TL;DR: Quantum Brilliance cut SaaS costs by 30 to 50 percent and improved offboarding, visibility, and compliance support after replacing spreadsheet-based administration with unified SaaS discovery, license management, access reviews, and automated notifications, according to Josys. The case shows that unmanaged application sprawl is both a financial control problem and an identity governance problem.
At a glance
What this is: This is a Josys case study showing how a fast-growing company used SaaS discovery, license management, access reviews, and automated offboarding to reduce spend and improve IT control.
Why it matters: It matters because SaaS sprawl creates orphaned access, shadow IT, and audit gaps that affect NHI, human identity, and lifecycle governance programmes alike.
By the numbers:
- 60 percent of their IT budget was going to SaaS, yet they did not have real-time data to track where that spend was going.
- 30 to 50 percent SaaS cost reduction came from license optimization and eliminating unused subscriptions.
👉 Read Josys' case study on SaaS visibility, offboarding, and cost reduction
Context
SaaS visibility is not just a procurement problem. When application ownership is decentralised and offboarding is manual, identity governance loses track of who can still access what, and the result is a mix of shadow IT, unused licences, and orphaned accounts. In practice, that creates both waste and exposure across human identity and lifecycle controls.
This case is about a company that scaled faster than its control plane. The starting point was typical for fast-growing, distributed organisations: spreadsheet administration, fragmented app ownership, and limited real-time visibility into access and spend.
Key questions
Q: How should organisations govern SaaS access when app ownership is decentralised?
A: Use a single inventory of applications, owners, and admin contacts, then tie onboarding, offboarding, and access reviews to that inventory. Decentralised ownership is manageable only when every app still feeds a common governance process. Without that, identity teams cannot prove who has access or whether it should still exist.
Q: Why do manual offboarding processes create security risk in SaaS environments?
A: Manual offboarding leaves too much room for delay, inconsistency, and human error across separate admin consoles. That creates orphaned accounts and lingering access after someone has left. In SaaS environments, delayed removal is a governance failure because access survives beyond the business relationship that justified it.
Q: How do access reviews improve SaaS governance when systems are fragmented?
A: They improve governance only if the organisation can aggregate entitlement data from every app into one reviewable record. Fragmentation weakens certification because reviewers cannot see the full access picture. The key is not the review form itself, but the quality and completeness of the underlying evidence.
Q: Who should own SaaS visibility and offboarding controls in an identity programme?
A: Ownership should be shared across IT, security, procurement, and application administrators, with clear accountability for each stage of the lifecycle. Identity teams need the authority to define policy, but they also need operational inputs from the teams that buy, administer, and retire the applications.
Technical breakdown
SaaS discovery and the visibility problem
SaaS discovery is the control that identifies which cloud applications are in use, who owns them, and whether they are approved. Without it, organisations only see the systems they remember to track, which means shadow IT and unsanctioned access remain hidden in plain sight. Discovery is not a one-time inventory exercise. It needs to connect procurement, admin panels, and usage telemetry so IT can distinguish active services from stale contracts and forgotten apps.
Practical implication: build a live SaaS inventory before you try to optimise cost or enforce access policy.
Automated offboarding and orphaned accounts
Offboarding fails when account removal depends on manual follow-up across multiple SaaS tools. If leavers, contractors, or transferred staff are not removed promptly, access lingers after the business relationship ends. In governance terms, this is a lifecycle failure, not just an admin delay. Automated notifications help, but the real mechanism is coordinated deprovisioning across every app that issued a standalone identity or session boundary.
Practical implication: tie leaver workflows to every SaaS admin surface so access revocation is triggered, not remembered.
Access reviews, compliance evidence, and audit readiness
Access reviews are only useful when the organisation can see current entitlements and the business reason for them. In distributed SaaS environments, that evidence often sits in separate admin panels, spreadsheets, or team-owned records, which makes certification slow and incomplete. Compliance reports do not create governance by themselves, but they turn scattered access data into a reviewable control record that can support ISO 27001 and similar audit expectations.
Practical implication: centralise entitlement data so access certification can be completed from evidence, not memory.
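The reconciliation behind the offboarding and access-review points above, as an added example that is not code from Josys or the case study: a constructed HR roster and constructed per-app user exports are joined into one review record that flags orphaned accounts (holder has left), accounts with no HR record, and stale seats, grouped by the app owner who must act on them. App names, owners, users and dates are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

TODAY = date(2025, 8, 5)  # constructed review date

# Constructed HR roster (illustrative, not from the case study): email -> (status, leave date)
HR_ROSTER = {
    "alice@example.com": ("active", None),
    "bob@example.com": ("left", date(2025, 6, 30)),
    "carol@example.com": ("active", None),
}

# Constructed per-app user exports of the kind a SaaS admin console produces:
# each app records an accountable owner and each user's last login date.
APP_EXPORTS = {
    "crm": {"owner": "sales-ops", "users": {
        "alice@example.com": date(2025, 7, 28),
        "bob@example.com": date(2025, 6, 25),
    }},
    "design-tool": {"owner": "marketing", "users": {
        "carol@example.com": date(2025, 3, 1),
        "dave@contractor.example": date(2025, 7, 20),
    }},
}

@dataclass(frozen=True)
class Finding:
    app: str
    owner: str
    user: str
    kind: str    # "orphaned", "unknown" or "stale"
    detail: str

def reconcile(roster, exports, today, stale_after_days=90):
    """One reviewable record across every app: accounts whose holder has left
    (orphaned), accounts with no HR record (unknown), and seats idle longer
    than stale_after_days (stale). Active, recently used accounts pass."""
    findings = []
    for app, export in exports.items():
        for user, last_login in export["users"].items():
            status, end = roster.get(user, (None, None))
            idle = (today - last_login).days
            if status is None:
                findings.append(Finding(app, export["owner"], user, "unknown", "no HR record"))
            elif status == "left":
                findings.append(Finding(app, export["owner"], user, "orphaned", f"left on {end}, access still active"))
            elif idle > stale_after_days:
                findings.append(Finding(app, export["owner"], user, "stale", f"no login for {idle} days"))
    return findings

def by_owner(findings):
    """Group findings by app owner so each admin receives their own review queue."""
    queues = {}
    for f in findings:
        queues.setdefault(f.owner, []).append(f)
    return queues
```

Running `by_owner(reconcile(HR_ROSTER, APP_EXPORTS, TODAY))` yields a queue per owner; in the sample data the leaver's CRM seat, the contractor with no HR record, and a seat idle for 157 days are all surfaced without anyone having to remember them.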
NHI Mgmt Group analysis
Shadow IT is an identity governance problem before it is a spend problem. Once SaaS purchasing becomes decentralised, the organisation no longer has a reliable map of who created access, who owns it, or when it should end. That is exactly where governance breaks down because access control, asset visibility, and procurement drift apart. Practitioners should treat unmanaged app sprawl as a lifecycle control failure, not a software catalogue issue.
Orphaned SaaS accounts are the predictable result of manual offboarding. When leaver processes rely on spreadsheets and email follow-up, access revocation becomes best-effort instead of guaranteed. The failure mode is not unusual; it is structural: every delayed deprovisioning step extends exposure after employment or contractor engagement ends. For identity teams, the lesson is to govern the full account lifecycle across every SaaS admin domain.
Access reviews without consolidated entitlement data produce weak assurance. A certification exercise can only validate what the organisation can actually see, and fragmented SaaS administration hides both unused licences and risky standing access. This is where NIST CSF access governance and lifecycle discipline matter in practice, because evidence quality determines whether a review is real or ceremonial. Practitioners should align review workflows to a single source of entitlement truth.
Cost optimisation and security governance now share the same control surface. The same visibility that reduces idle licence spend also exposes stale access, unowned apps, and incomplete offboarding. That makes SaaS administration a shared operating problem for IT, security, procurement, and compliance rather than a narrow platform task. Teams should expect identity governance programmes to be judged on operational clarity as much as on risk reduction.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
- For a broader benchmark on control gaps, see The State of Non-Human Identity Security, which shows only 1.5 out of 10 organisations are highly confident in securing NHIs.
What this signals
SaaS governance is converging with identity governance, and teams that still treat it as a procurement-only concern will keep missing orphaned access and incomplete offboarding. The useful shift is to measure app sprawl, access sprawl, and lifecycle closure as one control problem rather than three disconnected tasks.
Lifecycle drift: when SaaS ownership is fragmented, the practical risk is not just unused spend but accounts that outlive the reason they were created. That is why IT visibility, access reviews, and deprovisioning should be designed as a single operating model.
For practitioners, the next maturity jump is to connect discovery with entitlement evidence and retirement workflows. Once those links exist, compliance reporting becomes easier, but more importantly the organisation can see where hidden access and shadow applications are still accumulating.
For practitioners
- Implement a live SaaS inventory: Create a continuously updated list of all approved and discovered applications, with ownership, admin access, and business purpose recorded for each service.
- Automate leaver revocation across every app: Connect offboarding workflows to each SaaS admin surface so account removal is triggered automatically when employment or contractor status changes.
- Centralise access review evidence: Pull entitlement data, usage data, and ownership context into one review process so certification decisions are based on current facts rather than spreadsheets.
- Use SaaS spend signals as a security input: Treat unused seats, duplicate apps, and unmanaged subscriptions as indicators that access governance may already be drifting out of control.
Key takeaways
- Fast-growing SaaS environments create a governance gap when visibility, ownership, and offboarding are managed manually.
- The reported outcome was not only cost reduction, but also better control over shadow IT, orphaned accounts, and audit support.
- Identity teams should treat SaaS discovery and lifecycle automation as core governance controls, not optional operational conveniences.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | SaaS access reviews and lifecycle closure depend on current entitlement control. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Orphaned SaaS accounts and stale access reflect lifecycle control gaps. |
| NIST Zero Trust (SP 800-207) | AC-2 | Continuous verification relies on knowing which SaaS identities still have valid access. |
Use zero trust access governance to continuously validate SaaS entitlement and remove stale access.
Key terms
- SaaS Discovery: SaaS discovery is the process of identifying which cloud applications are in use across the organisation, including shadow IT and unsanctioned services. It combines procurement data, admin visibility, and usage signals so teams can govern applications that would otherwise remain hidden.
- Orphaned Account: An orphaned account is an identity that remains active after the person or contractor who needed it has left or changed role. In SaaS environments, it is a lifecycle failure that leaves access behind because deprovisioning was delayed, missed, or never fully connected across systems.
- Access Review: An access review is a formal check of whether a user or service still needs the permissions they hold. In SaaS governance, the review is only as strong as the entitlement data behind it, because incomplete visibility leads to incomplete assurance.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Josys: How Quantum Brilliance Reduced SaaS Costs and Strengthened IT Visibility and Security with Josys. Read the original.
Published by the NHIMG editorial team on 2025-08-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org