TL;DR: SaaS cost optimisation starts with visibility, because duplicate apps, forgotten auto-renewals, and over-tiered licences quietly drain budget and create unmanaged access paths, according to Zluri. The governance lesson is that spend control and identity control are now the same operating problem, especially where unsanctioned apps sit outside IT review.
At a glance
What this is: This is a SaaS cost optimisation guide that shows how app discovery, renewal control, licence rightsizing, and vendor negotiation reduce waste and improve control over the software estate.
Why it matters: It matters to IAM and governance teams because unmanaged SaaS purchasing creates both budget leakage and identity sprawl, especially where app access is granted outside formal review.
By the numbers:
- Zluri says its platform discovers 100% of apps across the organisation using five discovery methods.
- By default, Zluri sends contract alerts 30, 15, 7, and 1 days before renewal, and payment alerts 7 and 1 days before renewal.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
👉 Read Zluri's guide to SaaS cost optimisation during recession
Context
SaaS sprawl is not just a finance problem. When employees buy tools outside IT processes, organisations lose visibility into who has access, what is licensed, and which apps are still active after the original need has passed. That creates a governance gap that spans spend, entitlements, and shadow IT.
For IAM and SaaS governance teams, the practical issue is control drift. Duplicate apps, auto-renewing subscriptions, and over-tiered licences all reflect the same underlying weakness: access and procurement decisions are being made faster than the organisation can review them.
Key questions
Q: How should teams govern SaaS renewals to avoid wasted spend?
A: Treat renewals as a governance checkpoint, not an accounting event. Every renewal should require an owner, current usage evidence, and a decision to continue, downgrade, or cancel. That prevents dormant subscriptions from renewing automatically and turns spend review into a lifecycle control rather than a reactive finance task.
Q: Why do duplicate SaaS apps create identity and access risk?
A: Duplicate apps create multiple entitlement paths for the same business function, which makes ownership, offboarding, and audit review harder. If the organisation cannot see which app is authoritative, it also cannot reliably revoke access when users move roles or leave. The result is hidden access persistence and avoidable control drift.
Q: How do organisations know if SaaS rightsizing is working?
A: Look for fewer duplicate licences, lower renewal rates for unused tiers, and a tighter link between role needs and feature consumption. If premium features remain broadly assigned but rarely used, rightsizing is not working. The best signal is whether spend falls without disrupting the business process.
Q: Who should own SaaS spend and access decisions?
A: Ownership should be shared, but responsibility must be explicit. Finance can track spend, procurement can negotiate terms, and IAM or IT can govern access and inventory. If those functions are disconnected, the organisation will keep paying for software that no longer matches user need or policy intent.
Technical breakdown
SaaS discovery is the control plane for spend and access
Effective SaaS cost governance begins with discovery because you cannot rationalise licences, app ownership, or user access until you know what is present. Discovery across SSO, APIs, finance systems, browser extensions, and endpoint agents gives a more complete view than procurement records alone. In practice, SaaS discovery is also identity discovery, because every application instance implies users, permissions, and potential orphaned access paths.
Practical implication: build one inventory that ties every SaaS app to owners, users, and renewal dates before trying to reduce spend.
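The join described above, as an added example that is not Zluri's code or the article's: three constructed feeds (IdP app assignments, card transactions, procurement contracts) are normalised onto one app name and merged into a single inventory, and each record is flagged where the page says gaps appear: no owner, card spend with no contract, paid apps that never appear in SSO, and two apps in the same category. Field names, the alias table and all sample values are assumptions.

```python
"""Join SSO, card-spend and procurement records into one SaaS inventory.

Added example (not Zluri's code). Vendor names, users, amounts and the alias
table are constructed sample data; the record layout is an assumption.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# --- constructed sample feeds ---------------------------------------------
SSO_ASSIGNMENTS = [            # (app label as the IdP shows it, assigned user)
    ("Slack", "ana@example.test"),
    ("Slack", "ben@example.test"),
    ("Asana", "ana@example.test"),
]
CARD_TRANSACTIONS = [          # (merchant descriptor, cardholder, amount, date)
    ("SLACK TECHNOLOGIES", "ana@example.test", 96.00, date(2025, 6, 1)),
    ("TRELLO.COM*PRO", "cy@example.test", 12.50, date(2025, 6, 3)),
    ("NOTION LABS INC", "dee@example.test", 40.00, date(2025, 6, 5)),
]
PROCUREMENT = [                # (app, category, owner, renewal date)
    ("Slack", "chat", "it-collab@example.test", date(2025, 12, 31)),
    ("Asana", "project-mgmt", "pmo@example.test", date(2025, 9, 30)),
    ("Trello", "project-mgmt", None, date(2025, 8, 15)),
]

# Card descriptors are noisy; map known prefixes to a canonical app name.
# Assumed lookup table: in practice it is maintained by the discovery process.
ALIASES = {"slack technologies": "Slack", "trello.com": "Trello",
           "notion labs inc": "Notion", "asana": "Asana"}


def canonical(name: str) -> str:
    """Normalise an app label or merchant descriptor to one canonical name."""
    key = name.lower().split("*")[0]          # drop card-processor suffixes
    key = re.sub(r"[^a-z0-9. ]+", " ", key)   # keep dots so 'trello.com' survives
    key = re.sub(r"\s+", " ", key).strip()
    for alias, app in ALIASES.items():
        if key.startswith(alias):
            return app
    return key.title()


@dataclass
class AppRecord:
    app: str
    category: Optional[str] = None
    owner: Optional[str] = None
    renewal: Optional[date] = None
    users: Set[str] = field(default_factory=set)       # from SSO
    purchasers: Set[str] = field(default_factory=set)  # cardholders
    card_spend: float = 0.0
    flags: Set[str] = field(default_factory=set)


def build_inventory(sso, cards, procurement) -> Dict[str, AppRecord]:
    """Merge the three feeds into one record per canonical app and flag gaps."""
    inv: Dict[str, AppRecord] = {}

    def rec(label: str) -> AppRecord:
        app = canonical(label)
        return inv.setdefault(app, AppRecord(app=app))

    for app, category, owner, renewal in procurement:
        r = rec(app)
        r.category, r.owner, r.renewal = category, owner, renewal
    for app, user in sso:
        rec(app).users.add(user)
    for merchant, holder, amount, _when in cards:
        r = rec(merchant)
        r.card_spend += amount
        r.purchasers.add(holder)

    by_category: Dict[str, List[str]] = {}
    for r in inv.values():
        if r.category:
            by_category.setdefault(r.category, []).append(r.app)

    for r in inv.values():
        if r.owner is None:
            r.flags.add("no_owner")               # nobody can sign off a renewal
        if r.purchasers and r.renewal is None:
            r.flags.add("shadow_purchase")        # card spend, no contract record
        if r.card_spend and not r.users:
            r.flags.add("no_sso_coverage")        # paid for, never seen by the IdP
        if r.category and len(by_category[r.category]) > 1:
            r.flags.add("duplicate_category")     # two tools for one function
    return inv


def gap_report(inv: Dict[str, AppRecord]) -> Dict[str, List[str]]:
    """Only the apps that need attention, with their flags sorted."""
    return {r.app: sorted(r.flags) for r in inv.values() if r.flags}


if __name__ == "__main__":
    for app, flags in gap_report(build_inventory(
            SSO_ASSIGNMENTS, CARD_TRANSACTIONS, PROCUREMENT)).items():
        print(f"{app:8} {', '.join(flags)}")
```

The point of the flags is that they are the same records an access review needs: `no_sso_coverage` is an app whose users cannot be offboarded through the IdP, and `shadow_purchase` is spend with no entitlement owner.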
Auto-renewals turn stale access into recurring waste
Auto-renewal is a governance problem because it keeps paying for software after the business value has ended. Where employees can subscribe on a card without central review, the organisation may continue funding accounts long after use has stopped. The technical issue is not just billing. It is the absence of a feedback loop between usage telemetry, entitlement review, and contract cancellation.
Practical implication: connect usage signals to renewal workflows so dormant subscriptions can be cancelled before the next billing cycle.
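The feedback loop described above, as an added example that is not Zluri's code or the article's: the alert offsets (30, 15, 7 and 1 days before renewal for contracts, 7 and 1 days for payments) are the Zluri defaults the page reports; the renewal decision itself, the 60-day dormancy window, the 50 percent utilisation threshold, the subscription fields and all sample data are assumptions. Each subscription is turned into an explicit action (continue, downgrade, cancel, or blocked until an owner exists) from last-seen login data rather than from the billing record.

```python
"""Renewal as a governance checkpoint: alert schedule plus usage-backed decision.

Added example (not Zluri's code). The alert offsets are the defaults the page
reports for Zluri; thresholds, field names and sample data are assumptions.
"""
from datetime import date, timedelta
from typing import Dict, List

CONTRACT_ALERT_DAYS = (30, 15, 7, 1)   # reported Zluri defaults
PAYMENT_ALERT_DAYS = (7, 1)            # reported Zluri defaults
DORMANT_AFTER_DAYS = 60                # assumed: no login in 60 days = dormant
DOWNGRADE_BELOW = 0.5                  # assumed: seat utilisation under 50%


def alert_dates(renewal: date) -> Dict[str, date]:
    """Every alert that should fire ahead of a renewal, keyed by label."""
    alerts = {f"contract-{d}d": renewal - timedelta(days=d)
              for d in CONTRACT_ALERT_DAYS}
    alerts.update({f"payment-{d}d": renewal - timedelta(days=d)
                   for d in PAYMENT_ALERT_DAYS})
    return alerts


def due_alerts(renewal: date, today: date) -> List[str]:
    """Labels of the alerts that fall on 'today'."""
    return sorted(label for label, when in alert_dates(renewal).items()
                  if when == today)


def renewal_decision(sub: dict, last_seen: Dict[str, date], today: date) -> dict:
    """Decide continue / downgrade / cancel from usage evidence.

    sub: {"app", "owner", "seats", "renewal"} (assumed inventory fields).
    last_seen: user -> date of last successful login (assumed SSO telemetry).
    """
    active = sum(1 for seen in last_seen.values()
                 if (today - seen).days <= DORMANT_AFTER_DAYS)
    utilisation = active / sub["seats"] if sub["seats"] else 0.0
    if not sub.get("owner"):
        action = "block_renewal"     # no owner, so nobody can sign off
    elif active == 0:
        action = "cancel"            # nobody has used it inside the window
    elif utilisation < DOWNGRADE_BELOW:
        action = "downgrade"         # seats far exceed active users
    else:
        action = "continue"
    return {
        "app": sub["app"],
        "active_users": active,
        "utilisation": round(utilisation, 2),
        "action": action,
        "alerts_today": due_alerts(sub["renewal"], today),
    }


def review_all(subs: List[dict], logins: Dict[str, Dict[str, date]],
               today: date) -> Dict[str, dict]:
    """Run the checkpoint over every subscription; result keyed by app."""
    return {s["app"]: renewal_decision(s, logins.get(s["app"], {}), today)
            for s in subs}


# --- constructed sample data ----------------------------------------------
TODAY = date(2025, 7, 1)
SUBSCRIPTIONS = [
    {"app": "Slack", "owner": "it-collab", "seats": 2, "renewal": date(2025, 12, 31)},
    {"app": "Asana", "owner": "pmo", "seats": 10, "renewal": date(2025, 7, 31)},
    {"app": "Trello", "owner": None, "seats": 5, "renewal": date(2025, 8, 15)},
    {"app": "OldWiki", "owner": "docs", "seats": 3, "renewal": date(2025, 7, 8)},
]
LAST_LOGIN = {
    "Slack": {"ana": date(2025, 6, 30), "ben": date(2025, 6, 29)},
    "Asana": {"ana": date(2025, 6, 20), "fay": date(2025, 5, 15)},
    "Trello": {"cy": date(2025, 6, 1)},
    "OldWiki": {"gil": date(2025, 2, 1), "hal": date(2025, 1, 10)},
}

if __name__ == "__main__":
    for app, result in review_all(SUBSCRIPTIONS, LAST_LOGIN, TODAY).items():
        print(f"{app:8} {result['action']:14} "
              f"util={result['utilisation']} alerts={result['alerts_today']}")
```

Run daily, `alerts_today` is what gets routed to the owner; `action` is the default outcome the owner must confirm or override, so a subscription cannot renew silently just because the alert was ignored.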
Licence tiering is a form of entitlement right-sizing
Licence rightsizing works like access governance at the application layer. Many SaaS suites bundle premium features that only a subset of users actually need, so over-provisioning creates avoidable spend and a broader permission surface. The right control is to compare feature usage against role needs and downgrade only where the business process still works without the higher tier.
Practical implication: review premium feature usage by role and downgrade only after verifying the business outcome does not depend on the extra entitlements.
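The role-based comparison described above, as an added example that is not Zluri's code or the article's: each user's current tier is checked against two things, the features their role's workflow depends on and the features they actually used in the review window, and a downgrade is only recommended where both agree the lower tier is enough. The tiers, feature sets, role requirements, users and usage events are all constructed assumptions.

```python
"""Licence tier rightsizing by role and observed feature usage.

Added example (not Zluri's code). Tiers, features, role requirements and usage
events are constructed; the rule is the page's: downgrade only where the
workflow does not depend on the higher tier.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Set, Tuple

TIER_ORDER = ["standard", "premium"]                 # cheapest first (assumed)
TIER_FEATURES: Dict[str, Set[str]] = {
    "standard": {"boards", "comments"},
    "premium": {"boards", "comments", "timeline", "audit_log"},
}
# Features each role's workflow depends on (assumed; sourced from process owners).
ROLE_REQUIRED: Dict[str, Set[str]] = {
    "pm": {"boards", "timeline"},
    "engineer": {"boards", "comments"},
    "auditor": {"audit_log"},
}


def lowest_sufficient_tier(features: Set[str]) -> str:
    """Cheapest tier whose feature set covers every requested feature."""
    for tier in TIER_ORDER:
        if features <= TIER_FEATURES[tier]:
            return tier
    raise ValueError(f"no tier covers {sorted(features)}")


def recommend(users: Dict[str, Tuple[str, str]],
              usage: List[Tuple[str, str, date]],
              window_start: date) -> Dict[str, Tuple[str, str]]:
    """users: user -> (role, current tier); usage: (user, feature, date).

    Returns user -> (action, tier), where action is keep / downgrade /
    upgrade / review. 'review' means observed usage needs a higher tier than
    the role mapping says, so the mapping, not the licence, is what to fix.
    """
    used: Dict[str, Set[str]] = defaultdict(set)
    for user, feature, when in usage:
        if when >= window_start:
            used[user].add(feature)

    out: Dict[str, Tuple[str, str]] = {}
    for user, (role, current) in users.items():
        role_tier = lowest_sufficient_tier(ROLE_REQUIRED[role])
        evidence_tier = lowest_sufficient_tier(used[user])
        if TIER_ORDER.index(evidence_tier) > TIER_ORDER.index(role_tier):
            out[user] = ("review", current)          # usage contradicts policy
        elif role_tier == current:
            out[user] = ("keep", current)
        elif TIER_ORDER.index(role_tier) < TIER_ORDER.index(current):
            out[user] = ("downgrade", role_tier)     # workflow still works
        else:
            out[user] = ("upgrade", role_tier)       # under-licensed for role
    return out


def downgrade_count(recs: Dict[str, Tuple[str, str]]) -> int:
    return sum(1 for action, _ in recs.values() if action == "downgrade")


# --- constructed sample data ----------------------------------------------
WINDOW_START = date(2025, 4, 1)
USERS = {                     # user -> (role, current tier)
    "ana": ("pm", "premium"),
    "ben": ("engineer", "premium"),
    "cy": ("engineer", "premium"),
    "dee": ("auditor", "premium"),
    "eli": ("engineer", "standard"),
}
USAGE = [                     # (user, feature, date)
    ("ana", "timeline", date(2025, 5, 2)),
    ("ben", "boards", date(2025, 5, 3)),
    ("ben", "timeline", date(2025, 2, 1)),   # outside the window: ignored
    ("cy", "boards", date(2025, 5, 4)),
    ("cy", "timeline", date(2025, 6, 1)),    # engineer using a premium feature
    # dee has no events, but the auditor workflow depends on audit_log
    ("eli", "comments", date(2025, 6, 5)),
]

if __name__ == "__main__":
    for user, (action, tier) in recommend(USERS, USAGE, WINDOW_START).items():
        print(f"{user:4} {action:10} -> {tier}")
```

Two cases carry the lesson: `dee` stays on premium with zero usage because the role depends on a premium-only feature, and `cy` is sent to `review` rather than downgraded because the evidence says the engineer role mapping is incomplete.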
NHI Mgmt Group analysis
SaaS cost optimisation is identity governance in another form. The article treats app spend as a procurement problem, but the deeper issue is that every unmanaged subscription also creates unmanaged access. When employees can buy software directly, the organisation loses entitlement oversight, offboarding discipline, and visibility into who can still use what. The practitioner conclusion is that SaaS rationalisation must sit inside IAM and IGA, not beside them.
Auto-renewal creates standing privilege at the subscription layer. A subscription that renews without review is a persistent entitlement with billing attached. That matters because the same control failure that leaves unused software in place also leaves dormant access in place. The practitioner conclusion is that renewal governance should be treated as a lifecycle control, not a finance admin task.
Licence rightsizing is a proxy for access policy maturity. When organisations cannot map role needs to feature tiers, they usually cannot map users to least-privilege application access either. The article’s cost logic therefore exposes a wider governance pattern: if entitlement granularity is poor, both spend and risk rise together. The practitioner conclusion is that licence tier review can be used as an early signal of IAM maturity.
Visibility, not negotiation, is the first control gap this article exposes. Vendor bargaining may reduce costs, but it does not solve the upstream problem of fragmented app ownership and shadow procurement. That is why the most durable savings come from tying SaaS discovery to identity data and renewal governance. The practitioner conclusion is that finance wins should be measured only after access inventory is clean.
SaaS entitlement fragmentation: The article shows how duplicate apps, separate purchase paths, and disconnected renewals create a fragmented control surface. Fragmentation weakens both cost discipline and access governance because no single team can see the full lifecycle of an app from purchase to cancellation. The practitioner conclusion is that SaaS inventory and identity inventory need to converge.
From our research:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- For a broader view of how identity sprawl and entitlement drift accumulate, see Ultimate Guide to NHIs, which connects discovery, lifecycle, and governance.
What this signals
SaaS entitlement fragmentation: as more software is bought outside IT, the control problem shifts from licence count to identity and lifecycle visibility. Teams that already struggle to reconcile app ownership will find that spend optimisation fails unless it is built on the same inventory used for access review and offboarding.
With 6 distinct secrets manager instances on average, fragmentation is already a pattern in adjacent identity disciplines, and SaaS estates often behave the same way when procurement is decentralised. That means the next maturity step is not another dashboard, but a cleaner join between app discovery, identity data, and renewal governance.
If your programme still treats SaaS cost management as a finance-only activity, the operating model is too narrow. IAM, IGA, and procurement need a shared view of application lifecycle so that duplicate tools, orphaned subscriptions, and hidden access paths are handled in one control loop.
For practitioners
- Build a single SaaS inventory: Join procurement, finance, SSO, and endpoint data so every app has an owner, user set, and renewal date. Without that joined view, duplicate licences and orphaned access will remain hidden.
- Tie renewal review to usage evidence: Require usage telemetry and business owner sign-off before any auto-renewal proceeds. This is especially important for tools purchased outside central IT controls and paid for with corporate cards.
- Rightsize premium tiers by role: Compare feature consumption by department and role before each renewal, then downgrade licences that carry unused premium features. Verify the lower tier still supports the workflow before changing the contract.
- Block unsanctioned card-based procurement: Set policy and payment controls so individual employees cannot create recurring software spend without review. If a card purchase is unavoidable, route it into the same inventory and approval workflow as centrally bought apps.
Key takeaways
- SaaS cost overruns often signal a governance gap, not just a procurement problem, because unmanaged apps also create unmanaged access.
- Discovery, renewal review, and licence tiering are the three controls that turn scattered SaaS buying into a governed lifecycle.
- IAM and procurement teams need a shared inventory, or duplicate tools and dormant entitlements will keep resurfacing as recurring waste.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Unmanaged SaaS buying expands access without clear authorization or ownership. |
| NIST CSF 2.0 | GV.4 | This article is about governance alignment across finance, procurement, and IAM. |
| NIST Zero Trust (SP 800-207) | | SaaS visibility and least privilege depend on knowing every active access path. |
Map every SaaS app to an owner and access pathway, then require review before renewal or expansion.
Key terms
- SaaS sprawl: SaaS sprawl is the uncontrolled growth of software subscriptions across teams, business units, and payment channels. It becomes an identity issue when each app adds users, permissions, and lifecycle obligations that no single function can see or govern cleanly.
- Licence rightsizing: Licence rightsizing is the practice of matching software tiers to actual business need rather than purchasing the highest tier by default. In identity terms, it is entitlement minimisation at the application layer, where unused features still represent excess access and wasted spend.
- Auto-renewal governance: Auto-renewal governance is the control of recurring subscription renewals through review, ownership, and usage evidence. It prevents software from remaining active by default after the original need has passed, which is essential when spend and access are tightly linked.
- Shadow IT: Shadow IT is technology bought or used outside approved governance processes. It matters to identity security because unsanctioned apps often bypass standard onboarding, offboarding, and access review steps, leaving the organisation with incomplete visibility into who can use them.
Deepen your knowledge
NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: SaaS Management 5 Ways for SaaS Cost Optimization During Recession. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org