TL;DR: Choosing a SAM tool still comes down to visibility, license optimisation, integration, vendor management, and risk controls, with KuppingerCole cited in the source as backing Zluri’s SaaS discovery claims. The deeper issue is that software governance now overlaps with identity governance, because app inventory without user and access context leaves security and compliance decisions incomplete.
At a glance
What this is: This is a practitioner guide to selecting a SAM tool, with the central finding that inventory, license control, integrations, vendor management, and risk scoring must work together.
Why it matters: It matters to IAM teams because SaaS management now touches NHI governance, third-party access, and human entitlement review, so fragmented tooling leaves blind spots across the identity surface.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Context
Software asset management is not just a procurement exercise anymore. In SaaS-heavy environments, inventory, licences, integrations, vendor contracts, and access data now overlap with identity governance, which means a SAM tool can either clarify the attack surface or leave it fragmented.
The article argues for evaluating SAM tools through five operational questions: visibility, licence optimisation, integration, vendor management, and SaaS risk. That lens is practical, but the real governance test is whether the platform can connect software entitlements to the identities and third parties using them.
For teams managing human access, service accounts, and external app connections, the question is not simply how many applications exist. It is whether the organisation can see who or what is using them, what data they can reach, and whether those rights are still appropriate.
Key questions
Q: How should teams evaluate SAM tools for identity governance coverage?
A: Teams should check whether the SAM tool connects software inventory to identities, entitlements, and ownership data. If it only tracks licences and contracts, it cannot support offboarding, access review, or third-party risk decisions. The right test is whether the platform can show who uses each application, how access was granted, and when that access should be removed.
Q: Why do SaaS management tools matter to IAM teams?
A: SaaS management matters to IAM teams because software access is identity access in practice. Every managed app can represent employee entitlements, contractor access, service account use, or delegated third-party trust. If the SAM tool cannot expose those relationships, IAM teams lose the ability to govern lifecycle, review privilege, and limit residual access.
Q: What breaks when SAM visibility does not include app users and owners?
A: When SAM visibility excludes users and owners, the organisation can count software but cannot govern it. That gap breaks offboarding, recertification, and risk prioritisation because no one can tell which identities still depend on an application, whether the access is justified, or who should approve its removal.
Q: Which frameworks should guide SaaS access and application governance?
A: NIST CSF 2.0 and the OWASP Non-Human Identity Top 10 are the most relevant lenses for SaaS governance because they connect discovery, protection, and access control to the identities using the software. Use those frameworks to check whether inventory feeds ownership, entitlement review, and lifecycle actions rather than stopping at reporting.
Technical breakdown
360-degree SaaS visibility and software inventory
A SAM platform’s visibility model depends on how completely it can reconcile discovered applications, assigned licences, usage data, and contract records into a single inventory. In practice, that means combining directory signals, SSO data, and direct discovery so the platform can distinguish active, underused, and shadow applications. Without that join, inventory becomes a list rather than a control plane. For identity teams, the important detail is that visibility is only useful when it connects software ownership to actual access paths and users.
Practical implication: require inventory evidence that links applications to users, entitlements, and source systems before you trust the dashboard.
License optimisation and entitlement governance
Licence optimisation is not only about reducing spend. It is a governance function that checks whether assigned software rights still match current need, role, and usage. The operational value comes from seeing renewal dates, licence type, usage counts, and non-employee assignments together, because that is where waste and over-assignment surface. In identity terms, this is a cousin of entitlement review: access that is paid for but unused still represents unmanaged privilege and weak lifecycle discipline.
Practical implication: evaluate whether licence data can support recertification, reclaim, and offboarding decisions for employees and external users.
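The join described in the two sections above (discovery, SSO assignments, directory status, usage and licence counts reconciled into one identity-linked inventory, then checked for drift) can be expressed as a small script. The following is an added example written for this page, not Zluri's code or any real tool's export format: the record shapes, the 90-day staleness window, and the sample rows are constructed assumptions.

```python
"""Reconcile SAM inventory sources into identity-linked entitlements and flag drift.

Added illustration: record shapes, thresholds and sample rows are constructed
assumptions, not Zluri's schema or any real organisation's data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample inputs (assumed shapes, not a real tool's export).
SSO_ASSIGNMENTS = [  # app -> identity, as the IdP reports it
    {"app": "crm", "identity": "alice"},
    {"app": "crm", "identity": "bob"},
    {"app": "crm", "identity": "svc-etl"},
    {"app": "wiki", "identity": "alice"},
    {"app": "wiki", "identity": "carol@vendor.example"},
]
DIRECTORY = {  # identity -> lifecycle status and type, from HR/directory
    "alice": {"status": "active", "type": "employee"},
    "bob": {"status": "terminated", "type": "employee"},
    "svc-etl": {"status": "active", "type": "service"},
    "carol@vendor.example": {"status": "active", "type": "contractor"},
}
LAST_USED = {  # (app, identity) -> last sign-in date from usage logs
    ("crm", "alice"): date(2026, 4, 30),
    ("crm", "svc-etl"): date(2026, 1, 3),
    ("wiki", "alice"): date(2026, 4, 28),
}
DISCOVERED = {"crm", "wiki", "notes-saas"}  # seen via expense, OAuth or network discovery
LICENCES = {"crm": 3, "wiki": 5}  # paid seats per app, from contract records


@dataclass
class Finding:
    app: str
    identity: Optional[str]
    kind: str
    detail: str


def reconcile(today_iso="2026-05-04", stale_days=90, sso=SSO_ASSIGNMENTS,
              directory=DIRECTORY, last_used=LAST_USED,
              discovered=DISCOVERED, licences=LICENCES):
    """Join the sources and return drift findings: shadow apps, orphaned or
    stale entitlements, and seats that could be reclaimed."""
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=stale_days)
    findings = []
    sso_apps = {a["app"] for a in sso}
    # 1. Shadow apps: discovered, but no SSO-managed access path and no owner.
    for app in sorted(discovered - sso_apps):
        findings.append(Finding(app, None, "shadow_app", "no SSO assignments; owner unknown"))
    # 2. Per-entitlement checks against directory status and usage.
    for a in sso:
        app, ident = a["app"], a["identity"]
        rec = directory.get(ident)
        if rec is None:
            findings.append(Finding(app, ident, "unknown_identity", "not in directory"))
            continue
        if rec["status"] != "active":
            findings.append(Finding(app, ident, "orphaned", f"{rec['type']} is {rec['status']}"))
            continue
        seen = last_used.get((app, ident))
        if seen is None or seen < cutoff:
            findings.append(Finding(app, ident, "stale", f"last used {seen or 'never'}"))
    # 3. Reclaimable seats: paid seats minus assignments that are active and in use.
    flagged = {(f.app, f.identity) for f in findings if f.identity}
    for app, seats in licences.items():
        in_use = sum(1 for a in sso if a["app"] == app and (app, a["identity"]) not in flagged)
        if seats > in_use:
            findings.append(Finding(app, None, "reclaimable", f"{seats - in_use} of {seats} seats"))
    return findings


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.kind:16} {f.app:10} {f.identity or '-':22} {f.detail}")
```

With the constructed data the script reports one shadow app (notes-saas), one orphaned grant (bob, terminated but still assigned to crm), two stale grants (the svc-etl service account and the never-used contractor seat), and reclaimable seats on both apps. The point for evaluation is that none of those findings is derivable from the licence count alone; each needs the directory or usage join.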
Integrated risk scoring for SaaS apps and users
Risk scoring only becomes meaningful when the platform evaluates app exposure, data sharing, compliance posture, and recent security events in one model. The source describes a scoring approach that combines breach signals, access scope, compliance coverage, and third-party security checks. That matters because an application is not inherently risky in isolation. Its risk depends on who can use it, what data it touches, and how much trust the organisation has delegated to it.
Practical implication: insist on risk scoring that reflects identity context, not just app-level security grades or vulnerability lists.
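To make the identity-context point concrete, here is an added example (not the source article's or any vendor's scoring model) that scores one app twice: once for an internal employee population and once for a population that includes a contractor and a stale service account. The weights, the scope list, the bands and the sample records are constructed assumptions; the output carries the reason codes so a reviewer can see why the score differs.

```python
"""Score SaaS app risk with identity context and return the reasons behind it.

Added illustration with constructed weights and sample records; the model and
field names are assumptions, not the source article's or any vendor's model.
"""
from datetime import date, timedelta

WEIGHTS = {  # constructed, not calibrated against real incident data
    "breach_recent": 30,        # vendor breach within the last 365 days
    "no_attestation": 15,       # no SOC 2 / ISO 27001 style attestation on file
    "broad_data_scope": 20,     # granted OAuth scopes reach whole drives, mailboxes or directory
    "external_identities": 15,  # contractors, vendor users or third-party apps hold access
    "service_accounts": 10,     # non-human identities hold access
    "stale_grants": 10,         # grants unused beyond the review window
}
BROAD_SCOPES = {"files.read_all", "mail.read", "directory.read_all"}
BANDS = [(60, "high"), (30, "medium"), (0, "low")]


def score_app(app, grants, today_iso, stale_days=90):
    """app: app-level signals; grants: per-identity grants for this app."""
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=stale_days)
    reasons = []
    # App-level signals: identical for every identity population.
    if app.get("last_breach") and today - date.fromisoformat(app["last_breach"]) <= timedelta(days=365):
        reasons.append("breach_recent")
    if not app.get("attestations"):
        reasons.append("no_attestation")
    if BROAD_SCOPES & set(app.get("oauth_scopes", [])):
        reasons.append("broad_data_scope")
    # Identity-context signals: who holds the grants and whether they still use them.
    types = {g["type"] for g in grants}
    if types & {"contractor", "vendor", "third_party_app"}:
        reasons.append("external_identities")
    if "service" in types:
        reasons.append("service_accounts")
    stale = [g["identity"] for g in grants
             if g.get("last_used") is None or date.fromisoformat(g["last_used"]) < cutoff]
    if stale:
        reasons.append("stale_grants")
    score = min(100, sum(WEIGHTS[r] for r in reasons))
    band = next(label for threshold, label in BANDS if score >= threshold)
    return {"app": app["name"], "score": score, "band": band, "reasons": reasons, "stale": stale}


# Constructed sample: one app, two identity populations.
CRM = {"name": "crm", "last_breach": "2025-11-02", "attestations": ["SOC 2"],
       "oauth_scopes": ["files.read_all", "contacts.read"]}
INTERNAL_ONLY = [
    {"identity": "alice", "type": "employee", "last_used": "2026-04-30"},
    {"identity": "bob", "type": "employee", "last_used": "2026-04-29"},
]
WITH_DELEGATED_TRUST = [
    {"identity": "alice", "type": "employee", "last_used": "2026-04-30"},
    {"identity": "carol@vendor.example", "type": "contractor", "last_used": None},
    {"identity": "svc-etl", "type": "service", "last_used": "2026-01-03"},
]


def demo(today_iso="2026-05-04"):
    """Same app, different populations: returns (internal result, delegated result)."""
    return score_app(CRM, INTERNAL_ONLY, today_iso), score_app(CRM, WITH_DELEGATED_TRUST, today_iso)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

An app-level grade would give crm the same score in both runs (the recent breach and the broad drive scope). Adding the grant population moves the second run from medium to high and names the stale contractor and service-account grants, which is exactly the output an entitlement review needs to act on.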
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SaaS management has become an identity governance problem, not a shelfware problem. The article treats SAM as a way to control cost and compliance, but the operational reality is broader: every SaaS app also carries user entitlements, external access, and data-sharing trust. Once a platform is connected to SSO, directories, and third-party apps, it starts participating in identity governance. Practitioners should treat SAM selection as part of their broader access architecture, not a procurement decision in isolation.
Visibility without identity context creates an incomplete control surface. A dashboard that counts apps, licences, and contracts can still miss who actually has access, how that access was granted, and whether it was ever revoked. That is the same failure pattern that shows up in NHI governance when an inventory exists but lifecycle ownership does not. The relevant framework lenses are the OWASP Non-Human Identity Top 10 and NIST CSF 2.0, because the issue is not discovery alone but whether discovery feeds enforceable control decisions.
Software licence waste and entitlement sprawl are now linked. When an organisation keeps paying for software that former staff, contractors, or unmanaged accounts still use, cost control and access control collapse into the same problem. This is where a named concept matters: entitlement drift in SaaS estates is the widening gap between what the organisation pays for and what identities actually need. Practitioners should see licence optimisation as a proxy for lifecycle discipline, not just savings.
Risk scoring only works when it measures delegated trust, not product features. The source’s emphasis on security probes, compliance, and data sharing points in the right direction, but the deeper governance question is whether the platform can explain why a given app is high risk for a particular identity population. That matters across human users, service accounts, and third-party app connections. The practical conclusion is simple: if risk scoring cannot drive entitlement review, it is reporting, not governance.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- That visibility gap is why the NHI Lifecycle Management Guide matters when SaaS platforms are used to govern access, ownership, and offboarding.
What this signals
Entitlement governance will keep converging with SaaS administration. As organisations centralise app inventory, the next control question is whether those records can support access review, offboarding, and third-party cleanup. If they cannot, the platform is useful for finance and operations but still weak for identity control.
Only 5.7% of organisations have full visibility into their service accounts, which is a warning sign for any programme that assumes software governance is separate from identity governance. A SAM tool that does not surface owner, user, and lifecycle data will leave the same blind spots that service-account inventories already suffer from, even if the dashboard looks complete.
The practical next step is to align SAM selection with lifecycle governance, not just software tracking. For teams modernising access controls, the Ultimate Guide to NHIs and its companion, Lifecycle Processes for Managing NHIs, are better reference points than a licence-only checklist.
For practitioners
- Map SAM data to identity sources: Require the tool to join software inventory with SSO, directory, and app-discovery signals so each application can be tied to real users, owners, and access paths.
- Use licence data for offboarding and reclaim: Validate that unused licences can be reassigned or removed when staff leave, contractors roll off, or usage drops below policy thresholds.
- Test whether risk scoring reflects delegated access: Check that app-risk scores consider who can access the app, what data can be shared, and whether third-party connections remain active beyond their intended use.
- Require contract and renewal evidence in reviews: Make vendor contracts, renewal dates, and licence terms visible to the teams that perform access reviews so procurement and IAM decisions stay aligned.
- Link SaaS governance to NHI lifecycle controls: Treat service accounts, API tokens, and external app connections as part of the same review cycle as human entitlements when the software estate is being assessed.
Key takeaways
- SAM tools should be judged on whether they connect software inventory to identity governance, not just whether they count applications.
- Licence optimisation becomes a security control when it helps teams reclaim unused access, reduce entitlement drift, and clean up offboarding gaps.
- If a platform cannot show who uses software, who owns it, and when access should be removed, it is not ready for serious IAM use.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1 (Improper Offboarding), NHI3 (Vulnerable Third-Party NHI) | Licence and access lifecycle gaps mirror NHI offboarding failures; connected third-party apps carry delegated NHI trust that must be inventoried and reviewed. |
| NIST CSF 2.0 | ID.AM-02, PR.AA-05 | Software and service inventories must be maintained, and access permissions and entitlements must be managed and reviewed under least privilege; both depend on identity context in SaaS governance decisions. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust | Zero trust requires that authorisation be dynamic and continuously re-evaluated for app access and third-party connections rather than granted once. |
Use identity-linked inventory to enforce least privilege and review stale SaaS access routinely.
Key terms
- SaaS Governance: SaaS governance is the discipline of controlling application sprawl, access, licensing, and vendor risk across cloud software estates. It combines inventory, ownership, lifecycle review, and security oversight so organisations can manage both spend and exposure from the same operating model.
- Entitlement Drift: Entitlement drift is the gradual mismatch between the access an identity has and the access it actually needs. In SaaS environments, it shows up when licences, roles, or third-party connections remain active after the business need has changed, creating both cost waste and security risk.
- Software Asset Management: Software asset management is the process of tracking, optimising, and governing software usage, licences, and contracts across an organisation. In modern SaaS environments, it increasingly depends on identity data because software value and software risk are both defined by who or what can use the application.
- Third-Party Access: Third-party access is the delegated use of an application or data set by external users, vendors, or connected apps. It becomes a governance concern when the access outlives the business relationship, lacks ownership, or is not tied to lifecycle review and revocation.
Deepen your knowledge
SaaS inventory, entitlement review, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is using SAM to close identity blind spots, it is worth exploring.
This post draws on content published by Zluri: SaaS Management 5 Questions to Ask For Selecting the Best SAM Tool for Your IT Team. Read the original.
Published by the NHIMG editorial team on 2026-05-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org