By NHI Mgmt Group Editorial Team
Published 2025-09-22
Domain: Governance & Risk
Source: Zluri

TL;DR: Manual SaaS tracking works only for very small environments, but spreadsheet-based records quickly become inaccurate as app counts, ownership, renewals, and license details grow, according to Zluri. The governance gap is that spreadsheets cannot surface unapproved apps or automate discovery, so visibility and control fall behind business growth.


At a glance

What this is: A summary of a Zluri article on SaaS tracking templates, showing why spreadsheet-based app records become unreliable as SaaS estates grow and why discovery automation becomes necessary.

Why it matters: It matters because unmanaged SaaS creates identity, access, and governance blind spots that affect NHI, human access, and lifecycle control across the stack.



Context

SaaS tracking becomes an identity governance problem once app inventories stop being trustworthy. When records live in spreadsheets, ownership, renewal timing, license assignment, and app usage drift apart, which means security and finance teams are making decisions from incomplete data rather than a current control plane.

That gap matters because SaaS estates are part of the wider access surface. Unapproved applications, abandoned subscriptions, and stale ownership records create governance blind spots that affect human access reviews, service-account oversight, and lifecycle cleanup across the organisation.


Key questions

Q: How should security teams manage SaaS app inventory as the business grows?

A: They should replace manual spreadsheets with an authoritative inventory built from SSO, spend, and endpoint signals. That gives security and IT one view of ownership, renewals, and app usage, which is necessary for access reviews, offboarding, and rationalisation. Without that control, shadow apps and stale access records keep accumulating.

Q: Why do spreadsheets fail as a SaaS governance control?

A: Because they are static, manual, and easy to drift from reality. They do not discover unapproved apps, they do not update themselves when usage changes, and they rarely keep pace with ownership changes or renewals. As a result, they create a false sense of control while the actual SaaS surface expands.

Q: What breaks when SaaS ownership is not assigned clearly?

A: Renewal decisions, access reviews, and cleanup tasks all lose accountability. If no one owns the app, unused licences remain active, abandoned tools stay live, and governance teams cannot determine who should approve changes. That makes ownership metadata a core control, not a nice-to-have field in a register.

Q: What should organisations do when they find duplicate or abandoned SaaS apps?

A: They should rationalise the portfolio before the next renewal cycle and remove any access paths that are no longer needed. The fastest gains usually come from eliminating duplicate tools, retiring unused apps, and checking that any remaining subscriptions still have a real business owner.


Technical breakdown

Why spreadsheet SaaS tracking fails at scale

A spreadsheet is a static inventory, not a control system. It depends on manual entry, periodic updates, and human diligence, so it cannot keep pace with app churn, department changes, or unplanned procurement. Once those records fragment, the organisation loses reliable answers on who owns an app, whether it is still used, and when renewal decisions are due. That is a governance failure, not just an admin inconvenience. Practical implication: treat spreadsheets as an onboarding tool only, then move authoritative SaaS records into an automated discovery and review process.


How SaaS discovery connects to identity and access governance

SaaS discovery is really about controlling the identities that touch each application. SSO logs, spend data, desktop agents, and browser telemetry each reveal different parts of the same picture: which apps exist, who uses them, and whether the access is sanctioned. That linkage matters because app ownership, license assignment, and user entitlements all need the same source of truth. Without it, access reviews become incomplete and offboarding misses shadow subscriptions. Practical implication: connect SaaS inventory to identity, finance, and endpoint signals before you attempt renewal or access certification.


Why abandoned apps become security and cost risk

Unused and duplicated applications create two forms of exposure. First, they waste spend through wrong-tier licensing and renewals that no one challenged. Second, they leave dormant access paths behind, especially when employees leave or teams change tools without formal offboarding. In identity terms, this is privilege persistence at the application layer. The longer an app remains unmanaged, the harder it becomes to prove whether its users, tokens, and ownership are still valid. Practical implication: pair application rationalisation with access cleanup so cost control and security control happen together.



NHI Mgmt Group analysis

Spreadsheet-based SaaS tracking is a governance stopgap, not a durable control. It can record what a team knows at a point in time, but it cannot continuously reconcile app usage, ownership, renewals, and access state. That means the record becomes stale precisely when the environment starts to matter most. Practitioners should treat manual SaaS registers as temporary scaffolding, not as an identity governance source of truth.

