TL;DR: SaaS sprawl grows when teams adopt project tools outside procurement, then leave unused accounts, duplicate subscriptions, and unclear deprovisioning paths behind, according to 1Password. The security issue is not the bill alone, but the identity lifecycle gap that appears when access removal, data reassignment, and ownership are handled inconsistently.
At a glance
What this is: This is an analysis of SaaS optimization through the lens of identity lifecycle control, with deprovisioning and access ownership emerging as the key governance gaps.
Why it matters: It matters because redundant SaaS tools create both cost waste and access risk, forcing IAM, IGA, and PAM teams to manage user offboarding, entitlement cleanup, and app ownership more consistently.
By the numbers:
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 5.7% of organisations have full visibility into their service accounts.
👉 Read 1Password's guidance on SaaS optimisation and deprovisioning
Context
SaaS sprawl is an identity governance problem as much as a cost problem. When employees can create and pay for collaborative tools without procurement or IT oversight, organisations lose visibility into who has access, which applications are redundant, and how offboarding should work when those accounts are retired.
The article focuses on project-management applications, but the underlying pattern is broader: access appears first, governance comes later, and deprovisioning is often manual. That makes the lifecycle of a SaaS account look more like a shadow identity problem than a simple licensing exercise.
Key questions
Q: How should teams handle unused SaaS accounts without disrupting business work?
A: Treat unused SaaS accounts as lifecycle cases, not simple deletions. Confirm whether the user still needs occasional access, check whether the application retains tasks or files, and only then deprovision according to a documented offboarding rule. The safest path is to validate the data-handling outcome for each app before removing the account.
Q: Why does SaaS sprawl create identity governance risk as well as cost waste?
A: Because redundant apps create hidden access paths that IAM teams do not fully inventory. When people can sign up outside procurement, the organisation loses visibility into who has access, who owns the data, and whether offboarding was completed correctly. Cost reduction is only part of the problem; entitlement control is the bigger one.
Q: What do teams get wrong about SaaS deprovisioning?
A: They often confuse disabling a login with retiring access. In many tools, deprovisioning can delete data, transfer tasks, or simply mark an account inactive, and those outcomes are not interchangeable. Teams should test the application-specific result before removing accounts so business records and assigned work do not disappear unexpectedly.
Q: How can IAM teams support SaaS consolidation without causing user resistance?
A: Use usage evidence, user surveys, and login data to show why consolidation is happening and which tools remain necessary for specialised teams. Then phase the move so new work shifts to the approved platform while older work closes out naturally. Clear communication and staged migration reduce pushback and offboarding errors.
Technical breakdown
How SaaS sprawl creates hidden access governance gaps
SaaS sprawl starts when users can self-serve accounts, often through browser signup or social login, before IT has a record of the application. That creates fragmented ownership, duplicate spend, and inconsistent access review. In identity terms, the application becomes a separate control plane with its own users, entitlements, and offboarding rules. If procurement, IAM, and application owners do not share a common view, the organisation cannot reliably answer who is still active, who owns the data, or which accounts should be retired.
Practical implication: establish a discovery-to-ownership workflow that ties every SaaS app to an accountable owner before access review begins.
Deprovisioning, data transfer, and entitlement cleanup
Deprovisioning is not just disabling a login. In many SaaS tools, removing a user can mark the account inactive, delete data after a delay, or transfer tasks and files to another user. Those behaviours create operational risk if they are not tested in advance, because offboarding one user can break projects or orphan business records. The real control is not a deactivation click, but a validated runbook that defines what happens to access, content, and task ownership in each application.
Practical implication: document and test per-application offboarding steps so deactivation does not silently destroy or strand business data.
Standardisation works only when social login and usage data are visible
The article shows that standardising on one approved tool can improve logging, password policy enforcement, and single sign-on, but only if teams know which applications are actually in use. Social login telemetry, last-login data, and user surveys reveal where redundant subscriptions persist. Without that evidence, consolidation becomes guesswork and resistance increases because teams fear losing features they genuinely need. Identity governance here depends on usage evidence, not just contract negotiation.
Practical implication: use login and survey evidence to decide which applications to consolidate, rather than forcing blanket shutdowns.
NHI Mgmt Group analysis
Identity lifecycle is the real control plane behind SaaS optimisation. The article treats SaaS optimisation as a procurement and cost exercise, but the deeper issue is lifecycle governance. If users can create accounts outside central oversight, then joiner, mover, and leaver processes no longer describe the full state of access. Practitioners should treat every unsanctioned SaaS subscription as an unmanaged identity until it is discovered, assigned, and offboarded.
Shadow SaaS behaves like shadow NHI at the governance layer. Although the subjects are human users, the operational pattern mirrors NHI sprawl: accounts appear outside formal lifecycle controls, retain value after the original need ends, and become difficult to revoke cleanly. That is why the same disciplines applied to non-human identities, especially ownership, visibility, and offboarding, matter here. The practitioner conclusion is that the identity inventory has to include apps, not just users.
Access removal is not the same as access retirement. The article’s deprovisioning examples show that a SaaS account can remain a data container, a task owner, or a reversible inactive record after the login is disabled. That distinction matters for IAM and IGA teams because lifecycle closure is incomplete until business data and delegated work are reassigned or explicitly retained. Practitioners should define retirement states, not just disable states.
Incremental consolidation is a governance strategy, not just an implementation choice. The article makes a strong case against big-bang migration because different applications have different contract terms, data-transfer behaviours, and user expectations. That is a lifecycle lesson for identity programmes: consolidation succeeds when entitlement cleanup, user communications, and application ownership change in sequence. The implication is that programme teams should align deprovisioning and migration plans, not run them as separate workstreams.
Visibility into usage is the prerequisite for entitlement rationalisation. The article shows that last-login data, user surveys, and social login analysis are what make consolidation defensible. Without that evidence, teams cannot separate abandoned access from genuine business dependency. For identity leaders, the takeaway is clear: entitlement reduction works only when usage telemetry is reliable enough to support removal decisions.
From our research:
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Use the NHI Lifecycle Management Guide to align offboarding, rotation, and visibility with a lifecycle process that can be audited end to end.
What this signals
Identity teams should treat SaaS consolidation as a lifecycle programme, not a software rationalisation exercise. The practical signal is that application inventory, user ownership, and deprovisioning outcomes need to be governed together. Where social sign-in, last-login data, and shadow subscriptions are not visible, access retirement will remain partial and audit evidence will stay weak.
The broader lesson is that account closure must be modelled as a business process with data transfer, retention, and task reassignment built in. That is where the NHI Lifecycle Management Guide becomes relevant even for human-facing SaaS: the governance pattern is the same, even if the actor differs.
Consolidation debt: redundant applications are a form of identity debt when no one can prove who owns them or how they are retired. Once that debt accumulates, IAM and IGA teams spend more time cleaning up stale access than governing active access, and the control gap grows with every untracked signup.
For practitioners
- Map every SaaS app to an accountable owner: Create a register that ties each collaborative application to a business owner, technical owner, and offboarding approver. Use that register to decide who can confirm whether an unused account should be removed or retained for business reasons.
- Test deprovisioning before you automate it: Validate what happens when an account is deactivated in each application. Check whether content is deleted, reassigned, or left intact, and record those outcomes in the offboarding runbook before enabling bulk removal.
- Use last-login and survey data to identify true redundancy: Compare user survey responses with login telemetry and social sign-in data to find applications that are genuinely unused. Treat duplication as evidence-based cleanup, not a blanket shutdown exercise.
- Phase consolidation around contract boundaries: Align migration schedules to renewal dates, then move users in stages so new work lands in the approved platform while older tasks are closed out in the legacy tool. This reduces disruption and makes access retirement easier to verify.
- Separate inactive accounts from retired access: Define whether an account is reversible, archived, deleted, or transferred before deprovisioning begins. That distinction prevents accidental data loss and ensures that access removal matches the actual business outcome.
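The three practices above (test the per-app deprovisioning outcome, use last-login evidence, and distinguish inactive from retired) combine into a single decision routine. The following is an added example, not code from the 1Password article or from NHIMG: it takes a constructed app register (owner, approver, and the deactivation behaviour observed when the app was tested) plus constructed per-account last-login telemetry, and returns one action per account. The app names, users, dates, the 90-day staleness threshold and the action labels are all assumptions chosen for illustration; the ordering of checks (ownership before usage, data reassignment before retirement) is the point.

```python
"""Added example: decide per-account retirement actions from a SaaS app register
and last-login telemetry. Not code from the 1Password article or NHIMG; all app
names, users, dates and deprovisioning behaviours below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Outcome(Enum):
    """What a tested deactivation actually does in a given app (validated per app)."""
    INACTIVE = "inactive"        # login disabled, record still reversible
    DELETED = "deleted"          # content purged after a retention delay
    TRANSFERRED = "transferred"  # tasks and files moved to another user


@dataclass
class AppProfile:
    name: str
    business_owner: Optional[str]
    offboarding_approver: Optional[str]
    outcome: Outcome            # result observed in a test tenant, recorded in the runbook
    retention_days: int = 0     # only meaningful when outcome is DELETED


@dataclass
class Account:
    app: str
    user: str
    last_login: Optional[date]  # None: never seen in login telemetry
    owned_items: int            # tasks/files the account still owns
    sso: bool                   # False: social/browser signup with an app-local credential


@dataclass
class Decision:
    app: str
    user: str
    action: str
    reasons: list[str] = field(default_factory=list)


STALE_AFTER = timedelta(days=90)  # assumption: 90 days without a login counts as stale


def plan_deprovisioning(apps: list[AppProfile], accounts: list[Account], today: date) -> list[Decision]:
    """Map each account to one action: discover, assign-owner, retain, or a retirement path.

    Ownership is checked before usage, and the app's tested deprovisioning outcome
    decides whether data must be reassigned before access is retired.
    """
    register = {a.name: a for a in apps}
    decisions: list[Decision] = []
    for acct in accounts:
        prof = register.get(acct.app)
        if prof is None:
            decisions.append(Decision(acct.app, acct.user, "discover", ["app not in register"]))
            continue
        if prof.business_owner is None or prof.offboarding_approver is None:
            decisions.append(Decision(acct.app, acct.user, "assign-owner", ["no owner/approver on record"]))
            continue
        stale = acct.last_login is None or (today - acct.last_login) > STALE_AFTER
        if not stale:
            decisions.append(Decision(acct.app, acct.user, "retain", [f"login within {STALE_AFTER.days} days"]))
            continue
        reasons = ["no login in telemetry" if acct.last_login is None
                   else f"last login {(today - acct.last_login).days} days ago"]
        if acct.owned_items and prof.outcome is Outcome.DELETED:
            action = "reassign-then-retire"
            reasons.append(f"app purges data after {prof.retention_days} days; {acct.owned_items} owned items")
        elif acct.owned_items and prof.outcome is Outcome.TRANSFERRED:
            action = "confirm-transferee-then-retire"
            reasons.append(f"app auto-transfers {acct.owned_items} items; name the recipient first")
        elif prof.outcome is Outcome.INACTIVE:
            action = "disable-then-schedule-retirement"
            reasons.append("deactivation is reversible; inactive is not retired")
        else:
            action = "retire"
        if not acct.sso:
            reasons.append("non-SSO signup: revoke the app-local credential as well")
        decisions.append(Decision(acct.app, acct.user, action, reasons))
    return decisions


def summarise(decisions: list[Decision]) -> dict[str, int]:
    """Count decisions per action so the plan can be reviewed before any bulk removal."""
    counts: dict[str, int] = {}
    for d in decisions:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


# Constructed inventory: three registered apps, one unregistered browser signup.
TODAY = date(2025, 11, 4)
APPS = [
    AppProfile("boardtool", "pmo-lead", "it-ops", Outcome.DELETED, retention_days=30),
    AppProfile("tasklist", "eng-manager", "it-ops", Outcome.TRANSFERRED),
    AppProfile("kanbanish", None, None, Outcome.INACTIVE),
]
ACCOUNTS = [
    Account("boardtool", "alice", date(2025, 10, 28), owned_items=0, sso=True),
    Account("boardtool", "bob", date(2025, 6, 1), owned_items=12, sso=False),
    Account("tasklist", "carol", None, owned_items=3, sso=True),
    Account("kanbanish", "dave", date(2025, 1, 15), owned_items=5, sso=False),
    Account("sprintpad", "erin", date(2025, 3, 2), owned_items=1, sso=False),
]

if __name__ == "__main__":
    plan = plan_deprovisioning(APPS, ACCOUNTS, TODAY)
    for d in plan:
        print(f"{d.app:10} {d.user:6} {d.action:32} {'; '.join(d.reasons)}")
    print(summarise(plan))
```

Two design choices carry the governance point. An account in an app with no registered owner or approver is never scored for staleness at all: it gets "assign-owner" first, because nobody can authorise the outcome. And a stale account is only "retire" when the tested outcome shows nothing would be lost; where the app deletes or auto-transfers content, the action names the data step that must precede access removal, and an app-local credential from a non-SSO signup is flagged so that disabling the SSO identity alone is not mistaken for retirement.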
Key takeaways
- SaaS sprawl is an identity lifecycle problem because access, ownership, and offboarding often sit outside formal governance.
- Deprovisioning must be tested per application because inactive, deleted, and transferred accounts do not behave the same way.
- Usage telemetry and user surveys are the evidence base for consolidation, not just a license cost lever.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 (identities and credentials for authorised users, services, and hardware are managed) | SaaS sprawl weakens user and account inventory visibility across applications. |
| NIST CSF 2.0 | PR.AA-05 (access permissions and entitlements are managed, enforced, and reviewed with least privilege) | Consolidation depends on enforcing least privilege and removing stale access paths. |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets: per-session, dynamic-policy access decisions | Access is granted per resource and per session, so an unused or unowned SaaS account should not retain standing access. |
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Offboarding and revocation are central to lifecycle governance, even in SaaS access contexts. |
Apply least-privilege reviews before migration and retire excess access as part of the cutover.
Key terms
- SaaS Sprawl: SaaS sprawl is the uncontrolled growth of software subscriptions across teams, often outside central IT or procurement oversight. It creates duplicate spend, fragmented ownership, and inconsistent access governance because each app becomes its own mini identity environment with separate users, data, and offboarding rules.
- Deprovisioning: Deprovisioning is the process of removing a user’s access and handling what happens to their account, data, and delegated work afterward. In SaaS environments, it may mean disabling login, transferring tasks, deleting records after a retention period, or reassigning assets to another user.
- Identity Lifecycle Management: Identity lifecycle management is the discipline of governing access from creation through change and retirement. It applies to human users, service accounts, and SaaS accounts alike, and it only works when ownership, visibility, and offboarding are handled as one continuous process.
- Access Retirement: Access retirement is the point at which access is no longer merely inactive but formally ended in a way the business can rely on. It goes beyond disabling a login by ensuring that data retention, task ownership, and recovery expectations have been addressed.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by 1Password: SaaS optimization in project management tools. Read the original.
Published by the NHIMG editorial team on 2025-11-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org