TL;DR: The real issue is not only cost control but whether identity and access programmes can see, rationalize, and lifecycle-manage SaaS entitlements well enough to prevent sprawl, according to Zluri. ROSS, or Return on SaaS Stack, is a framework for judging SaaS value through pricing, latent value, and future roadmap fit, while warning that unused subscriptions, hidden costs, and weak app interoperability waste spend and erode governance.
At a glance
What this is: This is a SaaS license optimization framework that reframes software spend as a governance problem, showing how unused subscriptions, hidden costs, and roadmap mismatches reduce value.
Why it matters: It matters because IAM, IGA, and SaaS governance teams need visibility into who has access to which applications, why those entitlements exist, and when they should be removed or consolidated.
By the numbers:
- 38% of all subscriptions in any business are wasted.
- Some of the most wasted subscriptions in the industry include apps like Camtasia Studio (67%).
Context
SaaS license optimization is really an access governance problem in disguise. When organisations cannot see which subscriptions are used, duplicated, or under-provisioned, they lose control over both spend and entitlement sprawl across teams and applications.
That matters for identity programmes because application value is tied to provisioning, recertification, and offboarding discipline. The same lifecycle thinking that applies to SaaS seats also applies to service accounts and other non-human identities, where unused access often persists long after it stops delivering value.
Key questions
Q: How should organisations evaluate SaaS subscriptions before renewal?
A: They should compare actual usage, business ownership, and workflow fit against the subscription tier being renewed. If an app is lightly used, duplicated elsewhere, or no longer aligned to operating needs, the entitlement should be downgraded or removed. Renewal should be a governance decision based on evidence, not a default continuation of spend.
Q: Why do SaaS stacks create governance problems for IAM teams?
A: Because the same sprawl that inflates cost also obscures who should have access, which apps are still needed, and when access should be retired. Without visibility into usage and ownership, identity teams cannot confidently recertify or remove entitlements. The result is persistent access that outlives the business need.
Q: How do you know if SaaS license optimization is working?
A: You should see fewer duplicate applications, lower spend on unused seats, clearer application ownership, and cleaner recertification outcomes. If renewals are still approved without usage evidence, the programme is not working. The strongest signal is that access and spend decisions are now tied to measurable business use.
Q: Who should own SaaS entitlement cleanup and offboarding?
A: Ownership should sit with application owners and identity governance teams together, because license cleanup affects both budget and access risk. Finance can flag waste, but only the business and IAM functions can confirm whether an entitlement still serves a real process. Shared accountability prevents unused access from lingering indefinitely.
Technical breakdown
SaaS subscription wastage and entitlement sprawl
Subscription wastage happens when an organisation pays for software that users do not actually use, or uses a higher tier than required. In identity terms, that often reflects poor entitlement visibility, weak application ownership, and a lack of periodic access review. The result is not only wasted budget but also latent risk, because dormant access can become an unmanaged access path. License optimization becomes more effective when usage data, ownership data, and business purpose are linked in the same governance model.
Practical implication: tie software renewal decisions to access review evidence, not only invoice totals.
Latent value and application interoperability
Latent value is the business value embedded in an app’s workflow features, integrations, automation, and reporting. If those capabilities are not used, the organisation often pays for functionality that sits outside its operating model. From an identity perspective, this is where SaaS governance intersects with access design, because over-broad app access and poor integration discipline can make valuable features hard to adopt safely. The real challenge is matching application capability to actual workflow demand.
Practical implication: validate whether each SaaS app's features are being used before renewing higher-cost plans.
Future roadmap as a governance input
Future roadmap matters because SaaS decisions are not static. A tool that fits today may fail to support next year’s workflow, reporting, or automation needs, especially as teams scale or business processes change. For identity leaders, this means app governance should include not just current usage and cost, but also lifecycle fit, access model compatibility, and the risk of vendor lock-in. Roadmap awareness is part of entitlement strategy, not just procurement planning.
Practical implication: include roadmap fit in app rationalization so access and licensing decisions do not lag business change.
NHI Mgmt Group analysis
SaaS license optimization is an identity governance problem, not a finance exercise. The article treats ROSS as a value framework, but the underlying control issue is whether organisations can maintain accurate ownership, usage, and entitlement records across their SaaS estate. That is classic governance territory, because over-provisioned applications and forgotten subscriptions are both signs that lifecycle discipline is weak. The practitioner conclusion is that software spend, access sprawl, and governance maturity move together.
Unused SaaS subscriptions resemble dormant non-human access. In both cases, the asset continues to exist after the operational need has faded. The article’s 38% wastage figure points to a broader pattern: organisations frequently keep entitlements alive because no one owns the removal decision. That same failure mode appears in non-human identity programmes when service accounts or tokens are left in place after the workload changes. The practitioner conclusion is that entitlement retirement must be treated as a governance control, not an administrative cleanup task.
Feature bloat creates a hidden governance burden. The article notes that hidden costs include migration, feature overload, and collaboration friction, all of which reduce realised value. For identity teams, that means application rationalisation should account for adoption drag as well as direct spend. If users cannot practically use a platform’s capabilities, access rights become a paper entitlement rather than a business asset. The practitioner conclusion is to evaluate whether a license tier actually maps to operational need.
Future roadmap fit is the real test of SaaS value. The article correctly moves beyond static cost comparisons and asks whether today’s app can support tomorrow’s workflows. That is the same logic identity teams should apply to lifecycle governance: value depends on whether access, integrations, and entitlements still match the operating model as the business changes. The practitioner conclusion is to make roadmap awareness part of access and application rationalisation reviews.
ROSS gives practitioners a language for defensible reduction decisions. Even if the framework is subjective, it helps security, IT, and business leaders compare options consistently and explain why one entitlement set, tier, or application remains justified. That matters because governance fails when decisions are ad hoc and unreviewable. The practitioner conclusion is to use value frameworks to support renewal, consolidation, and offboarding decisions across the SaaS stack.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For a broader control baseline, see Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for how lifecycle governance closes visibility gaps across machine identities.
What this signals
SaaS rationalisation will increasingly converge with identity governance. As organisations try to reduce waste, they will need a single view of application ownership, usage, and entitlement state. A licence that is still assigned but never used is not just a finance problem, it is an access governance exception waiting to happen. The programme implication is that renewal, recertification, and offboarding must be managed together.
Return-on-value frameworks will become more credible when tied to lifecycle control. If the same process can prove that a subscription is underused and that its access can be safely removed, governance teams gain a stronger decision model. That matters because business leaders increasingly want evidence that software spend maps to actual operating outcomes. The practical signal is a tighter link between usage analytics and entitlement disposition.
The identity surface is broader than human users, so SaaS optimisation must account for service accounts and automation too. Many SaaS ecosystems now contain machine-driven access paths that are easy to overlook when teams focus only on employee seats. With 72% of organisations already reporting or suspecting NHI breaches, per our 2024 ESG report on managing non-human identities, the governance model has to extend beyond licenses into workload and integration identity.
For practitioners
- Map SaaS entitlements to business owners: Assign a named owner for each application, subscription tier, and high-value integration so renewal decisions have a clear accountability path. Use ownership data to challenge duplicate apps and dormant seats before contract renewal.
- Combine usage telemetry with access reviews: Compare active usage, feature adoption, and last access dates against entitlement records, then remove or downgrade subscriptions that no longer support a live business process. Link the review to renewal deadlines so the outcome changes spend, not just documentation.
- Rationalise duplicate apps by workflow purpose: Group applications by the business job they perform, then identify overlapping tools that create migration friction and collaboration issues. Retain only the platforms that are actually used in day-to-day workflows.
- Add roadmap fit to procurement criteria: Require product and business stakeholders to explain how a SaaS app will support next-year workflow, reporting, or automation needs before approving higher-cost tiers. Treat roadmap fit as part of entitlement strategy, not a separate buying step.
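As an added example (not code from Zluri's article or from the NHIMG team), the following Python sketch applies the review steps above to a constructed entitlement export: it derives a remove/downgrade/retain disposition from last-access evidence and tier fit, flags seats with no named owner as a governance exception, and marks those that must be decided before the renewal date. The tier ladder, feature allowances, 90-day dormancy threshold and sample rows are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical tier ladder, cheapest first, with the number of paid features each unlocks.
TIERS = [("basic", 3), ("standard", 6), ("enterprise", 12)]

@dataclass
class Entitlement:
    user: str
    app: str
    tier: str
    owner: Optional[str]          # named business owner; None is a governance gap
    last_access: Optional[date]   # None means the seat was never used
    features_used: int            # distinct paid features the user actually exercised
    renewal: date                 # contract renewal date for this subscription

def recommend(e: Entitlement, today: date, dormant_days: int = 90) -> dict:
    """Turn one entitlement plus its usage evidence into a renewal disposition."""
    idle = None if e.last_access is None else (today - e.last_access).days
    if idle is None or idle > dormant_days:
        action, why = "remove", "dormant seat: no access within the review window"
    else:
        action, why = "retain", "active and current tier matches observed usage"
        current = [name for name, _ in TIERS].index(e.tier)
        # Cheapest lower tier whose feature allowance still covers what is actually used.
        for lower, allowance in TIERS[:current]:
            if e.features_used <= allowance:
                action, why = "downgrade", f"uses {e.features_used} features; '{lower}' suffices"
                break
    return {
        "user": e.user, "app": e.app, "action": action, "reason": why,
        "owner_gap": e.owner is None,             # flag for the access review, not finance
        "due": (e.renewal - today).days <= 30,    # decide before the contract auto-renews
    }

def review(entitlements, today):
    """Run the disposition over a whole entitlement export."""
    return [recommend(e, today) for e in entitlements]

# Constructed sample: one never-used seat, one over-tiered seat with no owner, one healthy seat.
TODAY = date(2025, 6, 26)
SAMPLE = [
    Entitlement("alice", "Camtasia Studio", "enterprise", "media-team", None, 0, date(2025, 7, 10)),
    Entitlement("bob", "app-b", "enterprise", None, date(2025, 6, 20), 5, date(2025, 12, 1)),
    Entitlement("carol", "app-b", "standard", "it-ops", date(2025, 6, 25), 6, date(2025, 7, 1)),
]
```

Feeding a real SaaS management export into `review` gives the evidence trail the renewal decision should rest on; the `owner_gap` flag is the item to route to the access review rather than to finance.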
Key takeaways
- SaaS license optimisation is a governance discipline because wasted subscriptions usually reflect weak ownership and poor entitlement visibility.
- ROSS is useful when it helps teams compare value, usage, and roadmap fit, but it only works if access data is accurate enough to drive decisions.
- Identity teams should treat renewal, recertification, and offboarding as one control loop so dormant SaaS access does not persist after business need ends.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | SaaS entitlement sprawl is an access control and review problem. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Unused SaaS access mirrors lifecycle failures seen in non-human identity governance. |
| NIST Zero Trust (SP 800-207) | AC-2 | Zero Trust expects continuous verification, which SaaS sprawl often undermines. |
Reconcile SaaS access with least-privilege principles and eliminate standing access where possible.
Key terms
- Subscription wastage: Subscription wastage is the gap between what an organisation pays for and what people actually use. In practice it appears as idle seats, over-tiered plans, or duplicated tools. It is a governance signal because wasted spend often indicates weak ownership, poor review cadence, or unclear business need.
- Latent value: Latent value is the usable business capability hidden inside a software product’s workflows, integrations, automation, and reporting. If that capability is not adopted, the organisation pays for potential rather than outcomes. Identity and access governance shape how easily users can safely reach and use that value.
- Application rationalisation: Application rationalisation is the process of reducing a software portfolio by keeping tools that deliver unique value and retiring overlapping ones. For identity teams, it is closely tied to entitlement cleanup because applications cannot be rationalised cleanly if access records, ownership, and usage data are incomplete.
- Entitlement lifecycle: The entitlement lifecycle covers how access is granted, reviewed, modified, and removed over time. In SaaS environments, this includes subscription assignment, tier changes, recertification, and offboarding. If the lifecycle is weak, access can persist after the business need ends, creating cost and security exposure.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: SaaS Management Software License Optimization: How to Maximize Your ROSS. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org