Identity governance now extends to the SaaS layer, not just accounts and directories. When application sprawl grows, the control question is no longer only who has an account, but which tools exist, who sponsors them, and whether their access paths are still legitimate. That makes SaaS inventory part of the access lifecycle, alongside joiner-mover-leaver processes and certification cycles. Teams that ignore the application layer miss the place where access often becomes unmanaged.

App discovery creates the condition for rational access decisions. You cannot certify, revoke, or renew access credibly if the application itself is missing from the register or mapped to the wrong owner. Discovery, usage data, and ownership metadata have to align before lifecycle decisions are defensible. The practical conclusion is simple: better inventory is the prerequisite for better governance.

Duplicate, unused, and abandoned apps form a hidden identity blast radius. Each one expands the number of places where stale access, orphaned accounts, and renewal overspend can persist. That blast radius is not theoretical, because SaaS sprawl increases both operational waste and the number of unmanaged access paths. Practitioners should measure SaaS rationalisation as a governance metric, not just a cost-saving exercise.

What this signals

Identity blast radius: as SaaS estates grow, the real risk is not just cost leakage but the number of unmanaged access paths that remain outside review. Organisations that can only track apps in spreadsheets will struggle to align lifecycle events, ownership changes, and entitlement cleanup across the same control process.

Zluri's near 100% discovery claim points to the direction the market is moving, but practitioners should focus on whether their own operating model can turn discovery into governance action. The next step is not more inventory for its own sake, but inventory that feeds certification, renewal, and offboarding decisions.

For teams building that operating model, the NIST Cybersecurity Framework 2.0 remains a useful structure for connecting govern, identify, protect, detect, respond, and recover activities around the SaaS surface.


For practitioners

  • Establish a single authoritative SaaS inventory. Combine SSO, expense, browser, and desktop signals so app records do not depend on manual spreadsheet updates. Use the inventory as the starting point for ownership, renewal, and access decisions.
  • Tie every SaaS app to an accountable owner. Require one named business owner and one technical steward for each application. If ownership cannot be assigned, the app should be flagged for review before renewal or access certification.
  • Reconcile renewals against actual usage. Check whether the app is actively used before any renewal discussion. Focus first on duplicate, unused, and abandoned apps because those are the fastest path to wasted spend and stale access.
  • Fold SaaS offboarding into identity lifecycle processes. When users leave or move teams, verify that their app access, subscriptions, and assigned ownership records are removed together. Treat app offboarding as part of the same lifecycle event as account deprovisioning.

Key takeaways

  • Spreadsheet SaaS tracking breaks down because it cannot keep identity, ownership, and renewal data aligned as app sprawl grows.
  • The governance problem is not only wasted spend. It is also stale access, abandoned tools, and incomplete visibility into the application surface.
  • The practical answer is an authoritative SaaS inventory tied to lifecycle control, renewal decisions, and access cleanup.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Inventory drift and unmanaged app access often correlate with weak lifecycle control.
NIST CSF 2.0 | ID.AM-02 (inventories of software, services and systems) | SaaS tracking depends on maintaining an accurate inventory of applications and services, not only hardware.
NIST Zero Trust (SP 800-207) | Least-privilege and continual-verification tenets; NIST CSF PR.AC-4 (CSF 1.1; PR.AA-05 in CSF 2.0) | SaaS sprawl creates access decisions that need continual verification and least privilege. Note that PR.AC-4 is a CSF subcategory, not an SP 800-207 identifier; SP 800-207 states zero trust tenets rather than numbered controls.

Tie SaaS discovery to ownership and lifecycle review so unmanaged access is removed before renewal.


Key terms

  • SaaS Inventory: A SaaS inventory is the authoritative record of which cloud applications an organisation uses, who owns them, and how they are accessed. In mature governance, it is more than a list because it supports renewal, certification, offboarding, and security review decisions.
  • Application Ownership: Application ownership is the assignment of clear accountability for an application’s business use, technical maintenance, and governance decisions. Without a named owner, renewals stall, access reviews lose authority, and abandoned tools remain active longer than they should.
  • Shadow IT: Shadow IT is software or services adopted outside approved procurement or governance processes. It creates control gaps because the organisation may not know the application exists, who uses it, or what data and identities it can expose.
  • Lifecycle Offboarding: Lifecycle offboarding is the process of removing an application, subscription, or identity relationship when it is no longer needed. For SaaS, it includes revoking access, closing renewals, and updating ownership records so stale entitlements do not persist.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: SaaS Management SaaS Tracking Template: Keep Track of Your SaaS Apps. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org