By NHI Mgmt Group Editorial Team
Published 2026-05-20
Domain: Governance & Risk
Source: Zluri

TL;DR: SaaS management platforms are increasingly being evaluated not just for app discovery and cost control, but for how they surface who has access, at what level, and whether that access should still exist, according to Zluri. That shift makes SaaS management an identity governance problem, not a procurement one.


At a glance

What this is: This is a SaaS management platform roundup whose central finding is that SaaS management is now inseparable from identity governance, access visibility, and automated remediation.

Why it matters: It matters because IAM teams need a single view of apps, users, licences, and access state across SaaS, NHI, and AI app adoption or they will keep missing governance gaps.

By the numbers:

👉 Read Zluri's roundup of the top SaaS management platforms for 2026


Context

SaaS management is the discipline of discovering, tracking, and governing software applications in use across an organisation. In practice, that now includes access state, licence status, and shadow app adoption, which makes it part of identity governance rather than a standalone IT inventory exercise.

The article argues that the useful question is no longer how many SaaS apps exist, but who is using them, what level of access they have, and whether that access should still be active. That framing is familiar to IAM teams because the same governance problem shows up across human accounts, service accounts, and emerging AI app use.

For organisations already dealing with service account sprawl, unmanaged credentials, and review fatigue, the SaaS layer becomes another place where access can drift faster than governance cycles. That is a typical maturity problem, not an edge case.


Key questions

Q: How should security teams govern SaaS apps that are outside formal approval channels?

A: Start by treating unapproved SaaS as an identity and data governance issue, not just an app inventory problem. Classify the app, identify the identities using it, and decide whether access should be approved, constrained, or removed. The goal is to bring unmanaged usage into the same control path as sanctioned applications.

Q: Why do SaaS management platforms matter to IAM teams?

A: Because SaaS platforms often hold the actual access relationships that IAM teams need to govern. They expose who is using an app, what level of access exists, and whether that access still makes sense. That makes them useful for entitlement reviews, offboarding, and shadow app remediation across the identity lifecycle.

Q: What do organisations get wrong about SaaS licence optimisation?

A: They often treat licence reduction as the end goal when the real issue is access state. Removing a licence does not automatically remove app permissions, delegated tokens, or lingering accounts. Effective optimisation needs to pair spend control with identity cleanup so the governance gap does not remain open.

Q: How do teams stop SaaS sprawl from becoming a security problem?

A: By connecting discovery to policy enforcement. When a new app appears, teams should assess its data handling, identity links, and approval status before usage becomes routine. If the app cannot be governed in the same workflow as approved services, it should remain restricted until it can.


Technical breakdown

SaaS discovery is a data correlation problem, not a simple inventory

Modern SaaS management depends on correlating multiple sources such as API integrations, SSO telemetry, browser activity, and finance data. No single feed tells you both sanctioned usage and shadow usage, so platforms infer a fuller picture by combining signals. The important distinction is between app presence and app behaviour: discovery tells you what exists, while governance tells you whether the identity attached to that app still deserves access.

Practical implication: teams should map every discovery source to an identity control owner, not just a software owner.

Access context matters more than licence counts

Licence optimisation is useful, but it is not the same as access governance. A deprovisioned licence may still leave an account, token, or delegated permission in place, and a live licence may mask a dormant or over-privileged identity. SaaS management becomes materially more valuable when it connects usage, entitlement, and access review state in one workflow rather than treating each as a separate report.

Practical implication: tie licence reviews to access recertification so entitlement removal and privilege removal happen together.

Shadow AI extends the SaaS governance problem into new identity surfaces

When employees adopt AI apps outside approved channels, the issue is not only app sprawl. It is also data exposure, policy bypass, and unmanaged identity relationships with tools that may store prompts, files, or conversation history. In identity terms, shadow AI behaves like unmanaged SaaS plus unresolved access policy, which is why governance needs to cover discovery, approval, and continuous monitoring.

Practical implication: classify AI app adoption as an identity governance intake problem, not only a security exception queue.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

SaaS management has become an identity control plane, not an IT convenience layer. The article's most useful contribution is that it links application visibility to access governance, licence state, and remediation. That is the right direction because the real risk is not app count alone, but unmanaged entitlements inside an expanding SaaS estate. Practitioners should treat SaaS management as part of the identity system, not a parallel dashboard.

Shadow AI turns app discovery into a governance requirement, not a reporting exercise. Once employees can adopt AI tools independently, every unvetted app becomes a possible policy bypass, data path, and accountability gap. The governance issue is bigger than software sprawl because AI adoption can create hidden access relationships that never pass through standard intake. Teams should expect AI app discovery to land in identity, risk, and compliance workflows at the same time.

Privilege drift inside SaaS is the same failure mode that drives NHI exposure elsewhere. A user or service identity that remains active after usage falls away creates the same kind of residual access problem whether the subject is a person, a bot, or a SaaS integration. That is why SaaS governance and NHI governance are converging around lifecycle control, review evidence, and offboarding discipline. Practitioners should stop treating SaaS access as separate from identity lifecycle.

