TL;DR: SaaS renewals often become reactive because usage data is fragmented, ownership is unclear, and offboarding gaps leave former employees and unused licenses on the books, according to 1Password. The governance problem is not negotiation skill but identity visibility, because renewal decisions are only as accurate as the access data behind them.
At a glance
What this is: This is an analysis of why SaaS contract renewals turn into surprise costs, with fragmented usage visibility and offboarding gaps as the central problem.
Why it matters: It matters to IAM practitioners because SaaS renewals expose how access governance, lifecycle control, and spend oversight intersect across human, NHI, and operational identity programmes.
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
Context
SaaS renewal management is an access governance problem as much as a finance problem. When teams cannot see who is using an application, how often they use it, and whether those licenses remain necessary, renewal decisions default to habit rather than evidence. In identity terms, that means entitlement sprawl is quietly being re-locked for another term.
The article points to a familiar governance failure: contracts sit with finance, partial usage signals sit with IT, and ownership is often buried in procurement history or inherited through mergers. That split makes renewals vulnerable to shelfware, unmanaged access, and stale accountability. For identity teams, renewals are a lifecycle checkpoint, not just a commercial event.
Key questions
Q: How should teams manage SaaS renewals when usage data is incomplete?
A: Start by treating renewals as a governance review, not a purchasing task. If usage data is incomplete, teams should reconcile contract records, identity data, and application telemetry before approving anything. The goal is to decide whether access, cost, and business need still align. If they do not, renewal should trigger license reclamation and access cleanup instead of automatic rollover.
Q: Why do SaaS renewals expose access governance gaps?
A: Renewals expose governance gaps because they force teams to prove who still needs access, who owns the tool, and whether the contract matches reality. When those answers are unclear, the organisation usually has fragmented ownership, stale accounts, or missing offboarding. That is an identity problem first and a finance problem second, which is why renewal reviews should include access validation.
Q: What breaks when former employees are still counted in SaaS renewals?
A: What breaks is both spend accuracy and access governance. Former employees left in renewal counts inflate license totals, hide unused capacity, and signal that offboarding is not fully closing access paths. The right response is to reconcile leaver records with active subscriptions before contracts roll over, so stale access does not become another year of avoidable cost.
Q: Who should be accountable for SaaS renewal decisions?
A: Accountability should sit with the business owner of the application, supported by IT for access data and finance for contract control. If any one of those groups owns the process alone, the organisation loses either usage context, entitlement accuracy, or cost discipline. Shared review is the only reliable way to make renewal decisions that stand up operationally.
Technical breakdown
Why SaaS renewal decisions fail without usage telemetry
Renewal decisions depend on usage telemetry that is often incomplete, delayed, or split across tools. Finance sees spend, IT sees some app inventories, and neither may see whether access is active, dormant, or duplicated across teams. In identity governance terms, the renewal problem begins when entitlement records and actual use are disconnected. If the programme cannot reconcile assigned licenses with real behaviour, it cannot distinguish shelfware from operational dependency.
Practical implication: tie renewal review to verified usage data, not contract history.
How ownership gaps inflate access and spend risk
Ownership gaps appear when SaaS tools are bought by teams, inherited through M&A, or renewed automatically without clear accountability. That creates a governance blind spot where no one is explicitly responsible for validating need, approving cost, or removing access. In practice, the same missing owner that allows cost leakage also allows privilege leakage, because no one is closing the loop on who should still have access to what.
Practical implication: assign a named business and technical owner for every renewing application.
Why offboarding and renewal should be treated as the same control point
Offboarding gaps are not just a workforce leaver problem. They also show up as dormant licenses, inherited accounts, and app access that survives long after utility has ended. Renewal time is the best checkpoint to catch that drift because it forces a review of whether access is still justified. When offboarding is weak, renewals preserve stale entitlements and embed unnecessary cost into the next cycle.
Practical implication: use renewal reviews to reclaim licenses and remove unused access before contracts roll over.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SaaS renewals are a lifecycle governance test, not a procurement event. The article is describing what happens when identity and entitlement data are too fragmented to support a decision. If teams cannot answer who is using an app, they cannot know whether access and spend remain justified. Practitioners should treat every renewal as a control checkpoint for access validity, ownership, and removal.
Licence sprawl is a visible symptom of invisible access governance failure. The recurring problem is not simply overspend. It is the absence of a reliable joiner-mover-leaver process for SaaS access, especially where app ownership has drifted across teams or transactions. That makes renewals a proxy for broader IGA maturity, because stale entitlements and unused contracts are usually produced by the same process breakdown.
Access review and contract renewal are converging into one governance motion. Organisations that separate commercial review from access review create duplicate work and miss the control opportunity. The strongest programmes use renewal windows to validate business need, remove dormant accounts, and reclaim excess licenses in the same workflow. Practitioners should align SaaS renewal controls with identity lifecycle governance rather than manage them in parallel silos.
Only 5.7% of organisations have full visibility into their service accounts, and that same visibility gap is now appearing in SaaS estates. The underlying problem is not limited to machine identities. The same inability to see who has access, where it sits, and whether it is still required shows up in renewals, shadow IT, and inherited applications. Practitioners should read this as a broader visibility deficit that spans human, NHI, and application access.
From our research:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- That visibility and lifecycle gap is explored further in the NHI Lifecycle Management Guide, which is the right next read when renewal hygiene and access cleanup need to be joined up.
What this signals
Licence renewal is becoming a proxy for identity hygiene. When organisations cannot tell who is actively using a SaaS application, they also cannot reliably tell which identities should be removed, recertified, or reclaimed. The same control discipline that governs leavers and dormant access should now govern renewals, because stale contracts are often a sign of stale entitlements.
That shift matters because renewal cycles create a recurring governance opportunity. Teams that connect spend review to access review will see faster license reclamation, cleaner ownership, and less shadow IT accumulation. Teams that keep finance and identity separate will keep paying to preserve uncertainty.
For practitioners
- Create a renewal ownership register: Map every renewing SaaS application to a named business owner, technical owner, and finance contact so no contract reaches auto-renewal without an accountable reviewer.
- Reconcile licenses against active usage before notice windows open: Pull usage data early enough to identify shelfware, duplicate tools, and dormant accounts before the renewal notice forces a rushed decision.
- Fold leaver cleanup into renewal reviews: Use each renewal checkpoint to remove access for former employees, reclaim unused seats, and verify that inherited accounts still have a valid business need.
- Set up renewal alerts with cross-functional review: Trigger alerts 30 to 90 days ahead and route them to IT, finance, and the application owner so access, spend, and business need are reviewed together.
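The reconciliation described in the technical breakdown and the practitioner steps above, as an added example that is not part of the original post or of 1Password's or NHIMG's tooling: it joins a constructed contract record, an IdP user list, and per-seat last-login telemetry, classifies each seat as active, dormant, leaver or orphan, and produces a seat recommendation plus the 30-to-90-day alert flag. All inputs, the 60-day dormancy threshold and the field names are assumptions for illustration.

```python
from datetime import date

# Constructed sample inputs (not from the original page); a real run would pull
# these from the contract register, the IdP, and the application's audit log.
CONTRACT = {"app": "ExampleCRM", "seats": 8, "renewal": date(2026, 6, 1)}
IDP_USERS = {"ana": "active", "ben": "active", "cal": "terminated",
             "dee": "active", "fay": "active"}
APP_SEATS = {  # login -> last login seen in the app (None = never)
    "ana": date(2026, 3, 1), "ben": date(2025, 11, 2), "cal": date(2025, 12, 20),
    "dee": None, "fay": date(2026, 3, 8), "zed": date(2026, 2, 15),
}
TODAY = date(2026, 3, 10)
DORMANT_DAYS = 60  # assumed threshold; tune per application


def classify_seats(idp_users, app_seats, today=TODAY, dormant_days=DORMANT_DAYS):
    """Return {login: status}; status is active, dormant, leaver or orphan."""
    result = {}
    for login, last_login in app_seats.items():
        idp_status = idp_users.get(login)
        if idp_status is None:
            result[login] = "orphan"   # no identity record: inherited or shadow account
        elif idp_status != "active":
            result[login] = "leaver"   # offboarding did not close this access path
        elif last_login is None or (today - last_login).days > dormant_days:
            result[login] = "dormant"  # assigned but not meaningfully used
        else:
            result[login] = "active"
    return result


def renewal_recommendation(contract, classes, today=TODAY):
    """Turn seat classes into the numbers a cross-functional review needs."""
    active = sum(1 for s in classes.values() if s == "active")
    days_to_renewal = (contract["renewal"] - today).days
    return {
        "app": contract["app"],
        "days_to_renewal": days_to_renewal,
        "alert": 30 <= days_to_renewal <= 90,      # inside the review window
        "contracted_seats": contract["seats"],
        "active_seats": active,
        "unassigned_seats": contract["seats"] - len(classes),
        "reclaimable": [l for l, s in classes.items() if s != "active"],
        "recommended_seats": active,               # renew only what is in use
    }


if __name__ == "__main__":
    print(renewal_recommendation(CONTRACT, classify_seats(IDP_USERS, APP_SEATS)))
```

Leaver and orphan seats are access-removal work for IT; dormant and unassigned seats are the reclamation figure finance takes into the negotiation.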
Key takeaways
- SaaS renewals become expensive when identity visibility, ownership, and offboarding are all weak at the same time.
- The scale of the problem is operational, not just financial, because stale access and unused licenses tend to persist into the next contract term.
- The practical fix is to make renewal review a lifecycle control point for access validation, license reclamation, and accountable ownership.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | SaaS renewals depend on knowing who has access and whether it is still justified. |
| NIST CSF 2.0 | PR.IP-7 | Renewal reviews are a process checkpoint for removing stale accounts and reclaiming access. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The lifecycle gap around unused or stale access mirrors NHI offboarding failures. |
Apply NHI-03 thinking to SaaS renewals by revoking unused access as part of each review cycle.
Key terms
- SaaS renewal management: The process of reviewing software contracts before they auto-renew or are re-signed. In identity terms, it is also a control point for validating active use, confirming ownership, and removing access that no longer has a business purpose.
- Shelfware: Software that is paid for but not meaningfully used. Shelfware often appears when license counts are not reconciled against real usage, leaving organisations to renew unused entitlements and absorb avoidable cost.
- Access recertification: A periodic review of whether a person, account, or application should still have access. For SaaS estates, recertification should compare assigned licenses and active use, then remove entitlements that no longer match a valid need.
Deepen your knowledge
SaaS renewal governance and identity lifecycle cleanup are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to align access review with commercial renewal cycles, it is worth exploring.
This post draws on content published by 1Password: SaaS renewal management and access visibility. Read the original.
Published by the NHIMG editorial team on 2026-03-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org