TL;DR: Most organisations still buy SaaS through a fragmented process that obscures renewals, licensing, approvals, and duplication, according to Zluri. The governance problem is not just cost control, but identity and access sprawl across the applications, contracts, and stakeholders that procurement now has to reconcile.
At a glance
What this is: This is a vendor roundup of SaaS procurement services, and its key finding is that procurement becomes slower and riskier when app discovery, contract oversight, and approvals are fragmented.
Why it matters: It matters because SaaS procurement increasingly intersects with IAM, lifecycle governance, and shadow IT control, especially when application sprawl creates unmanaged access and duplicate subscriptions.
By the numbers:
- Zluri says its platform discovers 100% of the SaaS apps in an organisation across five discovery methods.
👉 Read Zluri's article on software procurement services and SaaS negotiation
Context
SaaS procurement is no longer just a buying exercise. It is an identity and governance problem because every redundant application, renewal, and approval step can create unmanaged access, duplicate entitlements, and hidden shadow IT across the software stack.
The article argues that buyers are disadvantaged by opaque pricing, complex contract terms, and fragmented approval chains across finance, legal, security, and requesters. That combination makes procurement slower, less transparent, and harder to govern as the application estate grows.
Key questions
Q: How should security teams govern SaaS sprawl created by shadow IT?
A: Security teams should treat SaaS sprawl as an inventory and ownership problem first. Every application needs a business owner, an access owner, and a renewal owner, plus a way to validate whether it is still in use. That prevents unmanaged subscriptions from becoming unmanaged access paths and makes offboarding possible when tools are retired.
Q: Why do SaaS renewals often create identity governance problems?
A: SaaS renewals preserve whatever access, licence allocation, and administrative structure already exists unless they are tied to review. If procurement renews contracts without checking usage and ownership, dormant accounts and duplicate tools remain in place. That turns a commercial process into an identity lifecycle failure that keeps stale access alive.
Q: What do organisations get wrong about SaaS procurement and access control?
A: They treat procurement, finance, and security as separate processes when SaaS buying actually defines the access model for the app. If the buying workflow does not capture ownership, approval, and offboarding expectations, the organisation ends up with tools no one can govern cleanly. That is how shadow IT becomes a lifecycle issue.
Q: How can teams reduce risk when multiple SaaS tools overlap?
A: Teams should use overlap as a trigger to rationalise the stack, not just negotiate price. Redundant applications usually mean redundant admin consoles, duplicate entitlements, and more places for access to drift. Consolidation should therefore include identity review, licence reclamation, and a decision on which tool owns the business process.
Technical breakdown
Why SaaS discovery changes procurement governance
SaaS discovery is the process of identifying which applications are actually in use across SSO, expense systems, APIs, agents, and browser telemetry. In governance terms, discovery is the control that prevents procurement from negotiating around partial truth. When discovery is incomplete, finance may miss duplicate tools, security may miss shadow IT, and access reviews may never see the full application surface. For identity teams, the issue is not only spend, but the entitlements attached to those applications. Procurement and IAM therefore need the same inventory baseline before renewal or rationalisation decisions are made.
Practical implication: align SaaS discovery with identity inventory so procurement decisions reflect the real application and access estate.
How renewal windows become an access governance issue
Renewal timing is often treated as a commercial milestone, but it also determines whether unused licences, dormant accounts, and over-assigned access persist. If contract renewal happens before entitlement review, organisations can renew waste and preserve access that no longer has a business owner. The article’s emphasis on savings, downgrades, and removing duplicate apps shows how financial governance and access governance intersect. Renewal workflows should therefore be tied to entitlement validation so that offboarding, licence reclamation, and contract review happen together rather than in separate silos.
Practical implication: require entitlement validation before renewal approval to reduce standing access and wasted licences.
Why contract governance and shadow IT are linked
Shadow IT is rarely just an unsupported app problem. It is usually a contract and access problem, because apps purchased outside the standard process often escape normal provisioning, review, and offboarding controls. The article points to overlapping features, redundant apps, and unmanaged subscriptions, all of which increase governance complexity. In mature programmes, SaaS rationalisation should be treated as part of identity lifecycle management, not just cost cutting. Procurement checkpoints should therefore force every new app into a supportable ownership, access, and renewal model.
Practical implication: make every SaaS purchase pass through an ownership and offboarding checkpoint before it is approved.
NHI Mgmt Group analysis
Shadow IT becomes an identity governance issue once procurement cannot see the full SaaS estate. The article’s core problem is not merely vendor comparison or negotiation friction. It is that incomplete application visibility makes it impossible to know where access exists, who owns it, or when it should be removed. Practitioners should treat SaaS discovery as a prerequisite for entitlement control, not a separate procurement task.
Contract sprawl creates licence sprawl, and licence sprawl creates access sprawl. When renewals, upgrades, and duplicate tools are handled outside a governance workflow, organisations keep paying for subscriptions that no longer match business need. That persistence often means stale accounts and unused entitlements remain in place. The implication for practitioners is to join procurement, finance, and identity operations around one renewal and review cycle.
Identity lifecycle discipline belongs inside SaaS procurement, not beside it. The article shows that legal, security, finance, and requesters all influence buying, but none of them can govern access alone. A procurement motion that does not force ownership, review, and offboarding decisions at purchase time will keep creating unmanaged software relationships. Practitioners should redesign buying workflows so every app has a lifecycle owner before approval.
Feature overlap is a governance signal, not just a spend signal. When multiple SaaS products solve the same problem, the organisation usually inherits multiple admin paths, multiple approval chains, and multiple places where access can go stale. That is an IAM and IGA concern as much as a finance concern. Practitioners should evaluate duplication as a control failure that expands administrative overhead and entitlement complexity.
SaaS procurement should be measured by control quality, not savings alone. The article frames value in terms of negotiation leverage and cost reduction, but identity teams need a wider scorecard. If procurement saves money while leaving shadow IT, unowned applications, or unreclaimed licences behind, the programme has only shifted cost from finance to security. Practitioners should define success as cleaner ownership, better reviewability, and fewer unmanaged access paths.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, showing how often identity inventory remains incomplete even before procurement starts.
- That visibility gap is why the NIST Cybersecurity Framework 2.0 matters here: better inventory and governance are the starting point for cleaner SaaS control.
What this signals
Shadow SaaS will keep expanding unless procurement and IAM share one authoritative inventory. The practical test is no longer whether a team can negotiate a lower price. It is whether the organisation can prove who owns the app, who can access it, and who will remove it when the relationship ends.
With 5.7% of organisations reporting full visibility into their service accounts, fragmented discovery remains the norm, not the exception. That gap matters because SaaS sprawl and identity sprawl usually grow together, especially when procurement decisions are made without lifecycle checkpoints.
For mature programmes, the next step is to turn SaaS buying into an enforceable governance workflow. That means joining access ownership, renewal management, and app rationalisation into the same control plane rather than treating them as separate teams.
For practitioners
- Map procurement to identity ownership: require each SaaS request to name a business owner, an access owner, and a renewal owner before approval moves forward.
- Join renewal review to entitlement review: block contract renewal until teams confirm active use, licence fit, and whether any accounts or integrations should be removed.
- Rationalise duplicate applications before expansion: use discovery data to compare overlapping tools and retire redundant apps before approving new subscriptions that increase administrative sprawl.
- Bring finance, legal, security, and IAM into one workflow: create a single approval path that captures commercial terms, security review, access ownership, and offboarding expectations for every SaaS purchase.
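The checkpoints above, together with the discovery and renewal controls in the technical breakdown, can be expressed as a small reconciliation job. The following is an added example written for this post; it is not code from the Zluri article or from any procurement platform. It assumes three constructed discovery feeds (an SSO application list, expense-system spend, and endpoint telemetry), a hypothetical `AppRecord` shape for the joined inventory, and illustrative thresholds (a 60-day renewal window and 60% licence utilisation) that a real programme would set for itself.

```python
"""Added example: join SaaS discovery sources into one inventory, then apply
the ownership, duplication, and renewal checkpoints described in the guidance.
All feeds, records, and thresholds below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2025, 6, 26)  # constructed reference date

# Constructed discovery feeds. A real programme would pull these from the IdP,
# the expense/card system, and API/agent/browser telemetry respectively.
DISCOVERY = {
    "sso": {"figma", "slack", "notion"},
    "expense": {"figma", "slack", "miro", "lucidchart"},
    "telemetry": {"figma", "slack", "notion", "miro", "airtable"},
}


@dataclass
class AppRecord:
    """Hypothetical joined inventory row: commercial and identity facts together."""
    name: str
    category: str
    business_owner: Optional[str]
    access_owner: Optional[str]
    renewal_owner: Optional[str]
    renewal_date: date
    licences_purchased: int
    licences_active_30d: int   # users who signed in during the last 30 days
    dormant_accounts: int      # accounts with no login in the review period


# Constructed records for apps that already have a contract on file.
RECORDS = [
    AppRecord("slack", "messaging", "ops-lead", "it-admin", "procurement",
              TODAY + timedelta(days=30), 500, 410, 40),
    AppRecord("miro", "whiteboarding", "design-lead", None, "procurement",
              TODAY + timedelta(days=45), 100, 35, 12),
    AppRecord("lucidchart", "whiteboarding", "eng-lead", "it-admin", "procurement",
              TODAY + timedelta(days=200), 50, 20, 5),
    AppRecord("figma", "design", "design-lead", "it-admin", "procurement",
              TODAY + timedelta(days=10), 80, 76, 0),
]


def build_inventory(sources):
    """Union of every discovery method, remembering which sources saw each app."""
    inventory = {}
    for source_name, apps in sources.items():
        for app in apps:
            inventory.setdefault(app, set()).add(source_name)
    return inventory


def shadow_it(inventory, sso_source="sso"):
    """Apps seen by some method but never through SSO: they sit outside the
    identity provider's provisioning and offboarding path."""
    return sorted(app for app, seen in inventory.items() if sso_source not in seen)


def duplicate_categories(records):
    """Categories served by more than one contracted app: a rationalisation trigger."""
    by_category = {}
    for record in records:
        by_category.setdefault(record.category, []).append(record.name)
    return {c: sorted(names) for c, names in by_category.items() if len(names) > 1}


def missing_owners(record):
    """Intake checkpoint: every app needs a business, access, and renewal owner."""
    roles = {"business_owner": record.business_owner,
             "access_owner": record.access_owner,
             "renewal_owner": record.renewal_owner}
    return [role for role, owner in roles.items() if not owner]


def renewal_gate(record, today, window_days=60, min_utilisation=0.6):
    """Blockers that must be cleared before a renewal inside the window is approved.
    An empty list means either 'not yet in the window' or 'cleared to renew'."""
    if (record.renewal_date - today).days > window_days:
        return []
    blockers = [f"missing {role}" for role in missing_owners(record)]
    utilisation = record.licences_active_30d / record.licences_purchased
    if utilisation < min_utilisation:
        blockers.append(f"utilisation {utilisation:.0%} is below "
                        f"{min_utilisation:.0%}; review for downgrade")
    if record.dormant_accounts:
        blockers.append(f"{record.dormant_accounts} dormant accounts need "
                        "removal or justification")
    return blockers


def run_report(discovery=DISCOVERY, records=RECORDS, today=TODAY):
    """One view for procurement, finance, and IAM built from the same baseline."""
    inventory = build_inventory(discovery)
    return {
        "shadow_it": shadow_it(inventory),
        "duplicates": duplicate_categories(records),
        "renewal_blockers": {r.name: renewal_gate(r, today) for r in records},
    }


if __name__ == "__main__":
    for section, value in run_report().items():
        print(f"{section}: {value}")
```

The point of keeping `missing_owners` separate from `renewal_gate` is that the same ownership check runs at intake for a new request and again at renewal, so an app that was approved without an access owner cannot quietly renew in that state. Apps flagged by `shadow_it` have spend or usage evidence but no IdP-managed access path, which is exactly the population the guidance says procurement tends not to see.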
Key takeaways
- The article shows that SaaS procurement becomes a governance issue when application discovery, approvals, and renewals are fragmented.
- The scale of the problem is visible in duplicated tools, hidden subscriptions, and the identity ownership gaps that follow them.
- Teams should connect procurement to lifecycle control so every SaaS purchase has a clear owner, review path, and offboarding trigger.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-01 | SaaS procurement depends on knowing what software is actually in use. |
| NIST CSF 2.0 | PR.AC-4 | Access rights must align to ownership and business need across SaaS tools. |
| NIST CSF 2.0 | GV.OV-01 | Procurement oversight needs governance checkpoints for app ownership and lifecycle. |
Embed governance checkpoints into SaaS buying so every app has an owner and offboarding path.
Key terms
- SaaS Procurement Governance: The controls that connect software buying to ownership, approval, renewal, and offboarding. In practice, it ensures a purchased application has a business owner, a security review path, and a clear way to remove access when the tool is no longer needed.
- Shadow IT: Software or services acquired and used outside approved governance channels. It becomes a security issue when the organisation cannot see the application, control its access, or enforce lifecycle processes such as review, renewal, and retirement.
- Licence Rationalisation: The process of reducing redundant or oversized software licences to match actual business need. It is both a financial and identity governance activity because unused licences often reflect stale access, duplicate tools, or subscriptions that should be retired.
Deepen your knowledge
NHI governance, identity lifecycle, and secrets management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: Procurement 7 Software Procurement Services for Better SaaS Negotiation Team. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org