TL;DR: As SaaS portfolios expand, vendor management increasingly determines whether organisations can see redundant apps, control renewal risk, and reduce shadow IT, according to Zluri. The deeper issue is that SaaS governance is really identity governance for applications, contracts, and access lifecycles.
At a glance
What this is: This is a SaaS vendor management guide that argues app sprawl, renewals, and ownership need structured governance to control cost and risk.
Why it matters: It matters because SaaS vendor management now sits at the intersection of human access, application ownership, and non-human lifecycle controls that IAM and IGA teams must coordinate.
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Only 5.7% of organisations have full visibility into their service accounts.
👉 Read Zluri's guide to SaaS vendor management and app lifecycle control
Context
SaaS vendor management is the discipline of identifying, selecting, tracking, and retiring software suppliers across the application estate. In practice, it is also an identity problem because every app, renewal, owner, and integration creates a governance surface that affects who and what can still access business data.
The article treats vendor management as a way to reduce redundancy, shadow IT, and renewal waste, but the deeper security issue is lifecycle control. When ownership is decentralised and renewals are automated, organisations lose sight of when access, contracts, and app usage no longer match the business need.
Key questions
Q: How should security teams govern SaaS vendor sprawl without losing control of access?
A: Start by treating each SaaS subscription as an access relationship, not just a contract. Assign one owner, map its users and integrations, and require renewal decisions to include usage, security review, and offboarding status. That keeps procurement, IAM, and lifecycle management aligned instead of operating as separate processes.
Q: Why do SaaS tools create identity risk even when they are approved?
A: Approved SaaS tools still create risk when ownership, renewal, and offboarding are not maintained. Access can outlive the business purpose, integrations can stay active after the app is no longer needed, and unused licenses can hide unmanaged accounts. The risk is persistence, not just initial approval.
Q: How do organisations know if SaaS vendor management is actually working?
A: Look for fewer redundant applications, lower renewal churn, clean ownership records, and a measurable drop in unused licenses and unsanctioned tools. If teams still cannot name the owner, confirm the users, or prove why the app remains active, the governance model is not working.
Q: Who is accountable when a SaaS app remains active after it should have been retired?
A: The accountable owner is the business or technical lead assigned to the app, but the governance failure usually spans procurement, security, and identity teams. Effective programmes make retirement a shared control point so no one can renew, retain, or reconnect an app without review.
Technical breakdown
SaaS sprawl creates governance drift across app ownership and renewals
SaaS sprawl appears when teams can acquire and renew tools faster than central governance can classify them. The result is duplicated functionality, scattered contracts, and unclear ownership, which makes access reviews and offboarding incomplete. In identity terms, the app becomes a governance boundary as much as a technical service. If ownership is not explicit, no one is accountable for removing access when the business relationship changes.
Practical implication: assign a named owner to every SaaS app and tie renewal decisions to that owner’s access and usage review.
Why SaaS vendor management is a lifecycle control problem
Vendor management is not only procurement. It determines whether onboarding, renewal, and retirement are linked to actual business use, security review, and license recovery. That is why lifecycle discipline matters: applications can remain paid-for, accessible, and trusted long after they stop delivering value. In a mature identity programme, vendor management and access governance should share the same source of truth for ownership and offboarding.
Practical implication: connect SaaS renewal workflows to access revocation, license reclamation, and contract retirement in one process.
Shadow IT becomes an identity risk when app adoption bypasses review
Shadow IT is risky because employees can introduce tools using corporate email addresses and personal purchasing channels without security review. That creates unmanaged accounts, unknown data flows, and hidden third-party access paths. The technical failure is not just that the app exists. It is that the organisation cannot reliably say who approved it, who owns it, or whether the access should still exist.
Practical implication: route unsanctioned app discovery into review, ownership assignment, and access governance before the tool is considered accepted.
Threat narrative
Attacker objective: The objective is to exploit unmanaged SaaS adoption and weak vendor oversight to widen the organisation’s exposure surface and weaken control over access and data flows.
- Entry occurs when employees subscribe to SaaS tools outside formal procurement channels and create shadow IT accounts with corporate credentials or email addresses.
- Escalation happens when those subscriptions accumulate unchecked, producing redundant apps, unreviewed integrations, and retained access that no longer matches business need.
- Impact follows as the unmanaged footprint raises exposure to phishing and DDoS targeting, wastes spend, and weakens control over third-party risk across the SaaS estate.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SaaS vendor management is really identity governance for the application layer. Contracts, ownership, renewal dates, and app retirement determine whether access remains legitimate, not just whether software is paid for. When those controls drift apart, organisations end up with access that outlives business need. The practical conclusion is that SaaS governance should be treated as part of IAM and IGA, not as a separate procurement exercise.
