TL;DR: OnLoop reduced wasted SaaS spend, improved app visibility, and automated offboarding after replacing spreadsheet-driven access tracking with Josys, according to Josys. The underlying lesson is that shadow SaaS, stale access, and audit prep debt are identity governance problems, not just IT housekeeping.
At a glance
What this is: This case study shows how OnLoop centralized SaaS visibility, ownership, and offboarding to replace spreadsheet-based tracking with automated identity governance.
Why it matters: SaaS sprawl, stale access, and manual certification burden affect NHI, human identity, and lifecycle governance programmes in the same way: they create unseen entitlement risk.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
👉 Read Josys's case study on OnLoop's SaaS visibility and offboarding improvements
Context
SaaS visibility is an identity governance problem, not just an inventory problem. When teams rely on spreadsheets to track applications, users, licenses, and access, they lose the ability to see who still has access, who owns each app, and whether offboarding actually removed entitlements.
OnLoop's starting point is common in fast-growing organisations: tools accumulate faster than governance processes, and manual tracking becomes the control layer by default. That leaves compliance prep, ownership decisions, and access removal exposed to delay and error.
For identity teams, the issue extends beyond SaaS administration. The same lifecycle weaknesses that affect human accounts also affect non-human access patterns when ownership, review cadence, and revocation are handled informally.
Key questions
Q: How should teams govern SaaS access when apps are discovered informally?
A: Start by treating discovery as a governance control, not just inventory. Every newly found app should be assigned an owner, linked to the identities using it, and reviewed for business need. If the app cannot be owned, reviewed, or revoked consistently, it should be treated as a governance exception rather than a normal part of the environment.
Q: Why do spreadsheet-based access trackers create lifecycle risk?
A: Spreadsheets age faster than access changes. They do not enforce revocation, cannot guarantee ownership accuracy, and rarely stay synchronized with HR or application events. That makes them weak evidence for audit and weak control for offboarding, especially in fast-moving environments where tools and users change constantly.
Q: What breaks when offboarding is still a manual process?
A: Manual offboarding leaves a gap between departure and revocation, which is where residual access survives. In that window, former staff, contractors, or dormant accounts can retain access to collaboration tools, SaaS platforms, or downstream systems. The failure is usually process latency, not policy intent.
Q: How do organisations know whether SaaS governance is actually working?
A: Look for evidence that ownership is current, access reviews are based on live data, and leaver workflows revoke access without exceptions. If the team still needs to reconcile spreadsheets before audits or cannot say who owns an app, governance is still reactive rather than operational.
Technical breakdown
SaaS discovery and entitlement mapping
SaaS discovery tools work by reconciling connected apps, users, and license records into a single control view. The technical value is not just visibility, but the ability to map which identities are active, which applications are shadow IT, and where orphaned access persists after role changes or departures. Without that mapping, governance decisions depend on stale manual registers. In practice, discovery is the prerequisite for any reliable lifecycle action because you cannot govern what you cannot enumerate.
Practical implication: build a current app-to-identity inventory before trying to automate reviews or offboarding.
Automated offboarding workflows and access revocation
Automated offboarding ties a departure event to deterministic revocation steps across connected systems. Instead of waiting for manual follow-up, the workflow removes access on a schedule and can cascade into downstream applications where accounts would otherwise remain active. This matters because offboarding failure is usually a lifecycle failure, not a single permission mistake. The technical control is the event-to-revocation chain, which reduces the interval between loss of employment or contract and actual loss of access.
Practical implication: connect HR or identity events to access revocation so leaver handling is not dependent on memory or tickets.
Audit-ready access review and ownership records
Compliance review tooling turns app usage, ownership, and access history into evidence that can support recertification and audit prep. In mature setups, that evidence is not assembled at the end of a quarter from spreadsheets; it is continuously maintained from the systems of record. This changes the operational burden of SOC 2 and similar reviews because the organisation can answer who has access, who approved it, and whether the app still has an owner. The architecture is governance-first, not reporting-first.
Practical implication: maintain ownership and access evidence continuously so reviews are an outcome of operations, not a separate scramble.
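As an added illustration of the discovery-to-revocation chain described in the three subsections above (this is example code, not Josys's product or anything from the case study), the following Python reconciles a constructed HR roster against a constructed SaaS inventory, flags orphaned access, identities unknown to HR, and apps with no owner or a departed owner, and emits a deterministic revocation plan that doubles as the evidence record. All identities, app names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date

TODAY = date(2025, 7, 29)
# Constructed sample data: HR system of record and a SaaS inventory as a
# discovery tool might reconcile it (owner plus user list per app).
HR = {
    "ana@example.test":   {"status": "active", "left": None},
    "ben@example.test":   {"status": "left",   "left": date(2025, 7, 1)},
    "cy@contractor.test": {"status": "left",   "left": date(2025, 7, 20)},
    "eli@example.test":   {"status": "left",   "left": date(2025, 8, 15)},  # still in notice period
}
APPS = {
    "Slack":  {"owner": "ana@example.test", "users": ["ana@example.test", "ben@example.test", "eli@example.test"]},
    "Figma":  {"owner": None,               "users": ["cy@contractor.test", "dee@example.test"]},
    "Notion": {"owner": "ben@example.test", "users": ["ana@example.test"]},
}

@dataclass
class Finding:
    app: str
    subject: str   # identity concerned, or "*" for an app-level finding
    kind: str      # orphaned_access | unknown_identity | no_owner | stale_owner
    detail: str

def review_access(apps, hr, today):
    """Reconcile every SaaS user and owner against HR state. Findings either
    drive revocation (orphaned/unknown) or ownership repair (no/stale owner)."""
    findings = []
    for app, rec in apps.items():
        owner = rec["owner"]
        if owner is None:
            findings.append(Finding(app, "*", "no_owner", "shadow app: governance exception"))
        elif hr.get(owner, {}).get("status") == "left":
            findings.append(Finding(app, owner, "stale_owner", "owner has left; reassign"))
        for user in rec["users"]:
            person = hr.get(user)
            if person is None:
                findings.append(Finding(app, user, "unknown_identity", "not in HR system of record"))
            elif person["status"] == "left" and person["left"] <= today:
                gap = (today - person["left"]).days  # residual-access window in days
                findings.append(Finding(app, user, "orphaned_access", f"left {gap} days ago"))
    return findings

def revocation_plan(findings):
    """Deterministic (app, identity) removal steps; sorted so the evidence
    record is stable between runs."""
    return sorted({(f.app, f.subject) for f in findings
                   if f.kind in ("orphaned_access", "unknown_identity")})
```

A leaver whose departure date is still in the future (eli) is deliberately not flagged, so the plan only contains access that has actually outlived its business basis.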
NHI Mgmt Group analysis
Spreadsheet-based SaaS governance creates an identity blind spot, not a productivity shortcut. Once access, ownership, and licensing live in manual trackers, the control plane becomes stale the moment it is written. That means offboarding, certification, and shadow app detection all depend on human follow-through instead of system-enforced state. For identity programmes, the lesson is that governance quality collapses when the record of access is separated from the event that changes it.
Lifecycle drift in SaaS is the same failure mode that drives orphaned NHI access. Whether the subject is a person, a contractor, or a service credential, access that outlives ownership turns into residual privilege. The article shows a familiar governance pattern: apps are adopted quickly, but revocation and review lag behind. The implication is that access lifecycle must be treated as a continuous control, not a quarterly cleanup.
Audit readiness is a byproduct of operational control, not a documentation exercise. The moment teams have to reconstruct app ownership and access history from spreadsheets, they have already lost evidentiary integrity. This is where lifecycle governance and compliance intersect most sharply, because recertification only works when the underlying entitlement data is current. Practitioners should treat evidence freshness as a control objective, not an after-action report.
The named concept here is SaaS identity sprawl. It is the accumulation of apps, licenses, and entitlements faster than the organisation can assign ownership, review access, and revoke stale accounts. That sprawl is not just cost leakage. It widens the governance gap across human users and non-human access paths, so practitioners need a single lifecycle model that can keep pace with adoption.
Centralised visibility becomes the operating condition for least privilege. Without a reliable view of active tools and actual use, least privilege degrades into guesswork because no one can tell whether access is still needed. The field should read this as evidence that entitlement governance must start with discovery, then move to ownership and revocation. The practical conclusion is simple: visibility is the control that makes every other lifecycle control usable.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slowly remediation can lag behind exposure, according to NHI Mgmt Group research.
- For a broader control lens, NHI Lifecycle Management Guide shows why provisioning, rotation, and offboarding need to be managed as one continuous process.
What this signals
SaaS identity sprawl: The governance problem is not app count alone, but the gap between application adoption and evidence of ownership. Once that gap opens, audit prep, offboarding, and access recertification all depend on reconstruction instead of control, which is why lifecycle data needs to be treated as a live control surface.
When organisations centralise discovery and revocation, they improve more than admin efficiency. They also reduce the chance that human accounts, contractor access, or adjacent non-human identities linger beyond their business purpose, which is where privilege creep becomes operational debt.
The next maturity step is to connect lifecycle events to policy enforcement so that access changes are automatic, reviewable, and attributable. That is where programmes move from reactive clean-up to governed identity operations, and it is the difference between keeping up and catching up.
For practitioners
- Centralise SaaS discovery and ownership records: Replace spreadsheet registers with a continuously updated inventory that links each app to an owner, usage status, and access state.
- Automate leaver-triggered revocation: Connect departure events to scheduled removal steps so access is revoked across all connected apps without manual chasing.
- Tie review evidence to live entitlement data: Keep access and ownership records current enough to support SOC 2 and internal reviews without rebuilding evidence at quarter-end.
- Track shadow apps as governance exceptions: Flag any newly discovered unsanctioned application for ownership assignment, risk review, or removal before it becomes part of the normal stack.
Key takeaways
- The core risk in this case study is not SaaS volume, but the loss of reliable ownership, access, and offboarding control.
- Manual tracking creates audit and security debt because records drift faster than the environment they are meant to describe.
- Practitioners should treat discovery, ownership, and revocation as one lifecycle control, not as separate administration tasks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle drift and stale access are central to this SaaS governance case. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions need continuous management as apps and users change. |
| NIST Zero Trust (SP 800-207) | AC-3 | Least privilege depends on current, enforceable access state across apps. |
Use zero-trust access enforcement to ensure SaaS permissions are current and revocable.
Key terms
- SaaS identity sprawl: The accumulation of software applications, users, licenses, and entitlements faster than an organisation can assign ownership and enforce review. It creates governance drift because access decisions, offboarding, and audit evidence all become harder to trust when the inventory is fragmented or stale.
- Offboarding workflow: A controlled process that removes access when a person or contractor leaves, changes role, or no longer needs an application. In practice, it must connect identity events to revocation steps so access is removed consistently across connected systems, not left to manual follow-up.
- Access ownership: The assignment of responsibility for an application, entitlement set, or account lifecycle to a named business or IT owner. Without ownership, review and remediation decisions stall, and the organisation loses a clear accountable party for access decisions and exceptions.
- Audit-ready evidence: Current, traceable records that show who has access, who approved it, and whether the access still matches business need. Audit-ready evidence is operational, not reconstructed after the fact, which is why live identity data is more reliable than spreadsheet summaries.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance, it is worth exploring.
This post draws on content published by Josys: How OnLoop Enhanced SaaS Visibility and Boosted IT Efficiency with Josys. Read the original.
Published by the NHIMG editorial team on 2025-07-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org