TL;DR: SaaS spend management becomes an identity governance problem when duplicate apps, unrevoked subscriptions, and unmanaged renewals let access and spending drift outside IT control, according to Zluri. The operational issue is not just cost control, but whether organisations can actually see, right-size, and retire application access before waste becomes risk.
At a glance
What this is: This article argues that SaaS overspending is driven by weak visibility into app usage, renewals, and ownership, with the key finding that unmanaged subscriptions and licenses create avoidable waste.
Why it matters: It matters because the same control gaps that waste SaaS budget also weaken IAM, NHI governance, and lifecycle oversight across employee, service, and workflow access.
By the numbers:
- The global SaaS spend management market size was valued at US$ 611 million in 2022 and is projected to reach US$ 2456.8 million by 2029, growing at a CAGR of 22.0% from 2023 to 2029.
- SaaS occupies nearly 6-10% of the budget for 31% of IT decision-makers.
Context
SaaS spend management is the discipline of tracking application subscriptions, license consumption, renewals, and ownership so organisations can stop paying for software they no longer use. In identity terms, the problem is not just budget leakage, but unmanaged entitlements that outlive their business need and escape central review.
The article frames SaaS overspending as a governance failure caused by shadow IT, abandoned apps, unrevoked licenses, and missed enterprise pricing opportunities. That makes it relevant to IAM, IGA, and lifecycle teams because the same visibility gap affects who has access, which apps remain active, and when access should be removed.
Key questions
Q: How should security teams handle SaaS applications that are bought outside IT?
A: They should bring those apps into a managed inventory, assign business ownership, and require renewal review before the contract continues. The goal is not only cost control. It is also making sure unsanctioned tools do not become unmanaged access paths that bypass lifecycle governance and create shadow IT risk.
Q: Why do abandoned SaaS licenses matter to IAM teams?
A: Abandoned licenses matter because they show that access and spend are no longer tied to a current business need. When a license stays active after the user no longer uses it, the organisation loses lifecycle control and may also retain unnecessary access to data, integrations, or downstream systems.
Q: When should organisations prioritise renewal governance over retrospective spend reporting?
A: They should prioritise renewal governance before the contract rolls over, because that is the point where cost and access are still reversible. Retrospective reporting explains the overspend after it happens, but renewal controls stop the same access and budget from carrying forward by default.
Q: How can teams reduce SaaS waste without creating more manual work?
A: They should automate inventory discovery, usage review, and renewal alerts so the control process scales with the number of applications. A manual spreadsheet approach breaks down as the portfolio grows, while automated review lets teams focus on deciding what to keep, retire, or consolidate.
Technical breakdown
Why spreadsheet-based SaaS tracking fails at scale
Spreadsheets can record purchases, but they do not maintain reliable state when app ownership changes, users leave, or teams self-provision new tools. Once usage data, renewal dates, and department ownership are split across files and inboxes, the organisation loses a trusted source of truth. That is the core mechanism behind SaaS overspend: the control environment cannot answer basic questions about who bought an app, who still uses it, and whether it should remain in the portfolio.
Practical implication: Move subscription and ownership data into a managed inventory before renewal decisions are made.
How duplicate apps and abandoned licenses create hidden access sprawl
Duplicate applications emerge when different teams adopt separate tools to solve the same problem, while abandoned licenses persist because no one reconciles consumption against entitlement. This is a governance pattern, not just a procurement issue. In IAM terms, it mirrors entitlement sprawl: access continues because there is no authoritative process to confirm that the business need still exists. When that happens, the organisation pays for dormant access and loses leverage over standardisation.
Practical implication: Tie application approval, usage review, and offboarding to one renewal workflow.
Why renewal control is the real cost-control mechanism
Auto-renewals turn SaaS into a standing commitment unless someone intervenes before the contract rolls over. That is why renewal governance matters more than retrospective cost analysis. The article’s logic is clear: if procurement, IT, and business units do not coordinate ahead of renewal, sub-optimal plans and overlapping tools continue by default. The identity parallel is important because contract renewal often preserves application access even when the original use case has changed.
Practical implication: Set renewal thresholds, ownership checks, and approval gates well before the contract date.
NHI Mgmt Group analysis
SaaS overspending is really entitlement sprawl in financial form. The article describes a budget problem, but the underlying failure is identity governance: applications are acquired, used, and forgotten faster than the organisation can reconcile them. That is the same condition that produces lingering access in IAM and dormant accounts in NHI estates. Practitioners should treat SaaS spend review as an entitlement control problem, not a finance-only exercise.
Lifecycle control is the missing control plane for SaaS portfolios. The article repeatedly returns to renewals, offboarding, and usage review because those are the points where access and spending either converge or drift apart. Zluri states that employees now self-select tools, which means the old IT-first procurement model no longer captures the full application surface. The implication is that lifecycle governance must extend across applications, not just identities.
