TL;DR: A 100-employee company can spend nearly $1 million on SaaS, while 80% of employees admit using applications without IT consent, creating sprawl, redundancy, and offboarding risk, according to Zluri’s analysis of 150M+ SaaS usage transactions. The underlying issue is not just cost control but governance drift across discovery, lifecycle, and access revocation.
At a glance
What this is: This is Zluri’s analysis of SaaS usage data, showing that application sprawl and unmanaged access create cost and security exposure at enterprise scale.
Why it matters: It matters because SaaS sprawl is also identity sprawl, and IAM, IGA, and PAM teams need visibility into who can access what before offboarding and compliance gaps widen.
By the numbers:
- A 100-employee company spends nearly $1 million on SaaS applications.
- 80% of employees have admitted using SaaS applications without the consent of the IT department.
- In some cases, actual SaaS usage was 13-15 times higher than IT had estimated.
👉 Read Zluri's analysis of 150M+ SaaS usage transactions and app sprawl
Context
SaaS sprawl is the growth of applications outside formal IT and procurement control. In identity terms, every unmanaged app also introduces unmanaged accounts, tokens, and access paths, which makes the problem relevant to NHI governance, SaaS lifecycle control, and enterprise access review.
The article argues that spreadsheets and manual inventory methods break down once application count and user behaviour scale beyond what IT can observe directly. That is a typical enterprise pattern, not an edge case, and it is exactly where identity programmes lose sight of offboarding, redundancy, and third-party access.
Zluri’s own data is used to show that usage visibility and application governance are now intertwined. The core lesson for practitioners is that SaaS management is no longer a finance-only exercise; it is an identity and risk management problem.
Key questions
Q: How should teams govern SaaS sprawl when employees adopt apps without IT approval?
A: Teams should govern SaaS sprawl as an identity control problem, not a procurement-only issue. Build continuous discovery from SSO, expense, and integration data, assign every app an owner, and connect discovery to access review and offboarding. That makes unmanaged apps visible before they become stale access, duplicate spend, or compliance gaps.
Q: Why do unmanaged SaaS applications increase identity risk?
A: Unmanaged SaaS applications increase identity risk because they often retain their own accounts, tokens, and data access outside central controls. If IT cannot see the app, it cannot revoke access or confirm offboarding. The result is persistent access that survives user changes and expands the attack surface.
Q: What breaks when offboarding does not include SaaS discovery?
A: Offboarding breaks when discovery is missing because directory deprovisioning removes only the known identity record, not the unknown apps behind it. Former users may still hold access to direct SaaS logins, shared workspaces, or delegated permissions. That leaves both data exposure and audit blind spots in place.
Q: How do organisations know if SaaS governance is actually working?
A: SaaS governance is working when app inventory, usage, ownership, and offboarding outcomes stay aligned over time. A healthy programme can show which apps are active, which are idle, who owns them, and which accounts were revoked after departure. If those signals are missing, governance is mostly bookkeeping.
Technical breakdown
Why spreadsheet-based SaaS inventory fails
A spreadsheet can record only what someone knows at a given moment, which makes it a poor control surface for fast-moving SaaS estates. Employees can sign up for apps without approval, duplicate tools across departments, and keep stale accounts active long after the business case has changed. The result is not just incomplete inventory but broken lifecycle governance, because procurement, usage, access, and disposal diverge. In identity programmes, that means access reviews are operating on stale data and offboarding cannot reliably revoke what has not been discovered.
Practical implication: replace manual app lists with continuous discovery that ties usage, ownership, and access into one governance record.
How SaaS sprawl creates identity and offboarding risk
When employees leave, the risk is not limited to their email or SSO account. Hidden SaaS apps often retain direct credentials, delegated access, and stored data that sit outside standard identity workflows. If IT does not know the application exists, it cannot revoke access, rotate associated secrets, or confirm data removal. That is why SaaS sprawl becomes an NHI problem as much as a human identity problem: the shadow app often contains machine credentials or long-lived tokens that survive the employee relationship. Lifecycle governance fails when application discovery is incomplete.
Practical implication: map offboarding to application discovery, not just directory deprovisioning, so hidden entitlements are found and closed.
Why automated discovery matters more than manual governance
Zluri’s article describes layered discovery across SSO, expense systems, integrations, and endpoint signals. That matters because no single source of truth captures SaaS usage reliably once business units and employees buy tools independently. Automation does not replace governance decisions, but it does create the evidence needed for them. For IAM and IGA teams, the architectural lesson is that governance must be fed by continuous telemetry, not periodic questionnaires. The operational boundary moves from annual review cycles to ongoing detection and response.
Practical implication: use multi-source discovery to surface unmanaged apps before they become access, compliance, or audit problems.
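The layered discovery the article describes (SSO, expense systems, integrations) only becomes a governance record once the feeds are joined on a common app key and compared against what IT thinks it owns. The script below is an added example, not Zluri's or NHI Mgmt Group's code: it merges three constructed telemetry feeds with an approved-app catalogue and emits the gaps discussed above, namely apps seen in telemetry but absent from the catalogue, catalogued apps with no accountable owner, and redundant tools in one category. All field names, app names, owners and sample records are assumptions for illustration.

```python
"""Multi-source SaaS discovery reconciliation (added example; not Zluri's or NHIMG's code).

Merges constructed SSO sign-in, expense and OAuth-grant feeds against an
approved-app catalogue and reports the governance gaps the feeds reveal.
Field names and sample records are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed approved-app catalogue: what IT believes the estate looks like.
CATALOG = {
    "Slack": {"owner": "it-collab@example.com", "category": "chat"},
    "Asana": {"owner": "pmo@example.com", "category": "project-mgmt"},
    "Zoom": {"owner": None, "category": "video"},  # approved, but nobody owns it
}

# Constructed telemetry. Each record names the app and the identity that used or bought it.
SSO_SIGNINS = [
    {"app": "Slack", "user": "alice@example.com"},
    {"app": "Asana", "user": "bob@example.com"},
    {"app": "Zoom", "user": "alice@example.com"},
]
EXPENSE_LINES = [
    {"vendor": "Trello, Inc.", "user": "carol@example.com", "category": "project-mgmt"},
    {"vendor": "Asana", "user": "bob@example.com", "category": "project-mgmt"},
]
OAUTH_GRANTS = [  # third-party apps granted workspace data access via user consent
    {"app": "Calendly", "user": "dave@example.com", "scopes": ["calendar.read", "contacts.read"]},
    {"app": "Slack", "user": "alice@example.com", "scopes": ["channels.read"]},
]


def normalize(name: str) -> str:
    """Collapse vendor spelling variants ('Trello, Inc.' -> 'Trello') so feeds join on one key."""
    base = name.split(",")[0].strip()
    for suffix in (" Inc.", " Inc", " Ltd", " LLC"):
        if base.endswith(suffix):
            base = base[: -len(suffix)].strip()
    return base


@dataclass
class AppRecord:
    name: str
    sources: set = field(default_factory=set)
    users: set = field(default_factory=set)
    oauth_scopes: set = field(default_factory=set)
    category: Optional[str] = None


def build_inventory(catalog=CATALOG, sso=SSO_SIGNINS, expenses=EXPENSE_LINES, oauth=OAUTH_GRANTS):
    """Join every feed into one record per app; the union is the real estate, not the catalogue."""
    inv: dict = {}

    def rec(name: str) -> AppRecord:
        return inv.setdefault(name, AppRecord(name=name))

    for name, meta in catalog.items():
        rec(name).sources.add("catalog")
        rec(name).category = meta["category"]
    for e in sso:
        r = rec(normalize(e["app"]))
        r.sources.add("sso")
        r.users.add(e["user"])
    for e in expenses:
        r = rec(normalize(e["vendor"]))
        r.sources.add("expense")
        r.users.add(e["user"])
        r.category = r.category or e.get("category")
    for e in oauth:
        r = rec(normalize(e["app"]))
        r.sources.add("oauth")
        r.users.add(e["user"])
        r.oauth_scopes.update(e["scopes"])
    return inv


def findings(inv, catalog=CATALOG):
    """Turn the merged inventory into governance findings, each carrying its evidence."""
    out = []
    by_category = defaultdict(list)
    for name, r in sorted(inv.items()):
        if "catalog" not in r.sources:
            # Seen by telemetry, unknown to IT: the shadow-SaaS case.
            out.append({"type": "unmanaged_app", "app": name,
                        "seen_in": sorted(r.sources - {"catalog"}),
                        "users": sorted(r.users), "oauth_scopes": sorted(r.oauth_scopes)})
        elif catalog[name]["owner"] is None:
            out.append({"type": "no_owner", "app": name, "users": sorted(r.users)})
        if r.category:
            by_category[r.category].append(name)
    for cat, apps in by_category.items():
        if len(apps) > 1:  # two tools doing one job: duplicate spend and duplicate access
            out.append({"type": "redundant_category", "category": cat, "apps": sorted(apps)})
    return out


if __name__ == "__main__":
    for f in findings(build_inventory()):
        print(f)
```

The OAuth feed is the one most often missing from spreadsheet inventories: Calendly here never appears in SSO or expenses, yet holds calendar and contact scopes granted by a single user, which is exactly the delegated access that outlives an employee if nobody knows the grant exists.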
Threat narrative
Attacker objective: The practical objective of the risk pattern is to retain access to business data and application privileges outside governance control for as long as possible.
- Entry occurs when employees adopt SaaS tools outside formal IT review, creating unmanaged accounts and approval paths that bypass standard onboarding controls.
- Escalation follows when those applications accumulate duplicate licenses, stale credentials, and retained access after employee changes or departures.
- Impact appears as budget waste, shadow IT, compliance exposure, and persistent access to company data after offboarding.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Internet Archive breach — unsecured GitLab authentication tokens exposed 31M Internet Archive accounts.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Shadow SaaS is really shadow identity. Once employees can adopt applications without IT consent, the governance problem is no longer just software sprawl. Every unmanaged app can carry its own accounts, tokens, and delegated access, which means lifecycle control has already failed before the security team sees the asset. Practitioners should treat SaaS discovery as identity discovery, not procurement cleanup.
Spreadsheet governance is a lifecycle assumption that no longer holds. The article shows why manual lists fail in environments where app adoption outpaces inventory updates. That model assumes the estate changes slowly enough for periodic correction, but SaaS usage changes continuously and often outside central control. The implication is that recertification based on static inventory is structurally incomplete, especially where offboarding depends on knowing the application exists.
Offboarding without application discovery is incomplete offboarding. The article’s warning about former employees retaining access to critical data captures a familiar failure mode: access revocation is only as good as the inventory behind it. That is not a tooling gap alone, but a governance gap in the joiner-mover-leaver process. Practitioners should read this as evidence that lifecycle closure must include app-level discovery and entitlement tracing.
Idle SaaS is identity debt with a financial face. Unused or under-used applications are not only budget leakage. They are dormant identities, lingering permissions, and forgotten data repositories that widen the attack surface over time. The named concept here is identity drift, where the control record no longer matches operational reality. Teams need to recognise that every stale app is a governance debt item, not just a cost line.
Automation is the only credible response to discovery lag. The article’s layered discovery model matters because no human process can reliably keep pace with thousands of applications spread across departments and devices. The broader lesson is that governance must be telemetry-led, with humans deciding exceptions rather than manually assembling the evidence base. For practitioners, that shifts the operating model from reactive inventory management to continuous control validation.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- For a deeper control view: Review NHI Lifecycle Management Guide for the lifecycle and offboarding practices that close hidden access gaps.
What this signals
Identity teams should expect SaaS governance to keep collapsing into lifecycle governance. Once app adoption outpaces inventory, the control question shifts from who bought the software to who can still access it. The practical boundary for IAM, IGA, and PAM programmes is no longer the directory alone, but the full application and entitlement graph that sits behind it.
With 92% of organisations exposing NHIs to third parties, per our Ultimate Guide to NHIs, the same sprawl logic now extends beyond human accounts into vendor and workload access. That means SaaS discovery needs to connect to third-party access review, not just employee provisioning, because unmanaged application adoption often creates unmanaged external trust relationships.
Identity drift is the named concept to watch. In practical terms, drift appears when the recorded access model no longer matches actual usage, ownership, or offboarding status. Teams that can surface drift early will reduce both audit friction and hidden exposure, especially where SaaS tools store data outside the systems of record.
For practitioners
- Link SaaS discovery to identity governance: merge application discovery with access ownership, app usage, and lifecycle status so every SaaS record has an accountable business owner and a revocation path.
- Add SaaS offboarding to leaver workflows: require every departure process to check for hidden SaaS accounts, delegated access, and direct credentials beyond SSO before closure is approved.
- Replace spreadsheet inventories with continuous telemetry: use SSO, expense, and integration data together to detect unmanaged applications and stale subscriptions as they appear.
- Recast app sprawl as access sprawl: review duplicate or idle applications for orphaned identities, over-permissioned users, and retained data so budget cleanup also reduces exposure.
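The leaver check described in the practitioner list, and the offboarding and identity-drift points made earlier on the page, come down to one reconciliation: compare each application's own account export with the directory's leaver list, because directory deprovisioning only removes the identity record. The script below is an added example, not NHI Mgmt Group's or Zluri's code. It reports accounts that survived departure, separating SSO-bound accounts from local logins and API tokens that no directory action would have revoked, lists idle accounts, and expresses drift as the share of active accounts whose recorded state no longer matches reality. Users, dates, app names and the export format are constructed assumptions.

```python
"""Leaver reconciliation across SaaS account exports (added example; not NHIMG's or Zluri's code).

Checks each app's own account listing against the HR leaver list so that access
surviving departure is found at the application level, not inferred from the
directory. Identities, dates and field names are constructed assumptions.
"""
from datetime import date, timedelta

# Constructed HR / directory feed: who has left and when.
LEAVERS = {
    "bob@example.com": date(2025, 5, 15),
    "carol@example.com": date(2025, 6, 1),
}

# Constructed per-app account exports (what an app's admin API or SCIM listing would return).
# auth: "sso" = federated login; "local" = app-native password; "token" = API key / long-lived token.
APP_ACCOUNTS = {
    "Asana": [
        {"user": "bob@example.com", "auth": "sso", "active": True, "last_activity": date(2025, 5, 14)},
        {"user": "alice@example.com", "auth": "sso", "active": True, "last_activity": date(2025, 6, 20)},
    ],
    "Trello": [
        {"user": "carol@example.com", "auth": "local", "active": True, "last_activity": date(2025, 6, 10)},
    ],
    "Calendly": [
        {"user": "bob@example.com", "auth": "token", "active": True, "last_activity": date(2025, 6, 18)},
        {"user": "dave@example.com", "auth": "local", "active": True, "last_activity": date(2025, 1, 3)},
    ],
}


def retained_access(accounts=APP_ACCOUNTS, leavers=LEAVERS):
    """Active accounts belonging to departed users, urgent ones first.

    An SSO-bound account stops working once the IdP identity is disabled, so it is
    rated medium unless it was used after the leave date. Local passwords and API
    tokens are untouched by directory deprovisioning and are always rated high.
    """
    out = []
    for app, rows in accounts.items():
        for r in rows:
            left = leavers.get(r["user"])
            if left is None or not r["active"]:
                continue
            used_after = r["last_activity"] > left
            severity = "high" if (r["auth"] != "sso" or used_after) else "medium"
            out.append({"app": app, "user": r["user"], "auth": r["auth"],
                        "left_on": left.isoformat(), "used_after_departure": used_after,
                        "severity": severity})
    return sorted(out, key=lambda f: (f["severity"] != "high", f["app"]))


def idle_accounts(accounts=APP_ACCOUNTS, as_of=date(2025, 6, 30), idle_days=90):
    """Active accounts with no activity in idle_days: dormant identities and paid-for seats."""
    cutoff = as_of - timedelta(days=idle_days)
    return [{"app": app, "user": r["user"], "last_activity": r["last_activity"].isoformat()}
            for app, rows in accounts.items() for r in rows
            if r["active"] and r["last_activity"] < cutoff]


def drift_ratio(accounts=APP_ACCOUNTS, leavers=LEAVERS):
    """Share of active app accounts held by people the directory says have left."""
    active = [r for rows in accounts.values() for r in rows if r["active"]]
    wrong = [r for r in active if r["user"] in leavers]
    return len(wrong) / len(active) if active else 0.0


if __name__ == "__main__":
    for f in retained_access():
        print("RETAINED", f)
    for f in idle_accounts():
        print("IDLE", f)
    print(f"drift ratio: {drift_ratio():.2f}")
```

In this constructed data the token-based Calendly account is the worst case: the user left in May and the token was still used in June, so the directory offboarding recorded as complete did nothing at the application layer. That is the signal a leaver workflow should block on before closure is approved.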
Key takeaways
- SaaS sprawl is an identity governance problem because unmanaged applications often keep their own accounts, tokens, and access paths.
- The article’s scale data shows why manual inventory fails, with one 100-employee company spending nearly $1 million on SaaS and usage often far above IT estimates.
- The control lesson is straightforward: continuous discovery and offboarding-linked access review are the only credible ways to close hidden SaaS exposure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Unmanaged SaaS and retained access map to credential lifecycle failures. |
| NIST CSF 2.0 | PR.AC-1 | Access governance depends on knowing who and what has access across SaaS. |
| NIST Zero Trust (SP 800-207) | AC-6 | Least-privilege control is undermined when SaaS usage occurs outside central visibility. |
Track SaaS accounts and secrets through their full lifecycle and revoke them when ownership changes.
Key terms
- SaaS sprawl: SaaS sprawl is the uncontrolled growth of software subscriptions and accounts across teams, departments, and individuals. In identity terms, it creates a moving target for access review, offboarding, and entitlement ownership because the organisation no longer has a reliable inventory of what exists.
- Shadow IT: Shadow IT is technology adopted outside official approval or governance channels. In SaaS environments, it usually means employees sign up for tools directly, which creates hidden applications, unmanaged accounts, and data exposure that central identity and security processes cannot see until much later.
- Identity drift: Identity drift is the gap between recorded access state and real-world usage state. It appears when applications, accounts, permissions, or owners change faster than governance records are updated, leaving stale access, inaccurate recertification, and incomplete offboarding in place.
- Lifecycle governance: Lifecycle governance is the set of controls that manage identities from creation through change, review, and removal. For SaaS estates, it means every application, account, and entitlement must have an owner, a review path, and a revocation process that still works when the app was never formally approved.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
This post draws on content published by Zluri: SaaS Management What We Learnt Analyzing 150M+ SaaS Usage Transactions. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org