TL;DR: Oktane 2024 conversations underscored that manual access reviews, SaaS sprawl, shadow IT, and compliance pressure are making access governance harder to manage at enterprise scale, according to Zluri. The practical shift is toward automation and app-level visibility, because identity programmes can no longer rely on review cycles designed for smaller, slower software estates.
NHIMG editorial — based on content published by Zluri: How Access Management Took Center Stage at Oktane 2025
By the numbers:
- Oktane 2024 brought together over 3,000 technology and security professionals.
Questions worth separating out
Q: How should security teams run access reviews across large SaaS estates?
A: Security teams should base SaaS access reviews on live entitlement data, not spreadsheets or stale exports.
Q: Why does shadow IT make access governance harder?
A: Shadow IT makes access governance harder because teams cannot certify, revoke, or audit access to applications they do not know exist.
Q: What breaks when access reviews stay manual in SaaS environments?
A: Manual access reviews break when the number of applications and entitlements grows faster than the team can validate them.
Practitioner guidance
- Replace spreadsheet-based certifications with live entitlement inventories: Pull access data directly from SaaS applications so reviews are based on current permissions rather than exported snapshots.
- Build a discovery process for shadow IT before running reviews: Identify unsanctioned SaaS tools through procurement, SSO logs, browser telemetry, and employee reporting, then fold them into the governance workflow.
- Define access ownership and exception handling up front: Assign a named approver for each application, establish what counts as an acceptable exception, and decide how unresolved access is handled when an owner does not respond.
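The three steps above can be checked mechanically before a review cycle starts. The sketch below is an added example, not code from Zluri or from this post; every app name, owner, date and the 14-day response window is a constructed assumption. It reconciles discovery sources against the governed inventory, lists apps with no named approver, and flags undecided entitlements whose owner has not responded.

```python
from datetime import date

# Constructed sample data: all app names, owners and dates are illustrative.
GOVERNED = {  # apps already in the governance workflow -> named approver
    "hr-portal": {"owner": "iam-team@example.com"},
    "crm": {"owner": None},  # sanctioned, but no named approver assigned yet
}
DISCOVERY = {  # discovery source -> app identifiers that source observed
    "procurement": ["CRM", "design-tool"],
    "sso_logs": ["hr-portal", "crm"],
    "browser_telemetry": ["Design-Tool ", "notes-app"],
    "employee_reports": ["notes-app"],
}
ENTITLEMENTS = [  # live pull: (app, user, role, review_requested, decided)
    ("hr-portal", "alice", "admin", date(2024, 10, 1), False),
    ("hr-portal", "bob", "user", date(2024, 10, 20), False),
    ("crm", "carol", "admin", date(2024, 10, 1), True),
]

def normalise(name):
    """Sources spell app names differently; compare on a canonical form."""
    return name.strip().lower()

def find_shadow_apps(discovery, governed):
    """Apps seen by any source but absent from governance, with who saw them."""
    seen = {}
    for source, apps in discovery.items():
        for app in apps:
            seen.setdefault(normalise(app), set()).add(source)
    return {app: sorted(src) for app, src in seen.items() if app not in governed}

def missing_owners(governed):
    """Governed apps that cannot be certified because nobody is the approver."""
    return sorted(app for app, meta in governed.items() if not meta.get("owner"))

def overdue_reviews(entitlements, today, sla_days=14):
    """Undecided entitlements past the response window (assumed policy value)."""
    return [(app, user, role)
            for app, user, role, asked, decided in entitlements
            if not decided and (today - asked).days > sla_days]

if __name__ == "__main__":
    today = date(2024, 10, 25)
    print("shadow apps:", find_shadow_apps(DISCOVERY, GOVERNED))
    print("no approver:", missing_owners(GOVERNED))
    print("escalate:", overdue_reviews(ENTITLEMENTS, today))
```

What happens to the escalated items (revoke, suspend, or route to a fallback approver) is the exception-handling decision the third step asks teams to make in advance.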
What's in the full article
Zluri's full post covers the operational detail this post intentionally leaves for the source:
- Booth-level discussion of automated access review workflows for large SaaS portfolios
- Examples of how Zluri complements Okta with application-level control and visibility
- Operational discussion of shadow IT discovery and unused license optimisation in SaaS estates