By NHI Mgmt Group Editorial TeamPublished 2025-11-13Domain: Governance & RiskSource: Efecte

TL;DR: As SaaS adoption expands across departments, fragmented subscriptions, hidden auto-renewals, and shadow IT are forcing procurement teams into reactive oversight, according to Matrix42, with Gartner projecting organisations that fail to manage SaaS lifecycles centrally will be five times more likely to experience cyber incidents by 2027. The governance issue is no longer spend control alone, but whether organisations can maintain a reliable source of truth for software access, usage, and renewal risk.


At a glance

What this is: This is an analysis of why SaaS visibility has become a procurement governance requirement, with the key finding that fragmented purchasing and hidden renewals create cost, compliance, and security blind spots.

Why it matters: It matters because procurement data now intersects with SaaS access, shadow IT, and lifecycle governance, which means IAM, NHI, and GRC teams need shared visibility to avoid unmanaged software risk.

By the numbers:

👉 Read Efecte's analysis of SaaS visibility and procurement governance


Context

SaaS visibility is the ability to see what software is being bought, renewed, used, and retired across the organisation. In procurement environments, the problem is not simply spend leakage. It is that software consumption now happens across many business functions, which breaks the old assumption that procurement owns the full contract and usage picture from start to finish.

Once software decisions are fragmented across departments, hidden renewals, shadow IT, and duplicate tools become governance problems as much as financial ones. That is why SaaS visibility belongs in the same conversation as IAM, NHI governance, and lifecycle control: the organisation cannot secure, recertify, or retire what it cannot reliably see.

For practitioners, the important shift is that procurement data is no longer a back-office record set. It is part of operational risk management, especially where SaaS tools are tied to identities, integrations, API tokens, and third-party access paths.


Key questions

Q: How should procurement teams govern SaaS tools that arrive outside official channels?

A: They should treat every unsanctioned SaaS purchase as both a spend exception and an identity exception. The first response is to identify the business owner, the connected identities, and any API keys or integrations already in use. Without that mapping, the organisation cannot safely decide whether to approve, constrain, or retire the tool.

Q: Why do hidden SaaS renewals create security risk as well as cost waste?

A: Hidden renewals keep software and its access paths alive after the original business need may have ended. That means dormant integrations, stale administrative accounts, and forgotten data sharing can persist unnoticed. The risk is not only budget leakage. It is the continued existence of access that no one is actively reviewing.

Q: What breaks when SaaS visibility is missing from identity governance?

A: Offboarding becomes incomplete, duplicate tools remain in place, and access reviews lose context because the organisation cannot see which applications are still active. In that state, identity teams may revoke users but leave the underlying SaaS integration untouched. The result is persistent exposure even after the original workflow should have ended.

Q: Who should own SaaS governance when procurement, IT, and security all touch it?

A: Ownership should sit with a named business accountable for each application, supported by procurement for commercial control and identity teams for access control. The key is not centralising every task in one team. It is making one party accountable for the full lifecycle so renewals, access, and retirement do not fall between functions.


Technical breakdown

Why fragmented SaaS buying breaks procurement governance

SaaS purchasing usually starts with business teams optimizing for speed, not control. That creates distributed subscription ownership, inconsistent approval paths, and renewal dates that sit outside central oversight. The technical issue is not just that more tools exist. It is that the control plane for software lifecycle decisions is split across finance, procurement, IT, and local business owners, so no single team can reliably answer who bought what, under which terms, and with which access dependencies.

Practical implication: build a single inventory that ties contracts, owners, usage, and identity dependencies together before the next renewal cycle.

How shadow IT turns spend leakage into access risk

Shadow IT matters because SaaS is rarely isolated from identity infrastructure. A tool bought outside official channels may still connect to SSO, SCIM, API keys, shared mailboxes, or webhook integrations. That means unmanaged software can create unmanaged identities, standing permissions, and offboarding gaps even when the spend issue looks minor. In practice, SaaS visibility is a control problem across procurement and identity, not just a budgeting exercise.

Practical implication: require every SaaS purchase to declare identity integrations, data access, and offboarding owner before approval.

Why renewals and usage data must be linked to lifecycle controls

Renewal data without usage data drives waste, but usage data without lifecycle controls still leaves governance blind. The operational model should connect active users, dormant subscriptions, integration privileges, and offboarding status so teams can see whether a tool is still justified or simply renewing by default. That linkage is what turns visibility into action: it allows organisations to retire redundant software, revoke unnecessary access, and reduce the accumulation of unreviewed access paths.

Practical implication: align renewal review, access review, and offboarding workflows so software cannot renew without an owner re-certification.


NHI Mgmt Group analysis

SaaS visibility is now a lifecycle governance issue, not a procurement reporting problem. The article describes a world where buying, renewing, and using software happens across dozens of business functions, which makes central control impossible if teams treat procurement as a separate administrative lane. The deeper issue is that software lifecycle events now affect access, data exposure, and third-party risk. Practitioners should treat SaaS inventory as part of identity governance, not a standalone finance record.

