TL;DR: SaaS sprawl creates redundant applications, unmanaged access, surprise renewals, and shadow apps that weaken security and inflate cost, according to Zluri. The governance problem is not just tool count, but the lack of visibility, ownership, and offboarding discipline across SaaS access.
At a glance
What this is: This is an analysis of the symptoms of an unoptimized SaaS stack and the operational controls needed to reduce sprawl, cost leakage, and access risk.
Why it matters: It matters because SaaS sprawl is an identity governance problem as much as a procurement problem, affecting NHI, human access, and lifecycle controls across the estate.
By the numbers:
- 69% of workers waste 32 days per year just navigating workplace applications.
- 71% of millennials have admitted to using unapproved apps at least a few times a year.
- 51% of the applications that use JavaScript have at least one vulnerability.
👉 Read Zluri's analysis of symptoms of an unoptimized SaaS stack
Context
SaaS stack sprawl is what happens when application choice, access, and renewal decisions are distributed across users without enough central visibility. The result is not just wasted spend. It is a fragmented identity surface where IT cannot reliably see which apps exist, who has access, or whether access is still justified.
For IAM teams, the governance issue is broader than software procurement. Unreviewed SaaS subscriptions create offboarding gaps, unowned access, and shadow application risk that cuts across human access management and workload-style credentials stored inside apps and integrations.
Key questions
Q: What breaks when SaaS applications are not centrally inventoried?
A: When SaaS applications are not centrally inventoried, organisations lose the ability to connect access to ownership, data location, and lifecycle state. That means offboarding, recertification, and renewal controls become partial, because teams cannot confidently revoke access or retire unused subscriptions. The result is hidden exposure, duplicate spend, and weak audit evidence.
Q: Why do shadow apps create both security and compliance risk?
A: Shadow apps create security and compliance risk because they sit outside approved procurement, monitoring, and lifecycle processes. Sensitive data may be stored in tools no one has assessed, while user access may persist after a role change or departure. Without visibility, organisations cannot prove control over who can reach what.
Q: How can security teams know if SaaS access reviews are working?
A: Access reviews are working only if the organisation can verify the full app inventory, the owner for each app, the current users, and the data exposure. If reviewers are relying on self-reported lists or partial records, the process is producing paperwork rather than control. A clean inventory is the strongest success signal.
Q: Who should own SaaS app lifecycle decisions when business units self-procure tools?
A: Business units should own the business justification, but IAM and IT should own the control framework that governs access, offboarding, and renewal. That split prevents uncontrolled procurement while still keeping accountability close to the users who rely on the tool. A named owner should be mandatory before approval or renewal.
Technical breakdown
Why SaaS sprawl becomes an access governance problem
SaaS sprawl turns application inventory into an identity problem because every subscription introduces users, permissions, tokens, and renewal obligations. When those objects are scattered across departments, central IT loses the ability to verify ownership or revoke access cleanly. The article's examples of abandoned apps, wrong-tier licenses, and unused seats all point to the same mechanism: access persists after business need has changed. That creates both waste and exposure, especially when ex-employees or untracked app owners still hold valid access paths.
Practical implication: map every SaaS app to an owner, an access path, and a revocation process before treating it as approved.
How shadow apps and unrevoked licenses widen the attack surface
Shadow apps bypass standard procurement and review controls, so they also bypass the checks that normally support access governance. Once users self-procure tools, IT may not know where sensitive data resides or which accounts can reach it. The article also ties unrevoked licenses to post-employment access, which is a classic lifecycle failure. In practice, the dangerous part is not just the app itself, but the combination of hidden identity, unmonitored use, and delayed offboarding.
Practical implication: tie offboarding and access review to SaaS discovery, not just HR termination events.
Standardisation and integration as control-plane discipline
Standardising sanctioned tools and integrating them into a managed workflow reduces duplicate apps, data silos, and unclear ownership. In identity terms, that means fewer uncontrolled access paths and more predictable lifecycle handling. The article's emphasis on automated procurement, onboarding, and offboarding reflects the need for a control plane that can see usage, route approvals, and remove access when business need ends. Without that discipline, renewals and entitlements drift away from governance.
Practical implication: treat standardisation, integration, and automated lifecycle actions as one governance control, not separate hygiene tasks.
Threat narrative
Attacker objective: The objective is to exploit unmanaged SaaS access and hidden application use to reach data, preserve persistence, or trigger avoidable loss through governance gaps.
- Entry occurs when employees self-procure SaaS applications outside the central IT process, creating unsanctioned accounts and invisible access paths.
- Credential and access abuse follows when unused licenses, hidden permissions, or stale accounts remain valid after a role change or departure.
- Impact shows up as shadow IT exposure, data residency blind spots, compliance failure, and avoidable SaaS overspending.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Unoptimized SaaS stacks are identity governance failures before they are cost problems. The article describes redundant apps, abandoned subscriptions, and surprise renewals, but the deeper issue is that access becomes detached from ownership. Once app choice is decentralised, IAM loses a reliable record of who should have access, who approved it, and when it should end. That is why SaaS sprawl should be treated as part of the identity control surface, not as a procurement nuisance.
Shadow SaaS creates a lifecycle gap that standard onboarding and offboarding processes do not close. The article notes that employees buy unsanctioned tools and sometimes keep using them after leaving or changing roles. That breaks the assumption that access exists only in known systems with known owners. The implication is that lifecycle governance must start with discovery, because you cannot revoke what you cannot see.
Access reviews lose value when the application inventory is incomplete. Recertification only works when the reviewer can verify the app, the owner, the users, and the data exposure. In a sprawl-heavy SaaS estate, certifications become partial and stale, which means they provide comfort without control. Practitioners should interpret this as a warning that auditability depends on inventory quality first, not review cadence alone.
Standardising the sanctioned SaaS stack is a form of identity blast-radius reduction. Reducing duplicate apps and consolidating integrations does more than save money. It narrows the number of places where credentials, sessions, and data can drift outside governance. In NIST CSF terms, it strengthens identify and protect functions by making the estate legible enough to control.
Shadow app lifecycle debt: this article describes the accumulation of uncancelled subscriptions, unseen access, and unmanaged renewals that outlive the business need for the app. That debt compounds because each unmanaged app adds another offboarding path, another data location, and another renewal obligation. Practitioners should treat it as a structural control deficit, not an isolated admin issue.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance starts from incomplete inventory.
- For a broader view of lifecycle and offboarding controls, see NHI Lifecycle Management Guide.
What this signals
Shadow app lifecycle debt: SaaS sprawl behaves like identity debt because every unmanaged subscription creates a future offboarding, audit, and renewal obligation. Teams that do not connect procurement signals to lifecycle governance will keep paying for hidden risk after the business need has disappeared.
The practical signal is not just the number of apps. It is whether discovery, owner assignment, and access revocation happen as one workflow. When those steps are split across finance, IT, and departments, governance slows down enough for shadow IT to become normal.
Organisations that want cleaner SaaS control should pair inventory work with established guidance such as the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10, because app sprawl and unmanaged credentials usually fail together.
For practitioners
- Build a complete SaaS inventory first: Inventory every application, the business owner, the access method, the data it touches, and the renewal date. Tie that list to HR, finance, and SSO data so discovery is continuous rather than periodic.
- Make offboarding remove SaaS access by default: Automate license suspension, account deprovisioning, and app-specific revocation when a worker leaves or changes roles. Do not rely on managers to remember manual cleanup for each tool.
- Eliminate duplicate tools through sanctioned standardisation: Approve a small set of preferred collaboration and business apps, then retire overlapping subscriptions where users have created parallel stacks for the same use case.
- Review app ownership on every renewal cycle: Require a named owner to confirm need, usage, data sensitivity, and access scope before any auto-renewal proceeds. If ownership is unclear, block the renewal until it is resolved.
- Track shadow apps as a governance signal: Treat unapproved procurement and browser-discovered SaaS use as a control finding, not an IT inconvenience. Feed those signals into access review, procurement, and training workflows.
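As an added illustration, not code from Zluri or from NHIMG, the Python below performs the reconciliation those steps describe: it joins app seats discovered through SSO or admin consoles against the HR roster and the SaaS inventory, then flags access that outlived employment, seats with no matching worker, apps missing from the inventory, unused paid seats, and upcoming renewals with no named owner. All names, dates, thresholds and app data are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample data, not taken from the post: an HR roster, seats reported by
# each app's admin console or SSO logs, and the SaaS inventory with owner and renewal.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated"},
    "carol": {"status": "active"},
}
APP_SEATS = [
    {"app": "notetool", "user": "alice", "last_login": date(2025, 6, 20)},
    {"app": "notetool", "user": "bob", "last_login": date(2025, 5, 28)},
    {"app": "designhub", "user": "carol", "last_login": date(2025, 3, 1)},
    {"app": "designhub", "user": "dave", "last_login": date(2025, 6, 1)},
    {"app": "quickpoll", "user": "carol", "last_login": date(2025, 6, 25)},
]
SAAS_INVENTORY = {
    "notetool": {"owner": "alice", "renews": date(2025, 7, 15)},
    "designhub": {"owner": None, "renews": date(2025, 7, 1)},
}


def review_saas_access(today, hr, seats, inventory, stale_days=60, renewal_window=30):
    """Return (finding, app, user) tuples; each one is a revocation or ownership action."""
    findings = []
    for seat in seats:
        app, user = seat["app"], seat["user"]
        if app not in inventory:  # discovered in SSO/browser data, never inventoried
            findings.append(("shadow_app", app, user))
        person = hr.get(user)
        if person is None:  # account with no matching worker record
            findings.append(("unknown_identity", app, user))
        elif person["status"] == "terminated":  # offboarding did not reach this app
            findings.append(("access_after_departure", app, user))
        elif (today - seat["last_login"]).days > stale_days:  # paid seat, no usage
            findings.append(("stale_seat", app, user))
    for app, meta in inventory.items():  # hold auto-renewal until an owner confirms need
        if meta["owner"] is None and meta["renews"] - today <= timedelta(days=renewal_window):
            findings.append(("renewal_without_owner", app, None))
    return findings


def run_demo(today=date(2025, 6, 26)):
    return review_saas_access(today, HR_ROSTER, APP_SEATS, SAAS_INVENTORY)


if __name__ == "__main__":
    for kind, app, user in run_demo():
        print(f"{kind:24} {app:10} {user or '-'}")
```

Each finding type maps to one of the practitioner steps above, so the output can be routed straight into offboarding, procurement review, or renewal hold workflows rather than a spreadsheet.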
Key takeaways
- SaaS sprawl is an identity governance problem because unmanaged apps create unmanaged access, not just wasted spend.
- Visibility, ownership, and offboarding are the controls that determine whether shadow apps remain an annoyance or become a breach path.
- Standardising the approved stack and automating lifecycle actions are the fastest ways to reduce both SaaS waste and access risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Unrevoked SaaS access and stale subscriptions map to credential and lifecycle control failures. |
| NIST CSF 2.0 | PR.AC-1 | The article centers on who can access which apps and whether that access is still justified. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Reducing standing SaaS access supports continuous verification and least privilege. |
Inventory SaaS identities and revoke unused access before each renewal or offboarding event.
Key terms
- SaaS Stack Sprawl: The uncontrolled growth of overlapping or unmonitored SaaS applications across a business. It creates duplicate spending, inconsistent access controls, and hidden data locations, which makes identity governance harder because the estate becomes difficult to inventory and review.
- Shadow App: A software application adopted outside approved IT or procurement processes. Shadow apps are risky because they bypass standard identity, security, and compliance controls, making it difficult to know who has access, where data lives, or when access should end.
- Lifecycle Offboarding: The process of removing a user or account's access when the business relationship ends or changes. In SaaS environments, offboarding must include app-specific revocation, license removal, and verification that no valid access remains after departure or reassignment.
- Access Ownership: The assignment of clear accountability for who approves, reviews, and retires access to an application. In SaaS governance, ownership is what turns an app from an uncontrolled subscription into a managed service with an accountable control point.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: SaaS Management Symptoms of an Unoptimized SaaS Stack (+ Solutions). Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org