By NHI Mgmt Group Editorial Team
Published 2025-10-17
Domain: Governance & Risk
Source: 1Password

TL;DR: Unchecked SaaS adoption creates visibility gaps, unmanaged credentials, inconsistent offboarding, and wasted licences as teams sign up for apps outside IT oversight, according to 1Password. The governance problem is not just inventory, but proving ownership and enforcing access lifecycle controls across SaaS, IAM, and compliance workflows.


At a glance

What this is: This is an analysis of how SaaS sprawl creates governance, access, and spend-control gaps when apps proliferate outside IT oversight.

Why it matters: It matters because the same unmanaged SaaS footprint that drives licence waste also weakens identity governance, offboarding, and audit readiness across human and non-human access.

By the numbers:

👉 Read 1Password's analysis of SaaS sprawl, access reviews, and licence waste


Context

SaaS sprawl is what happens when teams adopt applications outside central IT and procurement oversight, creating a fragmented access estate that is hard to inventory, govern, and retire. The primary identity problem is not app count alone, but the loss of clear ownership, consistent provisioning, and reliable deprovisioning across the SaaS layer.

For IAM and governance teams, that means access reviews become an exercise in reconstruction rather than control. When apps are not tied to SSO or to a central system of record, entitlement data, offboarding, and audit evidence drift apart, leaving compliance teams to reconcile spreadsheets with reality.


Key questions

Q: How should security teams govern SaaS sprawl across their identity programme?

A: Security teams should treat SaaS sprawl as an identity governance problem, not only a procurement issue. The first step is a continuously updated inventory that links applications to owners, users, and lifecycle events. From there, teams can enforce onboarding, offboarding, and access reviews against the actual app estate instead of against outdated spreadsheets.

Q: Why do unmanaged SaaS apps create compliance risk?

A: Unmanaged SaaS apps create compliance risk because they weaken the evidence chain behind access decisions. When applications are adopted outside IT oversight, ownership, deprovisioning, and review records become inconsistent. Auditors then see gaps between who should have access and who actually does, which undermines repeatability and accountability.

Q: What breaks when SaaS offboarding is handled manually?

A: Manual offboarding breaks the link between the identity lifecycle and the application estate. Accounts can remain active after a role change or departure, licences stay assigned, and ownership records drift. That creates residual access, makes review outcomes unreliable, and turns revocation into a best-effort task rather than a controlled process.

Q: How do organisations know if SaaS licence optimisation is actually working?

A: It is working when assigned licences closely match real usage, duplicate tools are retired, and removal decisions are tied to business ownership rather than ad hoc cleanup. The strongest signal is that licence reduction also lowers the number of unmanaged applications and unsupported access paths.


Technical breakdown

Why SaaS discovery breaks down without a control plane

SaaS discovery is the process of identifying which applications are actually in use, who is using them, and how they are connected to identity systems. In unmanaged environments, discovery data is incomplete because users can sign up directly, bypassing procurement, SSO, and approved workflows. That creates an inventory problem, but also an authorisation problem because the organisation cannot reliably tell which apps carry corporate data, which identities have access, or which tools should be in scope for review. A spreadsheet can record what people say exists, but it cannot continuously validate the live estate.

Practical implication: build a continuously updated discovery layer before trying to rationalise licences or run access reviews.

How unmanaged SaaS credentials undermine offboarding and auditability

When SaaS access is created outside a governed lifecycle, provisioning and deprovisioning become inconsistent. That matters because access ownership gets murky, old accounts can persist after role changes, and auditors lose a clean record of who approved access, when it was removed, and whether the process was repeatable. In practice, the control failure is not only missed deactivation, but the absence of a trusted workflow that links the identity lifecycle to the application estate. Without that link, offboarding is reactive and access reviews become evidence gathering after the fact.

Practical implication: tie onboarding, mover events, and offboarding to the actual SaaS inventory rather than to manual spreadsheets.

Why SaaS sprawl turns licence optimisation into a security issue

Licence optimisation is often treated as a finance task, but the article shows it is also an identity governance signal. Underused or duplicate apps indicate unmanaged adoption, while dormant licences and duplicate tools increase the likelihood that access persists longer than needed. When activity data is missing, teams cannot distinguish active business use from wasted entitlement, and they also cannot confidently decide what should be removed without disrupting work. In security terms, unused SaaS is not just spend waste. It is evidence that access scope and ownership are not being enforced consistently.

Practical implication: use usage telemetry and entitlement data together so licence cleanup also reduces unnecessary access exposure.


NHI Mgmt Group analysis

SaaS sprawl is an identity governance failure before it is a procurement failure. The article makes clear that uncontrolled app adoption creates visibility gaps, inconsistent provisioning, and unclear ownership. Those are governance failures because the organisation no longer has a dependable answer to who has access to what and why. The practical conclusion is that SaaS inventory belongs inside identity governance, not only in finance or procurement workflows.

Access reviews collapse when the inventory cannot be trusted. Quarterly certification only works when the underlying application list, entitlements, and ownership records are current. When apps are added outside IT oversight, the review process becomes a manual reconciliation exercise that can certify stale or incomplete data. The implication is that access review quality depends on discovery quality, not just on review cadence.

Lifecycle blind spot: SaaS offboarding is the control boundary most teams underestimate. This article shows that deprovisioning is still handled through spreadsheets and email in many organisations, which means access removal is detached from the lifecycle events that created it. When leavers, movers, or redundant apps are not removed through a governed process, access outlives business need. Practitioners should treat offboarding as the point where SaaS sprawl becomes measurable risk.

Usage telemetry is the bridge between cost control and security control. The most useful licence data is not only who is assigned a seat, but who actually uses the tool and whether the app is connected to the organisation's identity stack. That creates a single control view across spend, exposure, and lifecycle. The implication is that teams should stop separating software optimisation from access governance.

Spreadsheets are useful records, but they are not a control system. The article repeatedly shows that spreadsheet-based tracking cannot sustain the volume and change rate of modern SaaS adoption. That leaves organisations with duplicate apps, weak audit trails, and reactive administration. The implication is that governance must move from recordkeeping to continuous control enforcement.

From our research:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
  • Our research also shows: Only 5.7% of organisations have full visibility into their service accounts, which is why discovery gaps persist long after teams believe they have inventory under control.
  • For the next step: Read the NHI Lifecycle Management Guide to connect discovery, offboarding, and rotation into one governed process.

What this signals

Identity teams should treat SaaS discovery as a control prerequisite, not a reporting layer. When apps can appear outside central oversight, every downstream process, from review to removal, inherits uncertainty. The organisations that stabilise this first will have a far easier path to clean access governance and lower audit friction.

Licence optimisation and access governance are converging. The same data that shows waste also shows where ownership and revocation are weak. Teams that connect usage telemetry to lifecycle workflows will be able to reduce spend without creating new blind spots.

The operating model is shifting away from periodic spreadsheet reconciliation toward continuous entitlement validation. That aligns with the broader identity direction in which governance lives closer to the point of access, not in after-the-fact reporting.


For practitioners

  • Create a continuously validated SaaS inventory: Pull application discovery from identity, finance, and endpoint sources so the inventory updates as users adopt or abandon tools. Use it as the system of record for access review scope, renewal decisions, and application ownership.
  • Bind offboarding to app-level deprovisioning: Map leaver and mover events to the actual SaaS estate, then verify that accounts, licences, and delegated access are removed from each application rather than only from the HR record.
  • Use usage data to retire unused entitlements: Compare last-login and activity data with assigned licences, then remove seats that no longer support a business function before renewal cycles lock in waste.
  • Route audit evidence from the control plane, not email: Preserve access requests, approvals, and revocations in a governed workflow so auditors can trace each entitlement to a business owner and a removal event.
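As an added example (not code from 1Password's article or from NHIMG), the Python script below reconciles constructed HR, SSO, ownership and per-app account data into the findings the practitioner items above call for: leaver accounts that still exist, dormant seats, apps adopted outside SSO, and apps with no business owner. All input data and the 90-day dormancy threshold are assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Constructed sample inputs (not taken from the article): an HR status feed,
# the set of apps federated to SSO, app ownership records, and per-app account
# exports with last-login dates as a discovery tool might return them.
HR_STATUS = {"alice": "active", "bob": "left", "carol": "active"}
SSO_APPS = {"crm", "wiki"}
APP_OWNERS = {"crm": "sales-ops", "wiki": "it", "designtool": None}
APP_ACCOUNTS = {
    "crm": [("alice", "2025-10-01"), ("bob", "2025-08-20")],
    "wiki": [("alice", "2025-10-10"), ("carol", "2025-04-01")],
    "designtool": [("carol", "2025-10-12"), ("dave", None)],
}


def reconcile(hr, sso_apps, owners, accounts, today, dormant_days=90):
    """Cross-check each app-level account against HR, SSO and ownership data.

    Returns (finding, app, user) tuples; user is None for app-level findings.
    """
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for app, seats in accounts.items():
        if app not in sso_apps:          # adopted outside the identity stack
            findings.append(("unmanaged_app", app, None))
        if owners.get(app) is None:      # nobody can approve or revoke access
            findings.append(("no_owner", app, None))
        for user, last_login in seats:
            status = hr.get(user)
            if status is None:           # account not tied to any known identity
                findings.append(("unknown_identity", app, user))
            elif status != "active":     # leaver still holds an account
                findings.append(("residual_access", app, user))
            elif last_login is None or date.fromisoformat(last_login) < cutoff:
                findings.append(("dormant_seat", app, user))  # licence waste
    return findings


def run_sample(today_iso="2025-10-17"):
    """Run the reconciliation over the constructed data for a fixed date."""
    return reconcile(HR_STATUS, SSO_APPS, APP_OWNERS, APP_ACCOUNTS,
                     date.fromisoformat(today_iso))


if __name__ == "__main__":
    for kind, app, user in run_sample():
        print(f"{kind:16} {app:10} {user or '-'}")
```

Each finding maps to an owner-facing action (revoke, reclaim seat, bring under SSO, assign owner), which is the audit trail the last bullet above asks for.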

Key takeaways

  • SaaS sprawl becomes an identity problem when app adoption outpaces ownership, discovery, and deprovisioning.
  • Access reviews and licence optimisation both fail when the underlying SaaS inventory is incomplete or stale.
  • Teams that connect discovery, lifecycle, and usage data can cut waste while reducing unmanaged access exposure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | SaaS sprawl often leaves long-lived access and weak rotation practices.
NIST CSF 2.0 | PR.AC-4 | The article centres on managing and reviewing access to SaaS systems.
NIST Zero Trust (SP 800-207) | AC-4 | SaaS sprawl expands the attack surface beyond trusted control boundaries.

Apply Zero Trust principles to SaaS access so each entitlement is continuously validated and minimized.


Key terms

  • SaaS Sprawl: SaaS sprawl is the uncontrolled growth of software applications adopted across teams without central visibility or governance. It creates fragmented ownership, inconsistent access control, and hidden data exposure because the organisation can no longer reliably account for every app, user, or entitlement.
  • Access Review: An access review is a formal check that compares who has access to a system with who actually needs it. In SaaS environments, the review only works when the inventory, ownership, and entitlement data are current enough to support a real decision, not just a paperwork exercise.
  • Deprovisioning: Deprovisioning is the process of removing access, licences, and related permissions when an identity no longer needs them. For SaaS programmes, it must be tied to lifecycle events and validated at the application level, or access can persist after role changes and departures.
  • Usage Telemetry: Usage telemetry is activity data that shows whether a user or organisation is actually using a SaaS application or licence. It helps teams distinguish active business value from dormant entitlement, and it is most useful when combined with ownership and lifecycle records.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Password: how SaaS sprawl creates security, audit, and cost gaps. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org