By NHI Mgmt Group Editorial Team | Published 2025-06-26 | Domain: Governance & Risk | Source: Zluri

TL;DR: Traditional software asset management struggles with SaaS discovery, usage control, renewal tracking, and offboarding, while SaaS management platforms are built for those workflows, according to Zluri. The governance shift is from license administration to continuous SaaS visibility, cost control, and access lifecycle management.


At a glance

What this is: A comparison of legacy software asset management (SAM) with SaaS management platforms (SMPs), arguing that SaaS-specific governance is better suited to modern app sprawl.

Why it matters: IAM, IGA, and security teams now need shared visibility into SaaS access, renewals, and offboarding, not just a software inventory.



Context

Software asset management was built for the era of packaged software, where procurement, deployment, and licence reconciliation were the main control points. SaaS changes the problem: the control surface is now discovery, subscription lifecycle, access review, and offboarding across many independently adopted applications.

For identity teams, the issue is not just spend efficiency. SaaS tools often sit on top of human identity, delegated admin access, and non-human access paths through APIs and integrations, which means governance has to extend beyond asset tracking into access lifecycle control. Traditional SAM can describe the inventory, but it does not fully govern the identity relationships that make SaaS risky.

The practical question is whether the operating model can see who has access, who owns each app, when renewals occur, and how access is removed when usage ends. That is where SaaS management platforms and identity governance start to overlap, and where the limits of legacy SAM become obvious.


Key questions

Q: How should teams govern SaaS applications beyond basic software asset management?

A: Treat SaaS governance as an identity and lifecycle problem, not just a procurement problem. Teams should connect discovery, ownership, access review, renewal approval, and offboarding so each application has a clear accountable owner and a visible access path. That reduces waste, closes abandoned access, and improves audit readiness.

Q: Why do SaaS tools create governance gaps that traditional SAM misses?

A: Traditional SAM focuses on licences and deployment, while SaaS usage often starts through SSO, direct login, or integrations that bypass procurement visibility. That means a team can know what was bought without knowing who is using it, who owns it, or when access should end. The gap is lifecycle control.

Q: How can organisations tell if SaaS management is actually working?

A: Look for fewer orphaned subscriptions, shorter time to remove access after offboarding, cleaner renewal decisions, and a lower number of duplicate applications. If the platform only reports spend but does not change access or renewal outcomes, it is not functioning as a governance control.

Q: Who should be accountable when SaaS access or renewals get out of control?

A: Accountability should sit with named application owners, supported by IAM, procurement, and security. The key is that ownership must be explicit enough to answer who approves access, who validates renewal need, and who removes access when the app is no longer required.


Technical breakdown

Why SAM breaks down in SaaS environments

Software asset management was designed around fixed licences, endpoint deployment, and periodic compliance checks. SaaS is different because access is fluid, subscriptions change continuously, and app usage often starts outside central procurement. That makes discovery, ownership, and renewal management more important than static licence counts. In practice, SAM can still help with broader software governance, but it does not natively follow the identity and access relationships that define SaaS risk. When access is created and removed through federated login, app integrations, and browser-based adoption, the real control problem becomes lifecycle visibility rather than asset inventory.

Practical implication: use SAM for legacy licence governance, but do not rely on it as the primary control for SaaS access and offboarding.

How SaaS management platforms change the control model

A SaaS management platform centralises discovery, usage analytics, subscription ownership, and renewal tracking. That matters because SaaS risk rarely comes from a single application. It comes from many small, unmanaged decisions: duplicate apps, abandoned subscriptions, overprovisioned tiers, and missed renewals. A platform built for SaaS can connect these events into a control loop, but the governance value only appears if identity, finance, and security teams share the same operating view. The platform becomes a coordination layer for access, cost, and compliance, not just an optimisation dashboard.

Practical implication: require shared ownership across IAM, procurement, and security before treating SaaS management as a governance control.

SaaS discovery is an identity problem as much as a procurement problem

Discovery is often described as inventory work, but in SaaS environments it is really an identity mapping exercise. Apps can be adopted through SSO, direct login, expense reimbursement, or third-party integration, which means central teams need multiple signals to understand actual use. Zluri’s example of nine discovery methods reflects that complexity. The deeper point is that unauthorised or forgotten SaaS usage cannot be governed if the organisation only sees what it purchased. Discovery has to reveal where identities are active, not just where contracts exist.

Practical implication: combine discovery sources so app ownership, access, and usage are visible before renewal or access-review decisions are made.


Threat narrative

Attacker objective: There is no classic intrusion in this narrative. The failure mode is persistent, unmanaged SaaS access that creates avoidable cost and governance exposure, and that leaves credentials, tokens, and admin roles in place for anyone who later obtains them.

  1. Entry happens when users or teams adopt SaaS applications outside a central governance process, creating blind spots in inventory and ownership.
  2. Escalation occurs when duplicate, unused, or overprivileged subscriptions remain active because access and renewal controls are not connected.
  3. Impact appears as overspend, compliance exposure, and abandoned access that persists after business need has ended.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

SaaS governance has become an identity problem disguised as an asset problem. The article frames SAM as an inventory discipline and SMP as a SaaS control layer, but the real shift is that access, ownership, and offboarding now define the governance outcome. Procurement alone cannot see delegated access paths, and licence reconciliation alone cannot remove abandoned identity relationships. Practitioners should treat SaaS governance as part of the identity lifecycle.

Legacy SAM assumes software is purchased, deployed, and retired in discrete cycles. SaaS adoption breaks that assumption because applications are often discovered after they are already in use, and access can spread through SSO, direct login, and integrations. That means the control problem is continuous visibility rather than periodic reconciliation. The implication is that asset models without identity telemetry will miss the highest-risk SaaS behaviours.

App ownership is the missing governance control in most SaaS programmes. The article repeatedly returns to renewals, offboarding, and waste, which all depend on someone being accountable for each app. Without named ownership, access lingers, duplicate apps multiply, and compliance evidence becomes fragmented. Practitioners should make ownership assignment a required condition for SaaS approval and renewal.

The named concept here is SaaS identity shadowing: identities and access paths that remain active inside SaaS tools after the business reason for them has moved on. This is not the same as simple software sprawl because the risk sits in the live identity relationship, not the subscription record. The practitioner implication is clear: treat unused SaaS access as an identity governance failure, not just a cost inefficiency.

SMPs matter because they surface the operating data that traditional SAM never needed to collect. Discovery methods, usage analytics, renewal calendars, and offboarding workflows give teams a richer picture of SaaS control health. But those signals only help if they feed governance decisions across IAM, finance, and security. Practitioners should measure whether their SaaS platform is changing decisions, not just producing reports.

From our research:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • That rotation gap is part of a broader governance pattern covered in NHI Lifecycle Management Guide, where provisioning, rotation, and offboarding need to move together.

What this signals

SaaS identity shadowing: expect more organisations to treat unmanaged SaaS usage as an identity lifecycle issue rather than a cost-only issue. As app sprawl grows, the control question becomes whether discovery feeds ownership, access review, and offboarding quickly enough to matter.

The programmes most exposed are the ones that still separate procurement data from identity data. When renewals happen without access validation, abandoned apps and lingering tokens become invisible governance debt, even if the spend looks normal on paper.

Teams that already map service access using the lifecycle processes described in our Ultimate Guide to NHIs will find the transition easier, because the same lifecycle discipline applies to SaaS subscriptions and delegated access paths.


For practitioners

  • Map SaaS control ownership to identity ownership. Assign each SaaS application a business owner, an access owner, and a renewal owner so discovery, access review, and offboarding are not handled by separate teams with conflicting views.
  • Connect discovery to identity telemetry. Use SSO logs, directory data, and app integrations alongside procurement records so the organisation can see where SaaS is actually used, not just what has been bought.
  • Tie renewals to access validation. Require renewal approval to confirm current users, active integrations, and business justification before a subscription is extended, especially for apps with admin or data-sharing privileges.
  • Automate offboarding for abandoned SaaS access. Remove app access when users depart or when applications are no longer in use, and verify that integrations, tokens, and admin roles are also revoked.
  • Review duplicate apps before contract renewal. Identify overlapping SaaS products and consolidate them only after checking whether each app has distinct identity, data, or compliance requirements that justify its retention.
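As an added illustration of three of the points above (connecting discovery to identity telemetry, tying renewals to access validation, and catching access that survives offboarding), the following Python is example code written for this page; it is not Zluri's or NHIMG's tooling. It assumes three constructed inputs: a comma-separated SSO sign-in log, a directory export with a lifecycle status per user, and a procurement register with a contract owner and renewal date per app. The 90-day inactivity rule, the app names, and every identity in it are assumptions made for the example. Real IdP and SMP exports would be mapped into the same three shapes before the reconciliation runs.

```python
"""Reconcile SSO sign-ins, a directory export and a procurement register to
surface SaaS governance gaps. All input data below is constructed for the example.
"""
from datetime import date, timedelta
from typing import NamedTuple

AS_OF = date(2025, 6, 26)            # evaluation date (constructed)
INACTIVE_AFTER = timedelta(days=90)  # assumed rule: no sign-in for 90 days means unused

# Constructed IdP/SSO sign-in log, one event per line: date,user,app,role
SSO_LOG = """\
2025-06-20,alice@example.com,Figma,admin
2025-06-24,bob@example.com,Figma,member
2025-03-01,carol@example.com,Asana,member
2025-06-25,dave@example.com,Notion,admin
2025-06-22,erin@example.com,Lucidchart,member
"""

# Constructed directory export: user -> lifecycle status
DIRECTORY = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "active",
    "dave@example.com": "terminated",  # left the company; SaaS access should be gone
    "erin@example.com": "active",
}

# Constructed procurement register: app -> (contract owner, renewal date)
PROCUREMENT = {
    "Figma": ("alice@example.com", date(2025, 8, 1)),
    "Asana": ("carol@example.com", date(2025, 7, 15)),
    "Miro": ("bob@example.com", date(2025, 7, 1)),  # bought, never signed into
}

class SignIn(NamedTuple):
    when: date
    user: str
    app: str
    role: str

def parse_sso_log(text: str = SSO_LOG) -> list[SignIn]:
    """Parse the comma-separated sign-in log into SignIn records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, app, role = line.strip().split(",")
        events.append(SignIn(date.fromisoformat(when), user, app, role))
    return events

def last_sign_in_by_app(events: list[SignIn]) -> dict[str, date]:
    """Most recent sign-in date observed per app."""
    last: dict[str, date] = {}
    for e in events:
        if e.app not in last or e.when > last[e.app]:
            last[e.app] = e.when
    return last

def shadow_saas(events: list[SignIn], procurement=PROCUREMENT) -> set[str]:
    """Apps with real sign-ins but no procurement record: used, not bought."""
    return {e.app for e in events} - set(procurement)

def unused_contracts(events, procurement=PROCUREMENT, as_of=AS_OF,
                     inactive_after=INACTIVE_AFTER) -> set[str]:
    """Contracted apps with no sign-in inside the window: bought, not used."""
    last = last_sign_in_by_app(events)
    return {app for app in procurement
            if app not in last or as_of - last[app] > inactive_after}

def departed_user_access(events, directory=DIRECTORY) -> list[tuple[str, str, str]]:
    """(user, app, role) for sign-ins by users the directory does not mark active.
    Users missing from the directory entirely are reported too: unknown is not active."""
    return sorted({(e.user, e.app, e.role) for e in events
                   if directory.get(e.user) != "active"})

def renewal_evidence(app: str, events, procurement=PROCUREMENT, directory=DIRECTORY,
                     as_of=AS_OF, inactive_after=INACTIVE_AFTER) -> dict:
    """Evidence a renewal approver should see before extending a contract."""
    owner, renewal_date = procurement[app]
    app_events = [e for e in events if e.app == app]
    last = last_sign_in_by_app(app_events).get(app)
    return {
        "owner": owner,
        "owner_active": directory.get(owner) == "active",
        "renewal_date": renewal_date,
        "active_users": sorted({e.user for e in app_events
                                if directory.get(e.user) == "active"}),
        "admins": sorted({e.user for e in app_events if e.role == "admin"}),
        "last_sign_in": last,
        "unused": last is None or as_of - last > inactive_after,
    }

def governance_report(text: str = SSO_LOG) -> dict:
    """Run all three checks plus renewal evidence for every contracted app."""
    events = parse_sso_log(text)
    return {
        "shadow_saas": shadow_saas(events),
        "unused_contracts": unused_contracts(events),
        "departed_user_access": departed_user_access(events),
        "renewals": {app: renewal_evidence(app, events) for app in PROCUREMENT},
    }
```

On the constructed data, governance_report() flags Notion and Lucidchart as shadow SaaS (signed into, never procured), Asana and Miro as renewal candidates with no recent use, and a terminated user who still holds an admin role in a shadow app. That last case is the one neither a procurement file nor a licence count can see: the app has no contract record and the user has no directory standing, so only the join of SSO telemetry with directory status exposes it.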

Key takeaways

  • SaaS management is no longer just a software inventory problem. Identity ownership, access removal, and renewal discipline now determine whether SaaS governance actually works.
  • Traditional SAM can track licences, but it cannot fully govern the live identity relationships inside SaaS. That gap is where waste, orphaned access, and audit exposure accumulate.
  • Practitioners should connect discovery to lifecycle controls. If discovery does not feed ownership, access review, and offboarding, the programme is reporting on risk rather than reducing it.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.

  • OWASP Non-Human Identity Top 10, NHI-03 (Vulnerable Third-Party NHI): SaaS access and renewal gaps mirror poor lifecycle control for non-human access paths through third-party integrations; the abandoned-access failure described on this page is also the subject of NHI-01 (Improper Offboarding).
  • NIST CSF 2.0, PR.AA-05 (the CSF 1.1 identifier was PR.AC-4): SaaS ownership and access validation map to managed, reviewed access permissions that incorporate least privilege.
  • NIST Zero Trust Architecture (SP 800-207): continuous verification is relevant where SaaS access and integrations change over time.

Use zero-trust principles to continuously verify SaaS users, integrations, and privileged app access.


Key terms

  • SaaS Management Platform: A SaaS management platform is software used to discover, monitor, and govern cloud applications across the organisation. It typically tracks subscriptions, usage, renewals, and owners so teams can reduce waste and improve control over access and compliance.
  • Software Asset Management: Software asset management is the discipline of tracking software purchases, deployments, licences, and compliance obligations across an organisation. It is effective for packaged software governance, but it was not designed to fully manage the dynamic identity and subscription patterns of SaaS.
  • SaaS Identity Shadowing: SaaS identity shadowing is the condition where active identities, access paths, or integrations remain present in SaaS applications after the organisation has lost track of them. The risk sits in the live identity relationship, not just in the subscription record or procurement file.
  • App Ownership: App ownership is the assignment of clear accountability for a SaaS application across access, renewal, and business justification. It ensures there is a named decision-maker for who may use the app, when it should be renewed, and how it should be removed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: SaaS Management SAM vs. SMP: Why SMP is a Better Option for SaaS Management. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org