By NHI Mgmt Group Editorial Team
Published 2026-03-20
Domain: Best Practices
Source: Zluri

TL;DR: Software asset management tools are positioned to help organisations discover applications, track renewals, optimise license spend, and support onboarding and offboarding, according to Zluri’s review of 13 tools. The deeper issue is that SaaS governance is now an identity problem as much as a procurement problem, because unmanaged app sprawl creates access, compliance, and lifecycle risk.


At a glance

What this is: This is a review of 13 software asset management tools, with the key finding that discovery, lifecycle control, and renewal oversight are now central to software governance.

Why it matters: It matters to IAM practitioners because SaaS management overlaps directly with NHI, autonomous workflow, and human access lifecycle control, especially where app requests, revocation, and audit readiness depend on identity processes.



Context

Software asset management is no longer just about buying, renewing, and retiring applications. In practice, it now sits on top of identity controls because every discovered app, license request, and offboarding workflow depends on who or what is authorised to use the service.

The article frames SAM through operational choice, but the underlying governance question is broader: how do organisations keep SaaS inventories, contract sprawl, and access lifecycles aligned without losing control of dormant apps, duplicate tools, and unrevoked access?

For IAM teams, the overlap is obvious. SaaS management data becomes useful only when it feeds lifecycle governance, entitlement review, and revocation processes that cover human users, service accounts, and automated workflows.


Key questions

Q: How should security teams govern SaaS applications that sit outside core identity workflows?

A: Security teams should bring SaaS governance into the identity lifecycle, because app discovery, approval, renewal, and removal all depend on accountable ownership. The practical goal is to connect discovered applications to a business owner, an access path, and a revocation trigger. That turns shadow IT cleanup into ongoing lifecycle governance instead of one-time inventory work.

Q: Why do software asset management tools matter to IAM and IGA programmes?

A: They matter because software inventory only becomes usable when it informs entitlement decisions. IAM and IGA teams need to know which apps are live, who owns them, which users still need them, and when access should be removed. Without that linkage, software asset management becomes reporting, not governance.

Q: What breaks when SaaS offboarding is not tied to identity revocation?

A: The organisation keeps paying for applications after the business no longer needs them, and access can remain active even after the relationship should end. That creates budget leakage, audit exposure, and unnecessary access persistence. The failure is not just operational waste, but the loss of a reliable end state for application lifecycle management.

Q: How do organisations decide whether SAM controls are actually working?

A: They should measure whether every discovered application has an owner, whether renewal decisions are made before deadlines, and whether offboarding consistently removes access and subscription waste. If the tool produces inventories but not actions, governance is incomplete. A working programme turns visibility into decisions.


Technical breakdown

SaaS discovery as the foundation of software asset management

Discovery is the control plane for SAM because an application cannot be governed if it is not visible. The article describes multiple discovery methods, including SSO, finance and expense data, APIs, and optional agents or browser extensions. That architecture matters because no single source is complete on its own. Identity data, spend data, and technical telemetry each capture different parts of the same application surface. In practice, discovery quality determines whether renewal control, license optimisation, and offboarding are based on evidence or guesswork.

Practical implication: build discovery coverage across identity, finance, and integration sources before trusting any software inventory.

Renewal monitoring and contract lifecycle governance

Renewal monitoring is a lifecycle control, not just a procurement convenience. The article highlights alerts ahead of payment and contract dates so teams can decide whether to renew, renegotiate, or terminate. That is useful because SaaS contracts often persist long after usage drops, and stale renewals quietly expand spend and access surface. The real mechanism is decision timing: if usage and ownership signals arrive too late, the organisation renews by default. SAM tools only help when renewal data is tied to accountable application ownership.

Practical implication: connect renewal alerts to named business owners and access review outcomes, not only to procurement calendars.

SaaS lifecycle automation and offboarding control

The strongest governance value in the article is the link between app requests, assignment, and revocation. When onboarding and offboarding are automated through rules, the software asset programme starts to behave like an identity lifecycle workflow. That reduces manual delay, but only if revocation is actually triggered when a role ends or an app is decommissioned. Otherwise, automated provisioning merely speeds up privilege accumulation. In identity terms, SAM becomes a control surface for entitlement sprawl across human, NHI, and delegated access paths.

Practical implication: make revocation a first-class workflow trigger whenever an employee, app owner, or integration changes state.




NHI Mgmt Group analysis

Software asset management has become an identity governance problem disguised as spend control. The article is framed around optimisation, renewals, and inventory, but every one of those outcomes depends on identity state. If SaaS is discovered without lifecycle ownership, the organisation gains visibility without control. Practitioners should treat SAM as an input to IAM and not as a separate operations function.

Discovery depth is the real control boundary in SaaS governance. A tool can only enforce renewal, compliance, or offboarding decisions if it sees the full application surface, including shadow apps and delegated access paths. Partial discovery produces false confidence because the organisation believes it has a system of record when it really has a partial ledger. The practical conclusion is that coverage, not feature count, decides governance value.

Lifecycle automation is the named concept this category has been missing. Software asset management only becomes security-relevant when app request, assignment, renewal, and revocation are linked into a single lifecycle chain. That chain matters for human access, NHI credentials, and SaaS subscriptions alike. If one link is manual, delayed, or invisible, the governance model fragments. Practitioners should measure the chain end to end, not tool by tool.

Shadow IT and shadow access are converging into the same operational risk. The article’s emphasis on unused apps, duplicate tools, and contract waste mirrors what identity teams already see in standing access and stale entitlements. The governance response cannot stay siloed by function. IAM, procurement, and IT operations now need a shared control model for app ownership, access review, and offboarding.

The category is moving toward continuous governance rather than periodic clean-up. The most useful SAM platforms are the ones that feed real-time operational decisions, not annual inventory exercises. That shift aligns with modern identity governance, where entitlement drift and application sprawl are managed continuously. Practitioners should evaluate whether their software asset process produces action at the moment risk is created, not after the fact.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • Our research also shows that 96% of organisations store secrets outside of secrets managers in vulnerable locations, including code, config files, and CI/CD tools.
  • For a broader control lens, the NHI Lifecycle Management Guide shows how visibility, rotation, and offboarding fit into one governance model.

What this signals

Lifecycle governance is the differentiator that separates a useful SAM programme from a reporting dashboard. When discovery is good but ownership and revocation are weak, the organisation only learns where applications are, not how risk leaves the environment. That is why SaaS management now needs to sit inside identity governance rather than adjacent to it.

The practical next step is to treat application inventory, access review, and offboarding as one chain. If duplicate apps, shadow tools, or stale subscriptions are found but not removed, the programme is still absorbing risk rather than reducing it.

With 92% of organisations exposing NHIs to third parties, the same discipline that governs SaaS sprawl must also govern delegated access and external integrations. The boundary between software management and identity management is now operational, not theoretical.


For practitioners

  • Map SaaS discovery to identity sources: Correlate SSO, finance, API, and directory data so that each discovered application has an owner, access path, and business justification.
  • Tie renewal alerts to access decisions: Use upcoming renewal windows to confirm whether the application still has active users, approved owners, and an accepted business purpose before extending the contract.
  • Automate offboarding alongside app retirement: Trigger revocation when an employee leaves, an app owner changes, or a SaaS product is retired so dormant subscriptions do not preserve access.
  • Review duplicate apps through the entitlement lens: Treat overlapping SaaS functions as both spend waste and access sprawl, then remove redundant tools only after validating who still depends on each app.
  • Use lifecycle governance for shadow IT cleanup: Combine app discovery with access review and ownership assignment so unmanaged applications move into a controlled lifecycle instead of remaining hidden.
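The technical breakdown and the checklist above describe one procedure: merge SSO, finance and API discovery sources, then turn the merged inventory into owner, renewal and revocation decisions. The following is an added example (not code from Zluri or from the source article) that implements those checks over constructed sample feeds; every app name, user, token and date in it is invented.

```python
from datetime import date, timedelta

# Constructed stand-ins for the three discovery sources plus HR state.
SSO_ASSIGNMENTS = {"Figma": {"alice", "bob"}, "Notion": {"carol"}, "Jira": {"alice"}}
EXPENSE_RENEWALS = {"Figma": date(2026, 4, 10), "Notion": date(2026, 6, 1),
                    "Loom": date(2026, 4, 1)}      # Loom is paid for but absent from SSO
API_INTEGRATIONS = {"Jira": {"ci-bot-token"}, "Loom": {"zapier-oauth"}}  # NHI access paths
APP_OWNERS = {"Figma": "design-lead", "Jira": "eng-lead"}
OFFBOARDED_USERS = {"bob"}


def reconcile(sso, expenses, integrations, owners, offboarded, today, window_days=30):
    """Merge discovery sources and return the governance gaps that need an action.

    no_owner       -> discovered app with no accountable business owner
    shadow_apps    -> app seen only in finance data, so it bypasses the SSO access path
    renew_no_users -> renewal due within the window but no active (non-offboarded) users
    stale_access   -> SSO assignment still held by an offboarded person
    unowned_nhi    -> API/OAuth integration on an app nobody owns
    """
    inventory = set(sso) | set(expenses) | set(integrations)
    horizon = today + timedelta(days=window_days)
    gaps = {"no_owner": [], "shadow_apps": [], "renew_no_users": [],
            "stale_access": [], "unowned_nhi": []}
    for app in sorted(inventory):
        users = sso.get(app, set())
        active = users - offboarded
        if app not in owners:
            gaps["no_owner"].append(app)
        if app in expenses and app not in sso:
            gaps["shadow_apps"].append(app)
        renewal = expenses.get(app)
        if renewal and today <= renewal <= horizon and not active:
            gaps["renew_no_users"].append(app)
        for user in sorted(users & offboarded):
            gaps["stale_access"].append((app, user))
        if app in integrations and app not in owners:
            gaps["unowned_nhi"].extend((app, tok) for tok in sorted(integrations[app]))
    return gaps


def is_governed(gaps):
    """True only when visibility has been turned into closed decisions for every app."""
    return not any(gaps.values())


if __name__ == "__main__":
    result = reconcile(SSO_ASSIGNMENTS, EXPENSE_RENEWALS, API_INTEGRATIONS,
                       APP_OWNERS, OFFBOARDED_USERS, today=date(2026, 3, 20))
    for kind, items in result.items():
        print(f"{kind}: {items}")
```

Each non-empty list maps to one of the practitioner actions above (assign an owner, route the renewal to an access decision, revoke, or bring the shadow app under SSO), so the output is a work queue rather than an inventory report.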

Key takeaways

  • Software asset management now overlaps with identity governance because discovery, renewal, and offboarding all depend on access state.
  • The scale of the visibility problem is severe, with only 5.7% of organisations reporting full visibility into service accounts.
  • Practitioners should measure whether SAM actually drives owner assignment, revocation, and lifecycle closure, not just inventory reports.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Software lifecycle control depends on rotation and offboarding discipline.
NIST CSF 2.0 | PR.AC-1 | Access provisioning and authorization underpin SaaS governance outcomes.
NIST Zero Trust (SP 800-207) | AC-4 | Continuous verification fits SaaS discovery and lifecycle enforcement.

Tie SaaS lifecycle events to revocation and renewal controls so access does not outlive business need.


Key terms

  • Software Asset Management: Software asset management is the practice of tracking, governing, and optimising software use across its lifecycle. It covers discovery, procurement, renewals, usage, and retirement, but in identity-led environments it also depends on ownership, entitlement control, and timely revocation.
  • SaaS Discovery: SaaS discovery is the process of identifying cloud applications that are in use across an organisation. Effective discovery combines identity, finance, API, and endpoint signals so hidden apps, shadow IT, and unmanaged integrations do not escape governance.
  • Lifecycle Governance: Lifecycle governance is the discipline of managing an application or identity from request to retirement. In practice it links approval, assignment, review, renewal, and revocation so access and spend do not continue after the business need ends.
  • Shadow IT: Shadow IT is the use of applications or services without formal approval or central oversight. It creates governance blind spots because ownership, security review, and offboarding can be missing even when the software is actively used by employees or teams.

Deepen your knowledge

Software discovery, renewal control, and offboarding are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your SaaS programme is being pulled into identity governance, this course is a practical next step.

This post draws on content published by Zluri: 13 best software asset management tools in 2026. Read the original.
