TL;DR: Zluri presents SaaS compliance as a broad governance checklist, but the operational pressure points are access reviews, third-party risk, evidence production, and control ownership across finance, security, and IT. For identity teams, the real issue is that compliance breaks where lifecycle governance, privileged access, and SaaS visibility are weak.
NHIMG editorial — based on content published by Zluri (Security & Compliance): Understanding SaaS Compliance: A Guide for IT Teams
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams run SaaS access reviews for compliance?
A: Security teams should certify every identity path that can reach SaaS data, including human users, direct app accounts, service accounts, and delegated integrations.
Q: Why do SaaS compliance programmes fail when visibility is incomplete?
A: SaaS compliance fails when visibility is incomplete because controls can only govern what they can see. A direct app account that never touched the IdP, or an OAuth grant nobody inventoried, sits outside the access review, the revocation workflow, and the evidence trail, so none of those controls can be shown to apply to it.
Q: What do teams get wrong about third-party SaaS access and compliance?
A: Teams often assume third-party access is covered once the vendor is approved, but compliance requires active lifecycle control: the access a vendor or integration actually holds has to be inventoried, reviewed, and revoked like any other identity, not just approved once at onboarding.
Practitioner guidance
- Scope access reviews across the full SaaS estate. Include federated users, direct app accounts, service accounts, and delegated integrations in every certification cycle.
- Build compliance evidence from authoritative identity sources. Pull entitlement, approval, and revocation records from IdP, SaaS admin, and IGA systems so audit evidence is traceable end to end.
- Map third-party and OAuth connections before certification. Inventory every external integration, vendor connection, and delegated app permission that can access SaaS data.
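The three guidance points above are one procedure: join the authoritative sources, classify every path into the app, and flag what cannot be certified or evidenced. The script below is an added example written for this editorial, not code from Zluri or NHIMG. It reconciles three constructed exports (an IdP/IGA entitlement list, a SaaS admin account export, an OAuth grant list) plus an HR leaver feed and a revocation log for one app. All field names, account names, and ticket identifiers are assumptions for illustration, not any vendor's real schema.

```python
from collections import defaultdict
from datetime import date

# Constructed sample exports for one SaaS app. Field names are assumptions,
# not any IdP, IGA or SaaS vendor's real schema.
IDP_ASSIGNMENTS = [  # IdP/IGA: federated users, with the approval that granted the role
    {"user": "alice@example.com", "role": "admin", "approval": "IGA-101"},
    {"user": "bob@example.com", "role": "editor", "approval": "IGA-102"},
    {"user": "carol@example.com", "role": "viewer", "approval": "IGA-103"},
]
SAAS_ACCOUNTS = [  # SaaS admin export: every login that can reach the app's data
    {"account": "alice@example.com", "type": "user", "owner": None},
    {"account": "bob@example.com", "type": "user", "owner": None},
    {"account": "carol@example.com", "type": "user", "owner": None},
    {"account": "dave@contractor.example", "type": "user", "owner": None},  # local login, not in IdP
    {"account": "svc-etl", "type": "service", "owner": "data-platform"},
    {"account": "svc-legacy-sync", "type": "service", "owner": None},  # nobody owns it
]
OAUTH_GRANTS = [  # delegated integrations: third parties holding scopes into the app
    {"client": "Bill-Sync", "vendor": "billingco", "scopes": ["read:accounts"], "approval": "TPRM-7"},
    {"client": "Slide Exporter", "vendor": "unknown", "scopes": ["read:accounts", "write:notes"], "approval": None},
]
LEAVERS = [  # HR feed: terminated users whose access must be provably removed
    {"user": "carol@example.com", "terminated": date(2024, 3, 1)},
    {"user": "erin@example.com", "terminated": date(2024, 2, 1)},
]
REVOCATIONS = [  # change log: what was removed, when, and the ticket that proves it
    {"account": "erin@example.com", "revoked": date(2024, 2, 2), "ticket": "CHG-55"},
]


def certification_scope(idp, saas, grants):
    """Classify every identity path into the app; all four classes go into the review."""
    federated = {a["user"] for a in idp}
    scope = defaultdict(list)
    for acct in saas:
        if acct["type"] == "service":
            scope["service_account"].append(acct["account"])
        elif acct["account"] in federated:
            scope["federated_user"].append(acct["account"])
        else:  # reachable through the app's own login, invisible to the IdP
            scope["direct_account"].append(acct["account"])
    scope["integration"].extend(g["client"] for g in grants)
    return dict(scope)


def find_gaps(idp, saas, grants, leavers, revocations):
    """Return (gaps, evidence). Each gap is a (kind, subject, source) triple an
    auditor can trace to one export; evidence lists revocations backed by a ticket."""
    gaps, evidence = [], []
    federated = {a["user"] for a in idp}
    active = {a["account"]: a for a in saas}
    for name, acct in active.items():
        if acct["type"] == "user" and name not in federated:
            gaps.append(("direct_account_not_in_idp", name, "saas_admin_export"))
        if acct["type"] == "service" and not acct["owner"]:
            gaps.append(("service_account_no_owner", name, "saas_admin_export"))
    for g in grants:
        if not g["approval"]:  # no third-party risk approval on record for this client
            gaps.append(("integration_no_approval", g["client"], "oauth_grants"))
    revoked = {r["account"]: r for r in revocations}
    for lv in leavers:
        user, rec = lv["user"], revoked.get(lv["user"])
        if user in active or user in federated:
            gaps.append(("leaver_still_active", user, "saas_admin_export"))
        elif rec is None or rec["revoked"] < lv["terminated"]:
            # access is gone, but nothing proves when or under which change it was removed
            gaps.append(("revocation_not_traceable", user, "revocation_log"))
        else:
            evidence.append((user, rec["revoked"].isoformat(), rec["ticket"]))
    return gaps, evidence


if __name__ == "__main__":
    scope = certification_scope(IDP_ASSIGNMENTS, SAAS_ACCOUNTS, OAUTH_GRANTS)
    gaps, evidence = find_gaps(IDP_ASSIGNMENTS, SAAS_ACCOUNTS, OAUTH_GRANTS, LEAVERS, REVOCATIONS)
    for cls, members in scope.items():
        print(f"{cls:16} {', '.join(members)}")
    for kind, subject, source in gaps:
        print(f"GAP  {kind:28} {subject:26} source={source}")
    for user, when, ticket in evidence:
        print(f"OK   revoked {user} on {when} ({ticket})")
```

On the sample data this yields four findings (a contractor with a direct login the IdP has never seen, an unowned service account, an unapproved OAuth client with write scope, and a leaver who is still active) and one traceable evidence row for the leaver whose removal is backed by a change ticket. The design point is that every finding names the export it came from, which is what turns a review into evidence an auditor can follow end to end.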
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- The full SaaS compliance checklist across financial, security, and data protection regimes
- Zluri's nine discovery methods for building a more complete SaaS inventory
- Step-by-step access review and audit workflow detail for compliance teams
- Practical examples of how compliance controls map to SaaS administration tasks
👉 Read Zluri's SaaS compliance guide for IT teams and access review controls →
SaaS compliance and access review gaps: what teams miss
SaaS compliance is an identity governance problem disguised as a checklist. The article treats compliance as a sequence of obligations, but those obligations only become real when access, lifecycle, and evidence are governed continuously. That makes identity the control plane beneath the legal and operational language. Practitioners should treat SaaS compliance as a programme for proving access correctness at scale.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, according to NHI Mgmt Group research.
A question worth separating out:
Q: Who is accountable when SaaS access is not revoked on time?
A: Accountability usually sits with the control owner who failed to enforce lifecycle closure, not just the application team or the reviewer. Compliance frameworks expect organisations to prove that access was removed when it was no longer needed. If revocation is not traceable, the organisation owns the gap.
👉 Read our full editorial: SaaS compliance is really identity governance by another name