
SaaS evaluation checklists: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter

TL;DR: Software evaluation checklists help teams compare functionality, cost, and stakeholder fit, but they also reveal a broader governance problem: SaaS buying decisions often outpace identity, access, and lifecycle controls, according to Zluri. Procurement discipline matters, but identity teams still need to govern who gets access, how it is reviewed, and when it is removed.

NHIMG editorial — based on content published by Zluri: Procurement Upgrade Your SaaS Selection: The Ultimate Software Evaluation Team

Questions worth separating out

Q: How should IAM teams govern SaaS purchases before rollout?

A: IAM teams should treat SaaS purchasing as a control checkpoint, not a post-contract cleanup exercise.

Q: Why do SaaS buying decisions create access governance risk?

A: SaaS buying decisions create risk because each new application adds identities, permissions, and integrations that must be managed over time.

Q: What do organisations get wrong about total cost of ownership for SaaS?

A: Organisations often count licence fees and deployment work but ignore recurring identity work.

Practitioner guidance

  • Embed identity review into procurement intake: require IAM, security, and application ownership review before any SaaS contract moves forward.
  • Map every new SaaS app to an owner and lifecycle path: assign a clear business owner, technical owner, and access owner for each application.
  • Add access governance to total cost of ownership: count access review effort, privileged admin review, logging, entitlement cleanup, and orphaned account removal as recurring costs.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • The article's step-by-step SaaS evaluation checklist, including the exact decision factors the vendor recommends for comparing tools.
  • The procurement workflow details behind Zluri's negotiation and buying process, including how the platform positions itself in vendor selection.
  • The vendor's cost-saving examples and pay-when-you-save model, which are useful if you are evaluating commercial procurement terms.
  • The article's stakeholder collaboration framing, including how it describes team alignment during SaaS selection.




(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

SaaS procurement is an identity governance event, not a buying event. Every application purchase creates a new access boundary, new administrative trust, and new lifecycle work. The article is useful because it shows how quickly business selection criteria can outrun IAM controls if identity ownership is not built into the evaluation step. Practitioners should treat procurement intake as the first control point in SaaS governance.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should approve SaaS tools from an identity perspective?

A: SaaS tools should be approved by business stakeholders, IT, security, and the application owner together. Business approval confirms value, but identity approval confirms that access can be provisioned, reviewed, and removed safely. Without that shared decision, the organisation inherits an application it cannot fully govern.



