SaaS user management exposes the limits of spreadsheet governance

At a glance

What this is: This is a guide to SaaS user management that argues centralised control, automation, and visibility are needed to replace spreadsheet-based administration as app estates grow.

Why it matters: It matters because IAM teams are being pushed to govern not only human access, but also the service accounts, tokens, and application-level permissions that accumulate across SaaS platforms.

By the numbers:

• Only 5.7% of organisations have full visibility into their service accounts.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
• NHIs outnumber human identities by 25x to 50x in modern enterprises.

👉 Read Zluri's guide to SaaS user management for access and lifecycle control

Context

SaaS user management is the administrative discipline of controlling who can use cloud applications, what they can see, and when access should end. In practice, the article shows why that becomes difficult once access records are scattered across app admin consoles and spreadsheets instead of a governed identity system. The primary keyword here is SaaS user management, but the real operational issue is lifecycle control across both human and non-human access.

The guide frames centralized dashboards, role assignment, onboarding, offboarding, and audit trails as the answer to SaaS sprawl. That is directionally correct, but it also exposes a wider identity problem: app-level access often outlives the person, team, or integration that created it. For practitioners, this is where SaaS administration starts to overlap with NHI governance and lifecycle management, especially where API tokens and service accounts are involved.

For teams already formalising identity governance, the relevant reference point is the NHI lifecycle problem, not just user administration. The Ultimate Guide to NHIs is the clearest starting point for mapping this overlap between provisioning, visibility, and revocation across machine and application identities.

Key questions

Q: How should security teams manage SaaS user access across multiple applications?

A: They should treat SaaS access as a governed lifecycle problem, not a collection of app-by-app admin tasks. The practical approach is to keep one authoritative record for accounts, roles, and ownership, then sync that record into onboarding, access review, and offboarding workflows so permissions stay accurate across the estate.

Q: Why do SaaS environments increase identity and access risk?

A: SaaS environments multiply access points, admin consoles, and permission models, which makes it easy for access to drift away from business need. The risk rises when spreadsheets or disconnected app settings become the source of truth, because stale accounts and overbroad roles persist after people change jobs or leave.

Q: What breaks when SaaS offboarding is handled manually?

A: Manual offboarding usually breaks because it depends on people remembering every application, integration, and delegated account that needs removal. That leaves orphaned access, dormant permissions, and incomplete audit trails, which are exactly the conditions attackers and auditors exploit.

Q: How can organisations tell whether SaaS access governance is actually working?

A: They should look for three signals: low numbers of orphaned accounts, consistent entitlement recertification, and rapid revocation when users change roles or leave. If access remains valid across apps after a lifecycle event, governance is not working even if dashboards look complete.

Technical breakdown

Centralised SaaS access control and the spreadsheet problem

SaaS user management works best when one system owns account creation, role assignment, permission changes, and offboarding across the app estate. The article’s spreadsheet alternative fails because it fragments authoritative records across multiple admin consoles, leaving no reliable source of truth for who has access, under which role, and for how long. That creates drift between real application access and what the organisation thinks is in place. In identity terms, the issue is not just scale. It is control loss caused by distributed state. Once access data is maintained manually, governance becomes reactive and audit evidence degrades quickly.

Practical implication: replace spreadsheet records with a governed system of record that can reconcile user access across all SaaS applications.

RBAC, ABAC, and permission boundaries in SaaS environments

The guide describes role-based and attribute-based access as the mechanisms that keep SaaS permissions aligned with job function. RBAC assigns access through roles such as manager or viewer, while ABAC evaluates attributes such as department, location, or application context. In SaaS environments, the technical challenge is not the model itself but the consistency of enforcement across many applications with different native permission schemas. If roles are copied manually from one app to another, privilege creep follows. If attributes are not synchronised, authorisation becomes inconsistent. The deeper problem is entitlement sprawl across dozens of disconnected policy surfaces.

Practical implication: standardise role and attribute mapping before expanding SaaS adoption, then recertify entitlements against business need.

User provisioning, de-provisioning, and SaaS offboarding

Provisioning creates accounts and permissions, while de-provisioning removes them when access is no longer required. The article correctly treats offboarding as a core control, because SaaS access often persists long after a user changes role or leaves. In practice, the mechanism breaks when joiner, mover, and leaver workflows are not tied to authoritative HR or identity events. That leaves dormant accounts, stale permissions, and orphaned app records behind. For NHI governance, the same logic applies to integration users and API credentials: if lifecycle events are not authoritative, access persists beyond accountability.

Practical implication: connect SaaS offboarding to authoritative lifecycle events so access removal is triggered automatically rather than by manual cleanup.

Threat narrative

Attacker objective: The objective is to retain or exploit SaaS access long enough to reach sensitive data, administrative functions, or downstream integrations without being detected or revoked.

1. Entry occurs when SaaS access is accumulated through direct app sign-ups, delegated admin consoles, or manually recorded credentials that are not centrally governed.
2. Credential abuse follows when stale accounts, weak authentication, or poorly controlled permissions let an attacker or insider use legitimate SaaS access beyond its intended scope.
3. Impact occurs through unauthorized data exposure, privilege misuse, and audit failure across connected applications, especially where offboarding and monitoring are incomplete.

