TL;DR: SaaS sprawl starts with fast self-service adoption and ends with hidden access, unused licenses, and audit gaps, according to 1Password. The governance problem is not discovery alone, but the lack of repeatable lifecycle controls for onboarding, offboarding, access reviews, and renewals across unmanaged apps.
At a glance
What this is: This is an analysis of SaaS sprawl as an identity governance problem, with the key finding that discovery without lifecycle control leaves access, licenses, and audit evidence fragmented.
Why it matters: It matters because IAM teams have to govern human access, NHI-like app credentials, and shadow AI or SaaS usage through the same lifecycle lens, or risk losing control of who can reach what and why.
By the numbers:
- 52% of employees use apps not approved by IT.
- 38% of employees retain access to data after leaving a company.
- 70% of professionals agree SSO isn't a complete solution for securing identity.
- Only 5.7% of organisations have full visibility into their service accounts.
👉 Read 1Password's guide to SaaS discovery, offboarding, and access reviews
Context
SaaS sprawl begins when teams adopt tools faster than governance can absorb them. In practice, that means access is granted for speed, then reviewed, revoked, and reconciled much later, if at all. That lag is the core problem for SaaS management and identity governance.
Once apps move outside SSO, spreadsheets and one-time audits stop being reliable control points. The result is not just wasted spend, but unmanaged access paths, stale entitlements, and weak audit trails across human users and the broader identity estate.
The pattern is typical in modern enterprises: work starts in the browser, but the security problem lives in the lifecycle. Discovery matters, but it only becomes governance when discovery is tied to review, revocation, ownership transfer, and renewal decisions.
Key questions
Q: How should security teams govern SaaS sprawl across the full identity lifecycle?
A: Security teams should treat SaaS sprawl as a lifecycle governance issue, not just a discovery problem. That means assigning ownership when an app is found, reviewing access with role and usage context, revoking app-local access at offboarding, and tying renewals to current business need. The goal is to stop unmanaged apps from becoming unmanaged identities.
Q: Why does SSO not solve SaaS access governance on its own?
A: SSO centralises authentication, but it does not eliminate app-local licenses, OAuth tokens, file ownership, or external sharing links. Many SaaS controls still live inside the application, so access can persist after directory deprovisioning. Teams need lifecycle controls that reach beyond the IdP and into the app itself.
Q: What breaks when SaaS access reviews rely on spreadsheets?
A: Spreadsheets freeze access data in time, so reviewers work from stale exports while roles, teams, and app usage keep changing. That creates entitlement drift and weak evidence for auditors. A better model is recurring review automation with current usage, department, and risk context, plus direct remediation from the review step.
Q: Who should own SaaS renewal decisions when security, IT, and finance all see different data?
A: Renewal decisions should be made from a shared source of truth that combines contract terms, license usage, renewal dates, and tool overlap. When each team sees different numbers, auto-renewals and true-ups become the default. Shared visibility lets the business challenge waste before it compounds.
Technical breakdown
Why SaaS discovery is not control
Discovery tells you an app exists, but it does not tell you who approved it, who owns it, what data flows through it, or whether it still matters to the business. In SaaS environments, that gap is large because tools arrive through cards, trials, and team-level buying, then persist beyond the original request. A list of applications is useful only when it feeds a workflow that assigns ownership, confirms business purpose, and records whether the app should be managed, consolidated, or removed.
Practical implication: treat discovery as the first step in an ownership and review workflow, not as a finished inventory.
Why offboarding fails when it stops at SSO
Disabling SSO closes one path, but it does not necessarily revoke OAuth tokens, remove app-local licenses, transfer files, or delete external sharing links. That is why SaaS offboarding is an identity lifecycle problem, not just an authentication event. The real technical challenge is that the application may keep its own state long after the human account is gone, leaving data and permissions stranded in the long tail of unmanaged apps.
Practical implication: build offboarding checks for app-local access, token revocation, and ownership transfer, not only directory deprovisioning.
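To make the offboarding check concrete, here is an added example (not code from the article or from 1Password) that reconciles a directory's leaver list against the state each SaaS app still holds. The leaver set, the `AppAccount` fields and the sample records are constructed assumptions; the point is that `sso_disabled` is one path among several.

```python
"""Leaver reconciliation across app-local state.

Added example, not from the article or 1Password. Assumes a constructed
directory export of leavers plus, per app, the state each app still holds.
"""
from dataclasses import dataclass


@dataclass
class AppAccount:
    app: str
    user: str
    sso_disabled: bool           # IdP assignment removed?
    oauth_tokens: int = 0        # live app-local OAuth/API tokens
    license_seat: bool = False   # seat still allocated inside the app
    owned_shared_files: int = 0  # files/folders the user still owns
    external_links: int = 0      # external sharing links still active


# Each app-local field is a separate access path; clearing SSO closes none of them.
CHECKS = [
    ("oauth_tokens", "oauth_tokens_live"),
    ("license_seat", "license_seat_not_reclaimed"),
    ("owned_shared_files", "owned_files_need_transfer"),
    ("external_links", "external_links_active"),
]

# Constructed sample: alice and bob left; carol is an active user.
DIRECTORY_LEAVERS = {"alice@example.com", "bob@example.com"}
APP_STATE = [
    AppAccount("crm", "alice@example.com", sso_disabled=True, oauth_tokens=2, license_seat=True),
    AppAccount("docs", "alice@example.com", sso_disabled=True, owned_shared_files=14, external_links=3),
    AppAccount("chat", "bob@example.com", sso_disabled=False),  # IdP step never ran
    AppAccount("crm", "carol@example.com", sso_disabled=False, oauth_tokens=1),
]


def residual_access(leavers, accounts):
    """Return (app, user, issue) for every access path a leaver still holds."""
    findings = []
    for a in accounts:
        if a.user not in leavers:
            continue
        if not a.sso_disabled:
            findings.append((a.app, a.user, "sso_assignment_still_active"))
        for attr, issue in CHECKS:
            if getattr(a, attr):
                findings.append((a.app, a.user, issue))
    return findings
```

Each finding is a remediation task for the app owner; alice's disabled SSO assignment still leaves four open paths across two apps.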
How access review drift shows up in SaaS
Access reviews degrade when they depend on manual exports, static spreadsheets, and deadline-driven cleanup. Over time, role changes, reorganisations, and departed users create entitlement drift, while reviewers lack enough context to judge whether access is still justified. A repeatable review process needs current role, department, risk, and usage signals so revocation decisions are grounded in evidence rather than memory or convenience.
Practical implication: move reviews into a recurring workflow that uses usage and role context to support direct remediation from the review step.
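The review logic described above, as an added example that is not from the article or 1Password: each entitlement is judged on current department, app-local role, app risk and last activity, and the output is keyed so remediation can act on it directly. The 90-day threshold, the field names and the sample entitlements are constructed assumptions.

```python
"""Usage-aware access review: decide from current role, department and activity,
not a stale export. Added example, not from the article or 1Password; the
90-day threshold, field names and sample records are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

STALE_DAYS = 90            # assumption: no activity in 90 days triggers review
TODAY = date(2026, 1, 16)  # pinned so the sample stays deterministic


@dataclass
class Entitlement:
    user: str
    app: str
    role_in_app: str        # app-local role, e.g. "admin" or "member"
    dept_when_granted: str  # business context recorded at grant time
    current_dept: str       # from the HR/IdP feed at review time
    last_activity: date     # the app's own login/activity signal
    app_risk: str           # owner-assigned: "high" or "standard"


def review(e, today=TODAY):
    """Return (decision, reason); decision is 'revoke', 'confirm' or 'keep'."""
    idle = (today - e.last_activity).days
    if e.current_dept != e.dept_when_granted:
        # Department drift: the context the grant relied on no longer holds.
        return "revoke", f"dept changed {e.dept_when_granted}->{e.current_dept}"
    if idle > STALE_DAYS and e.role_in_app == "admin":
        return "revoke", f"admin role idle {idle}d"
    if idle > STALE_DAYS:
        return "confirm", f"idle {idle}d; app owner must justify"
    if e.app_risk == "high" and e.role_in_app == "admin":
        return "confirm", "high-risk admin; recertify every cycle"
    return "keep", f"active {idle}d ago, context unchanged"


# Constructed entitlements for one review cycle.
SAMPLE = [
    Entitlement("dana@example.com", "crm", "admin", "sales", "sales", TODAY - timedelta(days=3), "high"),
    Entitlement("eli@example.com", "crm", "member", "sales", "support", TODAY - timedelta(days=10), "high"),
    Entitlement("fay@example.com", "analytics", "admin", "data", "data", TODAY - timedelta(days=120), "standard"),
    Entitlement("gus@example.com", "docs", "member", "eng", "eng", TODAY - timedelta(days=200), "standard"),
    Entitlement("hal@example.com", "docs", "member", "eng", "eng", TODAY - timedelta(days=5), "standard"),
]


def run_cycle(entitlements=SAMPLE):
    """Keyed decisions so remediation can act straight from the review step."""
    return {(e.user, e.app): review(e) for e in entitlements}
```

Running `run_cycle()` on the sample revokes eli (department changed) and fay (idle admin), asks owners to confirm dana and gus, and keeps hal, each with the evidence the reviewer would otherwise have to reconstruct from memory.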
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SaaS sprawl is an identity governance failure before it is a cost problem. The article shows how easy sign-up paths and weak follow-through create unmanaged access, not just unused licenses. When tools sit outside the review and offboarding motion, the enterprise loses both control evidence and lifecycle visibility. Practitioners should treat SaaS portfolios as governed identity surfaces, not just software spend.
Offboarding without app-local revocation leaves access alive after the human identity is gone. Disabling SSO was designed for central authentication, not for deleting every downstream token, license, file share, or ownership relationship inside each app. That assumption fails when applications maintain their own permission state. The implication is that leaver handling must be designed around the full application lifecycle, not only directory termination.
Access review spreadsheets encode delay, and delay is the control gap. This article makes clear that stale exports, manual approvals, and deadline pressure let privilege drift accumulate. The governance failure is not a missing policy statement, but a review model that cannot keep pace with role changes and shadow app usage. Practitioners should see recurring review automation as a governance requirement, not an administrative convenience.
Named concept: SaaS lifecycle blind spot. This is the gap between discovering a tool and actually governing its identity state, ownership, and renewal path. It spans onboarding, offboarding, recertification, and contract renewal, which is why finance, IT, and security all see partial truth. The practical conclusion is that no single control can close this blind spot unless the lifecycle is unified end to end.
SaaS management now overlaps with shadow AI governance, which raises the stakes for identity teams. The article references unmanaged apps and AI tools in the same operational flow, and that matters because identity teams increasingly have to govern both human users and software-mediated access. Where the two overlap, the same lifecycle discipline needs to cover access, data exposure, and ownership. Practitioners should prepare for a shared control plane across SaaS, shadow AI, and user access review.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- That visibility gap matters because 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- For a broader control model, see NHI Lifecycle Management Guide for the lifecycle steps that close discovery, offboarding, and recertification gaps.
What this signals
SaaS control will increasingly converge with NHI-style lifecycle governance, because the same operational failure appears in both domains: access is granted quickly and reviewed too late. The organisations that get ahead will be the ones that unify discovery, entitlement review, revocation, and renewal into a single operating rhythm rather than separate hygiene tasks.
SaaS lifecycle blind spot: this is the governance gap where discovery produces inventory but not control. When that gap persists, shadow IT, unclaimed licenses, and stale access become structural rather than exceptional, and the review process becomes a reporting exercise instead of a control.
The control model is now broader than SSO or procurement alone. Teams should expect more overlap between SaaS governance, shadow AI, and identity lifecycle work, and they should anchor that operating model in the NHI Lifecycle Management Guide and the NIST Cybersecurity Framework 2.0 where access, review, and recovery functions intersect.
For practitioners
- Implement continuous SaaS discovery workflows: Move discovery out of spreadsheet mode and into a workflow that captures new apps, assigns ownership, records business purpose, and routes each app into review before it becomes normalised.
- Treat offboarding as end-to-end deprovisioning: Remove SSO access, revoke app-local tokens, reclaim licenses, and transfer ownership of shared files and calendars so the leaver motion closes every downstream access path.
- Automate access reviews with usage context: Combine role, department, risk, and actual login or activity data so reviewers can revoke or adjust access directly instead of working from static exports.
- Tie renewals to a shared source of truth: Give IT, procurement, and finance one view of usage, contract status, overlapping tools, and renewal dates so seat counts and true-ups are challenged before they auto-renew.
Key takeaways
- SaaS sprawl becomes a security problem when discovery is not connected to ownership, review, and revocation.
- The evidence is clear that stale access and unmanaged apps persist after users leave, which makes lifecycle control the decisive safeguard.
- Teams that unify SaaS governance across IT, security, and finance can reduce waste while tightening identity control at the same time.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access review and revocation map directly to managing entitlements in SaaS. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | SaaS sprawl challenges continuous verification across unmanaged applications. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Offboarding, token revocation, and rotation issues mirror NHI lifecycle weaknesses. |
Apply NHI lifecycle controls to app tokens and access paths that outlive SSO deprovisioning.
Key terms
- SaaS Sprawl: SaaS sprawl is the uncontrolled growth of software subscriptions, trials, and shadow apps across the business. It becomes an identity issue when access, ownership, and revocation are not tracked with the same discipline as procurement and budget oversight.
- Access Review Drift: Access review drift is the gradual loss of accuracy in recertification decisions when the underlying entitlements, roles, and business context change faster than the review process can keep up. It often appears as stale exports, delayed approvals, and incomplete revocation.
- Application-local Revocation: Application-local revocation is the act of removing access, tokens, licenses, and ownership inside the SaaS application itself, not just in the directory or SSO layer. It is necessary because many apps keep permission state after central authentication is disabled.
- Shadow AI: Shadow AI is the use of AI applications or assistants that operate outside approved IT oversight. In governance terms, it behaves like shadow IT with an added layer of data exposure, because prompt content, credentials, and outputs can all move outside formal control paths.
Deepen your knowledge
SaaS lifecycle governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme needs a stronger model for discovery, offboarding, and access review, this is a practical place to start.
This post draws on content published by 1Password: a guide to SaaS management tips and advice. Read the original.
Published by the NHIMG editorial team on 2026-01-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org