TL;DR: Identity governance is being used to cut SaaS waste by pairing access certification, deprovisioning, and real-time usage data, while Gartner cited a market approaching $205 billion in 2024 and estimated that 25% of SaaS spending is underutilized. The real issue is not just cost control but whether governance can remove excess access without creating operational friction.
At a glance
What this is: This piece argues that identity governance can be used to rationalise SaaS spend by identifying inactive users, certifying access, and simplifying deprovisioning.
Why it matters: For IAM and NHI practitioners, it shows how access governance can serve both least privilege and cost control when licence waste and over-access overlap.
By the numbers:
- Gartner Research expects the SaaS market to reach nearly $205 billion in 2024, up from $105.6 billion in 2020.
- Gartner estimated that 25% of SaaS spending is underutilized.
Context
Identity governance often gets framed as an audit and compliance control, but the operational gap is broader: many organisations do not know which accounts are actively using SaaS licences, which are idle, and which still hold access they no longer need. That creates both cost leakage and avoidable privilege exposure. For IAM teams, software rationalisation is therefore a governance problem as much as a procurement problem.
The article uses Okta Identity Governance as the source example, but the underlying issue is generalisable. If access data can drive deprovisioning, certification, and request workflows, then licence management becomes a recurring control loop rather than a one-time cleanup exercise. That is a familiar pattern in mature identity programmes, and it is increasingly relevant as SaaS estates expand faster than review capacity.
Key questions
Q: How should teams reduce SaaS licence waste without breaking access for users who still need it?
A: Use access certification and ownership-based review to decide whether a licence is truly unnecessary. Combine that with automated deprovisioning for clearly inactive accounts and a quick access request path for legitimate exceptions. The goal is to remove standing waste while preserving a controlled way to restore access when business needs change.
Q: When does software rationalisation become an IAM issue instead of just a procurement issue?
A: It becomes an IAM issue when licence waste reflects unmanaged entitlements, dormant accounts, or poor lifecycle controls. At that point, the problem is not only paying for unused software. It is also that access persists without evidence of need, which increases governance risk and weakens least privilege.
Q: What is the difference between deprovisioning and access certification in SaaS governance?
A: Deprovisioning removes access, while access certification asks an authorised reviewer whether access should remain. Deprovisioning is an execution control, and certification is a decision control. Strong programmes use both: certification to validate need, and deprovisioning to enforce the result quickly and consistently.
Q: How can security teams keep least privilege from hurting productivity?
A: They should combine removal controls with a fast, justified request process. If users can request access, explain why they need it, and receive a timely decision, they are less likely to look for workarounds. Least privilege works best when governance is visible, predictable, and responsive.
Technical breakdown
How access certification supports software rationalisation
Access certification is a governance control that pushes retain or revoke decisions to the people most likely to understand the business need. In practice, it uses context from app usage, ownership, and role assignment to decide whether a licence should remain assigned. That matters because inactive does not always mean unnecessary, and blind deprovisioning can break work. The technical value is in turning usage data into a reviewable decision record, which supports both least privilege and auditability.
Practical implication: Use certification campaigns to remove stale access without forcing IT to guess at business context.
Why real-time access data matters for SaaS licence management
SaaS rationalisation depends on visibility into current access patterns, not just directory membership or purchase records. Real-time or near-real-time usage data helps distinguish active users from dormant ones and gives governance workflows a factual basis for action. Without that data, teams either over-retain licences or remove them too aggressively. The mechanism is simple: observe access, classify inactivity, then route the result into an approval or deprovisioning workflow.
Practical implication: Connect usage telemetry to governance actions before trying to reclaim licences at scale.
How automated deprovisioning and access requests reduce friction
Automated deprovisioning removes unused access quickly, while access requests create a controlled path for re-entry when the access is still needed. Those two controls work together. One reduces standing access, the other prevents business users from bypassing governance because the process is too slow. In identity terms, this is about preserving productivity while shrinking the window in which excess access persists. The strongest programmes make the review and re-request cycle predictable.
Practical implication: Pair removal workflows with fast access requests so least privilege does not become a shadow IT problem.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Software rationalisation is becoming an identity governance use case, not just a finance exercise. The article makes a practical case that licence waste and access waste often sit in the same place. That means IAM teams can no longer treat cost recovery as separate from entitlement hygiene. When the same governance motion can reduce spend and tighten access, the programme should be run as a shared control objective.
Usage-based governance creates a better decision model than static entitlement reviews. A licence that is assigned but unused is not automatically safe to remove, but it is a strong indicator that the entitlement deserves scrutiny. The discipline here is to use evidence, not assumptions, before changing access. Practitioners should expect this model to improve precision in review campaigns and reduce the number of purely manual decisions.
Least privilege and software cost control now reinforce each other. That is the main structural insight in the piece. If organisations can tie access telemetry to deprovisioning and certification, they gain a repeatable way to reduce standing privilege across SaaS applications. The governance lesson is straightforward: identity programmes should measure licence recovery as a security outcome, not only a savings metric.
Inactive-user discovery should be treated as an entitlement lifecycle control. The named concept here is the access waste loop: access is granted, not used, remains active, and keeps consuming both budget and risk capacity. Closing that loop requires lifecycle ownership, not periodic cleanup projects. Practitioners should build this into their identity operating model rather than relying on quarterly reviews alone.
From our research:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.
- 53% of security leaders expect AI to run major portions of their infrastructure autonomously within the next three years, according to the 2026 Infrastructure Identity Survey.
- For teams building the next control layer, Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs connects governance, provisioning, rotation, and offboarding into one operating model.
What this signals
The access-review pattern in this article points to a larger shift: identity governance is moving from periodic reconciliation to continuous entitlement management. That shift becomes more urgent as agentic systems enter the same operational stack, because static access decisions do not scale cleanly across human users, services, and autonomous software. With 69% of security leaders saying identity management must fundamentally shift to address agentic AI systems, per the 2026 Infrastructure Identity Survey, the governance model is already under pressure.
Access waste loop: organisations should treat unused SaaS access as a lifecycle signal, not only a cost anomaly. The practical next step is to align recertification, deprovisioning, and request workflows so stale access is removed and legitimate exceptions are restored quickly. Teams that operationalise that loop will reduce both entitlement sprawl and review fatigue.
For practitioners
- Map SaaS entitlement ownership to business reviewers: assign managers or application owners to certify inactive access so revoke decisions reflect business context, not just raw inactivity.
- Automate inactive-user discovery across major apps: use access telemetry and workflow automation to flag dormant accounts, group them for review, and route them into certification or deprovisioning queues.
- Pair revocation with fast access requests: keep a low-friction request path in place so users can regain legitimate access without bypassing governance controls.
- Track reclaimed licences as both savings and risk reduction: report on licences recovered, stale entitlements removed, and over-permissioning reduced so finance and security can evaluate the same control from different angles.
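The observe, classify, route mechanism from the technical breakdown and the four practitioner steps above, worked through as an added example (not Okta's code or the article's): a small Python model of the access waste loop that classifies entitlements from usage telemetry, routes dormant ones to owner-based certification or automated deprovisioning, reports reclaimed licences as both savings and risk reduction, and keeps a justified re-request path. The entitlement rows, the thresholds (30 days to certification, 90 days to revocation), the owner names and the costs are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample telemetry (not from the page): entitlement, certifying owner, last use, monthly cost.
TODAY = date(2024, 8, 14)
ENTITLEMENTS = [
    {"user": "alice", "app": "crm", "owner": "sales-mgr", "last_used": date(2024, 8, 10), "cost": 80},
    {"user": "bob", "app": "crm", "owner": "sales-mgr", "last_used": date(2024, 6, 30), "cost": 80},
    {"user": "carol", "app": "design", "owner": "design-lead", "last_used": None, "cost": 55},
    {"user": "dave", "app": "design", "owner": "design-lead", "last_used": date(2024, 4, 1), "cost": 55},
    {"user": "erin", "app": "crm", "owner": None, "last_used": date(2024, 3, 2), "cost": 80},
]

def classify(ent, today=TODAY, certify_after=30, revoke_after=90):
    """Map usage evidence to retain / certify (owner decides) / revoke (clearly inactive)."""
    if ent["last_used"] is None:  # never used since assignment: clearly inactive
        return "revoke"
    idle_days = (today - ent["last_used"]).days
    if idle_days < certify_after:
        return "retain"
    return "certify" if idle_days < revoke_after else "revoke"

def route(entitlements, today=TODAY):
    """Per-owner certification queues plus an auto-deprovisioning list; rows with
    no mapped owner lack business context, so they go to an 'unassigned' queue."""
    queues, to_revoke = defaultdict(list), []
    for ent in entitlements:
        action = classify(ent, today)
        if action == "retain":
            continue
        if action == "certify" or ent["owner"] is None:
            queues[ent["owner"] or "unassigned"].append(ent)
        else:
            to_revoke.append(ent)
    return dict(queues), to_revoke

def report(revoked):
    """Reclaimed licences expressed as savings and as stale entitlements removed."""
    return {"licences_recovered": len(revoked),
            "monthly_savings": sum(e["cost"] for e in revoked),
            "stale_entitlements_removed": sorted((e["user"], e["app"]) for e in revoked)}

def request_access(revoked, user, app, justification, approver):
    """Controlled re-entry: restore only with a justification and a named approver."""
    for ent in revoked:
        if ent["user"] == user and ent["app"] == app and justification.strip():
            revoked.remove(ent)
            return {"user": user, "app": app, "approver": approver, "reason": justification}
    return None
```

The decision records returned by `route` and `request_access` are the reviewable evidence the certification campaign needs; in a real deployment the thresholds would come from policy and the rows from the identity provider's usage telemetry.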
Key takeaways
- Identity governance can lower SaaS spend only when it is tied to real usage, review, and removal workflows.
- Unused licences are also a governance signal, because dormant access often reveals stale entitlements and weak lifecycle controls.
- The most effective programmes combine certification, deprovisioning, and rapid access requests to preserve both least privilege and productivity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access reviews map directly to ongoing entitlement governance. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential and entitlement lifecycle control underpins the same governance loop. |
| NIST Zero Trust (SP 800-207) | AC-3 | Zero Trust reinforces continuous verification before access persists or is restored. |
Treat SaaS licence access as conditional and re-verify need before keeping standing entitlements.
Key terms
- Access Certification: Access certification is the process of asking an authorised reviewer to confirm whether an entitlement should remain in place. It turns access decisions into a documented governance control, which helps teams remove stale access without guessing at business need.
- Software Rationalisation: Software rationalisation is the practice of matching software licences and entitlements to actual business use. In identity programmes, it combines usage visibility, review, and deprovisioning so organisations can recover waste while reducing unnecessary access exposure.
- Entitlement Lifecycle: The entitlement lifecycle covers how access is created, reviewed, used, changed, and removed over time. Strong lifecycle control prevents old permissions from lingering after a role, project, or need has ended, which is essential for least privilege and audit readiness.
- Least Privilege: Least privilege means granting only the access needed to perform a task and no more. In SaaS environments, it depends on timely review and removal of dormant entitlements, not just on initial access design.
Deepen your knowledge
Software rationalisation and access certification are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building lifecycle controls that need to support both security and cost recovery, it is worth exploring.
This post draws on content published by Okta: software rationalization with Okta Identity Governance. Read the original.
Published by the NHIMG editorial team on 2024-08-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org