By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: More than 30% of SaaS spend is wasted each year, according to Zluri research, while the post argues that unused, duplicate, and abandoned subscriptions also create security and compliance drag as SaaS adoption accelerates. The practical issue is not just cost control. It is governance over app access, lifecycle, and entitlement cleanup before shadow subscriptions become shadow identities.


At a glance

What this is: This is a founder story about discovering forgotten SaaS subscriptions, with the key finding that SaaS sprawl creates both waste and governance exposure.

Why it matters: It matters because SaaS sprawl affects human IAM, NHI lifecycle cleanup, and access governance in the same environment, so teams need one programme that can see usage, entitlement, and offboarding together.

👉 Read Zluri's story on forgotten subscriptions and SaaS management


Context

SaaS sprawl becomes an identity problem when organisations lose track of who or what is still entitled to access applications, subscriptions, and connected data. The core issue is not just unused licences. It is the absence of reliable lifecycle control across human users, service accounts, and the shadow systems that keep old access alive.

In practice, subscription waste often signals a deeper governance gap: access was granted faster than it was reviewed, and offboarding did not keep pace with application growth. That creates the same pattern IAM teams see in broader identity programmes, where visibility, ownership, and revocation break down together.

For teams managing SaaS-heavy estates, the right mental model is lifecycle governance rather than finance cleanup. The question is how quickly access can be discovered, justified, recertified, and removed before dormant subscriptions turn into dormant privilege.


Key questions

Q: How should security teams govern SaaS subscriptions that are no longer in use?

A: Treat unused subscriptions as active identity assets until they are formally removed. Security teams should require an owner, a recertification point, and a revocation path for every app, then connect those controls to joiner, mover, and leaver workflows. If a subscription cannot be justified, it should be disabled and deprovisioned, not left as dormant access.

Q: Why do forgotten subscriptions create more than just financial waste?

A: Because an unused subscription can still hold live authentication links, delegated admin rights, or connected data access. That means the organisation may be paying for an app that still has the ability to reach sensitive systems. The security issue is persistence of access after business need has ended, which is a lifecycle failure.

Q: What do organisations get wrong about SaaS inventory management?

A: They often track licences without tracking access. A list of subscriptions does not tell you whether the app is still used, who owns it, whether it has privileged connections, or how it will be removed. Effective governance requires entitlement data, ownership data, and offboarding data in the same workflow.

Q: How can teams tell whether SaaS sprawl is becoming an identity governance problem?

A: Look for mismatches between application count, active usage, and revocation speed. If apps keep renewing after adoption falls, if ownership is unclear, or if offboarding does not remove access quickly, SaaS sprawl has moved from cost inefficiency to governance exposure. That is the point where IAM and procurement must act together.


Technical breakdown

SaaS subscription sprawl and entitlement drift

Subscription sprawl is what happens when applications are bought, trialled, duplicated, and forgotten faster than they are governed. Each app may look harmless on its own, but the combined effect is a growing entitlement surface that no one owns end to end. In identity terms, the problem is not just spend leakage. It is that access rights, payment records, and application ownership diverge, leaving dormant access in place long after business use ends. That is why SaaS management becomes an identity governance function, not simply a procurement report.

Practical implication: map every paid application to an accountable owner and a revocation path before entitlement drift becomes permanent.

Why abandoned subscriptions become access risk

An abandoned subscription still represents an active trust relationship if its credentials, seats, or integrations remain valid. Many organisations focus on whether software is used, but the security question is whether the account, token, or linked access path can still reach business data. Unused apps are often backed by active identity artefacts, including SSO assignments, API keys, and delegated admin roles. Once those artefacts persist, the organisation has paid to keep an access path open even after the business case disappeared. That is a governance failure, not just a cost inefficiency.

Practical implication: review abandoned subscriptions for live authentication paths, not just usage metrics.

SaaS management as lifecycle control

The strongest way to manage SaaS sprawl is to treat every subscription as part of the identity lifecycle. Joiner, mover, and leaver events should drive access changes, while periodic recertification should confirm whether the app still has a business purpose. This is especially important where SaaS tools are connected to broader identity infrastructure through SSO, OAuth, or delegated administration. When lifecycle control is weak, organisations retain both wasted licences and ungoverned access. The operational fix is not a spreadsheet. It is a governed inventory tied to ownership, review, and removal.

Practical implication: connect SaaS inventory to joiner-mover-leaver and recertification workflows so unused access is removed on schedule.


NHI Mgmt Group analysis

SaaS sprawl is really entitlement sprawl. Once subscriptions outnumber the team that owns them, the governance problem is no longer procurement alone. Access and ownership drift apart, and that creates conditions where dormant applications still retain active identity paths. The implication is that SaaS management must be treated as an access governance discipline, not a finance hygiene exercise.

Lifecycle control, not spreadsheet tracking, is the missing control plane. Spreadsheets can document subscriptions, but they do not enforce joiner, mover, and leaver decisions, nor do they certify whether an application still has an owner. That gap is where unused SaaS becomes unmanaged access. Practitioners need governance that ties inventory to ownership and revocation, not just reporting.

Shadow subscriptions create shadow identities. A forgotten licence is often a symptom of a forgotten account, token, or admin role. That pattern is familiar across human IAM and NHI programmes, where visibility fails first and cleanup follows too late. The practitioner lesson is that SaaS growth should be measured against entitlement removal velocity, not just app count.

Security teams should read SaaS waste as a lifecycle signal. The same environment that produces duplicate or abandoned subscriptions usually contains stale access, poor recertification discipline, and unclear application ownership. Those conditions increase audit friction and make least-privilege claims hard to defend. The field should stop separating software spend from identity governance, because the operational failure is shared.

Identity programmes need one inventory for people, apps, and machine access. SaaS sprawl is the easiest place to see why separated tooling fails. Human accounts, SaaS seats, and service access all age differently, but they break down through the same lifecycle gaps. The conclusion for practitioners is straightforward: governance succeeds when ownership, usage, and revocation are managed as one system.

What this signals

Subscription waste is a leading indicator of governance drift. When organisations cannot reliably name who owns an app, they usually cannot confidently say when access should end. That is why the problem belongs in identity programme planning, not just SaaS cost management. The governance model should treat every subscription as an entitlement with a lifecycle, and the supporting control set aligns closely with OWASP Non-Human Identity Top 10 and NIST Cybersecurity Framework 2.0.

Shadow subscriptions and shadow accounts tend to appear together. Once SaaS adoption outpaces inventory discipline, teams usually inherit stale seats, shared admin access, and forgotten integrations in the same estate. That is why entitlement review should be built into change management and offboarding, not handled as a one-off cleanup. A useful benchmark is that NHIs outnumber human identities by 25x to 50x in modern enterprises, which means the same visibility discipline must extend beyond human users.

The practical signal for mature teams is not whether they own a spreadsheet. It is whether they can prove that application ownership, renewal, and revocation are tied to the same control plane. Where that linkage is missing, the programme will continue to carry dead access even if software spend is trimmed.


For practitioners

  • Build a governed SaaS inventory: Record every subscription with a business owner, technical owner, renewal date, authentication method, and revocation path. Reconcile that inventory against finance records and SSO assignments so you can identify apps that are paid for but not actively governed.
  • Tie offboarding to application removal: When an employee leaves or a team changes tools, remove the subscription assignment, disable linked logins, and revoke any delegated admin access. Use the same leaver workflow for SaaS seats, API keys, and shared accounts so orphaned access does not survive the business change.
  • Run periodic access recertification on SaaS apps: Review high-value applications on a fixed cadence to confirm usage, ownership, and necessity. Prioritise tools with customer data, finance data, or admin privilege, because these are the subscriptions most likely to persist after the original business need has disappeared.
  • Measure entitlement removal velocity: Track how quickly unused subscriptions, stale seats, and orphaned permissions are removed after inactivity or offboarding. If removal takes weeks or months, the issue is not visibility alone but governance latency across the lifecycle.
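The reconciliation and removal-velocity checks described in the four points above, as an added Python example (not code from the post or from Zluri): the inventory, invoice, SSO-seat and last-activity records are constructed sample data, and the 90-day dormancy threshold is an assumed policy value.

```python
from datetime import date
from statistics import median

# Constructed sample records (not from the Zluri post or any real estate).
INVENTORY = [
    {"app": "notes-app", "owner": "alice", "auth": "sso", "revocation": "sso-unassign"},
    {"app": "old-crm", "owner": None, "auth": "api_key", "revocation": None},
    {"app": "design-tool", "owner": "bob", "auth": "sso", "revocation": "sso-unassign"},
]
PAID = {"notes-app", "old-crm", "design-tool", "forgotten-trial"}  # apps with an active invoice
SSO_SEATS = {"notes-app": {"alice", "carol"}, "design-tool": {"bob"}, "old-crm": set()}
LAST_USED = {"notes-app": "2025-06-20", "old-crm": "2024-11-02", "design-tool": "2025-06-25"}
# (app, offboarding or inactivity trigger date, date access was actually revoked)
REMOVALS = [("old-crm", "2025-01-10", "2025-03-02"), ("design-tool", "2025-05-01", "2025-05-02")]


def find_ungoverned(inventory, paid, sso_seats, last_used, today_iso, dormant_days=90):
    """Map each app to the governance gaps that make it paid-for but ungoverned."""
    today = date.fromisoformat(today_iso)
    governed = {row["app"] for row in inventory}
    # Finance knows about an app that the governed inventory does not: a shadow subscription.
    gaps = {app: ["paid but absent from inventory"] for app in sorted(paid - governed)}
    for row in inventory:
        app, reasons = row["app"], []
        if not row["owner"]:
            reasons.append("no accountable owner")
        if not row["revocation"]:
            reasons.append("no revocation path")
        # Dormant but still reachable: a live auth artefact (assigned seats or a
        # non-SSO credential such as an API key) outlives the last recorded use.
        idle = (today - date.fromisoformat(last_used[app])).days
        live_path = bool(sso_seats.get(app)) or row["auth"] != "sso"
        if idle > dormant_days and live_path:
            reasons.append(f"dormant {idle}d with live {row['auth']} access path")
        if reasons:
            gaps[app] = reasons
    return gaps


def removal_velocity_days(removals):
    """Median days from the offboarding/inactivity trigger to actual revocation."""
    delays = [(date.fromisoformat(done) - date.fromisoformat(trig)).days for _, trig, done in removals]
    return median(delays)


if __name__ == "__main__":
    for app, reasons in find_ungoverned(INVENTORY, PAID, SSO_SEATS, LAST_USED, "2025-06-26").items():
        print(app, "->", "; ".join(reasons))
    print("median removal latency (days):", removal_velocity_days(REMOVALS))
```

Run against real exports, the inventory would come from the governed register, PAID from the finance system, and SSO_SEATS from the identity provider; the output is the list of apps that need an owner, a revocation path, or immediate deprovisioning.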

Key takeaways

  • Forgotten subscriptions are not just a cost problem. They are a sign that access ownership and application lifecycle control have drifted apart.
  • SaaS sprawl becomes a security issue when active identity paths remain after business use has ended, creating dormant but real access.
  • The corrective action is governed entitlement management, where inventory, recertification, and offboarding work as one lifecycle process.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Subscription waste often masks stale credentials and poor rotation discipline.
NIST CSF 2.0 | PR.AC-4 | Application entitlements must reflect least privilege and active ownership.
NIST Zero Trust (SP 800-207) | | SaaS sprawl breaks continuous verification when access outlives business need.

Tie SaaS inventory to NHI rotation and deprovisioning checks whenever subscriptions lapse or are abandoned.


Key terms

  • SaaS sprawl: The uncontrolled growth of software subscriptions across teams, functions, and business units. In identity terms, SaaS sprawl creates duplicated entitlements, unclear ownership, and stale access paths that outlive the original business need, making governance harder than the licence count suggests.
  • Entitlement drift: The gradual mismatch between who should have access and who actually retains it. It often appears when subscriptions, roles, and offboarding processes are not aligned, leaving access active after the business purpose has changed or disappeared.
  • Lifecycle governance: The discipline of managing access from creation through review and removal. It applies to human users, service accounts, and application subscriptions alike, and it only works when ownership, justification, and revocation are enforced as part of the same process.
  • Shadow access: Access that remains active without clear oversight, ownership, or recent review. It can exist in human accounts, machine identities, or SaaS subscriptions, and it becomes a risk when organisations can no longer prove why the access still exists.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: The Story of Forgotten Subscriptions & the Birth of Zluri. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org