TL;DR: SaaS sprawl creates the same visibility failure for finance and security: the article shows that organisations often discover applications only after adoption, purchase, or SSO integration, leaving access reviews, offboarding, and cost control incomplete. The real problem is late discovery, which makes both SaaS management and identity governance reactive instead of preventive.
At a glance
What this is: An analysis of how SaaS sprawl creates parallel failures in SaaS management and identity governance by hiding applications until after they are already adopted and in use.
Why it matters: It matters because IAM, IGA, and NHI programmes all depend on knowing what exists before they can govern access, revoke accounts, or reduce risk.
👉 Read Zluri's analysis of SaaS sprawl and identity governance failure
Context
SaaS sprawl is the growth of applications outside the systems that finance and identity teams use for control. In this article, the core problem is not count accuracy, but the fact that discovery happens after adoption, after purchase, or after SSO integration, which means both spend and access governance begin too late.
For IAM and IGA teams, that timing gap creates incomplete access reviews, missed offboarding, and provisioning rules built on partial application inventories. For finance teams, it creates hidden spend, duplicate tools, and weak negotiation leverage. The starting position described here is common in mid-market environments, not an edge case.
Key questions
Q: What breaks when SaaS sprawl is not in your identity catalogue?
A: Access reviews, provisioning, and offboarding all become partial controls. Teams certify and revoke access only for the applications they know about, while shadow applications remain outside governance. The result is a false sense of coverage: the workflow looks complete, but actual employee access is wider than the identity record shows.
Q: Why do SaaS sprawl and identity governance fail in the same place?
A: They both depend on discovery happening before control. If applications are only found at purchase or SSO integration, finance cannot manage spend early and security cannot govern access early. The shared failure is late visibility, which turns both disciplines into cleanup functions instead of preventive ones.
Q: How do you know if access reviews are actually covering your SaaS environment?
A: Compare the number of applications in review workflows with the number of applications employees actually use. If your IGA system covers only integrated tools, then review completion rates can look healthy while most access remains outside certification. Coverage, not workflow completion, is the real metric.
Q: What should teams do when they discover an application after employees are already using it?
A: Treat the discovery as a governance event, not just an inventory update. Confirm owners, verify whether accounts were created outside approved workflows, check for duplicate spend, and include the application in offboarding and recertification before the next access cycle closes.
Technical breakdown
Five-stage SaaS sprawl and where discovery fails
The article describes a five-stage adoption path: signup, team adoption, purchase, IT discovery, and SSO integration. The important mechanism is that each control plane sees the application at a different point in the lifecycle. Finance usually sees it at purchase, IGA sees it at SSO integration, and neither sees the early stages where risk and duplication begin. That means the same application can be active for weeks or months before any governance workflow includes it.
Practical implication: Treat Stage 1-3 discovery as the control objective, not Stage 5 integration.
Why access reviews miss real application exposure
Access reviews only certify what is present in the identity system. When employees create accounts in tools that are not integrated, managers review a partial inventory and sign off on a false picture of access. This is not a review-quality problem first. It is a discovery problem. The review may be executed correctly and still fail because the application universe is incomplete.
Practical implication: Measure review coverage against actual application use, not only against the IGA catalogue.
SaaS management and IGA fail for the same root cause
SaaS management and identity governance are often treated as separate functions, but the article shows they break at the same point: late application discovery. Finance cannot optimize costs it does not see, and security cannot govern access it does not inventory. The technical lesson is that inventory quality sits upstream of both spend control and access control.
Practical implication: Build one discovery layer that feeds both spend analysis and access governance.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Late discovery is the shared failure mode behind SaaS sprawl. The article shows that finance and security are not facing separate problems but one visibility failure expressed in two different control domains. Application discovery at Stage 3 or Stage 5 is already too late for cost containment and governance completeness. Practitioners should treat early discovery as a prerequisite control, not an operational convenience.
Application inventory is now an identity governance control, not just an asset management input. When the IGA catalogue misses 60% of actual access, the issue is not merely administrative drift. It means recertification, provisioning, and offboarding are built on an incomplete object model. The implication is that identity programmes need a broader application discovery boundary than traditional SSO-based inventory provides.
Discovery debt is the right named concept for this problem. The environment accumulates unmanaged applications faster than governance can absorb them, and every delayed discovery event increases both cost leakage and access exposure. That debt is paid later through cleanup, migration, and audit remediation. Practitioners should stop measuring success only by integration count and start measuring how early applications become visible.
SaaS sprawl exposes the limits of control planes that assume formal adoption precedes use. That assumption holds in centrally managed software estates, but it fails when employees can create accounts with a corporate email address in minutes. The implication is that cost control, access reviews, and offboarding all need an earlier detection model than procurement or SSO integration can provide.
Cross-domain governance is the only coherent response to shadow application growth. Finance, security, and identity teams are all acting on different slices of the same environment. The article makes clear that duplicated tooling, hidden spend, and orphaned access all come from the same root condition. Practitioners should align discovery, lifecycle, and access governance around a single application truth source.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- That remediation lag is one reason teams should read the NHI Lifecycle Management Guide alongside the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs.
What this signals
Discovery debt is becoming the governing constraint for both SaaS management and identity programmes. If applications surface only after purchase or integration, the organisation cannot rely on annual reviews or quarterly controls to create a complete picture. The practical shift is toward continuous discovery across finance, endpoint, and identity signals, with Top 10 NHI Issues useful as a broader map of governance blind spots.
With 71% of NHIs not rotated within recommended time frames, according to the Ultimate Guide to NHIs, delayed visibility is not a narrow SaaS problem. It is part of a wider pattern in which identity programmes learn about assets after exposure has already accumulated.
Application discovery now sits inside the same control story as NHI inventory, offboarding, and zero trust. Teams that can see new tools early can also govern service accounts, API tokens, and leaver access earlier. That convergence is why identity programmes need one operating view across spend, access, and lifecycle instead of separate late-stage reconciliations.
For practitioners
- Expand discovery before formal adoption: Use browser, endpoint, CASB, MDM, and finance-system signals to identify applications while employees are still testing or sharing them. Stage 1-2 visibility is the only way to catch duplicate tools before they become embedded.
- Tie access reviews to real application use: Compare your IGA review list against observed application activity, not just SSO integrations. If managers can only certify what is in Okta, the review is incomplete by design.
- Route purchase data into governance workflows: Map spend events, reimbursement records, and discretionary card transactions into identity governance queues so new tools are assessed before they become business-critical.
- Unify offboarding across discovered and undiscovered apps: Assume leavers still hold accounts in tools outside the current IGA catalogue and build a discovery-driven offboarding sweep for every exit case.
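The coverage metric from the key questions above (applications in review scope versus applications employees actually use) and the discovery-driven offboarding sweep from the last two practitioner points can be computed from the same observed-activity data. The following is an added example written for this page, not Zluri's or NHIMG's code. The IGA catalogue, the browser/CASB-style activity events, the user names and the leaver record are all constructed sample data; the hostname-to-application mapping is a deliberate simplification (last two DNS labels, no public-suffix handling).

```python
"""Access-review coverage and leaver sweep measured against observed SaaS use.

Added example for this page (not Zluri's or NHIMG's code). Every record
below is constructed: IGA_CATALOGUE stands in for an SSO/IGA export,
ACTIVITY_EVENTS for a browser/CASB/proxy log, LEAVERS for an HR feed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Constructed: applications the IGA/SSO layer knows about (review scope).
IGA_CATALOGUE = {"salesforce.com", "slack.com", "github.com"}

# Constructed: one (user, host, day) activity signal per row.
ACTIVITY_EVENTS = [
    ("alice@corp.example", "login.salesforce.com", date(2026, 3, 2)),
    ("alice@corp.example", "app.slack.com", date(2026, 3, 2)),
    ("alice@corp.example", "www.notion.so", date(2026, 3, 3)),
    ("bob@corp.example", "github.com", date(2026, 3, 3)),
    ("bob@corp.example", "www.notion.so", date(2026, 3, 4)),
    ("bob@corp.example", "app.asana.com", date(2026, 3, 4)),
    ("carol@corp.example", "www.notion.so", date(2026, 3, 10)),
    ("carol@corp.example", "app.asana.com", date(2026, 3, 12)),
    ("carol@corp.example", "github.com", date(2026, 3, 12)),
]

# Constructed: leavers and their HR termination date.
LEAVERS = {"carol@corp.example": date(2026, 3, 6)}


def app_from_host(host: str) -> str:
    """Collapse a hostname to its registrable domain. Simplification: last
    two labels only; public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def observed_access(events):
    """Build {app: {user: last_seen_date}} from raw activity events."""
    seen = defaultdict(dict)
    for user, host, day in events:
        app = app_from_host(host)
        if user not in seen[app] or day > seen[app][user]:
            seen[app][user] = day
    return seen


@dataclass
class Coverage:
    covered_apps: set
    uncovered_apps: set
    app_coverage: float      # share of apps in use that are in review scope
    access_coverage: float   # share of (user, app) pairs in review scope
    uncovered_pairs: list = field(default_factory=list)


def review_coverage(catalogue, observed) -> Coverage:
    """Measure certification coverage against observed use, not the IGA list.
    A review over `catalogue` can report 100% completion while every pair in
    `uncovered_pairs` was never presented to a reviewer."""
    in_use = set(observed)
    covered, uncovered = in_use & catalogue, in_use - catalogue
    total_pairs = sum(len(users) for users in observed.values())
    covered_pairs = sum(len(observed[app]) for app in covered)
    return Coverage(
        covered_apps=covered,
        uncovered_apps=uncovered,
        app_coverage=len(covered) / len(in_use) if in_use else 1.0,
        access_coverage=covered_pairs / total_pairs if total_pairs else 1.0,
        uncovered_pairs=sorted((u, a) for a in uncovered for u in observed[a]),
    )


def offboarding_sweep(leavers, observed, catalogue):
    """Flag leaver activity after termination, split by whether IGA could
    ever have revoked it: outside the catalogue no workflow existed; inside
    the catalogue the revocation workflow ran but did not take effect."""
    findings = {}
    for user, left_on in leavers.items():
        outside, not_revoked = [], []
        for app, users in observed.items():
            last_seen = users.get(user)
            if last_seen is not None and last_seen > left_on:
                (not_revoked if app in catalogue else outside).append(app)
        if outside or not_revoked:
            findings[user] = {"outside_iga": sorted(outside),
                              "iga_not_revoked": sorted(not_revoked)}
    return findings


if __name__ == "__main__":
    obs = observed_access(ACTIVITY_EVENTS)
    cov = review_coverage(IGA_CATALOGUE, obs)
    print(f"apps in use {len(obs)}, app coverage {cov.app_coverage:.0%}, "
          f"access coverage {cov.access_coverage:.0%}")
    print("unreviewed access:", cov.uncovered_pairs)
    print("leaver findings:", offboarding_sweep(LEAVERS, obs, IGA_CATALOGUE))
```

With the constructed data, three of five applications are in review scope (60% app coverage) but only four of nine user-to-application relationships are (44% access coverage), which is the gap between a "completed" certification and actual exposure. The sweep reports that the leaver still used two applications the IGA catalogue never held and one it did, and those two findings call for different fixes: discovery and onboarding for the former, a broken deprovisioning connector for the latter.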
Key takeaways
- SaaS sprawl breaks both finance and identity governance because discovery happens too late.
- The article’s evidence shows that applications can be active long before they appear in spend or access systems.
- Earlier discovery is the practical control lever, because it improves both cost control and offboarding completeness.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 (2025) | NHI1: Improper Offboarding | Accounts and tokens in undiscovered apps are never decommissioned, because no lifecycle workflow knows they exist. |
| NIST CSF 2.0 | ID.AM-02 | The software and services inventory must reflect the real application environment, not only the SSO catalogue. |
| NIST CSF 2.0 | PR.AA-05 | Least privilege and access reviews depend on knowing which apps and accounts exist. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenet 1 | Every data source and service is a resource to be governed; a shadow application is a resource outside the policy enforcement point. |
Inventory applications earlier so NHI accounts can be governed before they bypass controls.
Key terms
- SaaS sprawl: SaaS sprawl is the uncontrolled growth of software subscriptions and user accounts across an organisation. It becomes an identity problem when applications are adopted outside formal governance, leaving finance, security, and IT with incomplete visibility into who is using what and where accounts need to be revoked.
- Discovery gap: The discovery gap is the time between when people start using an application and when governance systems first record it. In identity and SaaS management, that gap is what allows hidden spend, unreviewed access, and incomplete offboarding to accumulate before any control plane can act.
- Access review coverage: Access review coverage measures how much of the real application estate is actually included in certification workflows. A review can be executed correctly and still fail if it only covers integrated tools, because untracked applications remain outside the decision set and outside accountability.
- Shadow application: A shadow application is a tool in active use that has not been formally discovered, integrated, or governed. These applications often begin as individual signups and later become team dependencies, which makes them difficult to remove and easy to overlook during offboarding or audit preparation.
Deepen your knowledge
SaaS sprawl, application discovery, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is still relying on late-stage integration to find applications, this is a useful place to start.
This post draws on content published by Zluri: SaaS Management The Problem of SaaS Sprawl: Where SaaS Management and Identity Governance Meet (And Both Fail). Read the original.
Published by the NHIMG editorial team on 2026-03-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org