TL;DR: Manual spreadsheet audits cannot keep pace with hundreds of SaaS applications, leaving access reviews static, error-prone, and difficult to defend in compliance checks, according to JumpCloud. The real issue is that access governance has outgrown point-in-time processes, and identity teams need continuous visibility, not periodic reconstruction.
At a glance
What this is: This is an analysis of why spreadsheet-driven user access audits break down in sprawling SaaS environments and why automated identity governance is needed.
Why it matters: It matters because the same audit gaps that hide human access risk also weaken lifecycle control across NHI, autonomous, and human identity programmes.
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
Context
User access auditing is the process of checking who can reach which systems, data, and applications, then proving that access is still justified. In SaaS-heavy environments, that process fails when teams rely on spreadsheets to reconstruct permissions across dozens or hundreds of apps, because the result is always outdated before it is reviewed.
The governance gap is not just operational inefficiency. Manual review cycles create blind spots, weaken least privilege, and make compliance evidence fragile across IAM, IGA, and broader identity lifecycle management. The same pattern shows up across human access, service account governance, and emerging AI identity estates when review is periodic instead of continuous.
Key questions
Q: What breaks when user access audits stay in spreadsheets?
A: The review process becomes a stale snapshot instead of a live control. That means reviewers cannot reliably see current entitlements, prove timely revocation, or demonstrate least privilege across a fast-changing SaaS estate. Spreadsheets also increase the chance of omission and duplicate data, so the audit trail becomes harder to trust during compliance review.
Q: Why do SaaS environments make manual access reviews harder to govern?
A: SaaS estates fragment identity data across many applications, each with its own users, groups, and permission model. Manual review depends on exports and reconciliation, which cannot keep pace with constant changes. The more applications an organisation adds, the more the review process becomes a document-management exercise rather than a security control.
Q: How do teams know whether access review is actually working?
A: Look for evidence that approvals, removals, and exceptions are recorded in the same workflow and can be sampled later. If the team still needs separate spreadsheets to explain who approved what and when access was removed, the control is not working. Effective review should produce traceable, current, and repeatable evidence.
Q: Who should own access governance when SaaS sprawl is the problem?
A: Ownership should sit with the identity and security function, but the workflow must involve application owners and managers who can validate whether access is still needed. If governance lives only in IT administration, it turns into a reporting task instead of a business control. Shared accountability is what makes review decisions defensible.
Technical breakdown
Why spreadsheet-based access reviews fail in SaaS estates
Spreadsheet audits depend on exported snapshots from each application, followed by manual reconciliation across user lists, groups, and entitlement records. That workflow breaks because SaaS permissions are dynamic, identity data is fragmented, and human reviewers inevitably miss changes between exports. The result is not just slow reporting. It is a stale control surface that cannot reliably prove who had access at the moment risk mattered.
Practical implication: Move from exported snapshots to continuous entitlement collection across SaaS applications.
How unified identity platforms change least privilege enforcement
A unified identity platform creates a central view of identities and access rights, which matters because least privilege is only enforceable when permissions can be seen, compared, and removed in one place. In practice, the control is not the dashboard itself. It is the ability to correlate current role, app membership, and dormant access against policy at scale. That makes recertification and role-change handling far less dependent on manual effort.
Practical implication: Tie review results to revocation workflows so least privilege is enforced, not merely observed.
Why static access snapshots weaken compliance evidence
Compliance frameworks such as SOC 2 and ISO 27001 expect access controls to be demonstrable and repeatable, not reconstructed after the fact. A spreadsheet snapshot cannot show ongoing control effectiveness, only a point-in-time approximation. That matters because audit evidence has to withstand scrutiny over who approved access, when it was reviewed, and whether remediation actually happened.
Practical implication: Keep review trails, entitlement states, and remediation records in queryable systems rather than in isolated files.
NHI Mgmt Group analysis
Spreadsheet audits are a control illusion once SaaS sprawl crosses a certain threshold. The control still exists on paper, but it no longer produces trustworthy evidence because the data is already stale by the time the review is complete. That makes the failure one of governance visibility, not just administrative inconvenience. Practitioners should treat spreadsheet-based access review as an expired operating model, not a lighter-weight version of proper identity governance.
Access review is only meaningful when entitlement state and review state are linked in the same system of record. Manual cross-referencing separates the question of who has access from the question of whether that access was actually approved, recertified, or removed. Once those states diverge, the organisation can no longer prove least privilege at scale. The practitioner implication is to collapse review, approval, and remediation into one governed workflow.
Unified identity governance is now a SaaS control-plane problem, not a clerical one. The article correctly points to centralisation because the modern risk is distributed permissions drift across many applications, not a single privileged account failure. This is identity review drift: the longer a review cycle depends on exported snapshots, the more the control measures historical access rather than current access. Practitioners need to rethink whether their governance model measures compliance or merely documents delay.
This pattern affects human IAM first, but it also sets the baseline for NHI and agentic governance. If an organisation cannot reliably review and revoke human SaaS access, it will struggle even more with service accounts, API keys, and autonomous agents that change state faster than manual review cycles can observe. The broader implication is that lifecycle governance has to become event-driven across actor types, with controls designed around live entitlement state.
Least privilege remains the right principle, but manual audit mechanics make it aspirational instead of enforceable. The failure is not the policy goal. The failure is the inability of spreadsheet-era processes to keep permissions aligned with role changes, app sprawl, and offboarding at enterprise speed. Practitioners should read this as a signal that governance architecture, not policy wording, is where the risk now lives.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI, even as autonomous adoption accelerates across infrastructure and identity programmes.
- For the broader control model, see 52 NHI Breaches Analysis for recurring entitlement and lifecycle failure patterns that show why static review models break down.
What this signals
Identity review is shifting from periodic certification to continuous entitlement governance. Once SaaS sprawl passes a manageable scale, the practical question is no longer whether reviews happen, but whether they happen on live data and can drive revocation before risk compounds. Teams that still depend on spreadsheet exports will find that their control evidence lags the business by design.
With 72% of organisations reporting or suspecting non-human identity breaches in our research, the same governance weakness that affects human access review will increasingly matter for service accounts and AI-driven workflows as well. The control pattern has to move toward live entitlement state, event-driven lifecycle triggers, and provable remediation rather than after-the-fact reconstruction.
Identity review drift: a governance model can look compliant while its evidence is already obsolete. That is the deeper lesson here for IAM, IGA, and PAM leaders, because the next failure mode is not just missed access, but missed accountability across human and machine identities alike.
For practitioners
- Replace spreadsheet audits with governed entitlement workflows: Consolidate SaaS access data into a system that can continuously ingest current entitlements, route review tasks, and record remediation outcomes in one audit trail.
- Bind recertification to revocation execution: Do not stop at reviewer approval. Ensure removed access is automatically revoked from each SaaS app and that the change is logged as evidence for later audit sampling.
- Prioritise privileged and dormant access first: Focus review cycles on admin roles, shared accounts, and accounts with no recent use, because those are the entitlements most likely to persist unnoticed across SaaS sprawl.
- Use lifecycle events as audit triggers: Trigger access review when someone changes teams, leaves a function, or stops using an application, rather than waiting for a fixed spreadsheet cycle to catch the change.
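One way to implement the continuous, prioritised review that the technical breakdown and the practitioner steps describe, as an added Python example that is not part of the original post or of JumpCloud's product: it compares a constructed entitlement pull from each SaaS app against role policy and lifecycle state, flags role drift, offboarded users and dormant privileged access, and puts privileged and offboarded findings at the front of the review queue with a timestamped record. All user names, apps, role policy, dates and the 90-day dormancy threshold are assumptions.

```python
from datetime import date

# Constructed sample data (not from the page): the system of record for roles and
# lifecycle state, plus the latest entitlement pull from each SaaS application.
ROLE_POLICY = {  # role -> entitlements the role is allowed to hold
    "finance-analyst": {("billing-app", "viewer")},
    "platform-admin": {("billing-app", "admin"), ("crm", "admin")},
}
DIRECTORY = {  # user -> (current role, still employed?)
    "alice": ("finance-analyst", True),
    "bob": ("platform-admin", True),
    "carol": ("finance-analyst", False),  # offboarded, lifecycle event already fired
}
ENTITLEMENTS = [  # (user, app, app role, last sign-in), as collected from each app
    ("alice", "billing-app", "viewer", date(2025, 8, 1)),
    ("alice", "crm", "viewer", date(2025, 8, 5)),           # not granted by her role: drift
    ("bob", "billing-app", "admin", date(2025, 8, 9)),
    ("bob", "crm", "admin", date(2025, 1, 15)),             # privileged and unused: dormant
    ("carol", "billing-app", "viewer", date(2025, 7, 30)),  # survives offboarding
]
PRIVILEGED = {"admin", "owner"}
DORMANT_DAYS = 90  # assumed threshold for "no recent use"
TODAY = date(2025, 8, 10)


def review_entitlements(entitlements, directory, policy, today):
    """Compare live entitlements with role policy and lifecycle state; return
    findings highest priority first, each carrying reasons and a review date."""
    findings = []
    for user, app, app_role, last_used in entitlements:
        role, active = directory.get(user, (None, False))
        reasons = []
        if not active:
            reasons.append("lifecycle:offboarded")
        elif (app, app_role) not in policy.get(role, set()):
            reasons.append("drift:not-in-role-policy")
        if app_role in PRIVILEGED and (today - last_used).days > DORMANT_DAYS:
            reasons.append("dormant-privileged")
        if not reasons:
            continue  # current, justified, in use: nothing to recertify
        # Offboarded and privileged findings go to the front of the review queue.
        priority = 0 if not active or app_role in PRIVILEGED else 1
        findings.append({"user": user, "app": app, "role": app_role, "priority": priority,
                         "reasons": reasons, "proposed_action": "revoke",
                         "reviewed_on": today.isoformat()})
    return sorted(findings, key=lambda f: (f["priority"], f["user"]))


def run_review():
    return review_entitlements(ENTITLEMENTS, DIRECTORY, ROLE_POLICY, TODAY)
```

Each finding is the record a reviewer acts on and the evidence an auditor samples later, so the same structure can feed the revocation workflow and the audit trail.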
Key takeaways
- Spreadsheet-based user access audits do not scale in SaaS environments because they produce stale evidence, not live governance.
- The operational risk is not only administrative inefficiency, but also weaker least privilege enforcement and fragile compliance proof.
- Identity teams should move review, approval, and revocation into a single governed workflow that works off current entitlement state.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed and reviewed across SaaS apps. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Manual audits miss entitlement drift and stale credentials in identity estates. |
| NIST Zero Trust (SP 800-207) | AC-4 | Least privilege depends on continuous policy enforcement, not point-in-time exports. |
Apply zero trust enforcement to entitlement checks so access is validated continuously, not quarterly.
Key terms
- User access audit: A user access audit is the process of checking whether people still need the permissions they have and whether those permissions match policy. In mature programmes, it is not a spreadsheet exercise but a governed workflow that ties review, approval, and revocation together.
- Least privilege: Least privilege is the practice of granting only the minimum access needed for a task. In SaaS environments, it depends on current entitlement data, timely role-change handling, and provable removal of access that is no longer justified.
- Entitlement drift: Entitlement drift is the gap between the access a user should have and the access they actually retain over time. It grows when reviews are slow, offboarding is incomplete, or application ownership is fragmented across many systems.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity programme maturity, it is worth exploring.
This post draws on content published by JumpCloud: updated guidance on automating user access audits in SaaS environments. Read the original.
Published by the NHIMG editorial team on 2025-08-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org