TL;DR: SaaS sprawl, shadow IT, and license waste obscure identity control, access lifecycle discipline, and measurable security outcomes, according to Zluri’s KPI guide, which frames IT performance around availability, maintenance, compliance, and deployment success. IT metrics only matter when they translate into clearer identity governance and tighter operational accountability.
NHIMG editorial — based on content published by Zluri: IT Teams KPIs for Modern IT Teams - 2026
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should IT teams measure whether SaaS maintenance is actually improving governance?
A: Measure whether maintenance outcomes include access removal, license right-sizing, and application discovery, not just ticket closure.
Q: Why do availability KPIs miss identity risk?
A: Availability tells you whether a system works, not whether access to it is still appropriate.
Q: What do security and compliance KPIs often get wrong about access governance?
A: They often prove that a policy exists rather than that the control is working.
Practitioner guidance
- Audit KPI definitions for identity blind spots: Review each IT metric and ask whether it captures access scope, lifecycle status, or only service performance.
- Link SaaS maintenance to offboarding proof: Require completion evidence for deprovisioning, license removal, and linked token revocation before a subscription is considered maintained or closed.
- Measure compliance with operational evidence: Use recertification results, application discovery records, and entitlement reconciliation as the evidence base for security and compliance KPIs.
What's in the full article
Zluri's full post covers the operational detail this post intentionally leaves for the source:
- A full breakdown of all eight IT KPIs and how the vendor defines each one in practical business terms
- Examples of how availability, maintenance, and deployment success are positioned for day-to-day IT operations
- The article's product-context discussion on managing assets, SaaS sprawl, and access control efficiency
- Additional framing on how the vendor links KPI measurement to business alignment and ROI
IT team KPIs and SaaS sprawl: what IAM teams are missing?
Explore further
IT KPIs are only useful when they expose identity control failure, not just service performance. The article treats availability, maintenance, and deployment success as operational measures, but each one also signals whether access is governed or merely tolerated. In modern environments, the strongest KPI programmes are the ones that surface lifecycle gaps in access, licensing, and shadow IT before they become audit findings. Practitioners should treat KPI design as a governance instrument, not a reporting exercise.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: How can organisations use IT KPIs to reduce shadow IT risk?
A: Use KPIs to connect discovery, approval, and deprovisioning. When a new app appears without review, it should trigger visibility work, not just a procurement discussion. Shadow IT becomes governable when the metric shows who uses the app, who approved it, and whether access was later removed.