TL;DR: SaaS expansion creates hidden shadow IT, orphaned apps, fragmented inventory control, and integration gaps that weaken access governance and compliance, according to Zluri. The issue is not application count alone but unmanaged identity and lifecycle drift across SaaS estates, which turns routine provisioning into sustained security exposure.
At a glance
What this is: This is a practitioner analysis of five SaaS management challenges, centered on how shadow IT, orphaned apps, spreadsheet inventories, compliance gaps, and integration failures undermine identity governance.
Why it matters: It matters because SaaS sprawl changes who can access what, who owns that access, and whether access is ever removed, which cuts across NHI, human IAM, and lifecycle governance programmes.
By the numbers:
- 99% of organizations will use at least one SaaS solution by the end of 2024, according to Zluri.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Zluri’s analysis of the five SaaS management challenges facing modern enterprises
Context
SaaS sprawl is an identity governance problem as much as it is an application management problem. Once employees can create, connect, and renew SaaS tools outside central oversight, the organisation loses track of accounts, permissions, owners, and offboarding obligations across both human and machine access paths.
Zluri’s article treats that reality through a set of recurring failure modes: hidden shadow IT, orphaned applications, spreadsheet-based inventories, duplicate apps and auto-renewals, compliance drift, and weak integration with existing identity systems. The underlying issue is that SaaS adoption outpaces the controls needed to govern it consistently.
For IAM and IGA teams, the main question is not whether SaaS is useful. The question is whether the organisation can still answer basic governance questions about who approved access, who owns the app, which identities still use it, and when access should be removed.
Key questions
Q: How should security teams govern shadow IT in SaaS environments?
A: Security teams should treat shadow IT as an access discovery problem, not just a procurement issue. Discovery tools must feed ownership, entitlement, and approval workflows so unsanctioned apps can be assessed, restricted, or onboarded intentionally. Without that linkage, hidden SaaS accounts become durable governance blind spots.
Q: Why do orphaned SaaS apps create more risk than unused licences?
A: Orphaned SaaS apps can still hold data, tokens, and integrations after the original business need has ended. That means the exposure is operational, not just financial. If no owner exists to revoke access, rotate credentials, or decommission the service, the app remains a live entry point.
Q: How do you know if SaaS inventory governance is actually working?
A: It is working when the inventory matches live usage, ownership, renewals, and exceptions without repeated manual correction. Strong governance produces audit-ready evidence, shows which apps are active or duplicate, and supports timely offboarding. If the record cannot be trusted during a review, the control is not effective.
Q: Who is accountable when a third-party SaaS app causes a compliance failure?
A: Accountability should sit with the internal owner of the application relationship, not only the vendor. The organisation is responsible for access approval, audit trails, and offboarding discipline. If the SaaS connection exists inside the enterprise, governance ownership stays inside the enterprise as well.
Technical breakdown
Shadow IT and disconnected SaaS approval flows
Shadow IT appears when users bypass formal procurement or IAM workflows to create their own SaaS accounts. That matters because each unsanctioned app introduces another identity store, another set of permissions, and another offboarding obligation that central teams may never see. Without discovery, approval, and inventory reconciliation, security teams lose the ability to map access to business purpose. The result is not just policy drift but unmanaged identity growth across the SaaS estate.
Practical implication: connect SaaS discovery to access governance so unsanctioned apps are visible before they become permanent access paths.
Orphaned applications and lifecycle failure
Orphaned apps are SaaS services left without an active owner after a project ends or an employee leaves. In identity terms, this is a lifecycle failure, because access can remain active even when the business purpose no longer exists. These apps often retain data, integrations, and privileged connections, so they become durable exposure points rather than simple unused subscriptions. The control problem is ownership continuity, not just licence waste.
Practical implication: require app ownership and offboarding triggers for every SaaS service, including abandoned subscriptions and dormant integrations.
Spreadsheet inventories cannot support governance at scale
A spreadsheet can list software, but it cannot enforce policy, reconcile changes, or prove control over access over time. As SaaS populations grow, static inventories fragment by department, version, and owner, making audits slower and decisions less reliable. This is especially damaging when access reviews depend on timely, accurate source data. Governance fails when the inventory cannot reflect current entitlements, renewals, and exceptions in near real time.
Practical implication: replace manual SaaS registers with a system that can continuously reconcile apps, owners, users, and renewal dates.
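As an added example (not code from Zluri's article or from the NHIMG page), the following Python reconciliation pass shows what "continuously reconcile apps, owners, users, and renewal dates" looks like in practice. It joins a governed SaaS register against a discovery feed (SSO sign-ins, expense claims) and an HR status feed, and emits the findings the shadow IT, orphaned app and inventory sections above describe, plus the renewal-without-review check listed under "For practitioners" below. All app names, owners, dates and the thresholds (90 days dormant, 30-day renewal window, 365-day maximum review age) are constructed assumptions for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Every record below is constructed sample data, not taken from any real SaaS estate.


@dataclass
class App:
    name: str
    category: str
    owner: str | None          # named business owner, or None if nobody is accountable
    renewal: date | None       # next auto-renewal date, if any
    last_review: date | None   # last completed access review, if any
    integrations: list[str] = field(default_factory=list)  # live OAuth grants / API tokens


INVENTORY = [
    App("Slack", "chat", "alice", date(2025, 9, 1), date(2025, 5, 1), ["okta-scim", "github-oauth"]),
    App("Trello", "projects", "bob", date(2025, 7, 15), None, ["slack-webhook"]),
    App("Asana", "projects", "carol", date(2025, 12, 1), date(2025, 6, 1), []),
    App("OldCRM", "crm", None, date(2025, 7, 5), date(2023, 1, 10), ["salesforce-oauth"]),
]

# Apps observed by discovery (SSO logs, expense claims, browser extension) and their last sign-in.
DISCOVERY = {
    "Slack": date(2025, 6, 25),
    "Trello": date(2025, 6, 20),
    "Asana": date(2025, 6, 24),
    "OldCRM": date(2025, 1, 3),
    "Notion": date(2025, 6, 22),   # never onboarded through the register: shadow IT
}

# HR status feed (assumed). bob has left the company but is still recorded as Trello's owner.
HR = {"alice": "active", "bob": "terminated", "carol": "active"}

TODAY = date(2025, 6, 26)  # fixed so the run is deterministic


def reconcile(inventory, discovery, hr, today, dormant_days=90, renewal_window=30, review_max_age=365):
    """Reconcile the SaaS register against discovery and HR data; return findings keyed by type."""
    findings = defaultdict(list)
    known = {app.name for app in inventory}

    # 1. Shadow IT: seen by discovery but absent from the governed inventory.
    findings["shadow_it"].extend(sorted(set(discovery) - known))

    by_category = defaultdict(list)
    for app in inventory:
        by_category[app.category].append(app.name)

        # 2. Orphaned: no owner recorded, or the owner is no longer an active employee.
        if app.owner is None or hr.get(app.owner) != "active":
            findings["orphaned"].append(app.name)

        # 3. Dormant but still holding live tokens/integrations: an entry point, not just spend.
        last_seen = discovery.get(app.name)
        if app.integrations and (last_seen is None or (today - last_seen).days > dormant_days):
            findings["dormant_with_live_integration"].append(app.name)

        # 4. Renewal imminent with no recent access review: renewal is an access decision.
        if app.renewal and 0 <= (app.renewal - today).days <= renewal_window:
            review_ok = app.last_review and (today - app.last_review).days <= review_max_age
            if not review_ok:
                findings["renewal_without_review"].append(app.name)

    # 5. Duplicate tools for one function fragment ownership, offboarding and audit evidence.
    for category, names in by_category.items():
        if len(names) > 1:
            findings["duplicates"].append((category, sorted(names)))

    return dict(findings)


def run_sample():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(INVENTORY, DISCOVERY, HR, TODAY)


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind}: {items}")
```

The point of the design is that each finding is derived from a join between sources rather than from a field someone typed into a register: ownership is validated against HR, dormancy against observed sign-ins, and renewal against review evidence. In a real deployment the three inputs would come from an IdP or SCIM export, a SaaS discovery tool and the HRIS, and each finding type would open a ticket against the named owner (or, for orphaned apps, against the team that must appoint one).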
Threat narrative
Attacker objective: The objective is to exploit unmanaged SaaS access paths, persistence, and integration blind spots to reach data or systems without effective central oversight.
- Entry occurs when users or departments adopt SaaS applications outside formal approval channels, creating hidden accounts and unsanctioned access paths.
- Escalation follows when orphaned apps, duplicate tools, and unmanaged vendor connections keep credentials, data, or integrations active after the original business need has changed.
- Impact is loss of governance over access, compliance evidence, and cost control, which increases breach exposure and makes offboarding incomplete.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity governance does not stop at the app catalogue. SaaS sprawl turns access governance into a living control problem because every new application brings its own users, owners, entitlements, and renewal obligations. A static inventory can record the presence of tools, but it cannot prove that access still matches business intent. The practitioner takeaway is that governance has to follow the full SaaS lifecycle, not just procurement.
Orphaned SaaS is a lifecycle failure, not a cost optimisation issue. When an app is left without ownership, its credentials, data, and integrations often outlive the project that justified them. That creates a durable control gap because no one is accountable for revocation, review, or remediation. The implication is that offboarding discipline has to cover applications as well as people.
Spreadsheet governance is a false control plane. Many organisations treat Excel as a source of truth for SaaS oversight, but the article shows why that collapses under scale. Spreadsheets do not reconcile entitlements, detect duplicate services, or enforce renewal and review workflows. The practical conclusion is that governance evidence must come from systems of record, not manual lists.
Vendor access without lifecycle offboarding: the same failure mode that appears in third-party SaaS abuse also shows up in internal app sprawl when access outlives the business purpose. The article’s compliance section illustrates how weak audit trails and unmanaged vendor relationships create accountability gaps. Practitioners should treat every SaaS relationship as a governed identity relationship with an end state.
Duplicate applications create identity sprawl before they create cost sprawl. When teams run multiple tools for the same function, they fragment access decisions, offboarding responsibilities, and audit evidence. That means renewal and rationalisation are identity controls as much as they are budget controls. The practitioner conclusion is to govern application consolidation through access and ownership data, not procurement alone.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why orphaned access so often escapes routine reviews.
- For a broader lifecycle lens, read NHI Lifecycle Management Guide for provisioning, rotation, and offboarding patterns that also apply to SaaS-connected identities.
What this signals
SaaS governance is converging with identity lifecycle management. The practical boundary between application administration and IAM keeps shrinking as teams discover that every SaaS app creates users, owners, renewals, and revocation events. Programmes that still treat SaaS as a procurement problem will miss the access and offboarding work that actually reduces risk.
A useful concept here is identity sprawl through SaaS adoption: the more departments can self-provision tools, the faster ownership and entitlement records degrade. That means continuous discovery and review matter more than periodic clean-up, especially when the estate is fragmented across business units and regions.
Organisations that already struggle with service account visibility will feel this most sharply, because the same governance weakness appears in SaaS integrations and third-party connections. The strongest next step is to align SaaS inventory, access review, and offboarding into one operational rhythm, supported by the NIST Cybersecurity Framework 2.0 where identify and protect functions overlap.
For practitioners
- Map SaaS discovery to identity governance: connect application discovery to owner, user, and entitlement data so shadow IT is visible before it becomes persistent access drift.
- Assign explicit ownership to every SaaS app: require a named business owner and an offboarding trigger for each application, including abandoned subscriptions and pilot tools that may later become orphaned.
- Replace spreadsheet registers with controlled inventory: move SaaS tracking into a system that can reconcile active users, renewals, duplicates, and exceptions without manual re-entry.
- Tie renewals to access review evidence: before automatic renewal, verify current usage, business justification, and whether the app still carries live permissions or data dependencies.
- Review third-party SaaS connections as access relationships: treat vendor-linked apps and integrations as governed access paths that need periodic review, audit trails, and revocation when the relationship changes.
Key takeaways
- SaaS sprawl becomes an identity governance problem the moment users can create, connect, and renew tools outside central control.
- Orphaned apps, spreadsheet inventories, and duplicate services all weaken access accountability before they become visible security incidents.
- The control answer is lifecycle governance for SaaS relationships, including ownership, review, renewal discipline, and offboarding.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI3:2025 Vulnerable Third-Party NHI | Orphaned apps whose tokens and integrations outlive their owner are an offboarding failure, and vendor-connected SaaS identities are third-party NHIs that need the same lifecycle governance. |
| NIST CSF 2.0 | ID.AM-02 (inventories of software and services maintained); PR.AA-05 (access permissions and entitlements managed, enforced and reviewed) | SaaS apps and their entitlements must be inventoried, reviewed and revoked so hidden or orphaned access does not persist. CSF 1.1's PR.AC subcategories were folded into the PR.AA category in CSF 2.0. |
| NIST Zero Trust (SP 800-207) | Zero trust tenets (Section 2.1): per-session access, dynamic policy, continuous monitoring of asset posture | Standing, unreviewed SaaS access is the opposite of per-session, dynamically evaluated authorisation; continuous discovery and review are how a SaaS estate moves toward that model. |
Map SaaS apps to approved identities and enforce access approval and review as part of the access control function.
Key terms
- Shadow IT: Shadow IT is software or SaaS use that happens outside approved procurement, security, or identity workflows. It often begins as convenience for a team, but it creates unmanaged accounts, unclear ownership, and weaker offboarding, making access governance and audit evidence harder to maintain.
- Orphaned Application: An orphaned application is a SaaS service that no longer has an active owner to manage access, renewals, or decommissioning. The risk is not just unused spend. The application may still contain data, tokens, or integrations that keep security exposure alive after the original business need has gone away.
- SaaS Inventory Governance: SaaS inventory governance is the discipline of keeping a reliable, current record of applications, owners, users, renewals, and exceptions. It goes beyond listing software because the inventory must support access decisions, lifecycle actions, and audit evidence instead of serving as a static spreadsheet.
- Identity Sprawl: Identity sprawl is the uncontrolled growth of accounts, entitlements, and access paths across systems, applications, and integrations. In SaaS environments, it appears when each department can create tools and credentials independently, causing ownership, review, and offboarding processes to fragment across the organisation.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: 5 SaaS management challenges. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org