By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: SaaS adoption has expanded far beyond the one-app era. According to Zluri, more than 240,000 applications are now available, and many organisations have lost track of their applications, users, spend, and processes. The governance problem is not just cost leakage: unmanaged SaaS sprawl also expands shadow IT, unauthorized access, and control blind spots across identity programmes.


At a glance

What this is: This is a SaaS cost-optimization playbook that frames overspending as a visibility and governance problem across applications, users, spend, and process.

Why it matters: It matters because SaaS sprawl creates identity and access blind spots that affect human IAM, NHI oversight, and lifecycle governance in the same environment.

By the numbers:



Context

SaaS cost optimization is not just a finance problem. When organisations lose track of applications, subscriptions, and approvals, they also lose control over who can access what, which tools are shadow IT, and where spend is tied to active use versus waste.

The article frames SaaS management as a lifecycle problem across applications, users, expenditures, and processes. That matters to IAM teams because the same visibility gap that drives overspending also weakens access governance, offboarding discipline, and policy enforcement across human and machine-enabled workflows.


Key questions

Q: How should teams govern SaaS applications that users can adopt without central approval?

A: Teams should treat user-led SaaS adoption as both a procurement and identity issue. The first step is to discover the app, assign ownership, and determine whether it has authenticated users, admin roles, or stored data. If the application is outside governance, it should enter the same review, offboarding, and renewal process as any sanctioned system.

Q: Why do unused SaaS licenses matter to IAM and governance teams?

A: Unused licenses often indicate more than wasted spend. They can signal orphaned access, poor offboarding, duplicate tools, or incomplete ownership records. IAM and governance teams should use license utilisation as an evidence source for access review, because persistent underuse often means the entitlement model no longer matches how the application is actually used.

Q: What breaks when SaaS inventory is split across finance, IT, and security tools?

A: Control breaks when no single team can prove what is deployed, who uses it, and who approved it. Renewal decisions become reactive, shadow IT persists longer, and access reviews lose context. The result is fragmented accountability, where spend, access, and risk are managed as separate problems instead of one lifecycle.

Q: Who is accountable when a shadow SaaS app creates access and cost risk?

A: Accountability should rest with the business owner who introduced the tool, the technical owner who governs access, and the platform or procurement team that approved spend. If those roles are not defined, the organisation cannot close the loop on offboarding, revocation, or renewal, which is how shadow IT becomes persistent.


Technical breakdown

Why SaaS sprawl creates an identity governance problem

SaaS sprawl expands faster than most governance processes can track. Each new application introduces its own authentication paths, admin roles, renewal logic, and ownership model, which means access and spend drift in parallel. When IT cannot see the app, it cannot certify the account, revoke unused access, or validate whether the subscription still matches business need. This is why SaaS optimisation and identity governance overlap so strongly: both depend on reliable discovery, ownership, and lifecycle control.

Practical implication: connect app discovery to access review and offboarding workflows so unseen SaaS cannot also become unseen access.

How shadow IT and unused licenses weaken control

Shadow IT is not only an application inventory issue. It also creates unmanaged identities, duplicate approvals, and orphaned subscriptions that persist after the original business need has faded. Unused licenses are often the symptom of weak joiner-mover-leaver discipline, missing renewal governance, or fragmented ownership across finance and IT. Once SaaS procurement becomes frictionless, the organisation accumulates both cost waste and access waste, and those usually surface together during audit, incident response, or renewal pressure.

Practical implication: treat unused licenses as a control signal, not just a cost metric, and investigate the corresponding identity and ownership gaps.

Why discovery methods matter for SaaS control

The article emphasises multiple discovery methods because no single source gives complete visibility across SaaS, finance, HR, SSO, or endpoint data. A mature programme correlates those sources to map applications, users, transactions, contracts, and renewal dates into one control plane. That is the technical difference between simply counting tools and governing them. In identity terms, discovery is the prerequisite for entitlement management, offboarding, and risk-based rationalisation across the SaaS estate.

Practical implication: build a cross-system discovery model that ties application inventory to user ownership, spend, and renewal evidence.


Threat narrative

Attacker objective: There is no external attacker in this narrative. The practical adversary is unchecked consumption of software, budget, and access pathways outside central governance, which later gives a real attacker more unreviewed accounts and admin surfaces to work with.

  1. Entry begins when users adopt SaaS applications through free trials, credit cards, or other low-friction procurement paths that bypass central review.
  2. Escalation follows as duplicate apps, unauthorized access, and hidden subscriptions accumulate without ownership, making governance and revocation increasingly difficult.
  3. Impact appears as budget overruns, redundant tools, shadow IT exposure, and a weakened ability to prove who has access to which application and why.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

SaaS overspending is really an identity visibility failure. The article describes the financial symptoms, but the structural issue is that organisations cannot govern what they cannot see. When application inventory, user ownership, and spend data sit in separate systems, access reviews and renewal decisions become guesswork. The practitioner conclusion is simple: SaaS optimisation and identity governance must share the same discovery layer.

Shadow IT and shadow access usually arrive together. A user who can adopt an app without central review can often create an unmanaged access path at the same time. That makes SaaS sprawl an IAM control problem, not just a procurement problem, because the same gap that creates duplicate subscriptions also creates unreviewed identities and orphaned entitlements. The practitioner conclusion is that app rationalisation must include entitlement rationalisation.

Lifecycle governance is the missing discipline in most SaaS cost programmes. The article repeatedly points to renewals, unused licenses, and reactive buying, which are all lifecycle signals. A programme that lacks joiner-mover-leaver discipline, ownership assignment, and offboarding evidence will continue to pay for software after the business use has ended. The practitioner conclusion is that spend control cannot mature without lifecycle control.

Identity blast radius expands when SaaS procurement is easy and accountability is diffuse. Each new subscription adds another admin surface, another identity source, and another revocation path to manage. That creates a broader operational attack surface even before any external attacker is involved, because error, duplication, and orphaning compound across the estate. The practitioner conclusion is to measure governance by how quickly it can map and remove unused access.

Discovery is the control plane, not the reporting layer. The article's strongest operational insight is that browser agents, SSO, HR systems, finance data, and contracts all have to converge if teams want real control. Once discovery becomes the shared record, finance, IT, and IAM can make the same decision from the same evidence. The practitioner conclusion is to treat cross-system visibility as a foundational governance control.

From our research:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For a lifecycle lens on this same governance problem, see NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding fit together.

What this signals

SaaS optimisation programmes are converging with identity governance because the same discovery failures drive both overspend and access drift. With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the broader lesson is that unmanaged assets rarely stay financially isolated for long.

Identity blast radius: once procurement, access, and renewal are decoupled, every new subscription becomes another place where accountability can be lost. Teams should expect future SaaS governance to look less like software finance and more like continuous entitlement control across app, user, and spend records.


For practitioners

  • Map SaaS inventory to identity ownership: Correlate app discovery with SSO, HR, finance, and contract records so every subscription has a named business owner and an accountable technical owner.
  • Review unused licenses as access anomalies: Investigate whether inactive subscriptions reflect dormant users, failed offboarding, duplicate tools, or approvals that were never cleaned up after role changes.
  • Tie renewals to recertification decisions: Require access certification and business justification before renewing significant SaaS spend, especially where usage data shows underutilisation or shadow adoption.
  • Build one discovery process across finance and IAM: Use the same control record for spend, usage, and identity so procurement, security, and operations stop making conflicting decisions about the same application.
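The cross-system discovery model described under "Why discovery methods matter" and the four practitioner items above can be shown as a small correlation job. The following Python is an added example, not code from Zluri or from the original page: it joins constructed SSO assignment, HR roster, finance charge and ownership exports into one control record per application, classifies each license as active, dormant or orphaned, and raises the findings the post talks about (shadow IT, missing owner, orphaned access, underutilisation). The sample data, the 90-day dormancy window and the 50% underutilisation threshold are assumptions chosen for the illustration; real exports will need their own field mapping.

```python
"""Correlate SSO, HR, finance and ownership data into one SaaS control record.

Added example with constructed data; not Zluri's tooling or the original post's code.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

REVIEW_DATE = date(2025, 6, 26)      # constructed "as of" date for the review
DORMANT_AFTER = timedelta(days=90)   # assumption: no login for 90 days = dormant
UNDERUSED_RATIO = 0.5                # assumption: >=50% non-active seats = underutilised

# Constructed stand-ins for the exports a real programme would pull.
SSO_ASSIGNMENTS = [  # (app, user, last_login or None if the seat was never used)
    ("Figma", "alice", date(2025, 6, 20)),
    ("Figma", "bob", date(2025, 1, 10)),
    ("Figma", "carol", date(2025, 6, 1)),
    ("Notion", "alice", date(2025, 6, 25)),
    ("Notion", "dave", None),
    ("Salesforce", "erin", date(2025, 6, 24)),
    ("Salesforce", "bob", date(2025, 2, 3)),
    ("Salesforce", "carol", date(2025, 2, 3)),
]
HR_ROSTER = {  # user -> employment status; "dave" has no HR record at all
    "alice": "active", "bob": "terminated", "carol": "active", "erin": "active",
}
FINANCE_CHARGES = [  # (vendor, cardholder, amount): card and invoice spend
    ("Figma", "alice", 540.0),
    ("Notion", "alice", 96.0),
    ("Salesforce", "procurement", 12000.0),
    ("Miro", "frank", 480.0),  # paid on a card but never seen behind SSO
]
APP_OWNERS = {"Figma": "alice", "Salesforce": "erin"}  # Notion and Miro: no owner


@dataclass
class AppRecord:
    app: str
    owner: Optional[str]
    spend: float = 0.0
    in_sso: bool = False
    licenses: dict = field(default_factory=dict)   # user -> classification
    findings: list = field(default_factory=list)


def classify_license(user, last_login, roster, as_of=REVIEW_DATE):
    """Turn a seat into an access-review signal, HR status first."""
    if roster.get(user) != "active":
        return "orphaned"   # terminated or unknown to HR: offboarding did not run
    if last_login is None or as_of - last_login > DORMANT_AFTER:
        return "dormant"    # entitled but not using the seat
    return "active"


def build_control_records(sso, roster, charges, owners, as_of=REVIEW_DATE):
    """Join the four sources on app name and attach findings per app."""
    records = {}

    def rec(app):
        if app not in records:
            records[app] = AppRecord(app=app, owner=owners.get(app))
        return records[app]

    for app, user, last_login in sso:
        r = rec(app)
        r.in_sso = True
        r.licenses[user] = classify_license(user, last_login, roster, as_of)
    for vendor, _cardholder, amount in charges:
        rec(vendor).spend += amount

    for r in records.values():
        if not r.in_sso:
            r.findings.append("shadow_it")        # spend with no managed access path
        if r.owner is None:
            r.findings.append("unowned")          # nobody to answer the renewal question
        if "orphaned" in r.licenses.values():
            r.findings.append("orphaned_access")
        seats = len(r.licenses)
        if seats and sum(c != "active" for c in r.licenses.values()) / seats >= UNDERUSED_RATIO:
            r.findings.append("underutilised")
    return records


def reclaimable(records):
    """Seats to revoke or recertify, sorted for the access-review ticket."""
    return sorted((r.app, user, cls) for r in records.values()
                  for user, cls in r.licenses.items() if cls != "active")


if __name__ == "__main__":
    recs = build_control_records(SSO_ASSIGNMENTS, HR_ROSTER, FINANCE_CHARGES, APP_OWNERS)
    for r in recs.values():
        print(f"{r.app:<11} owner={r.owner!s:<6} spend={r.spend:>8.2f} findings={r.findings}")
    print("reclaimable:", reclaimable(recs))
```

Running it lists Miro as shadow IT with no owner, flags Notion as unowned and underutilised because one of its two seats belongs to a user HR does not know, and shows that Salesforce, the largest spend line, still carries a seat for a terminated user and a dormant seat for an active one. The point of the design is that the same record answers the finance question (what are we paying for) and the IAM question (who should still have access) from one join.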

Key takeaways

  • SaaS overspending is a governance symptom, but the underlying control failure is usually poor visibility into applications, users, and ownership.
  • The same conditions that produce shadow IT and unused licenses also weaken access review, offboarding, and renewal discipline.
  • Teams that connect discovery to lifecycle governance can reduce waste without treating cost control and identity control as separate programmes.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 sets the governance and control requirements practitioners need to meet. The subcategory identifiers below use the CSF 2.0 numbering; where the older CSF 1.1 identifier is commonly cited, it is given in brackets.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.RR-02 (roles, responsibilities, and authorities established, communicated, and enforced) | SaaS governance needs clear ownership and accountability across apps and spend.
NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements, and authorizations managed and reviewed; PR.AC-4 in CSF 1.1) | Unused SaaS access and shadow IT both point to weak access control.
NIST CSF 2.0 | ID.AM-02 (inventories of software, services, and systems maintained; ID.AM-2 in CSF 1.1) | The post hinges on discovering and maintaining an accurate application inventory.

Maintain a living SaaS inventory that ties each app to usage, ownership, and renewal evidence.


Key terms

  • SaaS sprawl: SaaS sprawl is the uncontrolled growth of cloud applications across an organisation, often with overlapping use cases and unclear ownership. It becomes an identity and governance issue when app adoption outpaces inventory, approval, access review, and renewal controls.
  • Shadow IT: Shadow IT is technology adopted or operated outside formal governance processes. In SaaS environments, it usually means a user or team has procured an application without central visibility, which can leave access, data handling, and contract renewal outside normal control.
  • License utilisation: License utilisation measures how much of a purchased software entitlement is actually being used. Low utilisation often indicates waste, but it can also reveal access misalignment, inactive accounts, or subscriptions that should be removed or recertified.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: SaaS Management Mastering SaaS Cost Optimization, a strategic playbook. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org