By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: Rising SaaS spend and unmanaged app usage create hidden costs and governance gaps as organisations lose visibility into licenses, renewals, duplicate tools, and abandoned access, according to Zluri and Gartner. The identity problem is not just overspend: app lifecycle control across people, subscriptions, and access ownership is now a security requirement.


At a glance

What this is: This is a SaaS spend management piece that shows how unused licenses, duplicate apps, auto-renewals, and abandoned apps become both cost waste and governance risk.

Why it matters: It matters because SaaS procurement and offboarding are identity lifecycle problems, and IAM, IGA, and PAM teams need visibility into who owns access, subscriptions, and app retirement across human and non-human workflows.

By the numbers:

👉 Read Zluri's analysis of SaaS spending controls for CFOs and IT teams


Context

SaaS spend management is really a governance problem: organisations cannot control what they cannot inventory, and that gap shows up first in unused licenses, duplicate apps, and forgotten renewals. For identity teams, the issue is not just finance. It is lifecycle control over application access, ownership, and offboarding across a sprawling software estate.

The article points to a familiar failure mode in decentralised environments. Employees sign up for tools outside formal procurement, teams keep paying for apps after projects end, and abandoned subscriptions remain active after people leave. That is why SaaS spend control belongs in the same conversation as access reviews, application governance, and deprovisioning.


Key questions

Q: How should teams reduce SaaS overspend without losing control of access?

A: Start with a reconciled inventory of subscriptions, active users, and business owners. Then remove unused licenses, retire duplicate apps, and tie renewal decisions to access reviews and offboarding. Savings are durable only when access ownership and contract ownership are governed together, not as separate processes.

Q: Why do abandoned SaaS apps create both cost and security risk?

A: Abandoned apps keep consuming budget through renewals while their linked accounts, permissions, and data access may remain active. That means the organisation pays for software it no longer uses and also preserves an unnecessary path into business data. The fix is lifecycle control, not just expense tracking.

Q: What do security teams get wrong about duplicate SaaS tools?

A: They often treat duplicates as a finance issue and ignore the identity impact. Each overlapping app creates its own access records, offboarding steps, and audit evidence, which fragments control and complicates governance. Rationalisation should be recorded as an identity governance decision, not only a cost-cutting exercise.

Q: Who should own SaaS renewal and offboarding decisions?

A: Renewal and offboarding should be jointly owned by the business app owner, IT, and security or identity governance teams. That prevents subscriptions from auto-renewing after use has ended and ensures the access, contract, and retirement decisions happen through one accountable workflow.


Technical breakdown

Why SaaS license rightsizing depends on identity lifecycle visibility

Rightsizing only works when organisations can reconcile purchased licenses against active accounts, usage, and ownership. In practice, unused licenses persist because procurement, IT, and business teams hold different records, and no single workflow confirms whether access still serves a current business purpose. That makes license waste a governance signal, not just a budget line item. The deeper issue is that many enterprises treat subscription counts and identity records as separate systems even though they describe the same operational reality.

Practical implication: reconcile subscription data, active accounts, and ownership before reducing licenses.

Duplicate SaaS apps create overlapping access and fragmented control

Duplicate applications are rarely just a cost problem. When different teams use overlapping tools for the same function, access decisions, audit trails, and offboarding responsibilities fragment across multiple platforms. That makes it harder to answer which app is authoritative, which account should be closed, and where data still lives after a user or team changes tools. This is where SaaS governance meets identity governance: the organisation is effectively managing several parallel access domains with inconsistent lifecycle controls.

Practical implication: assign app owners and retirement workflows to every overlapping SaaS category.

Auto-renewals and abandoned apps show where offboarding breaks down

Auto-renewal becomes a control failure when an app remains active after the business need has ended. The article's abandoned app examples show a classic lifecycle gap: an employee or team starts a subscription, the work ends, but the contract and access remain live. That leaves both financial leakage and security exposure, because dormant apps often keep their permissions, data access, and linked accounts intact. The technical issue is not the renewal mechanism itself. It is the missing offboarding trigger that should disconnect ownership, access, and payment at the same time.

Practical implication: tie subscription termination to offboarding and project closure workflows.


NHI Mgmt Group analysis

App abandonment is an identity lifecycle failure, not a procurement oversight. The article shows that subscriptions continue after employees leave or projects end because ownership and offboarding are not joined up. That creates a governance gap where access, payment, and accountability all outlive the business need. The practitioner lesson is to treat abandoned SaaS as a lifecycle control defect.

Duplicate SaaS creates identity sprawl that finance alone cannot clean up. When three tools overlap on the same workflow, the organisation does not just pay twice. It also multiplies entitlement tracking, access reviews, and evidence gathering across disconnected platforms. That is why SaaS rationalisation belongs inside IGA and application governance, not only in cost reduction programmes. Practitioners should make application ownership part of identity governance records.

Standing SaaS subscriptions behave like standing privilege when nobody revisits them. Auto-renewal keeps an app, its access, and its data relationship alive long after the operational need has ended. The control failure is not the renewal notice. The failure is the absence of a mandatory retirement decision that closes the account, contract, and dependency together. Practitioners should align offboarding, review, and contract termination into one governance path.

Unused licenses are a measurable symptom of weak application governance maturity. If an organisation cannot say how many licenses are active, abandoned, or duplicated, it has no reliable basis for cost optimisation or access control. The article makes clear that real-time visibility is the prerequisite for both savings and security. Practitioners should measure SaaS rationalisation as a governance outcome, not just a finance initiative.

SaaS spend control is now part of identity surface management. The more applications employees can adopt without central approval, the more the identity perimeter extends beyond formal IAM tooling. That means finance, IT, and security are all operating on the same control plane, whether they acknowledge it or not. Practitioners should govern SaaS as part of the broader identity estate.

From our research:

What this signals

SaaS rationalisation is increasingly an identity governance exercise because subscription sprawl and access sprawl now move together. With just 44% of organisations reporting any policies for managing AI agents, the broader lesson is that governance maturity still lags behind how fast organisations adopt new digital workers and tools.

The practical signal for programme owners is that contract review, access review, and application retirement need to operate as one control loop. When those activities are separated, cost leakage and orphaned access become the same problem viewed from different teams.

As identity estates widen, the strongest control point is not a finance report. It is the ability to prove who owns each application, who can access it, and who is responsible for shutting it down when its business purpose ends.


For practitioners

  • Reconcile licenses against live accounts: Build a monthly process that compares purchased subscriptions with active users, recent usage, and business owner confirmation so unused licenses can be removed before renewal.
  • Assign an owner to every SaaS application: Require a named business and IT owner for each app so renewal, access review, and termination decisions have a clear accountable party.
  • Link offboarding to subscription termination: Make app retirement part of employee exit and project closure workflows so abandoned accounts, linked data access, and renewals are closed together.
  • Review overlapping apps by business function: Map tools by use case, such as project management or collaboration, and retire duplicate products where one approved platform can meet the same need.
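The reconciliation described in the technical breakdown and in the first practitioner item above can be expressed as a small join across three data sets: the procurement record of subscriptions, the IdP's view of who is still employed, and each app's own account list with last-login dates. The script below is an added example written for this page; it is not Zluri's product logic or NHIMG tooling. All data is constructed inline, and the field names (seats, owner, auto_renew, last_login) are assumptions about what a procurement export, an IdP export and an application user list typically contain. It flags the four conditions the article discusses: unused seats, orphaned accounts belonging to offboarded users, apps with no accountable owner, and overlapping apps in one business category, plus auto-renewals that are about to fire on an app nobody is using.

```python
"""Reconcile SaaS subscriptions against identity and usage data.

Added example for illustration only (not Zluri's or NHIMG's code). Sample data
is constructed; the record shapes are assumptions about typical exports.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Subscription:
    app: str
    category: str            # business function, used to spot overlapping tools
    seats: int               # purchased seats
    renewal: date            # next renewal date
    auto_renew: bool
    owner: Optional[str]     # named business owner, None if nobody is recorded


@dataclass
class Account:
    app: str
    user: str
    last_login: Optional[date]   # None = provisioned but never used


# --- constructed sample data (hypothetical apps and users) -------------------
AS_OF = date(2025, 6, 26)

SUBSCRIPTIONS = [
    Subscription("taskboard", "project management", 50, date(2025, 7, 15), True, "alice"),
    Subscription("planhub", "project management", 20, date(2025, 7, 1), True, None),
    Subscription("chatwave", "collaboration", 30, date(2025, 12, 1), False, "bob"),
]

# IdP status: True = active employee, False = offboarded
IDP_USERS = {"alice": True, "bob": True, "carol": True, "dave": False, "erin": False}

ACCOUNTS = [
    Account("taskboard", "alice", AS_OF - timedelta(days=3)),
    Account("taskboard", "bob", AS_OF - timedelta(days=10)),
    Account("taskboard", "carol", AS_OF - timedelta(days=200)),  # dormant user
    Account("taskboard", "dave", AS_OF - timedelta(days=120)),   # user offboarded
    Account("planhub", "erin", AS_OF - timedelta(days=400)),     # offboarded, app abandoned
    Account("planhub", "carol", None),                           # never logged in
    Account("chatwave", "alice", AS_OF - timedelta(days=1)),
    Account("chatwave", "bob", AS_OF - timedelta(days=2)),
]


def reconcile(subs, accounts, idp_users, as_of, inactivity_days=90, renewal_window_days=45):
    """Join subscriptions, app accounts and IdP status into governance findings."""
    cutoff = as_of - timedelta(days=inactivity_days)
    by_app = defaultdict(list)
    for a in accounts:
        by_app[a.app].append(a)

    findings = {
        "unused_seats": {},         # app -> purchased seats minus recently active accounts
        "orphaned_accounts": [],    # (app, user) where the IdP no longer knows an active user
        "missing_owner": [],        # apps with no accountable business owner
        "duplicate_categories": {}, # category -> apps when more than one app covers it
        "abandoned_renewals": [],   # auto-renewing soon with zero active users
    }
    categories = defaultdict(list)
    for s in subs:
        accts = by_app.get(s.app, [])
        # An account counts as active only if the IdP still lists the user as
        # employed AND the user has logged in within the inactivity window.
        # Users unknown to the IdP are treated as orphaned, not as active.
        active = [a for a in accts
                  if idp_users.get(a.user, False)
                  and a.last_login is not None and a.last_login >= cutoff]
        findings["unused_seats"][s.app] = s.seats - len(active)
        findings["orphaned_accounts"] += [(a.app, a.user) for a in accts
                                          if not idp_users.get(a.user, False)]
        if s.owner is None:
            findings["missing_owner"].append(s.app)
        categories[s.category].append(s.app)
        renews_soon = s.renewal <= as_of + timedelta(days=renewal_window_days)
        if s.auto_renew and not active and renews_soon:
            findings["abandoned_renewals"].append(s.app)
    findings["duplicate_categories"] = {c: apps for c, apps in categories.items() if len(apps) > 1}
    return findings


if __name__ == "__main__":
    for key, value in reconcile(SUBSCRIPTIONS, ACCOUNTS, IDP_USERS, AS_OF).items():
        print(f"{key}: {value}")
```

On the constructed data the output shows why the three records have to be read together: "planhub" has no owner, only an offboarded user and a never-used account, and it auto-renews within the window, so it is the abandoned-app case from the article; "taskboard" is healthy but still carries an account for an offboarded user and 48 paid seats nobody is using. Each finding maps to an owner action (remove seats, close the orphaned account, assign an owner, decide which project-management tool is authoritative) rather than to a finance line item alone.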

Key takeaways

  • SaaS overspend is often a lifecycle problem in disguise, because abandoned subscriptions usually reflect missing ownership and offboarding controls.
  • Duplicate apps and unused licenses create measurable waste, but they also fragment access governance across tools, teams, and audit trails.
  • The strongest response is a joined-up process that links inventory, access review, renewal approval, and termination into one accountable workflow.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-03              | Abandoned SaaS subscriptions mirror stale non-human access and lifecycle gaps.
NIST CSF 2.0                     | PR.AC-1             | Application ownership and access visibility support access control governance.
NIST Zero Trust (SP 800-207)     | AC-4                | Overlapping apps and standing access weaken continuous verification and control.

Maintain an authoritative app inventory and map each subscription to a responsible owner.


Key terms

  • SaaS Sprawl: SaaS sprawl is the uncontrolled growth of software subscriptions across teams, departments, and individual users. It creates duplicated tools, inconsistent ownership, and weak lifecycle governance, which makes both cost control and access control harder to maintain across the organisation.
  • App Offboarding: App offboarding is the process of retiring an application, closing its subscriptions, and removing associated access when it is no longer needed. In identity programmes, it should include ownership transfer, data retention checks, entitlement removal, and confirmation that renewals will not continue automatically.
  • License Rightsizing: License rightsizing is the practice of aligning purchased seats or subscriptions with actual usage. It combines usage data, active account counts, and business ownership to reduce waste without leaving users under-provisioned or creating unmanaged access paths.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri (Vendor Management): "How CFOs can Leverage SMPs to Optimize SaaS Spending?" Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org