By NHI Mgmt Group Editorial Team
Published 2026-05-20
Domain: Governance & Risk
Source: Zluri

TL;DR: SaaS management platforms are moving beyond inventory and license cleanup toward discovery, access governance, and shadow AI control, according to Zluri’s 2026 platform roundup. The shift matters because SaaS visibility alone does not answer who has access, how that access is used, or whether it should still exist.


At a glance

What this is: This is a 2026 roundup of SaaS management platforms, with the key finding that modern SMPs are being evaluated on discovery, access governance, license optimisation, and shadow AI controls, not just app inventory.

Why it matters: It matters because IAM, NHI, and human access programmes increasingly intersect inside SaaS estates, where unmanaged apps, unused licences, and unauthorized AI tools can all create governance blind spots.


👉 Read Zluri's 2026 roundup of top SaaS management platforms


Context

SaaS management platforms are meant to close the gap between what an organisation thinks it has deployed and what employees are actually using. In practice, the problem is not just software sprawl. It is the governance gap between discovery, entitlement, and enforcement across SaaS apps, user access, and emerging AI app adoption.

For IAM teams, that gap now sits across human accounts, service accounts, and non-human access paths inside SaaS tools. A platform that only inventories apps leaves unanswered questions about who can use them, which permissions are still justified, and how quickly dormant or shadow applications are removed from the access model.


Key questions

Q: How should security teams govern shadow AI inside SaaS environments?

A: Security teams should treat shadow AI as an identity and data governance issue, not just an application approval problem. The practical goal is to bind AI tool discovery to user attribution, access policy, and data handling rules so unsanctioned tools can be evaluated and restricted within the same governance workflow as other SaaS apps.

Q: Why do SaaS platforms need to connect discovery with access review?

A: Discovery without access review leaves organisations with a list of apps but no decision path for removing unnecessary access. Connecting the two lets teams validate ownership, confirm whether usage is justified, and route dormant or unmanaged apps into the recertification process before they become long-lived governance gaps.

Q: When should organisations prioritise licence reclaim over new app buying?

A: Organisations should prioritise licence reclaim when usage data shows repeated inactivity, duplicate tools, or role mismatch across existing subscriptions. In many SaaS estates, the problem is not lack of software but excess entitlement, so reclaiming unused access often produces faster governance and budget benefits than adding more tools.

Q: What is the difference between SaaS management and identity governance?

A: SaaS management focuses on discovering applications, optimising licences, and tracking usage, while identity governance decides who should retain access and under what conditions. In mature programmes, the two overlap because app visibility becomes most valuable when it drives access reviews, deprovisioning, and policy enforcement.


Technical breakdown

SaaS discovery is now a control-plane problem

Modern SaaS discovery reconstructs application usage from several telemetry sources at once: API integrations, SSO logs, browser activity, and finance system signals. No single source captures sanctioned apps, shadow IT, and unmanaged AI tools in one view, so the sources have to be correlated. The technical shift is from a static inventory to contextual identity mapping, where usage, ownership, and access level are attached to each app record.

Practical implication: require discovery data that can drive entitlement decisions, not just reporting dashboards.

Licence optimisation depends on usage telemetry, not renewal dates

Traditional licence management treats renewals as calendar events. A more useful model ties reclaims, downgrades, and reassignments to observed usage thresholds. That approach turns SaaS management into an access lifecycle mechanism, because underused licences usually indicate stale entitlement, inactive accounts, or role mismatch. In identity terms, the platform becomes a signal source for recertification and deprovisioning.

Practical implication: if usage data cannot trigger action, the programme is still an inventory process.

Shadow AI governance extends SaaS control into new identity risk

Shadow AI changes the scope of SaaS management because AI tools can move data, retain prompts, and create access paths outside established approval workflows. The control problem is not only app approval, but also data handling, user authorisation, and policy enforcement when employees adopt generative AI tools independently. That is why SaaS governance now overlaps with human IAM and NHI oversight in the same operating model.

Practical implication: treat unsanctioned AI apps as an identity and data governance issue, not a procurement problem.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

App inventory is no longer the primary governance outcome. The market has moved toward control of access, usage, and enforcement inside the SaaS estate. A platform that only lists applications leaves the core identity questions unresolved, especially when shadow IT and shadow AI both create access paths that do not begin with formal approval. Practitioners should treat inventory as the starting point, not the control objective.

Shadow AI turns SaaS management into an identity boundary problem. The governance issue is no longer limited to sanctioned business software. Employees are independently adopting AI tools that can receive data, expose it, and sit outside normal app review cycles. That means SaaS management now has to intersect with human access policy, data handling rules, and application approval state in one programme. Practitioners should re-evaluate where SaaS governance ends and identity governance begins.

Usage-based lifecycle control is replacing static licence administration. Renewal dates, licence counts, and app lists do not tell you whether access still makes sense. The more relevant question is whether usage telemetry can justify keeping an entitlement in place. That is a lifecycle question, not a procurement question, and it affects both human accounts and non-human access paths inside SaaS ecosystems. Practitioners should align SaaS controls with recertification and deprovisioning workflows.

Identity governance inside SaaS is becoming a convergence layer. The strongest platform pattern is the one that connects discovery, access review, and deprovisioning rather than treating them as separate workflows. That is useful because SaaS risk is rarely isolated to one control failure. It is usually the combination of unmanaged apps, excessive access, and delayed offboarding. Practitioners should judge platforms by how well they close that loop.

The finding that only 5.7% of organisations have full visibility into their service accounts means visibility gaps remain structural. When the same programme must now account for SaaS apps, AI tools, and machine identities, partial visibility is not enough. The implication is not that teams need more reporting, but that they need governance models capable of acting on incomplete discovery. Practitioners should expect the next wave of SaaS tooling to be evaluated on enforceable identity context, not catalogue depth.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
  • SaaS sprawl and NHI sprawl often converge in the same access layer, which is why the NHI Lifecycle Management Guide is the natural next step for teams trying to close discovery-to-offboarding gaps.

What this signals

App discovery is only useful when it changes the access decision. SaaS programmes that stop at inventory will keep missing the governance point, especially as shadow AI becomes part of the same estate. Practitioners should expect the next generation of SaaS management to be judged by whether it can trigger access review, deprovisioning, and policy enforcement without forcing a separate workflow.

Only 5.7% of organisations have full visibility into their service accounts, according to NHI Mgmt Group research, and that visibility problem is now spilling into SaaS estates. When applications, user access, and machine identities are all part of the same workflow, teams need a unified control model that can survive incomplete discovery. The programme signal is clear: governance maturity will be measured by actionability, not inventory size.


For practitioners

  • Tie SaaS discovery to access review workflows: require every newly discovered application to create an access review task, with ownership, usage level, and approval status captured before the app is treated as sanctioned.
  • Link licence reclaim rules to real usage thresholds: set reclaim and downgrade conditions based on observed inactivity, not renewal calendars, so dormant entitlement becomes actionable rather than merely visible.
  • Extend governance controls to shadow AI apps: classify unsanctioned AI tools under the same approval and data-handling policy set used for SaaS applications, including user attribution and policy enforcement.
  • Connect SaaS offboarding to identity lifecycle events: trigger deprovisioning when a user leaves, changes role, or loses business need, and ensure SaaS access is removed across the application stack rather than one app at a time.
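The four steps above, together with the multi-source discovery and usage-threshold reclaim described in the technical breakdown, as one added Python example. This is illustrative code written for this page, not Zluri's code or any platform's API: it merges constructed SSO, browser and finance records into a single inventory, then emits the lifecycle actions a governance workflow would consume (reclaim on inactivity, review tasks for shadow IT and shadow AI, a flag for paid apps with no usage signal). The approved catalogue, the hostname and vendor mappings, the AI-tool host list, the 45-day inactivity threshold and the fixed clock are all assumptions.

```python
"""Added example: turn SaaS discovery signals into lifecycle actions.

All telemetry below is constructed sample data. The catalogue, host and
vendor mappings, AI-host list and inactivity threshold are assumptions,
not a reproduction of any vendor's product logic.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# --- assumptions used by the example -------------------------------------
SANCTIONED = {"github", "salesforce", "zoom"}           # approved app catalogue
AI_HOSTS = {"chat.openai.com", "claude.ai"}             # hypothetical AI-tool classifier
HOST_TO_APP = {"chat.openai.com": "chatgpt", "notion.so": "notion"}
VENDOR_TO_APP = {"Notion": "notion", "Salesforce": "salesforce", "Zoom": "zoom"}
INACTIVITY_DAYS = 45                                    # reclaim threshold (assumed)
NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)        # fixed clock for reproducibility

# --- constructed telemetry (not real customer data) ----------------------
SSO_EVENTS = [                     # (user, app, last login) from the identity provider
    ("alice", "github", "2026-05-18T09:12:00Z"),
    ("bob", "github", "2026-02-01T10:00:00Z"),
    ("alice", "salesforce", "2026-05-19T08:00:00Z"),
]
BROWSER_EVENTS = [                 # (user, hostname, timestamp) from browser telemetry
    ("carol", "chat.openai.com", "2026-05-19T14:30:00Z"),
    ("bob", "notion.so", "2026-05-17T11:00:00Z"),
]
FINANCE_RECORDS = [                # (vendor, cost-centre owner, monthly cost) from AP data
    ("Notion", "bob", 120.0),
    ("Salesforce", "alice", 4000.0),
    ("Zoom", "dave", 300.0),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class AppRecord:
    name: str
    sources: Set[str] = field(default_factory=set)                 # which signals saw it
    last_seen: Dict[str, datetime] = field(default_factory=dict)   # user -> latest activity
    owner: Optional[str] = None                                    # from finance data
    monthly_cost: float = 0.0
    is_ai: bool = False


@dataclass(frozen=True)
class Action:
    app: str
    subject: str   # user (reclaim) or owner (review) the task is raised against
    kind: str      # reclaim | shadow_it_review | shadow_ai_review | no_usage_signal
    reason: str


def _touch(rec: AppRecord, user: str, when: datetime) -> None:
    """Keep only the most recent activity timestamp per user."""
    prev = rec.last_seen.get(user)
    if prev is None or when > prev:
        rec.last_seen[user] = when


def build_inventory(sso, browser, finance) -> Dict[str, AppRecord]:
    """Merge three discovery sources into one record per application."""
    inv: Dict[str, AppRecord] = {}

    def get(app: str) -> AppRecord:
        return inv.setdefault(app, AppRecord(name=app))

    for user, app, ts in sso:
        r = get(app); r.sources.add("sso"); _touch(r, user, parse_ts(ts))
    for user, host, ts in browser:
        r = get(HOST_TO_APP.get(host, host)); r.sources.add("browser")
        r.is_ai = r.is_ai or host in AI_HOSTS
        _touch(r, user, parse_ts(ts))
    for vendor, owner, cost in finance:
        r = get(VENDOR_TO_APP.get(vendor, vendor.lower())); r.sources.add("finance")
        r.owner, r.monthly_cost = owner, r.monthly_cost + cost
    return inv


def plan_actions(inv: Dict[str, AppRecord], now: datetime = NOW,
                 inactivity_days: int = INACTIVITY_DAYS,
                 sanctioned: Set[str] = SANCTIONED) -> List[Action]:
    """Decide what the governance workflow should do with each record."""
    cutoff = now - timedelta(days=inactivity_days)
    actions: List[Action] = []
    for app, r in sorted(inv.items()):
        if app not in sanctioned:      # discovered but never approved: shadow IT / shadow AI
            kind = "shadow_ai_review" if r.is_ai else "shadow_it_review"
            subject = r.owner or ",".join(sorted(r.last_seen)) or "unknown"
            actions.append(Action(app, subject, kind, f"seen via {sorted(r.sources)}, not in catalogue"))
        if r.sources == {"finance"}:   # paid for, but no usage telemetry at all
            actions.append(Action(app, r.owner or "unknown", "no_usage_signal", "no SSO or browser activity"))
        for user, seen in sorted(r.last_seen.items()):   # per-user reclaim on inactivity
            if seen < cutoff:
                actions.append(Action(app, user, "reclaim", f"inactive {(now - seen).days} days"))
    return actions


def run_example() -> List[Action]:
    return plan_actions(build_inventory(SSO_EVENTS, BROWSER_EVENTS, FINANCE_RECORDS))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.kind:18} {a.app:11} {a.subject:8} {a.reason}")
```

On the constructed data this raises four actions: a reclaim for bob's dormant GitHub seat, a shadow AI review for the chat.openai.com usage attributed to carol, a shadow IT review for Notion owned by bob, and a no-usage flag for Zoom, which appears only in finance data. Salesforce produces nothing because it is sanctioned and actively used. The design point is that every action carries a subject and a reason, so it can be routed straight into an access review or deprovisioning queue instead of landing on a dashboard.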

Key takeaways

  • SaaS management is shifting from app counting to access governance, which changes how IAM teams should evaluate the category.
  • Visibility gaps remain large, and shadow AI makes them harder to ignore because unmanaged tools can move data outside approved workflows.
  • The practical priority is connecting discovery, usage telemetry, access review, and deprovisioning into one lifecycle loop.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI3:2025 Vulnerable Third-Party NHI | Licence reclamation and offboarding depend on controlling the non-human access lifecycle, and SaaS integrations are third-party NHIs.
NIST CSF 2.0 | PR.AA-05 (the CSF 2.0 successor to 1.1's PR.AC-4: access permissions and entitlements managed, enforced and reviewed under least privilege) | The article centres on access governance inside SaaS and AI app estates.
NIST Zero Trust (SP 800-207) | Section 2.1 tenets (per-session access, dynamic policy, continuous monitoring) | Continuous verification is required when discovery, usage, and enforcement are linked.

Map SaaS-connected machine access to NHI lifecycle controls and remove stale entitlements on review.


Key terms

  • SaaS Discovery: SaaS discovery is the process of identifying which cloud applications are present and in use across an organisation. Mature discovery uses multiple signals such as SSO logs, browser activity, and API data to build a more accurate operational view than manual inventories can provide.
  • Shadow AI: Shadow AI is the use of AI tools that have not been approved, governed, or fully understood by the organisation. It matters because these tools can process sensitive data, create new access paths, and bypass normal review workflows unless discovery and policy enforcement are tied together.
  • Licence Reclamation: Licence reclamation is the removal or downgrade of software entitlements that are no longer justified by usage. In identity governance terms, it is a lifecycle action based on observed need, and it becomes more effective when usage telemetry is reliable enough to trigger automated review or deprovisioning.
  • Access Review: Access review is the periodic confirmation that a user or system still needs a given entitlement. For SaaS and non-human access, it is most effective when linked to real usage, application ownership, and offboarding events, so stale permissions do not survive simply because the review cycle is slow.

Deepen your knowledge

SaaS discovery, access review, and offboarding are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to connect SaaS governance with identity lifecycle controls, it is worth exploring.

This post draws on content published by Zluri: SaaS Management Top 20 SaaS Management Platforms [2026]. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org