Breaches seen in the wild

• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
• Snowflake breach — Snowflake breach compromised Ticketmaster, Santander and others via cloud credential abuse.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Spreadsheet governance is not SaaS user management, it is access debt. The article’s central promise is centralisation, but the real failure mode is that manual records cannot keep pace with app proliferation, role churn, and offboarding. Once access records live in spreadsheets, the organisation loses assurance that permissions, ownership, and removal events are synchronized. Practitioners should treat every manual access register as unresolved governance debt.

The identity surface in SaaS is wider than human users alone. The article focuses on employee app access, but modern SaaS estates also depend on API keys, service accounts, and app integrations that behave as non-human identities. That makes this topic inseparable from NHI governance because offboarding, visibility, and permission review must cover application-level credentials as well as people. Practitioners need one lifecycle model across human and non-human access.

Entropy in SaaS permissions is a lifecycle problem, not just a permissions problem. The guide correctly points to role definition and de-provisioning, but most SaaS risk emerges when permissions are created quickly and removed slowly. Over time, that creates privilege creep, orphaned access, and weak audit evidence. The practical conclusion is that governance should be designed around entitlement decay, not only entitlement creation.

Access visibility is the control plane, not the reporting layer. The article describes dashboards and usage analytics as operational benefits, but visibility only matters when it drives entitlement decisions. If access data cannot support recertification, offboarding, and exception handling, it is merely reporting. Practitioners should use visibility to reduce unknown access, not to decorate a monthly review.

Ultimate Guide to NHIs lifecycle processes for managing NHIs is the better lens for SaaS integration sprawl. Where SaaS user management overlaps with integrations, the governing question becomes how access is provisioned, rotated, and revoked across machine identities. That shift matters because many SaaS environments now depend on credentials that never appear in a classic user lifecycle. Practitioners should evaluate SaaS administration as part of broader NHI lifecycle governance.

From our research:

• Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• For the wider lifecycle problem, see NHI Lifecycle Management Guide, which shows how provisioning, rotation, and offboarding should be governed across machine identities.

What this signals

Access governance is shifting from account administration to control-plane design. SaaS programmes that still rely on manual registers will continue to miss the identities that matter most, especially when app access and machine access converge inside the same platform. As visibility improves, the real test is whether recertification and offboarding are authoritative or just reported.

Entropy in SaaS estates will keep rising unless lifecycle events become the trigger for revocation. The broader trend is that identity work is moving upstream into provisioning systems and downstream into revocation automation, with NIST Cybersecurity Framework 2.0 remaining relevant for govern, identify, protect, and recover alignment. Practitioners should expect access review programs to fail if they do not cover non-human credentials as well as employee accounts.

Only 5.7% of organisations have full visibility into their service accounts, which is why Ultimate Guide to NHIs is now a foundational reference for SaaS teams that need a broader identity baseline. The message for programme owners is simple: if you cannot see the non-human layer, you cannot credibly claim SaaS governance maturity.

For practitioners

• Replace spreadsheet registers with a system of record Tie SaaS account ownership, role assignment, and de-provisioning to a governed source of truth so the same record drives provisioning, recertification, and revocation across all applications.
• Map SaaS permissions to standard roles and attributes Define a limited role catalogue and attribute policy set so application permissions can be reviewed consistently instead of being recreated manually in each app admin console.
• Automate offboarding from authoritative lifecycle events Trigger access removal from HR or identity change events, then reconcile app-level accounts and integration credentials to catch orphaned access that manual workflows miss.
• Extend governance to non-human SaaS access Include service accounts, API tokens, and application integrations in the same review cadence as employee accounts, because stale machine credentials can persist after users are removed.
• Use visibility to drive recertification decisions Pair usage telemetry with entitlement reviews so inactive accounts, overbroad roles, and unused integrations are remediated rather than merely reported.

Key takeaways

• SaaS user management fails when identity records are scattered across spreadsheets and application consoles instead of being governed centrally.
• The risk is broader than employee access because SaaS estates also depend on non-human credentials, integration accounts, and stale permissions.
• The strongest control is lifecycle-driven revocation, with provisioning, recertification, and offboarding tied to authoritative identity events.

Key terms

• SaaS user management: The governance of who can use SaaS applications, what they can do inside them, and when access should end. It combines onboarding, role assignment, permission control, and offboarding into one operational discipline that should produce consistent access decisions and audit evidence across the application estate.
• Entitlement creep: The gradual accumulation of permissions that no longer match a person’s role or a system’s purpose. In SaaS environments, it often appears when roles are copied manually, access is granted faster than it is removed, or review cycles fail to catch outdated privileges.
• Non-human identity: A digital identity used by software, services, integrations, or automation rather than a person. In SaaS environments, this includes API tokens, service accounts, certificates, and connected applications that can continue to act even after the human context around them has changed.
• Lifecycle governance: The control of identity from creation through change, review, and removal. For SaaS, that means provisioning, access review, and offboarding must be tied to authoritative events so permissions do not persist longer than the business relationship that justified them.

Deepen your knowledge

SaaS user management and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your SaaS estate includes integrations, service accounts, or shared admin access, it is a practical place to deepen that capability.

This post draws on content published by Zluri: SaaS Management SaaS User Management: A Comprehensive Guide for 2026. Read the original.