Shadow IT creates a dual risk surface for cost and access. When teams bypass central procurement, they do not just duplicate spend. They also create unmanaged access paths, fragmented ownership, and blind spots that make recertification and deprovisioning unreliable. That is especially relevant where SaaS applications hold sensitive data or integrate with downstream systems. Practitioners should read shadow IT as a lifecycle and exposure signal, not only an inventory problem.
Renewal governance is where IAM, procurement, and finance finally intersect. The article shows that the same decision point controls both wasted spend and continuing access. Once an app auto-renews, the organisation often keeps paying for stale usage while leaving entitlements intact. That means the strongest governance model is not periodic review in isolation, but a shared renewal decision process with ownership, usage evidence, and explicit retirement criteria. The practitioner conclusion is straightforward: if renewal is uncontrolled, lifecycle control is incomplete.
“Identity perimeter” is the right concept for SaaS governance. The article’s move from network perimeter language to identity perimeter language is directionally correct because SaaS access is governed more by who can sign up, assign, and retain entitlements than by where the app is hosted. That reframes spend management as a control problem across identity, procurement, and access policy. Practitioners should adopt portfolio governance that follows identity ownership rather than asset location.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For lifecycle grounding, see NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding should be governed across machine identities.
What this signals
Identity perimeter is the right way to think about SaaS portfolios now. When employees can self-provision applications and renewals can continue without central review, the boundary that matters is who can create, approve, and retain access, not where the software runs.
With 72% of organisations already reporting or suspecting NHI breaches in NHIMG research, the governance lesson extends beyond SaaS costs: unmanaged entitlements rarely stay isolated to one budget line. Once access and ownership drift, the same blind spot can affect machine identities, integrations, and downstream data exposure.
Teams should expect SaaS spend control to converge with identity lifecycle management. The more apps are purchased outside IT, the more renewal governance, access review, and offboarding need to be handled as one control pattern rather than separate operational chores.
For practitioners
- Centralise SaaS ownership and renewal data: Create a single inventory that maps app name, business owner, contract date, renewal date, user count, and billing cadence so no subscription sits outside review.
- Tie app usage evidence to renewal decisions: Require current usage metrics before any auto-renewal is approved, and cancel apps that show duplication, inactivity, or weak feature adoption.
- Route shadow IT into approval workflows: Use intake and reconciliation processes to surface unsanctioned tools early, then assign ownership before they become unmanaged entitlements.
- Align offboarding with license revocation: Remove licenses when employees leave or move roles, and verify that dormant subscriptions cannot continue to bill on corporate payment methods.
Key takeaways
- SaaS overspending is a governance symptom, not just a finance issue, because unmanaged subscriptions and licenses reflect weak lifecycle control.
- Shadow IT, duplicate tools, and auto-renewals create the same kind of entitlement drift that identity teams already fight in access governance.
- The practical fix is a shared renewal workflow that combines ownership, usage evidence, and offboarding before contracts roll over.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Unmanaged SaaS renewals mirror weak NHI rotation and lifecycle control. |
| NIST CSF 2.0 | PR.AC-1 | Access and subscription sprawl reflects weak identity-controlled asset governance. |
| NIST Zero Trust (SP 800-207) | AC-4 | Centralised enforcement is needed when users self-provision apps outside IT. |
Reconcile SaaS ownership and renewal timing with NHI-03 style lifecycle controls before contracts auto-renew.
Key terms
- SaaS Spend Management: SaaS spend management is the practice of tracking subscriptions, licenses, renewals, and application ownership so organisations can control software cost and usage together. In mature programmes, it also becomes a lifecycle discipline because unused or redundant access can persist even after the business need disappears.
- Shadow IT: Shadow IT is software adopted outside central approval or visibility, usually by business teams trying to solve a problem quickly. In identity terms, it creates unmanaged ownership, inconsistent access review, and renewal risk because the organisation cannot reliably see who sanctioned the app or why it remains active.
- Renewal Governance: Renewal governance is the process of deciding whether an application should continue before an auto-renewal or contract extension occurs. It combines usage evidence, ownership, budget approval, and offboarding checks so that access and spend do not continue by default when the original need has changed.
- Entitlement Sprawl: Entitlement sprawl is the accumulation of unnecessary or duplicate access rights across applications, licenses, and services. In SaaS environments, it appears when teams buy tools independently, leave old subscriptions active, or fail to remove licenses after users move or exit, creating both waste and control drift.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: SaaS Management SaaS Spend Management: Win the Battle Against SaaS Overspending. Read the original.
Published by the NHIMG editorial team on 2025-09-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org