By NHI Mgmt Group Editorial Team
Published 2026-03-12
Domain: General NHI
Source: Zluri

TL;DR: SaaS management platforms that map renewals, app usage, licenses, and shadow IT can improve spend visibility, but the operational limit is still manual data entry and incomplete discovery, according to Zluri’s review of Sastrify alternatives. For IAM and NHI teams, that means procurement control and identity control now overlap more than most programmes assume.


At a glance

What this is: This is a comparison-style analysis of SaaS spend management alternatives, with the key finding that spend control still depends on reliable discovery, renewal visibility, and lifecycle data.

Why it matters: It matters because the same discovery and lifecycle gaps that waste software spend also leave service accounts, app entitlements, and shadow IT outside identity governance.

By the numbers:

👉 Read Zluri's comparison of seven Sastrify alternatives for SaaS spend management


Context

SaaS spend management becomes an identity problem when organisations cannot reliably map who or what is using a subscription, which renewals are active, or which accounts should be removed at departure. In that environment, procurement data and access data drift apart, and the programme loses confidence in both cost control and entitlement control.

The article frames Sastrify as useful for renewals, usage visibility, and procurement support, but it also points to manual setup, reporting gaps, and imperfect spend tracking. That combination is typical of SaaS management tools that sit close to identity governance but do not fully close the loop on application ownership, offboarding, and access revocation.


Key questions

Q: How should security teams handle SaaS subscriptions that sit outside identity governance?

A: Security teams should bring SaaS subscriptions into the same governance model used for identities, access, and offboarding. That means linking each application to an owner, a renewal record, and a termination workflow. If an app cannot be tied to an accountable owner and a current access source, it should be treated as unmanaged exposure, not just unmanaged spend.

Q: Why do shadow IT apps create identity and spend risk at the same time?

A: Shadow IT creates two problems at once. First, it hides recurring cost and duplicate licensing. Second, it creates accounts, tokens, and delegated access that may never be reviewed or revoked. When the application is invisible to governance, the identities attached to it are usually invisible as well, which turns a finance issue into an access-control problem.

Q: What do organisations get wrong about renewal calendars and licence reviews?

A: They often assume a renewal calendar is enough to enforce control. In practice, a calendar only tells you when money is due. It does not prove the seat is still needed, the user is still active, or the entitlement still matches current business ownership. Renewal review must be linked to actual usage and account state.

Q: What is the difference between SaaS spend management and access governance?

A: SaaS spend management focuses on what the organisation pays for, while access governance focuses on who or what can use the service. The two overlap because unused licences, stale app accounts, and unowned subscriptions are often symptoms of the same lifecycle failure. Teams that separate them usually miss the operational link between cost leakage and entitlement drift.


Technical breakdown

SaaS discovery and app ownership mapping

SaaS management platforms aggregate signals from SSO, finance systems, browser data, and direct integrations to infer which applications exist and who uses them. The technical challenge is not just inventory, but ownership accuracy. If an app is discovered through one channel but funded through another, the platform can show activity without proving governance responsibility. That is why duplicate apps, shadow IT, and disconnected cost centres are persistent problems. Discovery quality determines whether downstream renewal, licensing, and access decisions are based on reality or on partial telemetry.

Practical implication: require app ownership and funding ownership to be reconciled before relying on any SaaS inventory.

Renewal calendars, license right-sizing, and entitlement drift

Renewal management works by combining contract dates, usage telemetry, and licence assignment data to identify wasted spend before payment is due. The weakness is entitlement drift, where assigned seats outlive actual use or move with no corresponding governance update. Right-sizing only works if usage is measured consistently and the identity attached to the licence is still valid. Otherwise, the organisation may optimise cost on paper while leaving dormant or over-assigned accounts in place.

Practical implication: tie renewal decisions to verified usage and current account ownership, not to last quarter's licence allocations.

Manual setup and reporting gaps in SaaS management

When a SaaS platform requires manual input for contracts, spend records, and app metadata, the control model becomes dependent on human upkeep. That creates delay, inconsistency, and blind spots, especially in larger estates with many departments and cards. Reporting then becomes descriptive rather than governable, because the system can show spend after the fact but cannot always explain whether access, purchase authority, and application use were aligned at the time.

Practical implication: treat manual enrichment as a governance risk and define minimum data quality thresholds before using the platform for decisions.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Software spend and identity governance are converging faster than most teams' operating models. The article shows that renewal management, user usage, and app discovery now sit in the same workflow as procurement control. That matters because the same missing ownership data that creates SaaS waste also creates entitlement drift, offboarding gaps, and unreviewed application access. Practitioners should stop treating SaaS spend as a finance-only domain.

Manual discovery is a control weakness, not just an administrative inconvenience. When contract details and app metadata require human entry, the platform inherits the same latency and error patterns that identity governance tries to remove elsewhere. The result is a fragmented control plane where cost data, usage data, and account data no longer agree. That is a governance failure mode, not a reporting quirk, and it should be treated as such.

Licence recovery on employee departure is an NHI-adjacent lifecycle problem, not a pure procurement task. The article's emphasis on reclaiming licenses after departure shows that application subscriptions follow lifecycle events, just like service accounts and tokens do. Once an employee leaves, any app account or connected entitlement linked to that user should be considered part of the offboarding chain. Practitioners should align SaaS renewal processes with identity lifecycle controls.

Shadow IT in SaaS spend platforms is the same structural issue as shadow NHI elsewhere in the enterprise. If the organisation cannot see all apps, it also cannot see all the identities attached to those apps. That creates hidden attack surface, hidden cost, and hidden accountability in one move. The named concept here is identity-finance drift: when spending systems and identity systems describe different versions of the application estate. Practitioners should manage both views as one governance problem.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
  • For lifecycle depth, see NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding should be governed together.

What this signals

SaaS spend platforms are increasingly acting as surrogate identity governance tools, but they only work when discovery, ownership, and lifecycle data are aligned. The practical question for programme leaders is whether their procurement stack can surface stale accounts, inactive subscriptions, and unowned applications before renewal pressure turns into control failure.

Identity-finance drift: when the finance system says an application is active but the identity system cannot verify who still uses it, governance breaks in the gap between the two records. That is where cancelled licences, orphaned access, and hidden SaaS exposure tend to accumulate.

With 96% of organisations storing secrets outside dedicated secrets managers in vulnerable locations including code, config files, and CI/CD tools, the broader lesson is clear: visibility gaps rarely stay confined to one programme. Teams should expect SaaS management, access governance, and secret hygiene to converge in the same operating review.


For practitioners

  • Reconcile app ownership with account ownership: Map each SaaS application to a business owner, a technical owner, and the identity source that governs accounts and licences. Do not approve renewals until those three records agree.
  • Treat offboarding as licence recovery plus access removal: When an employee departs, reclaim the seat, disable the app account, and confirm any connected API or delegated access has been revoked. Include this in the same closure checklist used for identity lifecycle events.
  • Set a data-quality threshold for spend decisions: Require contract, owner, usage, and renewal fields to be complete before the platform is allowed to drive cancellation or right-sizing decisions. If the records are incomplete, route the item for manual review instead of automating the action.
  • Separate discovery confidence from reporting confidence: Measure whether the tool can find all apps independently of whether it can report on spend accurately. Discovery gaps and reporting gaps create different risks, and both must be tracked in the same governance review.
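As an added example (not code from Zluri, Sastrify or NHIMG), the reconciliation described in the technical breakdown and the practitioner steps above, in Python: it joins a finance view of subscriptions with an SSO/IdP view of accounts, flags identity-finance drift, shadow apps, seat mismatches and departed or idle users, and applies a data-quality gate so incomplete records go to manual review. The record layout, field names, sample apps and the 60-day idle threshold are assumptions.

```python
from datetime import date

# Constructed sample records (hypothetical; not from Zluri or NHIMG).
FINANCE = {  # app -> what the finance/procurement system believes
    "crm":        {"owner": "sales-lead", "seats": 3, "renewal": date(2026, 4, 1)},
    "designtool": {"owner": None,         "seats": 2, "renewal": date(2026, 3, 20)},
}
IDENTITY = [  # app accounts as reported by the SSO/IdP
    {"app": "crm",  "user": "alice", "active": True,  "last_login": date(2026, 3, 10)},
    {"app": "crm",  "user": "bob",   "active": False, "last_login": date(2025, 11, 2)},
    {"app": "crm",  "user": "carol", "active": True,  "last_login": date(2025, 12, 1)},
    {"app": "wiki", "user": "dave",  "active": True,  "last_login": date(2026, 3, 1)},
]
REQUIRED = ("owner", "seats", "renewal")  # data-quality threshold for automation


def reconcile(finance, identity, today, idle_days=60):
    """Compare the finance view and the identity view of every app.
    Returns {app: {"findings": [...], "action": "automate" | "manual_review"}};
    automation is allowed only for a complete finance record backed by accounts.
    """
    accounts = {}
    for acct in identity:
        accounts.setdefault(acct["app"], []).append(acct)
    report = {}
    for app in sorted(set(finance) | set(accounts)):
        fin, accts, findings = finance.get(app), accounts.get(app, []), []
        missing = [] if fin is None else [f for f in REQUIRED if fin.get(f) is None]
        if fin is None:  # identity knows the app, finance does not: shadow SaaS
            findings.append("shadow_app: accounts exist but no finance record")
        elif missing:  # manual enrichment never happened
            findings.append("incomplete_record: missing " + ",".join(missing))
        if fin is not None and not accts:  # paid for, but nobody verifiable uses it
            findings.append("identity_finance_drift: paid but no verifiable accounts")
        elif fin is not None and fin["seats"] != len(accts):
            findings.append(f"seat_mismatch: paying {fin['seats']}, assigned {len(accts)}")
        for a in accts:  # entitlement drift: departed or dormant users keep seats
            if not a["active"]:
                findings.append(f"departed_user: {a['user']} still holds an account")
            elif (today - a["last_login"]).days > idle_days:
                findings.append(f"idle_account: {a['user']} idle > {idle_days}d")
        gate_ok = fin is not None and bool(accts) and not missing
        report[app] = {"findings": findings,
                       "action": "automate" if gate_ok else "manual_review"}
    return report


def run_sample():
    """Run the reconciliation over the constructed records as of 2026-03-12."""
    return reconcile(FINANCE, IDENTITY, date(2026, 3, 12))
```

In the constructed data only the CRM record clears the gate; the unowned design tool and the unfunded wiki are both routed to manual review with their findings attached.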

Key takeaways

  • SaaS spend tooling becomes an identity control problem when application ownership, usage, and offboarding are not kept in sync.
  • The main risk is not just wasted budget. It is the persistence of unreviewed accounts, licences, and delegated access behind incomplete records.
  • Practitioners should align renewal workflows with identity lifecycle controls so that cost decisions and access decisions are made from the same data.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle gaps in SaaS accounts mirror improper NHI rotation and offboarding.
NIST CSF 2.0 | PR.AC-4 | Access governance fails when active subscriptions and account state diverge.
NIST Zero Trust (SP 800-207) | | Discovery and continuous verification are central to stopping shadow SaaS access.

Apply zero-trust verification to SaaS apps so access is continuously validated against ownership.


Key terms

  • SaaS Spend Management: SaaS spend management is the practice of tracking, analysing, and controlling software subscription costs across the business. In identity terms, it also depends on knowing who owns each app, who uses it, and when access should be removed so financial control and entitlement control stay aligned.
  • Shadow IT: Shadow IT is software or service use that sits outside approved governance channels. It creates cost opacity and identity opacity at the same time, because the organisation may not know who created the account, who can use it, or whether the application has ever been reviewed for access risk.
  • Entitlement Drift: Entitlement drift is the gradual mismatch between current business need and active access or licence assignment. It appears when renewals, role changes, or departures are not reflected in account state, leaving organisations paying for access that should have been removed or revalidated.

Deepen your knowledge

SaaS lifecycle governance and lifecycle-driven access removal are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to connect procurement visibility with identity control, it is a practical place to start.

This post draws on content published by Zluri: SaaS Management Top 7 Sastrify Alternatives For SaaS Spend Management [2026]. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org