TL;DR: Fast-growing SaaS teams can create identity sprawl faster than they can govern it, leaving API keys, service accounts, and vendor access active long after they should be removed, according to Unosecur. The real risk is not growth itself but identity control that cannot keep pace with continuous change.
NHIMG editorial — based on content published by Unosecur: Scaling safely, how to grow your teams and tech without growing your risk
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: What breaks when API keys are left active after a project ends?
A: When API keys remain active after their original purpose ends, they become reusable entry points for attackers.
Q: Why do service accounts and API keys increase lateral movement risk?
A: Service accounts and API keys increase lateral movement risk when they carry more privilege than their current task requires or remain valid after staff, vendors, or systems change.
Q: How do security teams know if identity governance is actually working?
A: Identity governance is working when credentials are discoverable, revocable, and rotated on a schedule that matches their real use.
Practitioner guidance
- Inventory every live credential path: Build a single view of API keys, service accounts, vendor tokens, and other machine credentials across code, cloud, and CI/CD systems.
- Automate revocation on ownership change: Trigger key revocation when code is archived, a project ends, or an integration is retired.
- Reduce standing permissions before growth adds more: Review service accounts and vendor integrations for permissions that exceed current use.
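As an added illustration of the three guidance items above (example code, not from Unosecur or NHIMG), this Python sketch runs a governance review over a constructed credential inventory: it flags credentials whose owner or project is gone, that are past their rotation schedule or unused for a full interval, and that carry permissions never exercised. The record schema, sample names and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed inventory schema (assumption, not Unosecur's): one record per
# machine credential, joined from code/CI scans, cloud IAM and the vendor list.
@dataclass
class Credential:
    name: str
    kind: str               # "api_key" | "service_account" | "vendor_token"
    owner_active: bool      # owning person or integration still present
    project_active: bool    # repo/project not archived or retired
    granted: set            # permissions attached to the credential
    used: set               # permissions seen in audit logs
    last_used: date
    last_rotated: date
    rotate_every_days: int  # schedule agreed for this credential's real use

def review(creds, today):
    """Map credential name -> list of findings from the three guidance items."""
    findings = {}
    for c in creds:
        issues = []
        if not c.owner_active or not c.project_active:      # ownership change
            issues.append("revoke: owner or project no longer active")
        if (today - c.last_rotated).days > c.rotate_every_days:
            issues.append("rotate: past rotation interval")
        if (today - c.last_used).days > c.rotate_every_days:  # stale but live
            issues.append("disable: unused for a full rotation interval")
        excess = c.granted - c.used                           # standing access
        if excess:
            issues.append("trim: unused permissions " + ", ".join(sorted(excess)))
        if issues:
            findings[c.name] = issues
    return findings

# Constructed sample inventory; names and dates are illustrative only.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Credential("billing-sync-key", "api_key", False, True,
               {"invoices:read", "invoices:write"}, {"invoices:read"},
               date(2024, 5, 30), date(2024, 3, 1), 90),
    Credential("ci-deployer", "service_account", True, True,
               {"deploy"}, {"deploy"}, date(2024, 5, 31), date(2024, 5, 1), 90),
    Credential("vendor-analytics", "vendor_token", True, False,
               {"events:read"}, set(), date(2023, 11, 1), date(2023, 11, 1), 180),
]

def report():
    return review(SAMPLE, TODAY)
```

A credential that is discoverable but produces no findings (here `ci-deployer`) is the state the Q&A above describes as governance working.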
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- A practical walkthrough of how to structure continuous identity discovery across hybrid, multi-cloud, and on-prem environments.
- Implementation detail on no-code access governance and just-in-time access approvals for business owners.
- Examples of how to align identity controls with compliance reporting for ISO 27001, SOC 2, PCI DSS 4.0, and GDPR.
- The article's full set of operational recommendations for teams scaling cloud and SaaS access.
Read Unosecur's blog on scaling identity security without growing risk.
Identity sprawl in fast-growing SaaS teams: where do controls fail?