TL;DR: SaaS adoption is shifting software consumption to decentralized buying, access, and data ownership, and Zluri argues that traditional ITAM and SAM models cannot keep up with renewal, offboarding, and compliance demands. The identity problem is no longer just software sprawl, but unmanaged access lifecycles across users, data, and SaaS tools.
At a glance
What this is: This is a SaaS management argument that says decentralised adoption, access control, and compliance needs have outgrown traditional ITAM and SAM.
Why it matters: It matters because IAM, IGA, and SaaS governance teams now have to manage access and offboarding across a distributed application surface, not a central software estate.
By the numbers:
- The cloud market has grown ~60x since 2008, reaching $375 billion in 2020.
- $832.1 billion market size by 2025.
- The cloud market was worth $5.56 billion in the early 2010s, before SaaS became the default consumption model.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Context
SaaS management is the governance problem created when software procurement, access, and renewal move out of central IT and into individual teams. In that model, traditional asset management loses visibility over who approved a tool, who still has access, and whether offboarding actually happened.
The article argues that this shift makes centralised SAM and ITAM controls increasingly ineffective for SaaS estates. For identity teams, the practical issue is not just licence cost but lifecycle control across human access, third-party data exposure, and recurring compliance obligations.
Key questions
Q: How should security teams govern SaaS access when employees can buy tools directly?
A: Security teams should treat SaaS as an identity governance problem, not just a procurement problem. The priority is to assign ownership, track who can grant access, and connect onboarding and offboarding to a controlled workflow. Without that, access can outlive business need and create audit and data exposure risk.
Q: Why do SaaS tools create more access risk than traditional software?
A: SaaS tools create more access risk because buying and provisioning are decentralised, so access can be created outside central IT visibility. That makes entitlement drift, orphaned accounts, and unmanaged integrations more likely. The result is a wider identity surface that is harder to certify and revoke consistently.
Q: What breaks when offboarding is not tied to SaaS subscription management?
A: When offboarding is disconnected from SaaS management, former users, contractors, and service accounts can keep access after the business need ends. That leaves audit gaps, data exposure, and unnecessary licence cost. The control failure is not just delayed removal, but the absence of a reliable revocation trigger.
Q: Who should own SaaS governance in an enterprise?
A: SaaS governance should be shared across IT, security, procurement, and business ownership, but identity teams need clear control authority over access and revocation. If no one owns the lifecycle, each group assumes another team is handling it, and the application becomes unmanaged in practice.
Technical breakdown
Why traditional SAM breaks in a SaaS-first environment
Traditional software asset management was built for owned or centrally licensed software, where inventory, renewal, and removal could be handled through a controlled catalogue. SaaS changes the operating model because adoption is frictionless, purchases are decentralised, and access can be granted without a single system of record. That means the governance problem shifts from counting installs to controlling subscriptions, entitlements, and dormant access across many business units. Once the buying motion is decentralised, the old asset lifecycle stops matching the actual identity lifecycle around the tool.
Practical implication: rebuild SaaS governance around entitlement visibility and offboarding, not just licence inventory.
SaaS access control is really identity lifecycle control
In SaaS environments, access is not just authentication into an app. It is a continuous lifecycle problem involving joiner, mover, and leaver events, plus privilege changes and revocation when the subscription ends or the business owner changes. The article highlights how hard it becomes to manage onboarding and offboarding when software is purchased outside IT. That is an identity governance issue, because stale access persists after the business reason for access has disappeared. The control gap is not only permission assignment, but the lack of reliable lifecycle ownership.
Practical implication: tie SaaS access to lifecycle ownership so revocation follows role change, contract end, and team departure.
Why SaaS creates compliance drift and data sprawl
When SaaS adoption spreads without central oversight, sensitive data and compliance obligations spread with it. Each application may introduce its own retention, logging, residency, and access expectations, while the organisation loses the ability to prove that those conditions are being met. The article frames this as a growing compliance burden, but the underlying issue is governance fragmentation. Data sprawl follows access sprawl, and both make it harder to enforce policy consistently across the enterprise software stack.
Practical implication: classify SaaS by data sensitivity and compliance impact before allowing broad self-service adoption.
NHI Mgmt Group analysis
Decentralised SaaS buying creates identity sprawl, not just software sprawl. The article is really describing a governance model where access is created faster than central teams can observe it. That is not a procurement issue alone, because every untracked subscription can also become an untracked identity path. Practitioners should treat SaaS adoption as an access governance problem with financial and compliance side effects.
Traditional SAM assumes a controllable asset lifecycle, and that assumption fails in SaaS. The old model was designed for software that could be inventoried, renewed, and retired centrally. That assumption breaks when teams buy tools directly and manage access outside IT, because the lifecycle becomes distributed across business owners, vendors, and users. The implication is that identity governance must move closer to the purchasing and offboarding flow.
Access control and compliance are now coupled in every SaaS decision. SaaS tools do not merely increase application count, they multiply the number of places where permission drift, data exposure, and audit failure can occur. That is why lifecycle visibility and policy enforcement matter as much as commercial governance. Teams that separate software management from identity management will miss the control gap entirely.
Identity surface expansion: SaaS adoption turns application growth into governance growth, because every new subscription creates another access path, another offboarding obligation, and another audit dependency. The practical consequence is that IGA and SaaS operations need a shared control view. If the organisation cannot trace who owns access, who revoked it, and where the data lives, the programme is already behind.
Self-service procurement changes the security boundary. Once users can buy software directly, the boundary is no longer the central IT gate. It becomes the combination of policy, visibility, and revocation discipline across many teams. Practitioners should expect that the weakest part of the process is usually not authentication, but the lack of a governed lifecycle around the application itself.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- For the broader lifecycle lens, NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding need to be governed as one continuous control chain.
What this signals
Identity surface expansion: SaaS adoption turns application growth into governance growth, because every new subscription adds another access path, another owner, and another revocation dependency. That is why SaaS programmes should be measured by lifecycle visibility, not by the number of apps onboarded.
Teams should expect the control boundary to shift from central IT to business-owned procurement unless policy is enforced at the point of purchase. Once that happens, the only durable control is a lifecycle process that ties ownership, access, and termination together.
For a broader control baseline, the Top 10 NHI Issues framing helps teams separate inventory sprawl from governance failure. The lesson is simple: when access is decentralised, the security programme must become more explicit about who can approve, revoke, and evidence each entitlement.
For practitioners
- Map every SaaS app to an owner and offboarding path: Create a system of record that ties each SaaS subscription to a business owner, renewal date, data class, and revocation workflow. If an app has no named owner, treat it as unmanaged until the gap is closed.
- Separate procurement approval from access governance: Require a security and identity review before users can expand SaaS access beyond the initial purchase. The review should confirm who can grant access, how access is removed, and where audit evidence is stored.
- Build lifecycle triggers into SaaS access removal: Connect leaver, mover, and contract-end events to automated revocation for SaaS accounts and connected integrations. Use the access event trail to verify that termination actually removed active privileges.
- Classify SaaS by data and compliance exposure: Score each application for the sensitivity of the data it stores, the regulatory obligations it creates, and the logging evidence it can produce. Prioritise remediation where sensitive data sits outside standard controls.
- Review dormant subscriptions before renewal cycles: Use renewal windows to identify unused or duplicate tools, dormant accounts, and orphaned data stores. Tie renewal approval to proof of active business use and documented access ownership.
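The practitioner steps above describe one control chain: a system of record per SaaS app, lifecycle events that trigger revocation, a verification pass against the access trail, and a dormancy review before renewal. The script below is an added example written for this post; it is not code from Zluri or from NHIMG. Every app, principal, date and event in it is constructed, and the function names (`revocations_due`, `unowned_apps`, `dormant_before_renewal`, `still_active`) are hypothetical, chosen only to show how the four checks fit together on a small inventory.

```python
"""Minimal SaaS access lifecycle checks (added example, constructed data).

Joins a SaaS system of record with HR lifecycle events and an access trail to
answer four governance questions: whose access is due for revocation, which
apps have no owner, which accounts are dormant ahead of renewal, and whether
a revocation actually removed the account.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

Pair = Tuple[str, str]  # (principal, app)


@dataclass(frozen=True)
class SaasApp:
    name: str
    owner: Optional[str]        # business owner; None means unmanaged
    renewal_date: date
    data_class: str             # e.g. "internal", "confidential"


@dataclass(frozen=True)
class Account:
    app: str
    principal: str              # employee, contractor or service account
    last_login: Optional[date]  # None = never seen in the access trail


@dataclass(frozen=True)
class LifecycleEvent:
    principal: str
    kind: str                   # "leaver", "mover" or "contract_end"
    effective: date


# Only these events end the business need outright; a "mover" needs a review,
# not an automatic revocation, so it is deliberately excluded.
REVOKING_EVENTS = {"leaver", "contract_end"}


def revocations_due(accounts: List[Account], events: List[LifecycleEvent],
                    as_of: date) -> List[Pair]:
    """Accounts whose principal has a leaver/contract-end event in effect."""
    terminated = {e.principal for e in events
                  if e.kind in REVOKING_EVENTS and e.effective <= as_of}
    return sorted((a.principal, a.app) for a in accounts
                  if a.principal in terminated)


def unowned_apps(apps: List[SaasApp]) -> List[str]:
    """Apps with no named owner: treat as unmanaged until the gap is closed."""
    return sorted(a.name for a in apps if not a.owner)


def dormant_before_renewal(apps: List[SaasApp], accounts: List[Account],
                           as_of: date, window_days: int = 30,
                           dormant_days: int = 90) -> Dict[str, List[str]]:
    """Dormant accounts on apps whose renewal falls inside the review window."""
    renewing = {a.name for a in apps
                if as_of <= a.renewal_date <= as_of + timedelta(days=window_days)}
    cutoff = as_of - timedelta(days=dormant_days)
    found: Dict[str, List[str]] = {}
    for acct in accounts:
        if acct.app in renewing and (acct.last_login is None
                                     or acct.last_login < cutoff):
            found.setdefault(acct.app, []).append(acct.principal)
    return {app: sorted(p) for app, p in found.items()}


def still_active(expected_revoked: List[Pair],
                 snapshot: List[Account]) -> List[Pair]:
    """Revocations that did not take: pairs still present in a later snapshot."""
    present = {(a.principal, a.app) for a in snapshot}
    return sorted(pair for pair in expected_revoked if pair in present)


def run_example() -> dict:
    """Run all four checks on constructed data and return the findings."""
    as_of = date(2025, 6, 26)
    apps = [  # constructed system of record
        SaasApp("crm-tool", "sales-lead", date(2025, 7, 15), "confidential"),
        SaasApp("chat-tool", "it-ops", date(2025, 7, 5), "internal"),
        SaasApp("design-app", None, date(2025, 9, 1), "internal"),
    ]
    accounts = [  # constructed access trail (last login per account)
        Account("crm-tool", "alice", date(2025, 6, 20)),
        Account("crm-tool", "bob", date(2025, 2, 1)),
        Account("chat-tool", "bob", date(2025, 6, 25)),
        Account("design-app", "carol", date(2025, 5, 1)),
        Account("crm-tool", "svc-sync", None),
    ]
    events = [  # constructed HR / contract events
        LifecycleEvent("bob", "leaver", date(2025, 6, 20)),
        LifecycleEvent("carol", "contract_end", date(2025, 7, 10)),  # future
        LifecycleEvent("dave", "mover", date(2025, 6, 1)),
    ]
    due = revocations_due(accounts, events, as_of)
    # Constructed snapshot taken after offboarding: crm-tool removed bob,
    # chat-tool did not, so the verification step catches it.
    after = [a for a in accounts if (a.principal, a.app) != ("bob", "crm-tool")]
    return {
        "revocations_due": due,
        "unowned_apps": unowned_apps(apps),
        "dormant_before_renewal": dormant_before_renewal(apps, accounts, as_of),
        "still_active": still_active(due, after),
    }


if __name__ == "__main__":
    for check, result in run_example().items():
        print(f"{check}: {result}")
```

The design point is that each finding comes from a different join: revocations from HR events against the account list, ownership gaps from the app record alone, dormancy from the access trail against the renewal calendar, and verification from the expected revocations against a later snapshot. Carol's contract end is in the future and Dave's move is not a revoking event, so neither appears in the revocation list; that is the distinction between a revocation trigger and a review trigger that the third practitioner step relies on.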
Key takeaways
- SaaS sprawl is also identity sprawl, because every unmanaged subscription creates a new access lifecycle to govern.
- The scale of the problem is growing as cloud and SaaS adoption pull software decisions away from central IT and into the business.
- Enterprises need ownership, offboarding, and compliance controls tied to SaaS entitlements if they want visibility that survives decentralised buying.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | SaaS access sprawl creates entitlement governance risk. |
| NIST Zero Trust (SP 800-207) | Policy enforcement point (PEP) | SaaS adoption expands the access boundary beyond a central perimeter. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Stale SaaS access and exposed secrets both widen non-human identity risk. |
Treat each SaaS app as a separate policy enforcement point with explicit access verification.
Key terms
- SaaS governance: SaaS governance is the set of controls used to approve, track, secure, and retire cloud applications across the enterprise. It combines procurement oversight, identity lifecycle management, compliance evidence, and data protection so decentralised buying does not create unmanaged access or hidden risk.
- Identity lifecycle: Identity lifecycle is the end-to-end management of an identity from creation to removal, including access changes along the way. In SaaS environments, it must cover joiners, movers, leavers, and subscription changes because access often persists beyond the business need if no one owns revocation.
- Entitlement drift: Entitlement drift is the gradual mismatch between the access a user or account has and the access it should have. In SaaS estates, it happens when permissions accumulate across self-service tools, business-managed onboarding, and incomplete offboarding, making review and remediation harder over time.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
This post draws on content published by Zluri: The Case for Building a SaaS Management Tool Ground Up. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org