TL;DR: Rising SaaS spend, weak app visibility, and manual renewal tracking are making financial planning and analysis harder while increasing security and compliance exposure, according to Zluri and Gartner data. The governance problem is no longer budget tracking alone: unmanaged SaaS creates shadow access, unused licenses, and control gaps that identity teams must help close.
At a glance
What this is: This article argues that unmanaged SaaS growth creates budgeting, renewal, visibility, and governance problems that affect FP&A and identity control.
Why it matters: It matters because SaaS sprawl changes not just spend forecasting but also who has access, what is monitored, and where IAM, IGA, and NHI oversight can fail.
By the numbers:
- According to Gartner's report, cloud software spending increased by 23% in 2021, from $270 billion to $330 billion.
- Total SaaS spending is estimated to increase from $100 billion in 2020 to $140 billion in 2022.
👉 Read Zluri's analysis of SaaS challenges affecting FP&A
Context
SaaS sprawl is the condition where applications accumulate faster than finance, security, and IT can govern them. In practice, that means the same decentralisation that helps teams move quickly also weakens visibility into subscriptions, renewals, licences, and application-level access.
For IAM and NHI programmes, the issue is not just cost control. Every unmanaged SaaS app can carry dormant accounts, over-broad entitlements, third-party access, and shadow approvals that complicate access reviews and offboarding across the identity lifecycle.
Key questions
Q: How should teams govern SaaS sprawl without losing budget control?
A: Start with a shared inventory that merges finance, SSO, and application discovery data. Then assign lifecycle ownership for each app so renewals, access reviews, and offboarding happen against one record. That prevents budget surprises and reduces the chance that inactive SaaS tools keep carrying unmanaged access.
Q: Why does SaaS renewal management matter to IAM teams?
A: Because renewals often preserve active accounts, licences, and permissions even when the business case has ended. If IAM and procurement do not work from the same data, the organisation can keep paying for access it no longer needs. Renewal control is therefore part of lifecycle governance, not just spend management.
Q: What breaks when SaaS apps are managed manually?
A: Manual tracking produces stale data, missed renewals, and inconsistent ownership records. In identity terms, that means access reviews are based on partial information and offboarding can miss apps that still expose data. The failure is not only operational inefficiency but weak evidence for governance decisions.
Q: How do organisations know if SaaS governance is actually working?
A: Look for three signals: a current application inventory, renewal decisions tied to usage and ownership evidence, and access review findings that decline over time. If finance, security, and identity teams all see the same app list, governance is becoming measurable rather than assumed.
Technical breakdown
SaaS decentralisation and shadow access
When business units choose SaaS tools independently, the organisation often loses a reliable inventory of applications, users, and data flows. That creates shadow IT, but it also creates shadow access: entitlements that are granted outside normal review cycles and never fully reconciled with identity governance records. The result is a control gap between procurement, finance, and IAM. A SaaS management layer can improve discovery, but the technical issue remains the same: if the app is not tied back to authoritative identity data, access decisions become incomplete.
Practical implication: connect SaaS discovery to identity sources so access reviews can cover the real application estate, not the assumed one.
Auto-renewals and licence drift
Auto-renewal turns software contracts into standing commitments unless someone actively intervenes. Technically, this matters because renewals often preserve unused licences, inactive accounts, and inherited app ownership long after business need has changed. Licence drift is not just wasteful spend. It is a governance signal that the organisation has lost control over lifecycle state, ownership, and offboarding. In identity terms, the subscription may be current while the access model is stale.
Practical implication: tie renewal review to licence utilisation and ownership data so dormant subscriptions are challenged before renewal dates.
Manual SaaS management and weak control evidence
Spreadsheet-based management cannot keep pace with dynamic SaaS environments because it depends on periodic, manually assembled snapshots. That creates lag between actual usage and reported usage, which weakens forecasting and makes control evidence fragile. For security and governance teams, the technical problem is not only incomplete data but also stale data. If you cannot reliably show which apps exist, who uses them, and what they cost, then you cannot defend budget decisions or access decisions with confidence.
Practical implication: automate SaaS inventory and usage evidence collection so finance and identity teams are working from the same current record.
Threat narrative
Attacker objective: The practical objective is not a single exploit but the persistence of unmanaged software and access state that expands cost, compliance, and identity risk.
- Entry occurs when employees adopt SaaS applications outside formal IT approval, creating unmanaged accounts and fragmented visibility.
- Escalation follows as those apps retain active licences, broad permissions, or unreviewed third-party access after business need changes.
- Impact appears as budget waste, compliance exposure, and poor access governance because finance and IAM no longer share a trustworthy control picture.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SaaS sprawl is an identity governance problem before it is a finance problem. When organisations cannot see all the apps in use, they cannot reliably govern the identities attached to them. The article correctly links spend control to visibility, but the deeper issue is that every unmanaged app can carry untracked accounts, tokens, and permissions that sit outside review. Practitioners should treat SaaS discovery as an identity control surface, not a procurement report.
Licence drift creates a standing access problem disguised as a renewal issue. The renewal date often becomes the only moment when an organisation discovers that the app still exists but the business case does not. That is a lifecycle failure, because access, ownership, and spend have diverged for too long. The implication is that SaaS governance must join procurement, IAM, and entitlement review into one operating model.
Shadow SaaS ownership: when no single team owns discovery, renewal, and access review, governance fractures across finance and identity. This article shows how quickly that fracture produces duplicate apps, abandoned subscriptions, and unreliable evidence for decision-making. The named failure mode is not just decentralisation, but ownership without lifecycle accountability. Practitioners should assign one control owner for the full SaaS lifecycle.
FP&A teams now need identity-grade evidence to budget correctly. A budget forecast is only as strong as the usage and ownership data behind it. If the organisation cannot reconcile who uses a tool, why it exists, and whether it is still needed, the forecast is really an estimate over unknown access state. Identity teams should make access data part of financial governance, not a separate compliance task.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Another finding from Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, shows that only 20% have formal processes for offboarding and revoking API keys.
- For a broader control baseline, review the Top 10 NHI Issues for the governance gaps that most often persist when identities are not lifecycle-managed.
What this signals
Shadow SaaS ownership: the more teams can buy software independently, the more identity governance has to shift from periodic review to continuous discovery. If the same app list is not shared across finance, security, and IAM, budget control and access control will continue to diverge. Practitioners should expect discovery projects to become a standing part of governance, not a one-off clean-up.
With 96% of organisations storing secrets outside secrets managers in vulnerable locations, the broader lesson is that unmanaged software often becomes unmanaged identity too. SaaS programmes that ignore identity evidence tend to miss the access state hiding behind subscriptions, integrations, and admin accounts. That is where control drift starts to compound.
For teams building out governance maturity, the practical pivot is clear: connect renewal, ownership, and entitlement evidence into one operating view. The NHI Lifecycle Management Guide is the right companion resource when the question becomes how to make identity lifecycle data usable across procurement and security.
For practitioners
- Build a single SaaS inventory from identity and finance sources: Combine SSO, expense, and direct application discovery into one inventory so renewals and access reviews use the same authoritative record.
- Tie renewal reviews to entitlement and usage evidence: Require app owners to prove active use, named ownership, and access necessity before auto-renewal is approved or deferred.
- Include abandoned SaaS in access review cycles: Treat dormant subscriptions and unused licences as governance issues, then reconcile them during quarterly entitlement reviews and offboarding.
- Map SaaS ownership to lifecycle accountability: Assign one accountable owner for discovery, renewals, offboarding, and security evidence so budget control and access control do not drift apart.
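As an added example (not part of the original post, and not Zluri's or NHIMG's tooling), the following Python script shows the reconciliation that the Key questions answer on a shared inventory, the three practical implications in the Technical breakdown, and the practitioner steps above all describe. It merges a finance subscription list, the SSO application/user assignment list and a discovery feed into one record per app, then flags apps that are paid for but absent from SSO (shadow access), apps seen in use with no contract or SSO record, apps with no owner, dormant accounts, licence drift against seat counts, and auto-renewals due inside a review window. All app, owner and user names, dates, seat counts and thresholds are constructed sample values.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed sample inputs (no real organisations, apps or people). Each view is
# partial on purpose: those gaps are exactly what reconciliation has to surface.

# Finance view: subscription records from procurement / expense systems.
FINANCE = [
    {"app": "crm-suite", "owner": "sales-ops", "seats": 50, "renews": "2025-07-15", "auto_renew": True},
    {"app": "design-tool", "owner": "", "seats": 20, "renews": "2025-07-05", "auto_renew": True},
    {"app": "survey-app", "owner": "marketing", "seats": 10, "renews": "2025-12-01", "auto_renew": False},
]

# SSO view: apps federated to the IdP, their assigned users and each user's last login.
SSO = {
    "crm-suite": {"alice": "2025-06-20", "bob": "2025-03-01", "carol": "2025-06-25"},
    "survey-app": {"dave": "2024-11-10"},
}

# Discovery view: app names seen in OAuth grants, expense lines or network telemetry.
DISCOVERED = {"crm-suite", "design-tool", "notes-app"}

# Constructed reference date for the run (the post's publication date).
TODAY = date(2025, 6, 26)


@dataclass
class AppRecord:
    """One authoritative record per app, merged from all three views."""
    name: str
    in_finance: bool = False
    in_sso: bool = False
    in_discovery: bool = False
    owner: str = ""
    seats: int = 0
    renews: date | None = None
    auto_renew: bool = False
    active_users: int = 0
    dormant_users: list[str] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)


def build_inventory(finance, sso, discovered, today, dormant_days=90, window_days=30, min_util=0.5):
    """Merge the three views and attach governance findings to each app."""
    records: dict[str, AppRecord] = {}

    def rec(name):
        return records.setdefault(name, AppRecord(name=name))

    for row in finance:
        r = rec(row["app"])
        r.in_finance, r.owner, r.seats = True, row["owner"], row["seats"]
        r.renews, r.auto_renew = date.fromisoformat(row["renews"]), row["auto_renew"]

    for app, users in sso.items():
        r = rec(app)
        r.in_sso = True
        for user, last_login in users.items():
            if (today - date.fromisoformat(last_login)).days > dormant_days:
                r.dormant_users.append(user)   # account exists but is not being used
            else:
                r.active_users += 1

    for app in discovered:
        rec(app).in_discovery = True

    for r in records.values():
        if r.in_finance and not r.in_sso:
            r.findings.append("paid-but-not-in-sso")   # accounts live outside the IdP: shadow access
        if r.in_discovery and not (r.in_finance or r.in_sso):
            r.findings.append("shadow-app")            # seen in use, but no contract and no SSO record
        if r.in_finance and not r.owner:
            r.findings.append("no-owner")              # nobody accountable for renewal or offboarding
        if r.dormant_users:
            r.findings.append("dormant-accounts")
        if r.in_sso and r.seats and r.active_users / r.seats < min_util:
            r.findings.append("licence-drift")         # paying for far more seats than are used
        if r.auto_renew and r.renews and 0 <= (r.renews - today).days <= window_days:
            r.findings.append("renewal-due")
    return records


def renewal_challenges(records):
    """Apps whose auto-renewal is imminent and whose evidence does not justify renewing as-is."""
    drift = {"paid-but-not-in-sso", "no-owner", "dormant-accounts", "licence-drift"}
    return {
        r.name: sorted(set(r.findings) & drift)
        for r in records.values()
        if "renewal-due" in r.findings and set(r.findings) & drift
    }


if __name__ == "__main__":
    inventory = build_inventory(FINANCE, SSO, DISCOVERED, TODAY)
    for r in sorted(inventory.values(), key=lambda x: x.name):
        print(f"{r.name:12} finance={r.in_finance!s:5} sso={r.in_sso!s:5} "
              f"discovery={r.in_discovery!s:5} findings={r.findings}")
    print("challenge before renewal:", renewal_challenges(inventory))
```

Running the script prints one line per app with its findings and then the renewal queue; in the sample data only the two apps whose auto-renewal falls inside the 30-day window appear in the queue, each listed with the evidence gap that should be resolved before the renewal is approved. In a real deployment the three inputs would be exported from the procurement system, the IdP's application assignments and sign-in logs, and whatever discovery source is available; the thresholds (90 days dormant, 50% utilisation, 30-day window) are policy choices assumed here, not values from the article.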
Key takeaways
- SaaS sprawl is not just a finance issue, because unmanaged applications also create hidden identity and access risk.
- Visibility gaps around renewals, licences, and ownership weaken both forecasting accuracy and access governance.
- Organisations need a shared lifecycle model for SaaS, where discovery, entitlement review, and offboarding are governed together.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | SaaS discovery and entitlement visibility map to access control governance. |
| NIST CSF 2.0 | GV.RM-03 | The article centres on risk visibility for decentralised SaaS decisions. |
| NIST Zero Trust (SP 800-207) | | Decentralised SaaS access challenges continuous verification and least privilege. |
Apply zero-trust principles to SaaS access by verifying identity, ownership, and need at each review point.
Key terms
- SaaS Sprawl: The uncontrolled growth of software-as-a-service applications across teams, departments, and purchase channels. It becomes a governance issue when the organisation can no longer reliably inventory apps, assign ownership, or reconcile access against business need.
- Licence Drift: The mismatch between what an organisation is paying for and what is actually being used. In mature governance terms, it often signals that renewal, ownership, and entitlement decisions are no longer aligned with current operational demand.
- Shadow IT: Technology adopted outside formal approval or oversight. In SaaS environments, shadow IT usually appears as unsanctioned applications, unreviewed integrations, and accounts that never enter the standard identity or procurement lifecycle.
- Lifecycle Accountability: The discipline of assigning clear ownership for discovery, approval, renewal, access review, and offboarding across the full life of a digital asset. For SaaS, it prevents cost control and access control from drifting into separate, inconsistent processes.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: SaaS Management SaaS Challenges that Affect Financial Planning and Analysis. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org