By NHI Mgmt Group Editorial Team
Published 2026-05-20
Domain: Governance & Risk
Source: Zluri

TL;DR: SaaS management platforms are shifting from inventory and license tracking to continuous governance, with Zluri highlighting discovery across managed, unmanaged, and shadow AI apps, plus automated deprovisioning and access review triggers. The real change is that SaaS oversight now depends on identity context, not just app counts.


At a glance

What this is: This is a SaaS management platform roundup whose key finding is that modern SMPs are moving from visibility into identity-aware governance, including shadow IT, shadow AI, license optimisation, and access control.

Why it matters: This matters because IAM teams increasingly need one operating view for SaaS sprawl, user access, and non-human application accounts, rather than separate inventory, governance, and security workflows.

By the numbers:

👉 Read Zluri's top 20 SaaS management platforms for 2026


Context

SaaS management platforms have traditionally been treated as inventory and spend tools, but the category now overlaps directly with identity governance. Once a platform can see who is using each app, what privileges they have, and whether the app should remain approved, it is operating in the same risk space as IGA and NHI governance.

Zluri's framing reflects a broader market change: shadow IT and shadow AI are no longer separate operational annoyances; they are identity problems. The governance question is no longer just how many apps exist, but which identities, including service accounts and AI-enabled access paths, are allowed to use them and under what control.


Key questions

Q: How should security teams govern SaaS sprawl without losing identity control?

A: Security teams should connect app discovery to identity ownership, entitlement review, and revocation workflows. A SaaS inventory only becomes governance when each app is tied to a responsible user, group, or machine identity and when unused access can be removed without manual stitching across tools.

Q: Why do shadow AI tools create identity governance risk?

A: Shadow AI is risky because users often reach those tools through identities, browser sessions, or tokens that were never assessed for data handling or access scope. The issue is not just policy compliance. It is whether the identity path into the tool is authorised, reviewable, and reversible.

Q: What breaks when SaaS management cannot trigger revocation?

A: Visibility without revocation leaves dormant access in place, which means inactive users, unused licenses, and stale app relationships continue to carry risk. The control failure is operational, not analytical. The platform may know the problem exists but still leave the exposure untouched.

Q: How do SaaS management platforms differ from identity governance tools?

A: SaaS management focuses on discovering, classifying, and optimising the app estate, while identity governance focuses on who should have access and whether that access should persist. In practice, the two are converging because SaaS control is incomplete unless discovery, review, and deprovisioning are linked.


Technical breakdown

SaaS discovery pipelines and identity context

SaaS discovery is strongest when it combines multiple signals rather than relying on one control plane. API integrations can show sanctioned app relationships, SSO can show authenticated usage, browser activity can reveal unsanctioned access, and finance data can expose tools that never passed through procurement. When these signals are correlated, the platform can move from app inventory to identity-aware usage mapping, which is what turns software sprawl into governance data. That shift matters because unmanaged apps often sit outside normal approval and review cycles. Practical implication: teams should evaluate whether discovery can distinguish sanctioned use from shadow usage and whether it can connect each app to an accountable identity.


Shadow AI creates an access governance problem, not just a policy problem

Shadow AI becomes risky when employees use generative tools through identities that were never reviewed for data access, retention, or outbound sharing. If the platform can detect use, classify the app, and enforce policy in real time, it is doing more than app monitoring. It is acting on identity and entitlement boundaries that traditional SaaS inventories never modeled. That is especially important where a user account, browser session, or API token can expose sensitive data to a model provider outside approved workflows. Practical implication: organisations should treat unapproved AI app usage as an access governance event, not merely an acceptable-use issue.


Identity-connected SaaS governance closes the loop between review and revocation

The strongest SMP designs link application visibility to IGA actions, so a discovered app can trigger review, an inactive user can trigger deprovisioning, and an out-of-policy tool can trigger access restrictions. That creates a closed loop between detection and enforcement, which is the difference between reporting drift and reducing it. It also narrows the gap between SaaS management and NHI governance, because app-level access often depends on service accounts, API keys, or delegated integrations that outlive their business need. Practical implication: practitioners should verify that SaaS management findings can actually drive deprovisioning, not just create dashboards.

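The two design points above (correlating SSO, API, browser and finance signals into identity-aware app records, and then letting those records trigger review, deprovisioning and token revocation) are easiest to evaluate with a concrete pipeline in front of you. The following Python is an added illustration written for this page; it is not Zluri's code or any product's API. Every app domain, identity, token id, timestamp and the 90-day dormancy threshold are constructed, and the approved catalogue and AI-domain list are hypothetical inputs a real SMP would take from its own configuration.

```python
"""Added illustration: correlate multi-source SaaS signals into identity-aware records,
then derive review / deprovision / revoke actions. All names and data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed reference data (hypothetical, not from any real tenant).
APPROVED_CATALOG = {"crm.example": "sales-ops", "wiki.example": "it-ops"}  # app -> accountable owner group
AI_APP_DOMAINS = {"llm-chat.example", "ai-notes.example"}                   # domains classified as AI tools

# Constructed signals. Each control plane sees a different slice of the estate.
SSO_EVENTS = [("alice", "crm.example", "2026-05-18T09:00:00"),   # (identity, app, last login) from the IdP
              ("bob", "crm.example", "2026-01-10T11:30:00"),     # bob has not logged in for months
              ("carol", "wiki.example", "2026-05-19T14:00:00")]
API_INTEGRATIONS = [("tok-crm-sync", "crm.example", "2026-05-17T02:00:00"),    # (token id, app, last used)
                    ("tok-old-export", "crm.example", "2025-11-02T02:00:00")]  # integration nobody uses now
BROWSER_EVENTS = [("dave", "llm-chat.example", "2026-05-19T10:12:00"),  # (identity, domain, seen) via proxy
                  ("alice", "crm.example", "2026-05-18T09:01:00")]
FINANCE_RECORDS = [("ai-notes.example", 240.0)]  # (vendor domain, spend); carries no identity at all


@dataclass
class AppRecord:
    app: str
    sanctioned: bool
    owner: Optional[str]
    sources: Set[str] = field(default_factory=set)
    identities: Dict[str, datetime] = field(default_factory=dict)  # human identity -> last seen
    tokens: Dict[str, datetime] = field(default_factory=dict)      # non-human token -> last used


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def correlate(sso, api, browser, finance) -> Dict[str, AppRecord]:
    """Merge every signal into one record per app, keeping the latest timestamp per identity."""
    records: Dict[str, AppRecord] = {}

    def rec(app: str) -> AppRecord:
        if app not in records:
            records[app] = AppRecord(app, app in APPROVED_CATALOG, APPROVED_CATALOG.get(app))
        return records[app]

    for ident, app, t in sso:          # authenticated use of a sanctioned app
        r = rec(app); r.sources.add("sso")
        r.identities[ident] = max(r.identities.get(ident, datetime.min), _ts(t))
    for tok, app, t in api:            # delegated / machine access paths
        r = rec(app); r.sources.add("api")
        r.tokens[tok] = _ts(t)
    for ident, dom, t in browser:      # catches access that never went through the IdP
        r = rec(dom); r.sources.add("browser")
        r.identities[ident] = max(r.identities.get(ident, datetime.min), _ts(t))
    for dom, _amount in finance:       # proves the tool is paid for, but not who uses it
        rec(dom).sources.add("finance")
    return records


def derive_actions(records, now: datetime, dormant_days: int = 90) -> List[Tuple[str, str, Optional[str]]]:
    """Turn discovery into governance triggers: (action, app, identity_or_token)."""
    cutoff = now - timedelta(days=dormant_days)
    actions: List[Tuple[str, str, Optional[str]]] = []
    for r in records.values():
        if not r.sanctioned:
            if not r.identities:   # discovery could not attach an accountable identity
                actions.append(("attribute", r.app, None))
            else:                  # shadow use routed into review; AI tools flagged separately
                kind = "review-ai" if r.app in AI_APP_DOMAINS else "review"
                actions.extend((kind, r.app, ident) for ident in r.identities)
            continue
        for ident, seen in r.identities.items():   # dormant human access in a sanctioned app
            if seen < cutoff:
                actions.append(("deprovision", r.app, ident))
        for tok, used in r.tokens.items():         # integration token that outlived its need
            if used < cutoff:
                actions.append(("revoke-token", r.app, tok))
    return sorted(actions, key=lambda a: (a[0], a[1], a[2] or ""))


def run_pipeline(now: datetime = datetime(2026, 5, 20)):
    records = correlate(SSO_EVENTS, API_INTEGRATIONS, BROWSER_EVENTS, FINANCE_RECORDS)
    return records, derive_actions(records, now)


if __name__ == "__main__":
    recs, acts = run_pipeline()
    for r in recs.values():
        print(r.app, "sanctioned" if r.sanctioned else "SHADOW", sorted(r.sources), sorted(r.identities))
    for a in acts:
        print(*a)
```

Two points the sample output makes that the prose only states: the finance-only app produces an "attribute" action rather than a review, because no identity path was observed and review has nobody to route to; and the sanctioned CRM yields both a human deprovisioning trigger and a token revocation trigger from the same record, which is the closed loop between SaaS management and NHI lifecycle control described above.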


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity-aware SaaS management is now part of the governance stack, not a sidecar to it. The article shows the category moving beyond renewal tracking into access context, shadow app detection, and automated actions. That matters because the security question is no longer whether an app exists, but whether the identities inside it are still authorised, reviewable, and revocable. Practitioners should treat SMP output as governance input, not just procurement data.

Shadow AI turns application discovery into non-human identity governance. When employees adopt generative tools outside approved workflows, the real control issue is not the application category but the identities and tokens carrying data into it. A SaaS platform that can surface those paths is effectively mapping an NHI exposure surface that conventional SAM or finance tooling cannot see. Practitioners should use this to connect SaaS governance with secret handling, access policy, and approved AI use.

Identity blast radius is the right concept for SaaS sprawl. A growing app estate is not just a cost problem; it is a containment problem. The more apps an organisation allows, the more places an identity can drift, overreach, or remain active after business need ends. This is where access reviews, offboarding, and entitlement cleanup become one discipline across human users and machine accounts alike. Practitioners should measure how far one identity can move across the SaaS estate before governance detects it.

SaaS management and NHI lifecycle control are converging in the same operational loop. The article repeatedly points to app discovery, user activity, deprovisioning, and policy enforcement in one system. That is the same lifecycle problem enterprises face with service accounts and API tokens, only expressed through SaaS. The governance implication is clear: a platform that cannot tie discovery to revocation cannot claim control, only visibility. Practitioners should insist on lifecycle actionability, not just inventory depth.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage. That is the baseline risk behind unmanaged SaaS integrations and delegated access paths.
  • Use the NHI Lifecycle Management Guide to connect discovery with offboarding and rotation decisions. That is the point where SaaS visibility becomes operational control.

What this signals

Identity-aware SaaS governance will keep converging with NHI control planes. Teams that still separate app inventory from identity lifecycle will keep finding gaps between discovery and action, especially where delegated SaaS access depends on service accounts, API keys, or third-party integrations. The practical signal is to assess whether your current tooling can move from finding an app to revoking its access path in one workflow.

The next governance gap is not app sprawl alone, but unmanaged access paths inside approved apps. As more organisations allow sanctioned SaaS and AI tools, the control problem shifts to what those platforms can do on behalf of the user. That is where lifecycle review, secret handling, and policy enforcement need to converge, with NIST Cybersecurity Framework 2.0 providing a useful baseline for govern and protect functions.


For practitioners

  • Map SaaS discovery to accountable identities: Require the platform to link each detected app to the user, group, service account, or token that created the access path. If it cannot separate sanctioned use from shadow use, it cannot support review or offboarding decisions.
  • Treat shadow AI as an access review trigger: Route unapproved AI app usage into the same review workflow used for risky SaaS access, especially where browser sessions or delegated credentials move data into external models.
  • Connect app visibility to deprovisioning workflows: Verify that inactive users, unused licenses, and expired app relationships can drive revocation across the stack rather than only generating reports for IT or finance.
  • Extend lifecycle controls to SaaS integrations and tokens: Review service accounts, API keys, and delegated connections that keep SaaS integrations alive after business need ends, then tie them to offboarding and recertification processes.

Key takeaways

  • SaaS management is becoming an identity governance function because app visibility without access accountability leaves real risk untouched.
  • Shadow AI and SaaS sprawl create the same operational issue: identities and tokens can outlive the business need that created them.
  • The control standard is shifting from reporting and inventory to revocation, lifecycle cleanup, and policy enforcement inside the same workflow.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | SaaS integrations and delegated access can leave non-human credentials active too long.
NIST CSF 2.0 | PR.AC-4 | The article centers on access management across SaaS and identity workflows.
NIST Zero Trust (SP 800-207) | AC-6 | Identity-aware SaaS governance depends on least privilege across app access paths.

Tie SaaS integrations to lifecycle review and revoke stale service access on a fixed cadence.


Key terms

  • SaaS Management Platform: A SaaS management platform discovers, classifies, and tracks software-as-a-service applications across an organisation. In identity terms, its value increases when it can connect apps to users, permissions, and lifecycle actions such as review, removal, and renewal decisions.
  • Shadow AI: Shadow AI is the use of AI tools or AI-enabled services that are not approved, tracked, or governed by the organisation. The risk is not only unsanctioned software, but unsanctioned identity paths, data sharing, and token use that sit outside normal access controls.
  • Identity Blast Radius: Identity blast radius is the number of systems, data stores, and applications one identity can reach before governance detects and constrains it. In SaaS environments, it expands when permissions, delegated access, and inactive accounts remain in place across too many apps for too long.
  • Non-Human Identity: A non-human identity is a machine or software identity such as a service account, API key, token, certificate, bot, workload, or AI agent. These identities need lifecycle control because they can retain access, bypass human review cycles, and create hidden exposure when left unmanaged.

Deepen your knowledge

SaaS sprawl, shadow AI, and lifecycle-driven access governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building control coverage across apps, identities, and delegated access, it is worth exploring.

This post draws on content published by Zluri: SaaS Management Top 20 SaaS Management Platforms [2026]. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org