By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: SaaS optimization is presented as a way to reduce duplicated tools, unused licenses, and spend, while also improving visibility, security, and compliance across the application estate, according to Zluri. The deeper issue is that unmanaged SaaS growth is an identity governance problem, not just a procurement problem.


At a glance

What this is: This is a SaaS optimization guide that argues organizations can reduce waste by centralizing app visibility, usage analysis, licensing, and renewal management.

Why it matters: It matters to IAM, IGA, and security teams because SaaS sprawl creates unmanaged access paths, shadow IT, and identity blind spots that affect both human and non-human accounts.

By the numbers:

👉 Read Zluri's guide to SaaS optimisation and spend control


Context

SaaS optimization is the discipline of finding out what software is in use, what it costs, who can access it, and whether it still serves a business purpose. The identity governance issue sits underneath that work because every unmanaged application creates another access path, another set of entitlements, and another place where ownership can be lost.

For IAM and IGA teams, the practical challenge is not just license waste. It is that SaaS sprawl turns joiner-mover-leaver processes into a broader lifecycle problem across human accounts, service accounts, and connected integrations. When app inventory is incomplete, offboarding, recertification, and privilege review all become less reliable.


Key questions

Q: How should security teams govern SaaS sprawl without losing control of access?

A: Start with a complete SaaS inventory that includes purchased apps, connected integrations, and local account stores. Then tie each app to an owner who is accountable for review, offboarding, and renewal. Without that ownership chain, access reviews become partial and revocation is easy to miss.

Q: Why does SaaS sprawl create identity risk as well as cost waste?

A: Because every extra application can hold active users, OAuth grants, API tokens, or local admins after the business need has passed. That creates a gap between what the organisation pays for and what still has access. The risk is stale entitlement persistence, not just duplicated spend.

Q: What do teams get wrong about SaaS license optimisation?

A: They treat it as a procurement cleanup exercise and ignore the identity state underneath. A license that looks unused may still have a valid account, delegated permission, or integration path. Good optimisation checks purchase state, assigned state, and access state together.

Q: Who should be accountable for offboarding SaaS access when a tool is no longer needed?

A: The accountable owner should be the business or application owner who can confirm removal, not only IT or procurement. Revocation must include users, tokens, and integrations so the application cannot retain access after cancellation or retirement.


Technical breakdown

Why SaaS sprawl becomes an identity problem

SaaS sprawl is the accumulation of applications, subscriptions, and integrations that outgrow central control. Once teams can buy and connect tools outside IT, identity state fragments across SSO, local logins, OAuth grants, API tokens, and vendor consoles. That fragmentation matters because access decisions depend on knowing what exists, who owns it, and whether the account is still needed. Without a current inventory, governance becomes reactive and incomplete. The result is not only duplicate spend but unmanaged entitlements that survive longer than the business need that created them. Practical implication: treat SaaS discovery as an identity control, not just an asset-management task.

License management and entitlement drift

License management is usually framed as a cost exercise, but it is also an access governance exercise. An unused license can still represent an active identity relationship, especially when the application retains local users, API permissions, or delegated admin rights. Entitlement drift happens when the purchased state, the assigned state, and the actual usage state no longer match. In SaaS environments, that mismatch can persist for months because procurement, IT, and business owners each see only part of the picture. The technical problem is incomplete lifecycle synchronization across directories and application tenants. Practical implication: reconcile purchased, assigned, and active access states on a recurring basis.

Shadow IT, OAuth grants, and long-lived access

Shadow IT is not limited to unsanctioned apps. It also includes sanctioned tools connected in unsanctioned ways, such as personal OAuth grants, ad hoc integrations, and shared credentials stored outside approved systems. These access paths can outlive the business use case because the identity subject is not always visible in the central directory. That makes offboarding harder and recertification less trustworthy. In practical terms, the environment may look clean at the SaaS subscription layer while still carrying active access through tokens and delegated permissions. Practical implication: include connected apps, token grants, and delegated access in every review cycle.



NHI Mgmt Group analysis

SaaS optimization is really lifecycle governance for the application layer. The article frames the problem as cost and efficiency, but the underlying issue is control over who and what keeps access over time. When SaaS purchasing is decentralized, lifecycle events like joiner, mover, leaver, and access review lose their reference point. The implication is that SaaS optimization should be treated as a governance function that spans identity, not as a finance-only exercise.

Shadow IT creates access debt long before it creates audit debt. Every unmanaged app can hold on to users, local admins, API keys, and third-party grants after the business reason for use has disappeared. That is how entitlement drift becomes a governance problem rather than a tooling inconvenience. Practitioners should read sprawl as deferred revocation, not just duplicated software.

Visibility is the control plane, not the output. A true SaaS inventory is the prerequisite for recertification, offboarding, and least-privilege enforcement across the app estate. Without it, teams are guessing at what should be revoked or reviewed. The practitioner conclusion is simple: no inventory means no reliable identity governance, regardless of how strong the policies look on paper.

Identity security and SaaS cost control are converging in the same operating model. The same blind spots that waste licenses also conceal unmanaged access paths and stale entitlements. That means procurement, IAM, and security operations need shared data and shared ownership of SaaS state. The conclusion for practitioners is to collapse cost management and access governance into one control loop.

Access debt: SaaS environments accumulate dormant users, redundant entitlements, and hidden integrations faster than teams can certify them. This becomes the durable failure mode behind sprawl because ownership and revocation drift apart. Practitioners should recognise access debt as a first-class governance metric.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • Another finding from our research shows that 91.6% of secrets remain valid five days after the targeted organisation is notified, which shows how slow remediation often is in practice.
  • For a broader lifecycle view, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding discipline.

What this signals

Access debt is the better way to describe SaaS sprawl. The problem is not only too many applications, but too many identity relationships that outlive their business purpose. Once a team loses sight of local accounts, token grants, and delegated connections, SaaS optimisation becomes a control problem that procurement cannot solve alone. For practitioners, the next step is to unify asset, access, and ownership data before the next renewal cycle.

As the environment grows, a single application can carry human users, service accounts, and integration credentials at once. That is why the same lifecycle discipline used for NHI governance must extend into the SaaS layer, where hidden access is often harder to see than software spend. The practical signal to watch is whether offboarding can remove every access path, not just the subscription.

With 97% of NHIs carrying excessive privileges, per the Ultimate Guide to NHIs, the pattern is consistent: unmanaged identities accumulate faster than teams can review them. SaaS optimisation programmes should therefore be measured by revocation completeness, not just savings achieved. If an app inventory cannot support that, the governance model is still incomplete.


For practitioners

  • Build a complete SaaS inventory across business and IT channels. Combine SSO logs, expense data, API integrations, and procurement records so you can see sanctioned and unsanctioned apps in one place. Use that inventory as the source of truth for ownership, review, and offboarding decisions.
  • Reconcile licenses, users, and active usage on a fixed cadence. Compare what was purchased with what is assigned and what is actually used. Flag dormant licenses, duplicated tools, and orphaned accounts for removal or reassignment before renewal decisions are made.
  • Include connected apps and delegated access in recertification. Review OAuth grants, vendor integrations, and locally created users alongside directory-based accounts. Revocation should cover tokens and integrations, not just the primary SaaS subscription.
  • Align procurement and IAM ownership for every SaaS app. Assign one accountable owner for each application so renewal, offboarding, and entitlement review do not fall between teams. If no owner can be named, the application should move to review or restriction.
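The three-way reconciliation described under license management and entitlement drift (purchased seats against assigned seats against access that is actually live), together with the offboarding completeness check the first three items above call for, as an added example that is not code from Zluri or from NHIMG. The record types, field names, sample estate and the 60-day dormancy threshold are assumptions made for the illustration and do not follow any vendor's export schema; the point is the logic, which treats local users, OAuth grants and API tokens as access paths to be reconciled alongside directory identities rather than as something outside the license count.

```python
"""Three-way reconciliation of SaaS state: purchased seats, assigned seats,
and the access paths that are actually live (SSO, local users, OAuth grants,
API tokens). Sample data is constructed; field names are assumptions and do
not follow any vendor's export schema."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_DAYS = 60          # assumption: a seat unused this long is dormant
AS_OF = date(2025, 6, 26)  # reconciliation date used for the sample data

@dataclass(frozen=True)
class License:
    app: str
    seats_purchased: int

@dataclass(frozen=True)
class Seat:              # a license assigned to a directory identity
    app: str
    user: str

@dataclass(frozen=True)
class DirectoryUser:
    user: str
    active: bool         # False once the leaver process has run

@dataclass(frozen=True)
class AccessPath:
    """Anything that can still authenticate to the app. kind is one of
    'sso', 'local', 'oauth', 'api_token'. owner is the human accountable
    for a grant or token; None for an SSO login or an unowned local user."""
    app: str
    subject: str
    kind: str
    last_used: Optional[date]
    owner: Optional[str] = None

def reconcile(licenses, seats, directory, paths, as_of=AS_OF):
    """Return drift findings as (category, app, subject, detail) tuples."""
    active = {u.user for u in directory if u.active}
    findings = []
    # purchased vs assigned: seats paid for but never handed out
    seats_by_app = defaultdict(list)
    for s in seats:
        seats_by_app[s.app].append(s)
    for lic in licenses:
        spare = lic.seats_purchased - len(seats_by_app[lic.app])
        if spare > 0:
            findings.append(("unused_seats", lic.app, "",
                             f"{spare} of {lic.seats_purchased} seats unassigned"))
    # last sign-in per (app, subject), across every path kind
    last_seen = {}
    for p in paths:
        if p.last_used is not None:
            key = (p.app, p.subject)
            last_seen[key] = max(last_seen.get(key, p.last_used), p.last_used)
    # assigned vs identity state, then assigned vs usage
    cutoff = as_of - timedelta(days=DORMANT_DAYS)
    for s in seats:
        if s.user not in active:
            findings.append(("orphaned_seat", s.app, s.user,
                             "seat held by a deprovisioned or unknown user"))
            continue  # already actionable; do not also report it as dormant
        seen = last_seen.get((s.app, s.user))
        if seen is None or seen < cutoff:
            when = "never" if seen is None else seen.isoformat()
            findings.append(("dormant_seat", s.app, s.user, f"last used {when}"))
    # paths that bypass the directory: local users, OAuth grants, API tokens.
    # An SSO path for an inactive user is already covered by orphaned_seat.
    for p in paths:
        if p.kind == "sso":
            continue
        principal = p.owner if p.owner is not None else p.subject
        if principal not in active:
            findings.append(("stale_access_path", p.app, p.subject,
                             f"{p.kind} with no active accountable principal ({principal})"))
    return findings

def remaining_access(user, seats, paths):
    """Offboarding completeness check: everything still tied to `user`,
    either directly or as the owner of a token or grant."""
    held = [(s.app, "seat", s.user) for s in seats if s.user == user]
    held += [(p.app, p.kind, p.subject) for p in paths
             if p.subject == user or p.owner == user]
    return held

# constructed sample estate: bob has left, carol has not used Figma since January
DIRECTORY = [DirectoryUser("alice", True), DirectoryUser("bob", False),
             DirectoryUser("carol", True)]
LICENSES = [License("figma", 5), License("notion", 3)]
SEATS = [Seat("figma", "alice"), Seat("figma", "bob"), Seat("figma", "carol"),
         Seat("notion", "alice"), Seat("notion", "bob")]
PATHS = [
    AccessPath("figma", "alice", "sso", date(2025, 6, 20)),
    AccessPath("figma", "bob", "sso", date(2025, 3, 1)),
    AccessPath("figma", "carol", "sso", date(2025, 1, 10)),
    AccessPath("figma", "contractor-local", "local", None),            # no directory principal
    AccessPath("notion", "alice", "sso", date(2025, 6, 25)),
    AccessPath("notion", "svc-export-bot", "api_token", date(2025, 6, 24), owner="bob"),
    AccessPath("notion", "zapier", "oauth", date(2025, 6, 1), owner="carol"),
]

if __name__ == "__main__":
    for category, app, subject, detail in reconcile(LICENSES, SEATS, DIRECTORY, PATHS):
        print(f"{category:18} {app:7} {subject:18} {detail}")
    print("still tied to bob:", remaining_access("bob", SEATS, PATHS))
```

On the sample estate the run reports two under-used licenses, bob's two orphaned seats, carol's dormant Figma seat, and two access paths with no active accountable principal: the local Figma user nobody owns and the Notion API token bob created before leaving. The token is the case the subscription-level view misses, since Notion still looks fully licensed and the account is a service identity rather than bob; `remaining_access("bob", ...)` surfaces it as a leaver item precisely because ownership is tracked on the path, which is the ownership chain the article asks for.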

Key takeaways

  • SaaS optimisation is also identity governance because every unmanaged app creates another access path to review, certify, and revoke.
  • Cost waste and security exposure often come from the same source, which is SaaS sprawl that hides stale users, tokens, and integrations.
  • Practitioners need one control loop for inventory, ownership, entitlement review, and offboarding if they want sustainable SaaS governance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control expectations practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements and authorisations managed and reviewed under least privilege; the CSF 2.0 successor to 1.1's PR.AC-4) | SaaS sprawl changes how access is granted and reviewed across apps.
OWASP Non-Human Identity Top 10 | NHI1 Improper Offboarding; NHI3 Vulnerable Third-Party NHI | The article's access and lifecycle gaps align with unmanaged non-human identity controls, in particular leftover tokens and third-party integrations that survive offboarding.
NIST SP 800-207 (Zero Trust Architecture) | Section 2.1, tenets of zero trust (per-session, least-privilege access decisions informed by current asset and identity state) | Centralised visibility and least privilege are core to controlling SaaS access paths.

Include SaaS integrations and service accounts in NHI lifecycle reviews and revocation checks.


Key terms

  • SaaS sprawl: SaaS sprawl is the uncontrolled growth of cloud applications, subscriptions, and integrations across an organisation. It becomes an identity issue when access ownership, review, and revocation fragment across teams, leaving users, tokens, and local accounts active after the business need has changed.
  • Entitlement drift: Entitlement drift is the divergence between what access was intended, what was assigned, and what is still active. In SaaS environments, it often appears when licenses, local users, and delegated permissions remain in place after the original purpose has ended, creating hidden governance risk.
  • Shadow IT: Shadow IT is software or access that exists outside central governance, whether through unsanctioned apps or sanctioned apps used in unsanctioned ways. In identity terms, it often includes unmanaged logins, OAuth grants, and integrations that security teams cannot easily see or revoke.
  • Access debt: Access debt is the accumulation of dormant accounts, stale permissions, and unreviewed integrations that persist because lifecycle controls are not keeping pace with the environment. It is a useful governance term because it captures both security exposure and the operational cost of delayed cleanup.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri (SaaS Management): SaaS Optimization: A Comprehensive Guide.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org