Notifications
Clear all
Topic starter
12/06/2026 9:59 pm
TL;DR: Clearer governance over shadow users, offboarding, and app sprawl is the practical shift as Josys’ March 2026 release unifies SaaS reporting, device visibility, action prioritisation, and workflow automation across discovered apps, MDM sources, and lifecycle triggers, with new RBAC controls and exportable reports for IT teams, rather than just more automation.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should teams reduce shadow users in SaaS environments?
A: Start by treating shadow users as lifecycle exceptions, not just discovery findings.
Q: Why does unified SaaS and device visibility matter for identity governance?
A: Because access decisions are only as reliable as the context behind them.
Q: When should organisations automate SaaS offboarding workflows?
A: Automate offboarding when the approval source is authoritative and the revocation path is well understood.
Practitioner guidance
- Define one governance record for each SaaS application Tie app discovery, licence ownership, security status, and business owner into a single record so review and remediation do not depend on separate spreadsheets or teams.
- Separate shadow-user detection from remediation ownership Assign a named owner, SLA, and escalation path for every unmanaged account so discovery does not become a passive dashboard exercise.
- Correlate device context before approving access decisions Use combined Intune, Jamf, or other MDM visibility to confirm device ownership and compliance before treating an access state as trustworthy.
What's in the full announcement
Josys' full blog post covers the operational detail this post intentionally leaves for the source:
- Specific Reporting Module views for SaaS Security, License Optimization, and Device Management
- Exact task actions in the Action Centre, including Automate, Deprovision, and Classify
- Workflow timing options for running onboarding and offboarding before, on, or after key dates
- Webhook-triggered examples tied to onboarding approval, threat detection, and other live events
👉 Read Josys' March 2026 product release on SaaS governance and automation →
SaaS governance and workflow automation: what the March release changes?
Explore further
13/06/2026 12:28 am
Unified SaaS governance is now an identity problem, not just an IT inventory problem. Once app discovery, licence usage, device state, and workflow actioning sit in the same operational plane, the security question changes from “what do we own?” to “what access is still live and who can act on it?” That is the more durable model for modern SaaS estates because unmanaged users, redundant tools, and stale device context all change entitlement risk. Practitioners should treat SaaS governance as a control plane for identity and access decisions, not a reporting afterthought.
A few things that frame the scale:
- From our research: 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs.
A question worth separating out:
Q: What is the difference between reporting and governance in SaaS management?
A: Reporting tells you what exists, while governance determines what should happen next. A report can show shadow accounts or unused licences, but governance assigns ownership, applies policy, and drives remediation. Without that second layer, visibility increases while risk remains unchanged.
👉 Read our full editorial: Josys March release tightens SaaS governance and workflow control