Shadow IT creates unmanaged identity pathways long before it creates budget waste. A department that buys software outside the standard process may also create a new integration point, a new set of tokens, or a new administrative account. That means the first governance failure is often identity-related, not financial. The implication is that procurement controls and identity controls need to converge at intake, renewal, and offboarding.

Visibility without ownership is only a dashboard. The article correctly points to a unified view of contracts, usage, and spend, but the operational challenge is deciding who owns remediation when a tool is unused, duplicated, or over-authorised. Without explicit ownership, visibility produces reports, not risk reduction. Practitioners should define accountable owners for every SaaS record before they can expect meaningful governance outcomes.

Non-human identity governance extends into procurement because SaaS tools often arrive with credentials attached. The real estate of SaaS is not just seat licences. It includes API keys, service integrations, automation tokens, and administrative access that can outlive the original business need. That makes procurement a front-end control for NHI sprawl. Teams that ignore this connection will keep buying software faster than they can govern its identities.

Identity blast radius grows when software purchasing is decentralised. The named concept here is the gap between software adoption speed and the organisation’s ability to constrain who and what the software can reach. When decentralised buying meets centralised identity assumptions, the result is overlapping tools, duplicated access paths, and delayed offboarding. The practitioner conclusion is simple: procurement maturity now depends on identity visibility as much as spend discipline.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
  • For the operational side of that risk, see NHI Lifecycle Management Guide for the provisioning, rotation, and offboarding steps that procurement teams now depend on.

What this signals

Identity blast radius is now a procurement metric as much as a security metric. Once SaaS buying is decentralised, every new subscription can introduce identities, integrations, and renewal debt that outlive the original use case. Teams should start tracking application ownership alongside access ownership, because a contract without lifecycle control is only a temporary permission slip.

With 96% of organisations storing secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, per our Ultimate Guide to NHIs, SaaS visibility has to extend into where applications keep their credentials. Procurement cannot govern what it cannot correlate to identity and secret exposure.

The next maturity step is to connect procurement events to identity events through the NHI Lifecycle Management Guide mindset. That means renewal, offboarding, and access review should be treated as one control chain, not three separate processes.


For practitioners

  • Create a unified SaaS register Link every subscription to an owner, business purpose, renewal date, data classification, and identity integrations so the organisation can answer who can access what and why.
  • Require identity review at purchase intake Make SSO, SCIM, API keys, and administrative account ownership part of the approval checklist before any department can onboard a new SaaS tool.
  • Tie renewals to usage and access recertification Block automatic renewal until the business owner confirms active use and the identity team confirms that access, integrations, and offboarding controls remain appropriate.
  • Map shadow IT to access exposure Use discovery from procurement, finance, and SaaS logs to find tools purchased outside official channels, then assess whether they introduced unmanaged credentials or third-party access.

Key takeaways

  • Decentralised SaaS buying turns procurement into an identity governance problem because every subscription can introduce access, integrations, and offboarding debt.
  • Visibility matters because it links contracts, usage, and ownership to the controls that reduce renewal waste and unmanaged access.
  • Organisations need a single SaaS lifecycle record if they want procurement, IAM, and security teams to act on the same facts.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03SaaS subscriptions often ship with credentials and integrations that outlive their business need.
NIST CSF 2.0GV.OV-03The article is about governance visibility across software, ownership, and risk.
NIST SP 800-53 Rev 5AC-6SaaS visibility supports least-privilege review across application access and integrations.
NIST Zero Trust (SP 800-207)SaaS tools with distributed access and integrations fit zero-trust access assumptions.

Track SaaS credentials, tokens, and integrations as NHI assets and retire them with the application.


Key terms

  • SaaS Visibility: SaaS visibility is the ability to see all software subscriptions, owners, users, renewals, and integrations in one place. In governance terms, it is the minimum condition for controlling spend, access, and retirement across decentralised purchasing models.
  • Shadow IT: Shadow IT is software adopted outside approved procurement or security processes. It creates governance risk because the organisation may not know who owns the application, what data it touches, or which identities and credentials it depends on.
  • Application Lifecycle Governance: Application lifecycle governance is the discipline of managing software from intake through renewal to retirement. For SaaS, it includes ownership, access review, contract control, and offboarding so business convenience does not become persistent exposure.
  • Identity Blast Radius: Identity blast radius is the amount of access, data, and downstream systems that can be affected when a software tool or identity is mismanaged. In SaaS environments, decentralised purchasing increases blast radius because one application can create several hidden access paths.

What's in the full article

Matrix42's full post covers the operational detail this analysis intentionally leaves for the source:

  • How Matrix42 frames SaaS visibility across procurement, finance, and compliance workflows.
  • Examples of the cost and renewal problems that arise when SaaS ownership is distributed across departments.
  • The article's broader perspective on managed services for lean procurement teams.
  • The vendor's discussion of how European midmarket organisations are approaching the shift to visibility-driven procurement.

👉 The full Efecte post covers the procurement, compliance, and cost-control detail behind SaaS visibility.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org