Identity blast radius is the named concept this category now needs. The article shows that the real question is not just discovery breadth, but how far access can spread when SaaS, AI apps, and identity workflows are loosely connected. As soon as unmanaged app adoption connects to standing access, the blast radius extends beyond cost into data exposure and control failure. Practitioners should measure SaaS governance by how quickly they can shrink that blast radius.

Governance tooling that cannot close the loop will keep producing partial visibility. Visibility without automatic action leaves the hardest part untouched, which is revocation, downgrade, or review execution. That matters because SaaS sprawl, licence waste, and access drift all become more expensive when the response still depends on manual follow-up. Practitioners should favour workflows that move from detection to decision to enforcement in one operating model.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • That same research finds that 97% of NHIs carry excessive privileges, which is why visibility alone is not enough without entitlement control and review.
  • For practitioners building this operating model, the NHI Lifecycle Management Guide is the natural next resource for provisioning, rotation, and offboarding discipline.

What this signals

Identity teams should expect SaaS governance to absorb more of the workload that used to sit in separate app, spend, and access functions. As discovery gets better, the real differentiator becomes whether the programme can route findings into recertification, offboarding, and policy enforcement without manual translation. That is where SaaS management starts behaving like identity governance.

Identity blast radius is now a practical planning concept. The larger the SaaS estate and the more loosely it is tied to access control, the faster one unmanaged app can widen the exposure path across users, licences, and data. Programmes that can collapse that blast radius early will be easier to audit and easier to defend.

With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the broader identity lesson is clear: hidden access rarely stays hidden for long. SaaS discovery, NHI governance, and AI app monitoring are converging on the same operational question, which is where access actually lives.


For practitioners

  • Map SaaS discovery sources to identity controls: Tie API, SSO, browser, and finance signals to the owner of access decisions so discovery results can trigger entitlement review, access cleanup, or app approval workflows.
  • Bind licence reviews to access recertification: Do not let licence optimisation run separately from identity governance. Review who is entitled, who is using the app, and whether the account, token, or delegated permission still needs to exist.
  • Treat shadow AI as an identity intake problem: Put unapproved AI apps through the same intake, risk classification, and access policy path you use for unmanaged SaaS, because the governance failure is the hidden identity relationship, not the app label.
  • Track offboarding across apps, not just directories: Verify that app-level access, tokens, and delegated permissions are removed when a user leaves or a use case ends, because SaaS sprawl often hides residual entitlements outside the core directory.

Key takeaways

  • SaaS management now sits inside identity governance because visibility, entitlement state, and remediation are inseparable.
  • The article's strongest signal is that app discovery only matters when it can drive access reviews, offboarding, and policy enforcement.
  • Teams that do not connect SaaS governance to lifecycle control will keep accumulating hidden access and unmanaged risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 Vulnerable Third-Party NHI (see also NHI-01 Improper Offboarding) | SaaS integrations are third-party NHIs that still need lifecycle discipline, especially when access outlives usage.
NIST CSF 2.0 | PR.AA-05 (the CSF 1.1 equivalent was PR.AC-4) | Access permissions, entitlements and authorisations must be managed, enforced and reviewed under least privilege; the article centres on entitlement visibility and access governance across SaaS apps.
NIST Zero Trust (SP 800-207) | Section 2.1 tenets: per-session access, dynamic policy, dynamic authentication and authorisation | Continuous verification fits SaaS access that changes with app adoption and user activity.

Review SaaS-connected accounts for dormant access and remove entitlements when usage stops.


Key terms

  • SaaS Management Platform: A SaaS management platform discovers, inventories, and governs cloud applications used across an organisation. Its value comes from linking app visibility to licence usage, access state, and remediation so teams can act on shadow IT, spending, and identity risk from one operating view.
  • Shadow AI: Shadow AI is the use of AI applications outside formal approval or governance channels. It creates the same discovery problem as shadow IT, but adds data handling, policy, and identity concerns because prompts, files, and access paths may be invisible to the organisation’s control processes.
  • Identity Blast Radius: Identity blast radius is the amount of damage a single unmanaged or over-privileged identity can create across apps, data, and workflows. In SaaS environments, it grows when discovery is disconnected from entitlement review, offboarding, and policy enforcement, leaving access active longer than intended.
  • Access Recertification: Access recertification is the periodic review of whether an identity still needs the permissions it has been granted. In SaaS governance, it should include licences, app permissions, delegated tokens, and dormant accounts, not just directory records or human-approved access lists.

Deepen your knowledge

SaaS governance, discovery, and lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your organisation is folding SaaS, AI app, and non-human access into one programme, it is worth exploring.

This post draws on content published by Zluri: SaaS Management Top 20 SaaS Management Platforms [2026]. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org