TL;DR: SaaS management platforms help IT teams recover visibility, reduce redundant apps, manage licenses and contracts, and surface security risk across a growing SaaS stack, including shadow IT and unauthorized access attempts, according to Zluri. The deeper issue is not software sprawl alone, but the identity and governance gaps that appear when access, usage, and lifecycle controls are fragmented.
At a glance
What this is: This is a SaaS management platform explainer that says SaaS sprawl creates visibility, licensing, contract, and security gaps that IT teams need to centralise.
Why it matters: It matters because SaaS sprawl is also identity sprawl, and IAM, IGA, and PAM teams need a clearer view of which apps, licenses, and access paths are actually in use.
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
👉 Read Zluri's article on why SaaS management platforms matter for IT teams
Context
SaaS sprawl is a governance problem before it is a tooling problem. When applications are bought outside IT, licenses go untracked, renewals slip, and access decisions become disconnected from ownership and review. For identity teams, that means the control plane for human access, service accounts, and delegated app access is no longer consistent across the estate.
A SaaS management platform tries to restore that control plane by discovering apps, classifying them, and linking usage to cost and risk. That matters because many organisations still manage access and application inventory in separate workflows, which leaves gaps between who can use a service, who pays for it, and who is accountable when something goes wrong.
Key questions
Q: How should security teams govern SaaS sprawl across identity and procurement workflows?
A: They should build one control view that connects discovery, ownership, licensing, and access review. SaaS sprawl becomes manageable when every application is tied to a business owner, a login source, and a renewal decision. That prevents shadow IT from turning into shadow access and stops procurement from renewing services that no longer have a valid identity or business need.
Q: Why does SaaS sprawl create identity risk as well as cost waste?
A: Because unmanaged applications often carry active user access, delegated permissions, and stored data even when no one is tracking them centrally. That means the same app that wastes money can also widen the attack surface, create stale entitlements, and bypass normal review cycles. Identity teams should treat unused software as a governance signal, not just a budget issue.
Q: How do teams know whether SaaS governance is actually working?
A: Look for decreasing counts of unmanaged applications, fewer duplicate tools, shorter renewal exceptions, and a tighter match between licensed seats and active users. If the organisation still cannot answer which apps are approved, who owns them, and what data they can reach, governance is only partially effective. Visibility without action is not control.
Q: What is the difference between SaaS inventory and SaaS governance?
A: SaaS inventory tells you what exists. SaaS governance tells you who owns it, who can use it, what it costs, what data it can reach, and when access or contracts should end. Inventory is descriptive. Governance is decision-oriented and lifecycle-based, which is what security, IAM, and procurement teams need to reduce both risk and waste.
Technical breakdown
SaaS discovery is really identity and application inventory correlation
The article’s discovery model relies on multiple signals, including SSO, identity providers, finance systems, app integrations, browser extensions, and optional desktop agents. That approach is useful because no single telemetry source gives a complete view of SaaS usage. In practice, discovery becomes a correlation problem: mapping a login, a payment trail, and an app record to the same service so IT can tell what is sanctioned, shadowed, or simply forgotten. Without that correlation, the organisation cannot distinguish a dormant app from one that still has active delegated access or sensitive data exposure.
Practical implication: build a single SaaS inventory that ties identity signals to procurement and security data before you try to govern renewals or access.
License and contract data become governance signals when linked to usage
The article frames license management as more than cost control. When you can see purchased seats, active users, unassigned licenses, renewal dates, and contract terms in one place, you can spot waste and reduce orphaned entitlements. That is an identity governance pattern as much as a procurement one, because unused licenses often indicate access that was never reclaimed, or at least was never validated against actual need. The real technical value is not the dashboard itself. It is the ability to compare contractual entitlement with observed use and then act on the mismatch.
Practical implication: align license reviews with access reviews so unused seats and stale entitlements are removed through the same workflow.
Security scoring for SaaS depends on data exposure and access scope
The post describes risk scoring that considers events, data shared, compliance posture, and security probes. That is the right architectural direction because SaaS risk is not only about whether an app is approved, but what it can touch and who can do what inside it. Read-only access is lower risk than modify or delete access, and broad access to repositories, file stores, or collaboration data raises the impact of any compromise. From an identity perspective, the important issue is not just the app's trust level. It is the breadth of authority granted to users and the app itself.
Practical implication: rank SaaS applications by data access scope and delegated privilege, then prioritise review of high-impact applications first.
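To make the three points above concrete (correlating login, payment and app-grant signals into one record; comparing purchased seats with active users; ranking apps by delegated scope), here is an added Python example that is not Zluri's code or anything from the article. The app names, signal records, scope strings and the scope weighting are constructed for illustration.

```python
"""Correlate SSO logins, finance records and app grants into one SaaS inventory."""
from collections import defaultdict
from datetime import date

AS_OF = date(2025, 6, 26)  # constructed "today" for the stale-access check

# Constructed sample telemetry, one list per signal source (not real data).
SSO_LOGINS = [  # (app, user, last_login) from the identity provider
    ("Figma", "alice", date(2025, 6, 20)),
    ("Figma", "bob", date(2025, 6, 18)),
    ("OldCRM", "carol", date(2025, 1, 5)),
]
FINANCE = [  # (app, seats_purchased, renewal_date) from expense/contract data
    ("Figma", 5, date(2025, 9, 1)),
    ("OldCRM", 10, date(2025, 7, 15)),
    ("NotesApp", 3, date(2025, 8, 1)),  # paid for, never seen in SSO
]
APP_GRANTS = [  # (app, delegated OAuth-style scopes) from app integrations
    ("Figma", {"files:read"}),
    ("OldCRM", {"contacts:read", "contacts:write", "contacts:delete"}),
]
SCOPE_WEIGHT = {"read": 1, "write": 3, "delete": 5}  # assumed impact weights


def correlate(today=AS_OF, stale_days=90):
    """Merge the three sources per app and classify each app's status and risk."""
    inv = defaultdict(lambda: {"users": set(), "last_login": None, "seats": 0,
                               "renewal": None, "scopes": set()})
    for app, user, when in SSO_LOGINS:
        rec = inv[app]
        rec["users"].add(user)
        rec["last_login"] = max(rec["last_login"] or when, when)
    for app, seats, renewal in FINANCE:
        inv[app]["seats"], inv[app]["renewal"] = seats, renewal
    for app, scopes in APP_GRANTS:
        inv[app]["scopes"] |= scopes
    out = {}
    for app, rec in inv.items():
        active = len(rec["users"])
        if rec["last_login"] is None:
            status = "shadow"     # payment trail but no identity-provider trail
        elif (today - rec["last_login"]).days > stale_days:
            status = "dormant"    # seats and grants still live, no recent use
        else:
            status = "sanctioned"
        # Breadth of delegated authority: weight each scope by its verb.
        risk = sum(SCOPE_WEIGHT[s.split(":")[1]] for s in rec["scopes"])
        out[app] = {"status": status, "active_users": active,
                    "unused_seats": max(rec["seats"] - active, 0),
                    "renewal": rec["renewal"], "risk_score": risk}
    return out


def review_queue(today=AS_OF):
    """Apps ordered for review: widest delegated scope first, then most unused seats."""
    inv = correlate(today)
    return sorted(inv, key=lambda a: (-inv[a]["risk_score"], -inv[a]["unused_seats"], a))
```

OldCRM surfaces first even though it still has a login: its write and delete scopes outweigh its single active user, which is exactly the dormant-but-privileged case the text describes.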
NHI Mgmt Group analysis
SaaS management has become an identity governance problem, not just an operations problem. The article shows that discovery, licensing, renewals, and security review are all being pulled into one operational layer because SaaS buying has outpaced manual administration. That matters because the same identity gaps that create shadow IT also create shadow entitlements, especially when app ownership is unclear. The practitioner conclusion is that SaaS governance now belongs in the same conversation as access governance, not after it.
Identity and app inventory drift is the core failure mode behind SaaS sprawl. Discovery methods can improve visibility, but the deeper issue is that many organisations do not maintain a durable link between app record, identity source, and business owner. When that link breaks, access reviews become partial, renewal decisions become guesswork, and security scoring becomes incomplete. The practitioner conclusion is that inventory quality is now a control, not a reporting feature.
Shadow IT becomes shadow access when unmanaged apps carry delegated permissions. The article’s focus on unmanaged and restricted apps is a reminder that application approval status does not tell you whether the app still has meaningful access to data or downstream systems. That is where SaaS risk crosses from procurement into IAM and PAM territory. The practitioner conclusion is to treat app classification and entitlement review as one governance motion.
Renewal management is a lifecycle control, not just a procurement calendar. The article’s renewal alerts, contract visibility, and usage tracking all point to the same operational truth: if access and payment are not reconciled, organisations will keep funding services and permissions that no longer match business need. That is where lifecycle governance should lead, because offboarding SaaS is as much about reclaiming authority as cancelling spend. The practitioner conclusion is to connect renewal workflows to access revocation workflows.
96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools. This wider NHI risk pattern explains why SaaS governance cannot stop at app inventory. If the application layer is only partially visible, the secrets and tokens behind it are often even less controlled, which expands the blast radius of a compromise. The practitioner conclusion is to extend SaaS governance into secrets and workload identity oversight.
From our research:
- Strong SaaS governance is part of a broader identity control problem: 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- The visibility gap is equally structural, with only 5.7% of organisations having full visibility into their service accounts, according to Ultimate Guide to NHIs.
- For teams maturing governance, start with the NHI Lifecycle Management Guide to connect discovery, ownership, and offboarding into one operating model.
What this signals
SaaS sprawl is increasingly a lifecycle issue. Once an application is discovered, the harder work is deciding whether it should remain approved, who owns the entitlement, and how access will be removed when usage drops. That is why SaaS governance should sit alongside NHI lifecycle management and not be treated as a procurement-only workflow.
The next maturity step is to connect SaaS governance with identity standards such as the NIST Cybersecurity Framework 2.0. The organisation that can correlate inventory, ownership, access, and data exposure will be better positioned to reduce both shadow IT and unreviewed privilege.
Identity surface expansion: as SaaS counts grow, the control problem shifts from finding apps to proving that every app has an accountable owner, a valid use case, and an offboarding path. Teams that cannot answer those three questions will keep carrying invisible risk in the stack.
For practitioners
- Correlate SaaS discovery across identity, finance, and app telemetry: build a single inventory that reconciles SSO logs, identity provider records, expense data, and direct app integrations so unmanaged applications can be identified without manual chasing.
- Link license reviews to access reviews: use unassigned and underused licenses as a trigger to confirm whether the underlying access should be removed, reassigned, or recertified.
- Prioritise high-risk applications by data authority: rank SaaS apps by what they can read, modify, or delete, and start with services that touch sensitive shared data or critical business systems.
- Tie renewals to ownership and offboarding: require a named owner to approve renewal decisions and make cancellation workflows part of the same process used to revoke access and archive records.
Key takeaways
- SaaS management becomes a governance control when discovery, ownership, licensing, and security review are linked in one workflow.
- The article’s operational value is visibility into shadow IT, duplicate tools, renewal timing, and application risk, all of which affect identity and access decisions.
- The practical response is to connect SaaS inventory to access review, offboarding, and renewal decisions so unused services do not persist as hidden risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-1 | SaaS discovery depends on maintaining an asset inventory across apps and identities. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Unmanaged SaaS apps often hide secrets and delegated access, a core NHI visibility problem. |
| NIST Zero Trust (SP 800-207) | | SaaS access visibility supports continuous verification and least-privilege enforcement. |
Inventory SaaS-linked secrets and credentials so hidden non-human access can be reviewed and removed.
Key terms
- SaaS sprawl: SaaS sprawl is the uncontrolled growth of software as a service applications across an organisation. It usually creates overlapping tools, unclear ownership, inconsistent access controls, and governance gaps that make it harder to manage security, cost, and lifecycle decisions together.
- Shadow IT: Shadow IT is the use of applications or services without approval or visibility from central IT or security teams. In practice, it often emerges when users adopt tools to solve immediate problems, but the organisation then loses control over access, data handling, and renewal decisions.
- License governance: License governance is the process of tracking purchased seats, active use, renewal timing, and ownership so software entitlement matches business need. It becomes a control function when unused licenses are removed, reassigned, or tied to access review rather than left to drift.
- Application entitlement: Application entitlement is the permission or access level a user, app, or service has within a software system. It matters because entitlement determines what data can be reached, changed, or deleted, and stale entitlements can remain active long after the original need has disappeared.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: 5 reasons why you need a SaaS management platform. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org