TL;DR: High-growth companies are overbuying SaaS, with organisations over 1,000 employees using about 500 applications on average and wasting one-third of that budget on unused licenses, according to Zluri. The governance issue is no longer just cost containment: unmanaged app usage creates access, renewal, and control gaps that IAM teams cannot ignore.
At a glance
What this is: This is a SaaS spend management analysis that shows how app sprawl, license mismatch, and shadow IT inflate cost while weakening control over usage and access.
Why it matters: It matters to IAM, IGA, and security teams because unmanaged SaaS often becomes unmanaged identity, with users, apps, and entitlements drifting outside governance.
By the numbers:
- Organisations with over 1,000 employees use 500 software applications on average and waste one-third of that budget on unused SaaS licenses.
- In 2018, a company spent around $343,000 on SaaS, which is a 78% increase compared to the previous year.
- Around 33% of all SaaS spend is wasted across organisations.
- Around 80% of employees
👉 Read Zluri's analysis of how high-growth companies can reduce SaaS spend
Context
SaaS sprawl is not just a finance problem. When organisations accumulate overlapping applications, premium licenses, and unapproved tools, they also create fragmented access paths that are harder to govern, review, and retire.
For IAM and security teams, the real issue is governance drift. Every unmanaged application can introduce separate identities, separate entitlements, and separate renewal decisions, which makes SaaS spend a proxy for how much control the organisation has over its identity surface.
Key questions
Q: How should security teams govern shadow IT in SaaS environments?
A: Start by treating shadow IT as an inventory and access problem, not just a policy violation. Build a complete application register, assign business ownership, and require review of any tool that processes company data or stores credentials. Without that control plane, renewals, offboarding, and audit evidence will all remain incomplete.
Q: Why do overlapping SaaS apps create more risk than simple budget waste?
A: Because each extra application adds its own identity boundary, permission model, and offboarding path. That fragmentation weakens governance even when the tools appear harmless. The practical risk is that users keep access in forgotten systems long after the business has stopped relying on them.
Q: What signals show that SaaS license management is working?
A: Look for fewer premium licenses left idle, a shorter gap between usage decline and downgrade, and a clear owner for every renewal decision. If teams can explain why each higher-tier license exists, governance is improving. If they cannot, spend control is still mostly reactive.
Q: How can organisations reduce SaaS spend without weakening access control?
A: Cut duplication first, then tie entitlements to actual use, and only then remove excess licenses. That sequence preserves business access while reducing waste. If you do it in the reverse order, you risk leaving users in the wrong tool or preserving a redundant application just because nobody wants to own the change.
Technical breakdown
SaaS duplication and overlapping entitlements
SaaS duplication happens when multiple tools perform the same job, but each carries its own subscription, access model, and administrative overhead. The risk is not only wasted budget. Redundant platforms also multiply identity sprawl because each application introduces its own user store, role mapping, and permission review workload. When teams buy around a business process instead of around a control model, access governance becomes inconsistent and expensive to maintain.
Practical implication: consolidate overlapping apps before trying to optimise permissions inside each one.
License right-sizing depends on actual usage data
License tiering only works when procurement and identity teams can see how people actually use each application. High-cost plans are often retained long after usage drops, which means organisations pay for capability they do not consume. In practice, this requires tying usage telemetry to contract data so entitlement level, renewal timing, and business need can be assessed together rather than in separate silos.
Practical implication: review premium licenses against observed usage before each renewal cycle.
Shadow IT creates unmanaged access and audit blind spots
Shadow IT is software adopted without stakeholder approval, and in SaaS environments it usually means identities, data, and billing are all created outside formal control. That makes ownership unclear and offboarding unreliable. Once a tool is used without procurement visibility, security teams may not know which accounts exist, who approved them, or whether the application still has valid access to company data.
Practical implication: force unapproved SaaS into inventory and ownership review before it becomes a persistent control gap.
NHI Mgmt Group analysis
SaaS sprawl is an identity governance problem disguised as cost leakage. The article treats waste as a budget issue, but the underlying failure is that every extra application adds another identity boundary, another lifecycle to manage, and another review queue to maintain. In that sense, software bloat becomes governance bloat. The practitioner conclusion is simple: if you cannot inventory the app, you cannot govern the identity surface attached to it.
Shadow IT is the clearest signal that procurement controls and access controls have diverged. When employees adopt tools without approval, they create unsanctioned access paths that sit outside normal joiner-mover-leaver discipline. That gap matters more than the spend itself because it means identity, data, and renewal ownership are no longer aligned. The practical conclusion is that SaaS visibility and access governance must be managed as one operating model.
License optimisation only works when entitlement decisions are tied to actual behaviour. The article’s right-sizing examples show that many organisations buy for projected need and then never revisit the mismatch. That is a stale assumption about consumption, not just a finance oversight. The practitioner conclusion is to treat usage telemetry as a governance signal, not merely a cost metric.
Identity sprawl tax: every unreviewed SaaS app adds one more access model, one more renewal decision, and one more place for control failure. High-growth firms feel this first because speed outpaces standardisation. The result is that cost, access, and auditability degrade together. The practitioner conclusion is to reduce app count before trying to tune entitlement detail.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- That pattern makes the NHI Lifecycle Management Guide a useful next step for teams trying to reduce unmanaged exposure across the identity lifecycle.
What this signals
Identity sprawl tax: when SaaS usage expands faster than governance, every new tool increases the number of access paths, renewal events, and offboarding points that have to be controlled. For practitioners, the operational signal is not spend alone but the growing mismatch between application count and accountable ownership.
The article’s shadow IT examples point to a broader programme issue: procurement and identity governance cannot be run as separate processes. When unapproved tools enter the estate, access control, auditability, and lifecycle management all inherit the same blind spot.
For teams using NIST Cybersecurity Framework 2.0, the lesson is to tighten the identify and protect functions together, because app inventory without entitlement control leaves the control picture incomplete.
For practitioners
- Inventory all SaaS applications and owners: Create a single register that includes sanctioned and unsanctioned tools, named business owners, renewal dates, and the identities tied to each app. If ownership is missing, the application should be treated as unmanaged until it is assigned.
- Right-size licenses from observed usage: Compare premium tiers against actual feature consumption and downgrade roles that do not use advanced capability. Recheck this before each contract renewal, not only at budget season.
- Eliminate overlapping tools before entitlement tuning: Map duplicate functionality across collaboration, file storage, task management, and analytics tools, then retire the weaker or unused option. Reducing the app count lowers both cost and the number of access models to review.
- Bind shadow IT to formal approval and offboarding: Require any unapproved SaaS discovered in the estate to go through procurement, security review, and offboarding planning. If it cannot be governed, it should not remain connected to company data.
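The register review described in the practitioner steps above, and in the right-sizing and shadow IT sections of the technical breakdown, as an added example that is neither Zluri's tooling nor the NHIMG team's code. The register fields, the 60-day idle threshold and the 90-day renewal window are assumptions, and every app, owner, seat and date below is constructed.

```python
"""Review a constructed SaaS register for ownership, idle premium seats, overlap and renewals."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed register (hypothetical apps and people). premium_users maps a premium
# seat to its last observed activity; None means the seat has never been used.
APPS = [
    {"name": "DocShare", "category": "file storage", "owner": "finance-ops",
     "renewal": date(2025, 8, 1),
     "premium_users": {"ana": date(2025, 6, 20), "ben": date(2025, 2, 1), "cy": None}},
    {"name": "BoxDrop", "category": "file storage", "owner": None,  # discovered shadow IT
     "renewal": date(2025, 11, 15), "premium_users": {"dee": date(2025, 6, 25)}},
    {"name": "TaskFlow", "category": "task management", "owner": "eng-pmo",
     "renewal": date(2025, 7, 10), "premium_users": {"eve": date(2025, 1, 5)}},
    {"name": "Ledger", "category": "finance", "owner": "finance-ops",
     "renewal": date(2026, 1, 1), "premium_users": {}},
]
AS_OF = date(2025, 6, 26)  # review date used for the sample run

def unmanaged_apps(apps):
    """Apps with no named business owner: treat as unmanaged until one is assigned."""
    return sorted(a["name"] for a in apps if not a["owner"])

def idle_premium_seats(apps, as_of, idle_days=60):
    """Premium seats with no activity in the last idle_days (or never used), per app."""
    cutoff = as_of - timedelta(days=idle_days)
    report = {}
    for a in apps:
        idle = sorted(u for u, last in a["premium_users"].items()
                      if last is None or last < cutoff)
        if idle:
            report[a["name"]] = idle
    return report

def overlapping_categories(apps):
    """Categories served by more than one app: consolidation candidates."""
    by_cat = defaultdict(list)
    for a in apps:
        by_cat[a["category"]].append(a["name"])
    return {c: sorted(names) for c, names in by_cat.items() if len(names) > 1}

def renewals_due(apps, as_of, window_days=90):
    """Apps renewing inside the window, soonest first, so idle seats are cut before rollover."""
    due = [a for a in apps if as_of <= a["renewal"] <= as_of + timedelta(days=window_days)]
    return [a["name"] for a in sorted(due, key=lambda a: a["renewal"])]

if __name__ == "__main__":
    print("unmanaged:", unmanaged_apps(APPS))
    print("idle premium seats:", idle_premium_seats(APPS, AS_OF))
    print("overlap:", overlapping_categories(APPS))
    print("renewals due:", renewals_due(APPS, AS_OF))
```

Run the four checks in the order the practitioner steps give them: assign owners first, retire the duplicate, then downgrade idle seats on the apps whose renewal is closest.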
Key takeaways
- SaaS overspend becomes an identity governance issue once unapproved apps, duplicate tools, and unused licenses create separate access and ownership gaps.
- The scale is material, with large organisations averaging 500 applications and wasting one-third of SaaS budget on unused licenses.
- The fix is not only cost cutting. It is building a single operating view of app inventory, entitlement usage, ownership, and renewal control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-01 | SaaS sprawl starts with incomplete asset inventory and ownership. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | SaaS spend control and access control both depend on least privilege. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Unmanaged SaaS often creates unmanaged non-human identity exposure. |
Track service and app identities attached to SaaS tools and govern their lifecycle.
Key terms
- SaaS sprawl: The uncontrolled growth of software-as-a-service applications across the business. It becomes a governance problem when overlapping tools, duplicate licenses, and unclear ownership make it difficult to manage access, renewal, and accountability across the application estate.
- Shadow IT: Technology adopted without formal approval or oversight. In SaaS environments, shadow IT creates hidden identities, hidden data flows, and hidden renewal obligations, which means security and finance teams lose control over who has access and why.
- License right-sizing: The process of matching SaaS subscription tiers to actual user need. It combines usage data, entitlement review, and business justification so organisations do not pay for capability that is not being used or for access that no longer has a purpose.
- Application ownership: The assignment of clear accountability for a SaaS tool’s security, procurement, renewal, and retirement. Without ownership, no one can reliably approve access, review usage, or offboard the application when it is no longer needed.
Deepen your knowledge
NHI governance, IAM, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
This post draws on content published by Zluri: SaaS Management How High-Growth Companies Can Reduce SaaS Spend. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org