By NHI Mgmt Group Editorial Team
Published 2026-03-12
Domain: Best Practices
Source: Zluri

TL;DR: Cost control, license visibility, and access governance are converging as one operational problem in SaaS spend management tools, especially where shadow apps, unused subscriptions, and risky access create both waste and exposure, according to Zluri’s 2026 review. The real lesson is that spend optimisation now depends on identity control, not procurement alone.


At a glance

What this is: This is a review of SaaS spend management tools that argues visibility, license control, and user access control are the core levers for reducing waste and risk.

Why it matters: It matters because IAM and governance teams increasingly have to connect application spend, access rights, and software sprawl across NHI, autonomous, and human identity programmes.



Context

SaaS spend management is no longer just a finance problem. Once organisations lose track of subscriptions, duplicate apps, or dormant licenses, they also lose track of who or what still has access to those applications, which turns cost leakage into identity governance drift.

The article frames SaaS visibility as an operational control point, but the deeper issue is that unmanaged application growth creates hidden identity surfaces. That affects human users, service accounts, and any automated workflows tied into SaaS platforms, especially where access reviews and offboarding are already fragmented.


Key questions

Q: How should security teams connect SaaS spend management with IAM governance?

A: Security teams should treat SaaS spend data as identity evidence. The inventory, usage, and renewal signals from spend tools should feed access reviews, offboarding, and entitlement cleanup so finance, IAM, and application governance operate from the same dataset. That is the only way to prevent unused subscriptions from becoming unused but still active access.

Q: Why do shadow SaaS apps create identity risk as well as cost waste?

A: Shadow SaaS apps bypass normal procurement and governance controls, so they are often missing from access review, logging, and offboarding processes. That means users and non-human identities can retain access to tools that security teams do not even know exist, which is both an audit problem and a privilege problem.

Q: When should organisations revoke SaaS access instead of just removing licenses?

A: Organisations should revoke access whenever a user, integration, or service account no longer has an active business purpose, even if the subscription remains in place. Removing the license alone does not guarantee the identity is gone, and leaving access intact preserves risk across the application estate.

Q: What should teams do when SaaS discovery finds duplicate or unused apps?

A: Teams should validate ownership, review who still has access, and fold the app into a rationalisation decision that includes entitlement cleanup and offboarding. The goal is not just to reduce spend. It is to eliminate orphaned access paths before they become long-lived governance blind spots.


Technical breakdown

SaaS discovery and shadow IT visibility

SaaS discovery is the process of identifying which cloud applications are actually in use across an organisation, including tools that never passed through procurement. In practice, discovery has to pull from identity providers, browser signals, finance systems, and device telemetry to build a usable inventory. Without that inventory, spend management becomes guesswork and access governance misses the apps that matter most because they are the least visible. The identity problem is not just cost waste. It is that unknown applications create unknown credential paths, which prevents reliable recertification and offboarding.

Practical implication: build a verified SaaS inventory before trying to rationalise licenses or certify access.

License management and standing access

License management in SaaS is really entitlement management by another name. A paid subscription often implies access, but access does not always disappear when the business need ends, which creates standing privilege in application form. When teams fail to reconcile usage against entitlement, they keep paying for identities that no longer need access and retain risk on accounts that should have been removed. That is why license review, access review, and offboarding need to operate as one governance motion rather than separate workflows.

Practical implication: tie renewal decisions to actual usage and revoke dormant entitlements at the same time.

User access control in spend tools

User access control is the bridge between procurement and IAM. A spend platform that can see who is using which application can also help identify over-assigned permissions, unauthorized application use, and accounts that should be moved into least-privilege treatment. For non-human identities, the same logic applies to tokens, integrations, and service accounts that keep a SaaS tool connected long after the original owner has changed role. The control plane is only effective if access data is current and role changes are fed back into governance processes quickly.

Practical implication: use access data from SaaS spend tooling as input to IAM, IGA, and offboarding workflows.
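As an added illustration (not code from Zluri's article or from the NHIMG piece), the script below joins the three feeds the breakdown above says discovery must reconcile, paid seats from finance, identity status from the IdP, and usage telemetry, and emits the drift findings described in the three subsections: seats that outlive an offboarded identity, NHI connections whose owner has left, dormant entitlements, and shadow apps seen in usage but never procured. The app names, principals, dates and the 90-day dormancy threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from Zluri or NHIMG). Three feeds the page says
# discovery must join: paid seats (finance), identity status (IdP), and usage.
TODAY = date(2026, 3, 12)
# Finance/procurement view: app -> principals holding a paid seat
LICENSES = {
    "crm": {"alice", "bob", "svc-crm-sync"},
    "notes-app": {"carol"},
}
# Identity provider view: principal -> lifecycle status, type, and NHI owner
IDP = {
    "alice": {"status": "active", "type": "human"},
    "bob": {"status": "disabled", "type": "human"},  # offboarded, seat kept
    "carol": {"status": "active", "type": "human"},
    "svc-crm-sync": {"status": "active", "type": "nhi", "owner": "bob"},
}
# Usage telemetry: (app, principal) -> last activity; absent means never seen
USAGE = {
    ("crm", "alice"): TODAY - timedelta(days=3),
    ("crm", "svc-crm-sync"): TODAY - timedelta(days=1),
    ("notes-app", "carol"): TODAY - timedelta(days=120),
    ("whiteboard-io", "carol"): TODAY - timedelta(days=2),  # no seat on record
}
# Each finding pairs the access action with the spend action so neither is done alone.
ACTIONS = {
    "orphaned_access": "revoke app access, then release the paid seat",
    "ownerless_nhi": "reassign or revoke the integration before renewal",
    "dormant_entitlement": "confirm with owner, revoke entitlement, drop seat",
    "shadow_app": "assign an owner, bring into IGA scope, decide keep/retire",
}

def find_spend_drift(licenses, idp, usage, today, dormant_days=90):
    # Returns sorted (finding, app, principal) tuples for identity-coupled drift.
    findings = []
    for app, principals in licenses.items():
        for p in principals:
            ident = idp.get(p)
            last = usage.get((app, p))
            if ident is None or ident["status"] != "active":
                findings.append(("orphaned_access", app, p))  # seat outlives identity
            elif ident["type"] == "nhi" and idp.get(ident.get("owner"), {}).get("status") != "active":
                findings.append(("ownerless_nhi", app, p))  # connection outlived its owner
            elif last is None or (today - last).days > dormant_days:
                findings.append(("dormant_entitlement", app, p))  # paid for, unused
    for app, p in usage:
        if app not in licenses:
            findings.append(("shadow_app", app, p))  # used, never procured
    return sorted(findings)
```

Run with the constructed feeds it reports one finding of each kind; in practice the same join runs against IdP, finance and telemetry exports.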




NHI Mgmt Group analysis

SaaS spend management has become an identity governance problem disguised as a finance category. The article is framed around cost control, but the controls it praises (discovery, license tracking, and access control) are all identity controls in practice. Once SaaS sprawl outpaces governance, organisations stop knowing which users, service accounts, and automations still hold access. Practitioner implication: treat spend management as an identity inventory problem first and a procurement optimisation problem second.

Shadow SaaS creates a blind spot that conventional access review cycles cannot close. If an application is not in the inventory, it will not be reviewed, recertified, or offboarded on time. That is the same failure pattern seen in broader NHI governance, where unmanaged accounts persist outside formal lifecycle control. Practitioner implication: discovery has to feed governance continuously, not as a periodic clean-up exercise.

License rationalisation only works when entitlement, usage, and offboarding are linked. Cutting unused seats without revoking access leaves dormant identities behind, while revoking access without matching the license model leaves spend waste intact. The discipline here is lifecycle governance across the application estate, not isolated cost trimming. Practitioner implication: align SaaS renewal, access removal, and access certification into one operational workflow.

Oversight of SaaS spending reveals how weak the boundary is between human IAM and NHI governance. The same tools that track employee subscriptions also surface machine-generated usage, integrations, and long-lived application connections. That matters because many organisations still govern those identities separately even when the operational evidence sits in one platform. Practitioner implication: use SaaS spend reviews to expose where human and non-human access are managed in disconnected systems.

From our research: what this signals

License rationalisation is becoming a proxy for identity hygiene. As SaaS estates expand, the question is no longer just which tools are paid for but which identities still hold effective access. That is why spend management programmes increasingly overlap with access governance, offboarding, and lifecycle controls across human and non-human accounts.

A useful next step is to connect application discovery with governance reporting, then use a standard like the NIST Cybersecurity Framework 2.0 to structure identify, protect, detect, and recover activities around SaaS sprawl.

The named concept here is identity-coupled spend drift: when software spend, entitlement sprawl, and unmanaged access grow together. If teams do not surface that drift early, they end up paying for both unused subscriptions and residual access rights.


For practitioners

  • Implement a verified SaaS inventory: Pull application data from identity providers, finance systems, device telemetry, and direct integrations so the inventory reflects actual usage rather than purchase history.
  • Merge license review with access review: Evaluate paid entitlements, active users, and dormant accounts in the same review cycle so renewals do not preserve unnecessary access.
  • Use offboarding as a spend control: Remove user access, integrations, and service connections when the business need ends, then confirm the related subscription is no longer carrying hidden entitlement.
  • Map unmanaged apps into IAM workflows: Feed discovery findings into IGA and recertification processes so shadow SaaS does not remain outside governance simply because it entered through a side door.

Key takeaways

  • SaaS spend management now sits at the intersection of cost control and identity governance, not finance alone.
  • Discovery, license review, and access control have to operate as one lifecycle, or shadow apps and dormant access will persist.
  • Teams that use spend tooling as identity evidence can cut waste without leaving orphaned permissions behind.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | License drift and unmanaged SaaS access map to weak credential lifecycle control.
NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed consistently across SaaS applications.
NIST Zero Trust (SP 800-207) | AC-2 | Continuous verification depends on knowing which SaaS identities still exist.

Reduce standing access by linking app discovery to identity governance and removal workflows.


Key terms

  • SaaS Discovery: SaaS discovery is the process of finding all software-as-a-service applications in use across an organisation, including approved and unapproved tools. It combines signals from identity, finance, device, and browser sources to create an inventory that can support governance, access review, and spend control.
  • License Rationalisation: License rationalisation is the practice of matching paid software entitlements to actual business use so organisations stop paying for excess capacity. In identity terms, it also helps reveal which accounts or integrations still have access even after the need has ended.
  • Shadow SaaS: Shadow SaaS refers to cloud applications that enter the organisation outside formal approval, procurement, or security review. These tools often sit outside normal access governance, which makes them a common source of unmanaged identities, hidden data flows, and audit blind spots.

Deepen your knowledge

SaaS discovery, license governance, and offboarding discipline are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to align spend control with identity governance, it is a relevant place to start.

This post draws on content published by Zluri: SaaS Management Top 10 SaaS Spend Management Tools in 2026. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org