SaaS catalog integrity: what IAM teams need to get right


(@nhi-mgmt-group)

TL;DR: Catalog quality and classification consistency shape SaaS governance, as shown by JumpCloud’s AI validation engine, which can process over 25,000 domains, reach 99.6% precision, and cut review time from more than a week for 500 domains to under an hour for 700. The governance lesson is simple: if your catalog cannot distinguish SaaS from consumer web properties, every downstream control inherits that error.

NHIMG editorial — based on content published by JumpCloud: AI-driven SaaS catalog validation and catalog integrity at scale

By the numbers:

Questions worth separating out

Q: How should security teams prevent consumer websites from entering a SaaS catalog?

A: Security teams should define exclusion criteria as strictly as inclusion criteria, then enforce those rules in the discovery pipeline before a domain becomes a managed application.

Q: Why does SaaS catalog accuracy matter for IAM and governance teams?

A: Because the catalog drives downstream policy, licensing, and user governance, any misclassification spreads into the controls built on top of it.

Q: What is the best way to validate AI-assisted application discovery?

A: Use a curated set of manually confirmed domains and compare model output against it on a continuous basis.

Practitioner guidance

  • Define inclusion and exclusion rules before scaling discovery. Write explicit criteria for what qualifies as SaaS and what must be rejected, then encode those rules into the validation workflow so every candidate is judged against the same boundary.
  • Separate managed applications from consumer web properties. Build a review step that blocks social media, banking, news, and other non-managed domains from entering the catalog, even if they appear in discovery output.
  • Tie enrichment to classification approval. Require application name, category, description, and logo to be captured only after the domain passes validation, so metadata does not propagate for the wrong asset.

What's in the full article

JumpCloud's full analysis covers the operational detail this post intentionally leaves for the source:

  • The prompt structure and exclusion criteria used to keep non-SaaS domains out of the catalog.
  • The full evaluation workflow for comparing AI classifications against manually verified datasets.
  • The implementation stack, including Playwright, Gemini 2.0 Flash, Node.js, Express, and TypeScript.
  • The measured performance outputs, including precision, recall, and per-domain analysis cost.

👉 Read JumpCloud’s analysis of AI-driven SaaS catalog validation →
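
One way to wire the practitioner guidance and the validation-set comparison above into a discovery pipeline, as an added TypeScript example that is not JumpCloud's or NHIMG's code. The `orgManaged` signal, the category labels, the function names and the sample domains are assumptions constructed for illustration.

```typescript
// Added illustration: categories, field names and sample domains are constructed.
type Verdict = "saas" | "rejected";
interface Candidate { domain: string; category: string; orgManaged: boolean; }
interface CatalogEntry { domain: string; name: string; category: string; }

// Exclusion criteria are written down as explicitly as the inclusion criterion.
const EXCLUDED = ["social-media", "banking", "news"];
const normalize = (d: string): string => d.trim().toLowerCase().replace(/\.$/, "");

function classify(c: Candidate): Verdict {
  if (EXCLUDED.indexOf(c.category) !== -1) return "rejected"; // exclusion always wins
  return c.orgManaged ? "saas" : "rejected";                  // assumed inclusion rule
}

// Enrichment runs only for approved domains, so no metadata exists for rejected ones.
function admit(cands: Candidate[], enrich: (d: string) => string): CatalogEntry[] {
  return cands.filter(c => classify(c) === "saas").map(c => {
    const d = normalize(c.domain);
    return { domain: d, name: enrich(d), category: c.category };
  });
}

// Score verdicts against manually verified labels; unlabeled domains are never scored.
function evaluate(cands: Candidate[], verified: { [domain: string]: Verdict }) {
  let tp = 0, fp = 0, fn = 0;
  const unlabeled: string[] = [];
  for (const c of cands) {
    const d = normalize(c.domain);
    if (!Object.prototype.hasOwnProperty.call(verified, d)) { unlabeled.push(d); continue; }
    const got = classify(c), truth = verified[d];
    if (got === "saas" && truth === "saas") tp++;
    else if (got === "saas") fp++;           // consumer property admitted as SaaS
    else if (truth === "saas") fn++;         // real SaaS application missed
  }
  return { precision: tp / (tp + fp), recall: tp / (tp + fn), unlabeled };
}

const SAMPLE: Candidate[] = [
  { domain: "crm.example.com", category: "crm", orgManaged: true },
  { domain: "Wiki.Example.com.", category: "wiki", orgManaged: true },
  { domain: "social.example.net", category: "social-media", orgManaged: true },
  { domain: "notes.example.io", category: "notes", orgManaged: false },
  { domain: "blog.example.dev", category: "publishing", orgManaged: true },
  { domain: "new.example.app", category: "design", orgManaged: true },
];
const VERIFIED: { [domain: string]: Verdict } = {
  "crm.example.com": "saas", "wiki.example.com": "saas", "notes.example.io": "saas",
  "social.example.net": "rejected", "blog.example.dev": "rejected",
};
```

On this constructed sample `evaluate(SAMPLE, VERIFIED)` gives precision and recall of 2/3 each and reports `new.example.app` as unlabeled, which is the queue a reviewer would label next.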
