TL;DR: Identity sprawl emerges when users are spread across multiple siloed identity systems, creating ghost accounts, inconsistent privileges, and password reuse risks, according to Zluri’s guide. The governance problem is not just account count, but the absence of a single source of truth for access decisions.
NHIMG editorial — based on content published by Zluri (Security & Compliance): "What Is Identity Sprawl: The Ultimate Guide"
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: What breaks when identity sprawl is not controlled?
A: When identity sprawl is not controlled, organisations lose confidence in who has access, where that access lives, and whether it was removed correctly.
Q: Why do siloed identity systems increase governance risk?
A: Siloed identity systems increase governance risk because each system can create its own version of the truth.
Q: How can security teams tell whether access reviews are working?
A: Access reviews are working only if they remove stale access, catch duplicated accounts, and produce a reconciled view of who still needs access.
Practitioner guidance
- Inventory every identity store and shadow directory: build a complete map of all systems that can issue or hold identity state, including SaaS apps, local directories, and app-specific stores.
- Reconcile accounts before each access review cycle: do not ask reviewers to certify access from fragmented records.
- Use orchestration to reduce duplicate identity paths: apply orchestration where integrations are unavoidable, but require every new path to preserve a single authoritative user record and a consistent entitlement model across connected apps.
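The reconciliation step above, and the review test of "remove stale access, catch duplicated accounts, produce a reconciled view", as an added example that is not part of Zluri's guide or product: it compares constructed per-app account exports against a constructed HR feed acting as the single source of truth, and reports ghost accounts, accounts of terminated people, duplicate accounts, and the roles each active person still holds per app. Matching on normalised email is an assumption of the example.

```python
from collections import defaultdict

# Constructed authoritative feed (HR): one record per person, the single source of truth.
HR_RECORDS = [
    {"email": "alice@example.com", "status": "active"},
    {"email": "bob@example.com", "status": "active"},
    {"email": "carol@example.com", "status": "terminated"},
]

# Constructed per-app exports: each app is its own identity silo with its own formatting.
APP_ACCOUNTS = {
    "crm": [
        {"login": "Alice@Example.com", "role": "admin"},
        {"login": "carol@example.com", "role": "user"},        # person left, account stayed
        {"login": "svc-report@example.com", "role": "admin"},  # nobody in HR owns this
    ],
    "wiki": [
        {"login": "bob@example.com", "role": "user"},
        {"login": "bob@example.com", "role": "admin"},         # two accounts, two privilege levels
        {"login": "alice@example.com ", "role": "user"},       # trailing space from a CSV export
    ],
}

def normalise(login):
    """Silos disagree on case and whitespace; compare every login in one canonical form."""
    return login.strip().lower()

def reconcile(hr_records, app_accounts):
    """Compare app exports against the HR feed; return ghost/stale/duplicate account
    findings plus a reconciled {person: {app: roles}} view covering active people only."""
    status = {normalise(r["email"]): r["status"] for r in hr_records}
    findings = {"ghost": [], "stale": [], "duplicate": [], "view": defaultdict(dict)}
    for app, accounts in app_accounts.items():
        seen = set()
        for acct in accounts:
            login = normalise(acct["login"])
            if login in seen:                      # same person, second account in one app
                findings["duplicate"].append((app, login))
            seen.add(login)
            if login not in status:                # no owner in the authoritative record
                findings["ghost"].append((app, login))
            elif status[login] != "active":        # owner left, access was never removed
                findings["stale"].append((app, login))
            else:  # keep every role seen so conflicting privilege within one app is visible
                findings["view"][login].setdefault(app, set()).add(acct["role"])
    findings["view"] = dict(findings["view"])
    return findings

REPORT = reconcile(HR_RECORDS, APP_ACCOUNTS)
```

Reviewers certify from REPORT["view"], while the ghost, stale and duplicate lists are remediation items to clear before the review cycle starts.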
What's in the full article
Zluri's full guide covers the operational detail this post intentionally leaves for the source:
- Step-by-step identity orchestration workflows for connecting incompatible SaaS and directory systems.
- Detailed provisioning and access review flows showing how Zluri centralises identity and entitlement data.
- Hands-on guidance for automating onboarding, access request handling, and deprovisioning across applications.
- Examples of audit trails and reporting views used to evidence access governance for reviewers and auditors.