Shadow IT is a lifecycle failure, not just an inventory problem. The article correctly points to visibility, but visibility alone does not close the gap if no process exists to revoke access, retire the app, or reassign ownership. That is why the control failure is structural: unsanctioned adoption bypasses joiner-mover-leaver discipline before security ever sees the tool. The practical conclusion is that discovery must feed offboarding, not just reporting.
Application rationalisation is a privilege-reduction exercise in disguise. Redundant SaaS tools create redundant access paths, duplicate identities, and unnecessary third-party relationships. That expands the attack surface even when no attacker is present. The practical conclusion is that every app rationalisation review should ask which identities, integrations, and data paths disappear with the contract.
Ownership is the control that turns SaaS management into governance. Without explicit owners, renewals become automatic, usage becomes stale, and nobody is accountable for app retirement. The article shows why centralised tracking matters, but the deeper lesson is that accountability is the hinge between cost control and security control. The practical conclusion is to make ownership assignment a mandatory governance prerequisite for every subscription.
Vendor management and zero trust intersect at the question of trust persistence. Every long-lived SaaS relationship extends trust beyond the moment of purchase, while zero trust assumes that trust must be continuously revalidated. When renewal, access, and usage are not reviewed together, trust becomes standing privilege by another name. The practical conclusion is to align SaaS renewals with continuous verification and access review.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 96% of organisations store secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, which makes unmanaged SaaS trust paths harder to defend.
- That same lifecycle problem is explored in NHI Lifecycle Management Guide, where provisioning, rotation, and offboarding are treated as one control loop.
What this signals
SaaS management is converging with identity governance. As application estates grow, the real control question is no longer how many tools exist, but whether each one has a current owner, current users, and a current retirement path. That is the same lifecycle logic IAM teams already apply to non-human identities, just at the application layer.
Shadow IT will keep bypassing controls until discovery feeds enforcement. Inventory alone does not reduce risk if the organisation cannot move an app from discovery into ownership, review, or offboarding. The governance gap is not awareness, it is follow-through across procurement, access, and contract lifecycle.
With 97% of NHIs carrying excessive privileges, per the Ultimate Guide to NHIs, the broader lesson is that standing access accumulates whenever ownership is unclear. SaaS vendor management should therefore be measured by how quickly it collapses privilege, not by how many apps it lists.
For practitioners
- Create a single ownership record for every SaaS app: Tie each subscription to one accountable business owner, one technical owner, and one review cadence so no renewal or access decision happens without a named approver.
- Link renewals to access and usage review: Require usage evidence, license counts, and current integrations before any renewal is approved, then revoke access and reclaim seats for apps that no longer have a business purpose.
- Inventory shadow IT through identity signals: Use corporate email registrations, SSO logs, and procurement records to surface unapproved apps, then move each one into review or offboarding before the next billing cycle.
- Consolidate contract and offboarding workflows: Place vendor contracts, app retirement steps, and access termination in the same operating procedure so departing apps do not leave behind active accounts or lingering data access.
Key takeaways
- SaaS vendor management is an identity governance problem as much as a procurement problem.
- Visibility without ownership and offboarding still leaves redundant apps, inactive licenses, and unmanaged access in place.
- IAM and SaaS governance should share one lifecycle model so renewal, access review, and retirement happen together.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI3:2025 Vulnerable Third-Party NHI; NHI1:2025 Improper Offboarding | Third-party integrations and vendor access are the trust paths vendor management governs; offboarding failures are what leaves them live after retirement. |
| NIST CSF 2.0 | PR.AA-05; GV.SC | Access permissions and entitlements must be managed and reviewed (PR.AA-05), and suppliers managed as part of cybersecurity supply chain risk (GV.SC), which is where SaaS ownership and renewal decide who can still use a tool. |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets | Authorisation is dynamic and evaluated per session rather than inherited from a past purchase, which applies to third-party SaaS relationships. (Account management itself is SP 800-53 AC-2, not 800-207.) |
Revalidate SaaS access and integrations continuously instead of relying on historical approval.
Key terms
- SaaS vendor management: The process of selecting, monitoring, renewing, and retiring software vendors across an organisation’s application estate. In identity terms, it is also a lifecycle control surface because ownership, access, and third-party trust all persist or expire through the vendor relationship.
- Shadow IT: Software adopted outside formal procurement and security review. It becomes an identity problem when employees create accounts, connect data, or renew subscriptions without a clear owner, leaving access and contracts in place after the business need has changed.
- Application rationalisation: The process of reducing overlapping tools, subscriptions, and integrations so the organisation keeps only what it actually needs. For identity teams, it is also a privilege reduction exercise because every removed app should eliminate accounts, tokens, and trust relationships.
- Lifecycle governance: The discipline of managing an asset or identity from creation through review, renewal, and retirement. For SaaS, it links procurement, access control, and offboarding so tools do not remain active simply because they are still billable.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
This post draws on content published by Zluri: SaaS Management SaaS Vendor Management: A 101 Guide. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org