TL;DR: Salesforce license management is not just a cost problem, because over-provisioning, weak role alignment, and delayed revocation can leave users with more access than they need, according to Zluri. The operational lesson is that license administration is an identity governance issue, not a procurement afterthought.
At a glance
What this is: This article frames Salesforce license management as a mix of access control, renewal discipline, and usage optimisation, with the key finding that unmanaged licences create security, compliance, and cost risk.
Why it matters: It matters because IAM, IGA, and SaaS governance teams need to treat app entitlements as lifecycle-managed access, especially where role changes and offboarding affect who can still reach customer data and admin functions.
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Zluri's analysis of Salesforce license management challenges and best practices
Context
Salesforce licence management is the discipline of assigning, monitoring, and retiring entitlements so users have the access they need without carrying unnecessary privilege. In practice, the article shows that licence sprawl, weak role alignment, and manual renewals can turn a SaaS cost exercise into an access governance problem.
For IAM and IGA teams, the important point is that application licences are not just commercial assets. They are access containers, and when they are not tied to role changes, usage checks, and revocation workflows, organisations can keep paying for access they no longer need while leaving stale permissions in place.
Key questions
Q: How should security teams govern Salesforce licences as part of IAM?
A: Treat Salesforce licences as access entitlements, not just software purchases. Map each licence type to a role, review usage regularly, and revoke or reassign access when users change jobs or leave. That keeps access aligned to business need and reduces both waste and unauthorised exposure.
Q: Why do unused SaaS licences create security risk?
A: Unused licences often indicate stale access paths that nobody is actively governing. If a user no longer needs the entitlement but still retains it, the organisation keeps an open door to data and administrative functions. Reclamation reduces attack surface and improves control over who can reach what.
Q: What breaks when Salesforce licence reviews are manual?
A: Manual reviews miss role changes, dormant users, and renewal deadlines. That creates a gap between the access someone should have and the access they actually keep. At scale, the result is over-provisioning, delayed revocation, and poor audit evidence for who approved what.
Q: Who should own Salesforce licence governance?
A: Ownership should sit with IAM or IGA teams in partnership with SaaS operations and finance. Finance can track spend, but identity teams must validate whether the access is still justified. Shared ownership works only when the entitlement review and offboarding process is explicit.
Technical breakdown
License allocation, role mapping, and entitlement sprawl
Salesforce licensing works as a tiered entitlement model, where user, feature, platform, identity, experience cloud, marketing cloud, and Einstein licenses each expose different capabilities. The governance challenge is not the list of licenses themselves, but the mismatch between what a role needs and what the entitlement bundle grants. When organisations allocate licenses without role mapping, they create entitlement sprawl: users inherit capabilities they will never use, while others may be under-provisioned and forced into workarounds. That mismatch complicates auditability, increases cost, and weakens access discipline across the SaaS stack.
Practical implication: Map Salesforce license types to job roles and business functions before renewal or expansion decisions.
Renewal timing and access revocation
The article’s renewal challenge is really a lifecycle problem. If a workforce changes frequently and renewals are not monitored, access can outlive the business need that justified it. In identity terms, that is a leaver-management failure, even when the account remains technically active. For SaaS environments, delayed renewal review often means the organisation keeps dormant entitlements alive because no one is watching the intersection of contract dates, last access, and role changes. That leaves an avoidable window where access persists without current operational justification.
Practical implication: Tie Salesforce renewal checks to access reviews and offboarding events, not just finance calendars.
Usage telemetry and license optimisation
Usage telemetry is what turns Salesforce licence management from guesswork into governance. By measuring last access, feature consumption, and inactive users, organisations can distinguish between licences that are genuinely supporting work and licences that are simply sitting in inventory. The article describes this as a way to reclaim unused licences and right-size subscriptions, but the deeper issue is identity accountability. Without telemetry, entitlement decisions are based on assumption. With telemetry, teams can prove whether access still matches need and whether the platform is being used in line with its intended scope.
Practical implication: Use access data to drive reclamation decisions and prove whether entitlements still match actual usage.
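As an added example (not Zluri's or NHIMG's code), the three checks in this breakdown and the practitioner checklist later on the page run together over a constructed Salesforce user export: a role-to-licence map, an HR feed that carries leaver status, and last-login telemetry drive revoke, reassign and reclaim decisions. The licence labels, the 90-day dormancy threshold, the field names and all records are assumptions made for the example.

```python
from datetime import date, timedelta

# Role-to-licence map (constructed; labels follow the page's licence categories).
ROLE_LICENCES = {"sales_rep": {"user"}, "ops_engineer": {"platform"}, "marketing_analyst": {"marketing_cloud"}}
DORMANT_AFTER = timedelta(days=90)  # constructed threshold for "inactive user"


def review_entitlements(sf_users, hr_records, today):
    """Return (username, finding, action) tuples: leaver revocation, role
    mapping and usage telemetry as in the text, plus accounts unknown to HR."""
    findings = []
    for u in sf_users:
        name, hr = u["username"], hr_records.get(u["username"])
        if hr is None:
            findings.append((name, "no_hr_record", "investigate"))
            continue
        if hr["status"] == "left" and u["is_active"]:
            findings.append((name, "leaver_still_active", "revoke"))
            continue  # role and usage checks are moot on an account to revoke
        if u["licence"] not in ROLE_LICENCES.get(hr["role"], set()):
            findings.append((name, "licence_outside_role", "reassign"))
        last = u["last_login"]
        if u["is_active"] and (last is None or today - last > DORMANT_AFTER):
            findings.append((name, "dormant", "reclaim"))
    return findings


def reclaimable_by_licence(sf_users, findings):
    """Seats per licence type that can be dropped at the next renewal."""
    licence_of = {u["username"]: u["licence"] for u in sf_users}
    counts = {}
    for name, _finding, action in findings:
        if action in ("revoke", "reclaim"):
            counts[licence_of[name]] = counts.get(licence_of[name], 0) + 1
    return counts


# Constructed sample export; field names loosely follow the Salesforce User object.
TODAY = date(2025, 6, 26)
SF_USERS = [
    {"username": "ana@example.com", "licence": "user", "is_active": True, "last_login": date(2025, 6, 20)},
    {"username": "ben@example.com", "licence": "user", "is_active": True, "last_login": date(2025, 1, 5)},
    {"username": "cat@example.com", "licence": "marketing_cloud", "is_active": True, "last_login": date(2025, 6, 1)},
    {"username": "dan@example.com", "licence": "platform", "is_active": True, "last_login": None},
    {"username": "eve@example.com", "licence": "user", "is_active": True, "last_login": date(2025, 6, 25)},
]
HR_RECORDS = {  # ben has left; cat moved from marketing to sales; eve is unknown to HR
    "ana@example.com": {"role": "sales_rep", "status": "active"},
    "ben@example.com": {"role": "sales_rep", "status": "left"},
    "cat@example.com": {"role": "sales_rep", "status": "active"},
    "dan@example.com": {"role": "ops_engineer", "status": "active"},
}
```

Running `review_entitlements(SF_USERS, HR_RECORDS, TODAY)` yields one finding per governance gap the text names (leaver still active, licence outside role, dormant seat, orphan account), and `reclaimable_by_licence` turns the revoke and reclaim actions into the seat reduction to take into the renewal conversation.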
NHI Mgmt Group analysis
Salesforce license management is an identity governance problem, not a software billing problem. The article treats licences as a way to optimise spend, but the security reality is that every licence also defines an access boundary. When entitlement allocation is detached from role design and offboarding, the organisation loses control over who can still interact with sensitive CRM data. Practitioners should therefore evaluate Salesforce licensing through the same lens used for any other access lifecycle.
License over-provisioning is a form of access creep. The article’s description of unused or underused licences maps directly to privilege accumulation in IAM programmes. When users retain access they do not need, the organisation pays twice: once in licence cost and again in wider exposure. The control failure is not just excess inventory, but the absence of a routine entitlement reclamation process. Practitioners should treat unused Salesforce licences as reclaimable access, not sunk cost.
Renewal management exposes the limits of manual governance. The article shows that expiring licences can disrupt productivity if they are not monitored, but the deeper lesson is that manual reminders do not scale across dynamic SaaS estates. Access needs to be tied to observable usage and employment or role change events. Otherwise, renewal becomes a lagging administrative task rather than a governance checkpoint. Practitioners should connect Salesforce renewal workflows to identity lifecycle controls.
Role-based access only works when role definitions are current. The article recommends RBAC, but RBAC in SaaS fails when roles become stale or overly broad. A licence can be correctly assigned and still be misgoverned if the underlying role no longer reflects current duties. That is why Salesforce entitlement reviews need to sit inside a broader access governance model, not as a one-off configuration step. Practitioners should periodically validate whether role design still matches business need.
Usage visibility is the named concept this article really points to. The governance gap is not merely over-buying licences. It is the inability to see which identities are actively using Salesforce, which are dormant, and which entitlements can be reclaimed without disrupting work. That gap matters because licence optimisation depends on proof, not assumption. Practitioners should base entitlement decisions on observed behaviour rather than subscription headcount.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- For the lifecycle angle: review the NHI Lifecycle Management Guide for how revocation, rotation, and offboarding should be operationalised across identity types.
What this signals
License governance is converging with entitlement governance across the SaaS stack. Salesforce is a useful example because the same review discipline used for SaaS seats now needs to cover who can still access business data, not only who is paying for a subscription. That shift will increasingly push IAM teams to treat renewals, role changes, and offboarding as one workflow, not three separate processes.
The practical signal for security programmes is that access observability now matters as much as cost visibility. If teams cannot show which identities are active, which are dormant, and which entitlements are being reclaimed, they do not have control over the application surface. That is why licence optimisation is becoming a governance signal, not just a finance metric.
Identity lifecycle management is the hidden control plane here. When a user leaves or changes role, the licence should follow the lifecycle event, not the invoice cycle. Teams that can link Salesforce entitlement data to their broader lifecycle process will have a cleaner audit trail and less residual access drift.
For practitioners
- Align Salesforce licences to role definitions: Review every licence class against current job functions, not historic assignments. Remove broad default allocation and require a documented business need for higher-tier entitlements.
- Connect renewal reviews to access recertification: Pair contract renewal dates with identity reviews so expiring or redundant licences are assessed before renewal, especially for users who changed roles or left the organisation.
- Use usage telemetry to reclaim dormant access: Track last login, feature consumption, and inactive users, then reclaim entitlements when the access is no longer justified by observed use.
- Document entitlement ownership and approval paths: Assign clear owners for Salesforce licence decisions and require approval paths for premium or external-user entitlements so governance is auditable.
Key takeaways
- Salesforce licence management becomes a governance issue when entitlements outlast the roles that justified them.
- The article’s strongest operational signal is that usage data, renewal timing, and access reviews must be managed together.
- Teams that tie Salesforce licences to lifecycle controls will reduce both wasted spend and residual access risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Salesforce licences are access entitlements that should follow least-privilege principles. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centres on unmanaged access and renewal gaps that resemble stale NHI governance. |
| NIST Zero Trust (SP 800-207) | AC-6 | Role-based access and ongoing verification align with zero-trust access minimisation. |
Review entitlement lifecycles and revoke dormant access before renewal cycles auto-extend them.
Key terms
- License Entitlement: A license entitlement is the bundle of application capabilities a user is allowed to consume. In identity governance, it should be treated like access rather than a commercial line item, because over-allocation and stale assignment can create both cost waste and security exposure.
- Entitlement Reclamation: Entitlement reclamation is the process of taking back access that is no longer needed. It usually follows usage review, role change, or offboarding, and it is one of the clearest ways to reduce excess access in SaaS environments without harming productivity.
- Role-Based Access Control: Role-based access control assigns permissions according to job function instead of individual preference. In practice, it only works when roles stay current, are narrowly defined, and are reviewed often enough to prevent old duties from continuing to grant unnecessary access.
- Identity Lifecycle: Identity lifecycle is the full sequence of joiner, mover, and leaver events that govern access over time. For SaaS applications, it links provisioning, role change, renewal, and offboarding so access follows the person or workload rather than the subscription schedule.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: SaaS Management Salesforce License Management: Challenges & Best Practices. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org