
SaaS discovery vs access control: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: SaaS discovery without connection to the underlying application leaves access, least privilege, and lifecycle actions trapped in spreadsheets and manual review loops, according to Josys. The governance gap is not visibility alone but the inability to enforce policy where permissions actually live, which makes review, offboarding, and exception handling drift out of control.

NHIMG editorial — based on content published by Josys: Josys AI Integration Builder: Closing the Identity Governance Gap

Questions worth separating out

Q: How should security teams govern SaaS apps that are discovered but not connected to IGA?

A: They should treat discovery as an inventory signal, not a governance outcome.

Q: Why do manual SaaS lifecycle processes increase access risk?

A: Manual processes slow down entitlement removal and make it easy for permissions to outlive the business need that justified them.

Q: What breaks when SaaS apps are visible but not governable?

A: Least privilege becomes inconsistent, offboarding becomes unreliable, and access reviews stop reflecting real entitlement state.

Practitioner guidance

  • Map every discovered SaaS app to an enforceable control path: inventory is not enough.
  • Eliminate spreadsheet-based access tracking: replace manual entitlement tracking with governed workflows so that access reviews, approvals, and revocations are recorded in one system of record.
  • Prioritise non-native integrations for lifecycle review: focus on applications without native API support, because these are the most likely to remain partially governed and to create lingering access after role changes or offboarding.

What's in the full article

Josys's full blog covers the operational detail this post intentionally leaves for the source:

  • Browser-extension training flow for connecting non-native SaaS apps without writing code
  • How the internal review queue handles integrations that do not work on the first attempt
  • Shared app-catalog reuse model that expands coverage across customers
  • Walkthrough of how Josys maps application elements in the background after recording

👉 Read Josys's analysis of the SaaS discovery and access control gap →

SaaS discovery vs access control: what IAM teams are missing?
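One way to make the discovery-versus-control distinction from this post measurable, added here as an example and not code from Josys or the NHIMG editorial; the app names, the control-path labels, the review window and the offboarded-user set are all constructed for illustration:

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class SaasApp:
    name: str
    # "native_api", "recorded_workflow", or None for an app that is discovered only
    control_path: Optional[str]
    # when the control path was last proven to still drive the real admin action
    last_validated: Optional[date] = None
    # user -> date the entitlement was last reviewed
    entitlements: dict = field(default_factory=dict)

# Constructed sample inventory and HR signal (hypothetical names and dates).
OFFBOARDED = {"alice"}
APPS = [
    SaasApp("crm", "native_api", date(2024, 6, 1), {"alice": date(2024, 6, 1), "bob": date(2024, 6, 1)}),
    SaasApp("design-tool", "recorded_workflow", date(2024, 1, 15), {"alice": date(2024, 1, 15)}),
    SaasApp("legacy-billing", None, None, {"alice": date(2023, 11, 2), "carol": date(2024, 5, 20)}),
    SaasApp("ticketing", "recorded_workflow", date(2024, 6, 20), {"bob": date(2024, 6, 20)}),
]

def coverage(apps):
    """Discovered app count versus apps with an enforceable control path.
    The first number is the 'healthy-looking' visibility metric; the gap is the second."""
    governed = sum(1 for a in apps if a.control_path is not None)
    return len(apps), governed

def lingering_access(apps, offboarded):
    """Entitlements still held by offboarded users in apps with no control path:
    no central workflow can revoke these, so they persist until someone does it by hand."""
    return [(a.name, user) for a in apps if a.control_path is None
            for user in a.entitlements if user in offboarded]

def review_priority(apps, today, max_age_days=90):
    """Order apps for lifecycle review: apps with no control path first, then
    recorded (browser-trained) workflows not revalidated within the window, then the rest."""
    def rank(a):
        if a.control_path is None:
            return 0
        if a.control_path == "recorded_workflow":
            if a.last_validated is None or (today - a.last_validated).days > max_age_days:
                return 1
        return 2
    return [a.name for a in sorted(apps, key=rank)]  # sorted() is stable, ties keep inventory order
```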




(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4222
 

Discovery without control is not governance. The article describes a common IGA failure mode: organisations know the app exists, but they do not have a usable control path into it. That means entitlement state remains trapped in the application, outside central policy enforcement and review. The practical implication is that visibility metrics can look healthy while governance remains weak.

A few things that frame the scale:

A question worth separating out:

Q: How do teams decide whether browser-based app integration is good enough?

A: They should ask whether the recorded workflow is reliable enough to represent the real administrative action over time. If the app changes frequently, the integration needs review and revalidation, or governance can drift silently. The test is not whether the automation works once, but whether it remains trustworthy as the application evolves.

👉 Read our full editorial: SaaS discovery without access control creates an IGA governance gap


