought, but who can still reach it, how that access is validated, and whether the entitlement belongs in the current lifecycle state. A useful benchmark is that only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs, which shows how weak the underlying identity picture still is.
Shadow AI will push SaaS teams into NHI territory faster than most roadmaps anticipate. Browser-based adoption, delegated tokens, and unmanaged integrations mean the control problem is already spanning human users, non-human credentials, and semi-automated workflows. Teams that keep these domains separate will miss the cross-domain access paths that determine real risk.
The operational signal to watch is whether licence reclamation, access review, and offboarding actions share the same source of truth. If they do not, SaaS programmes will keep producing inventory but not governance, which is the difference between cost control and risk control.
For practitioners
- Map SaaS discovery to entitlement state: Require each discovered app to carry user, role, permission level, and lifecycle status so inventory can support access review decisions rather than just procurement visibility.
- Treat Shadow AI as governed access: Route unsanctioned AI app findings through the same approval, monitoring, and exception workflow used for shadow IT, including policy checks for data handling and account provenance.
- Automate reclamation from usage and offboarding signals: Tie license downgrade or revocation actions to inactivity thresholds, joiner-mover-leaver events, and recertification outcomes so stale access does not persist after business need changes.
- Review SaaS controls as part of the IAM operating model: Align SaaS management outputs with IGA, PAM, and NHI governance so app visibility, access reviews, and revocation actions all feed the same control plane.
Key takeaways
- SaaS management only becomes security-relevant when it tells you who can use each app and whether that access still belongs.
- Shadow AI turns SaaS discovery into an identity and data governance problem, not just an application inventory exercise.
- The practical test for platform selection is whether it connects discovery, entitlement review, and automated reclamation in one workflow.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Licence and access reclamation map to NHI rotation and lifecycle control gaps. |
| NIST CSF 2.0 | PR.AC-4 | SaaS entitlement management depends on least-privilege access control. |
| NIST Zero Trust (SP 800-207) | AC-1 | Continuous verification fits SaaS access that changes as usage and roles shift. |
Align SaaS access cleanup to NHI-03 by linking inactivity signals to revocation and review.
Key terms
- SaaS management platform: A SaaS management platform is a system used to discover, inventory, and control software-as-a-service usage across an organisation. In governance terms, it becomes useful when it connects application presence to users, permissions, spend, and lifecycle state so teams can act on access risk, not just list apps.
- Shadow AI: Shadow AI is the use of AI applications or AI-enabled services that are not fully sanctioned, monitored, or governed by the organisation. The risk is not only tool adoption. It is uncontrolled data flow, unmanaged identities, and access paths that bypass normal review and approval processes.
- Entitlement context: Entitlement context is the surrounding access information that explains what an identity can do inside an application and whether that access is still justified. It combines role, permission level, usage state, and lifecycle status, which turns a flat inventory into evidence for governance and remediation.
- Access reclamation: Access reclamation is the act of removing or downgrading permissions that are no longer needed. In SaaS environments, it is most effective when driven by usage data, offboarding signals, and recertification outcomes so stale access does not persist simply because the account or license still exists.
Deepen your knowledge
SaaS governance, app discovery, and lifecycle-linked access review are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls around shadow IT, shadow AI, and entitlement sprawl, it is worth exploring.
This post draws on content published by Zluri: SaaS Management Top 20 SaaS Management Platforms [2026]. Read the original.
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org