By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: SaaS sprawl, shadow IT, and inefficient joiner-mover-leaver handling make SaaS Operations a governance problem as much as an operational one, according to Zluri. The control gap is that discovery, access review, and offboarding often lag the rate at which applications and accounts are created.


At a glance

What this is: This is a SaaS operations guide that argues application sprawl, visibility gaps, and lifecycle failures create security, compliance, and cost risk.

Why it matters: It matters because unmanaged SaaS access behaves like unmanaged identity sprawl, affecting NHI, human IAM, and lifecycle governance at the same time.

👉 Read Zluri's complete guide to SaaS operations and governance


Context

SaaS operations is the discipline of discovering, governing, provisioning, and retiring cloud applications and the identities that use them. In practice, it becomes an identity governance problem when employees can add tools faster than IT can review access, contracts, and security posture.

The article frames SaaS sprawl, shadow IT, and weak offboarding as the core risks. That is the right lens for IAM and lifecycle teams: the problem is not only how many apps exist, but whether access to those apps is visible, authorised, and removed on time.


Key questions

Q: How should organisations govern SaaS sprawl without losing visibility into access?

A: Treat SaaS discovery, access review, and offboarding as one control loop. Every application should have an owner, every account should be traceable to a business purpose, and every renewal should depend on current usage and current entitlement evidence. If discovery does not lead to revocation or rationalisation, it is only inventory, not governance.

Q: Why does SaaS shadow IT create identity risk as well as compliance risk?

A: Shadow IT becomes identity risk because users often authenticate directly into unapproved apps, creating accounts, data permissions, and OAuth grants outside normal lifecycle controls. That weakens revocation, makes audit evidence incomplete, and increases the chance that departed users or redundant apps still retain access. The governance failure is hidden identity state, not just hidden software.

Q: What breaks when SaaS offboarding is handled manually?

A: Manual offboarding usually leaves some combination of active accounts, lingering OAuth grants, and unused licenses behind. The result is persistent access after a role change or departure, which can produce data exposure, audit exceptions, and unnecessary spend. The core failure is not speed alone. It is the absence of a reliable revocation path across all connected applications.

Q: Who should own SaaS governance in an organisation?

A: SaaS governance should be shared across IAM, security, procurement, finance, and application owners, but it needs one accountable operating model. IAM teams should own access control and lifecycle outcomes, procurement should own commercial terms, and security should own risk review. Without explicit ownership, SaaS renewal and access decisions drift apart.


Technical breakdown

SaaS sprawl and access sprawl in modern identity estates

SaaS sprawl happens when business units and individual users adopt applications faster than governance teams can catalogue them. Access sprawl follows when those apps accumulate accounts, OAuth grants, and duplicate entitlements without a reliable ownership model. The technical issue is not just inventory. It is that identity state becomes distributed across many SaaS tenants, each with different admin controls, logs, and revocation paths. Once that happens, recertification and deprovisioning no longer operate from a single source of truth, which weakens both security and auditability.

Practical implication: centralise SaaS discovery and tie every application to an accountable owner before access review starts.

Joiner-mover-leaver workflows for SaaS accounts

SaaS onboarding and offboarding are lifecycle controls, not help desk tasks. Joiners need timely provisioning, movers need entitlement adjustment, and leavers need access removal across every connected application. The article correctly highlights that manual handling creates delay and error, especially when users hold direct SaaS accounts outside of SSO. In identity terms, the failure is persistent access after role change or departure, which increases the chance of misuse, policy drift, and compliance findings. Effective lifecycle management depends on authoritative HR signals, app-level revocation, and consistent evidence of completion.

Practical implication: automate leaver revocation and mover recalculation across SaaS apps, not just in the primary directory.
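As an added example (not code from the original page or from Zluri), the reconciliation step that the lifecycle description above implies, in Python: an authoritative HR feed is compared with per-app account exports and OAuth grants to derive leaver revocation, mover recalculation and orphan review, flagging direct (non-SSO) accounts that an SSO disable would not cover, and producing a completion-evidence list. App names, fields and sample rows are constructed.

```python
"""Added example (not Zluri's or NHIMG's code): reconcile an authoritative HR
feed against per-app SaaS account exports and OAuth grants to derive
joiner-mover-leaver actions. App names, fields and sample rows are constructed."""
from collections import defaultdict

# Constructed HR feed: the authoritative lifecycle signal.
HR = {
    "alice": {"status": "active", "dept": "finance"},
    "bob":   {"status": "active", "dept": "sales"},      # moved from support
    "carol": {"status": "terminated", "dept": "eng"},    # leaver
}
# Constructed per-app exports; "sso" False means a direct (non-SSO) account.
ACCOUNTS = [
    {"app": "crm", "user": "bob", "sso": True, "dept": "support"},
    {"app": "crm", "user": "carol", "sso": False, "dept": "eng"},
    {"app": "billing", "user": "alice", "sso": True, "dept": "finance"},
    {"app": "notes", "user": "dave", "sso": False, "dept": "eng"},   # no HR record
]
GRANTS = [{"app": "crm", "user": "carol", "scope": "contacts.read"}]

def reconcile(hr, accounts, grants):
    """Return per-app actions keyed by app name; every account gets exactly one."""
    actions = defaultdict(list)
    for acct in accounts:
        app, user = acct["app"], acct["user"]
        person = hr.get(user)
        if person is None:
            kind = "orphan_review"          # no authoritative identity behind it
        elif person["status"] != "active":
            kind = "revoke"                 # leaver: remove regardless of SSO path
        elif person["dept"] != acct["dept"]:
            kind = "recalculate"            # mover: entitlement approved for old role
        else:
            kind = "retain"
        if kind != "retain" and not acct["sso"]:
            kind += "_direct"               # SSO disable does not reach this account
        actions[app].append({"user": user, "action": kind})
    for g in grants:                        # OAuth grants outlive account disables
        p = hr.get(g["user"])
        if p is None or p["status"] != "active":
            actions[g["app"]].append({"user": g["user"], "action": "revoke_grant", "scope": g["scope"]})
    return dict(actions)

def evidence(actions, completed):
    """Completion evidence: (app, user, action) tuples still open after execution."""
    planned = {(a, x["user"], x["action"]) for a, xs in actions.items() for x in xs if x["action"] != "retain"}
    return sorted(planned - set(completed))
```

Anything still returned by evidence() after the revocation run is an open lifecycle item, which is the completion record the passage asks for rather than a closed ticket.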

SaaS governance, compliance, and cost control are the same control plane

SaaS governance is often treated as a finance issue, a security issue, or a compliance issue depending on who owns the dashboard. The article shows why that split is artificial. Unused licenses, unreviewed applications, and unauthorised sign-ups all reflect the same governance defect: no continuous control over application ownership, entitlement necessity, and renewal decisions. From an IAM perspective, this is where lifecycle governance and vendor governance overlap. If contracts, renewals, and access are not linked, organisations end up paying for apps they cannot justify and defending controls they cannot evidence.

Practical implication: connect entitlement reviews, renewal decisions, and application approval records in one governance workflow.


Threat narrative

Attacker objective: The objective is to exploit unmanaged SaaS access and hidden application use to expose data, bypass oversight, or create downstream compliance and cost damage.

  1. Entry occurs when employees sign up for unsanctioned SaaS applications or connect third-party tools outside IT visibility.
  2. Escalation follows as those applications accumulate unmanaged access, over-shared data, and unreconciled user accounts across the estate.
  3. Impact comes through compliance exposure, data leakage, phishing risk, and wasted spend when access and application ownership are not controlled.

  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Snowflake breach — Snowflake breach compromised Ticketmaster, Santander and others via cloud credential abuse.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

SaaS sprawl is really identity sprawl with a procurement wrapper. The article treats application growth as an operations issue, but the governance failure is broader: every unsanctioned app creates another identity boundary, another review surface, and another revocation path. That is why SaaS management belongs in the same conversation as IAM, IGA, and SaaS lifecycle controls. Practitioners should manage SaaS as an identity estate, not as a software catalog.

Joiner-mover-leaver failure is the real control gap behind SaaS risk. The article correctly points to onboarding and offboarding as pain points, but the deeper issue is that access changes are not anchored to a reliable lifecycle trigger across all apps. When leavers retain SaaS access or movers keep old privileges, the organisation preserves permissions that no longer match business need. Practitioners should treat lifecycle completion as the control objective, not ticket closure.

Permissioned SaaS waste and security waste are the same governance defect. Duplicate apps, unused licenses, and overbroad access all flow from weak ownership and poor review discipline. Once procurement, renewal, and entitlement decisions are separated, organisations cannot prove why a tool exists or who should still use it. Practitioners should collapse finance, security, and IAM into one SaaS governance loop.

Shadow IT becomes shadow identity the moment a user authenticates. The article focuses on hidden applications, but the more important risk is hidden accounts, hidden OAuth grants, and hidden admin paths created after sign-up. That is why visibility alone is not enough unless it leads to revocation, entitlement reduction, and renewal control. Practitioners should measure whether discovery results in action, not just inventory.

Lifecycle governance across SaaS is now a board-level control, not a hygiene task. The article’s cost framing shows why SaaS oversight matters, but the security and compliance implications are equally material. A stack with uncontrolled applications and unclear account ownership cannot produce reliable audit evidence or consistent deprovisioning outcomes. Practitioners should elevate SaaS governance into the same operating cadence as identity review and vendor risk.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For the broader governance backdrop, read NHI Lifecycle Management Guide for the lifecycle controls that connect discovery, revocation, and offboarding.

What this signals

Shadow SaaS will keep widening the identity surface unless discovery is tied to action. Teams that only inventory applications will still miss the accounts, grants, and renewal decisions that create real exposure. The practical signal is whether your SaaS programme can convert discovery into revocation, rightsizing, and ownership assignment inside one operating cycle.

Access review must move closer to the application layer. Directory-centric governance is not enough when users can create direct accounts, connect third-party tools, or retain permissions outside the primary SSO path. SaaS programme owners should expect to use the Ultimate Guide to NHIs and NIST Cybersecurity Framework 2.0 as reference points for ownership, control, and evidence.

SaaS governance is converging with lifecycle governance across all identity types. The same programme that removes abandoned SaaS accounts today will increasingly need to handle service accounts, workload identities, and AI-connected tools through one control model. With the Ultimate Guide to NHIs as the baseline, teams should expect tighter linkage between procurement, access, and revocation evidence.


For practitioners

  • Build a single SaaS inventory with accountable ownership: Map every application to a business owner, technical owner, and security owner, then require a reviewable reason for each app’s presence in the stack.
  • Automate joiner-mover-leaver events across connected apps: Use HR and directory signals to trigger provisioning, entitlement reduction, and revocation in every SaaS system that can hold direct user accounts.
  • Tie renewal approval to access evidence: Do not renew subscriptions unless the app still has active business use, approved ownership, and a current access review record.
  • Remove duplicate and underused applications before the next cycle: Use usage and license data to eliminate redundant tools, then verify that retired apps no longer retain active users or residual access paths.
  • Review OAuth-connected third parties as part of SaaS governance: Treat third-party connections as identity dependencies and verify that each OAuth grant is still necessary, monitored, and revocable.

Key takeaways

  • SaaS sprawl becomes an identity governance problem the moment users can create applications and accounts faster than IT can review them.
  • Manual offboarding, weak ownership, and disconnected renewal decisions leave access behind even after an app is no longer needed.
  • Teams should treat SaaS discovery, entitlement review, and lifecycle enforcement as one continuous control process, not separate functions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | SaaS access reviews and revocation map directly to least-privilege access control.
NIST CSF 2.0 | GV.OC-02 | SaaS sprawl reflects unclear organisational context and ownership boundaries.
NIST Zero Trust (SP 800-207) | | SaaS identity decisions fit zero-trust principles of continuous verification and least privilege.

Apply zero-trust validation to every SaaS access path, including direct sign-ups and third-party grants.


Key terms

  • SaaS Sprawl: The uncontrolled growth of cloud applications across an organisation, often driven by self-service sign-ups and local business needs. In identity terms, SaaS sprawl creates many separate access boundaries, making ownership, review, and revocation harder to prove and much easier to miss.
  • Shadow IT: Technology use that happens outside approved governance processes, usually without central visibility or formal risk review. In SaaS environments, shadow IT quickly becomes hidden identity state because users create accounts, permissions, and data sharing paths that security teams may never see.
  • Joiner-Mover-Leaver Lifecycle: The access lifecycle that covers onboarding, role changes, and offboarding for identities of any type. For SaaS, the control objective is to ensure that each state change triggers the right provisioning, entitlement adjustment, and revocation across every connected application.
  • Access Sprawl: The accumulation of unnecessary, duplicated, or poorly governed permissions across applications and services. It usually appears when entitlements are granted faster than they are reviewed or removed, creating excess exposure, audit difficulty, and avoidable operational waste.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: SaaS Management SaaS Operations (SaaS Ops) - The Complete Guide. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org