TL;DR: SaaS governance now needs to be treated as identity attack-surface management, because employee access, personal-device storage, and post-exit access create security and compliance exposure across the application lifecycle, according to Zluri. The governance gap is no longer procurement alone; it is visibility, observability, and remediation across every connected app and identity path.
NHIMG editorial — based on content published by Zluri: SaaS governance and IAM attack surface reduction
By the numbers:
- We surveyed 100 IT leaders to know their perspective on SaaS Governance.
- Zluri | Identity Governance & Administration Reviews Rated by Gartner Peer Insights 4.7 Based on 10 reviews as of 19th Nov 2025
Questions worth separating out
Q: What breaks when SaaS access is not tied to lifecycle controls?
A: Access persists after the business need has ended, which means former employees, stale integrations, and unused permissions can still reach data.
Q: Why do SaaS apps increase identity governance risk?
A: SaaS apps multiply the number of identities, delegated connections, and data paths that IAM teams must track.
Q: How can security teams know whether SaaS governance is actually working?
A: They should look for closed-loop evidence: every discovered risky app or access path has an owner, a remediation action, and a completion timestamp.
Practitioner guidance
- Map SaaS identities beyond the login layer Inventory connected applications, delegated access, admin accounts, and any identity paths that can reach sensitive data.
- Bind SaaS offboarding to entitlement removal Make termination workflows remove app access, revoke delegated tokens, and confirm data return or deletion where required.
- Measure remediation, not just discovery Track how long it takes to revoke risky SaaS access after it is identified, and report on exceptions where the issue is known but not closed.
What's in the full report
Zluri's full report covers the operational detail this post intentionally leaves for the source:
- Survey findings from 100 IT leaders on where SaaS governance breaks down in practice.
- The report's end-to-end governance strategies from procurement through termination.
- How the vendor frames identity visibility, observability, and remediation across SaaS estates.
- Additional product and platform context around Zluri's identity governance and access management approach.
👉 Read Zluri's report on SaaS governance and IAM attack surface reduction →
SaaS governance and IAM visibility: where are the gaps?
Explore further
SaaS governance is now an identity attack-surface discipline, not a procurement discipline. The article correctly points to the gap between buying software and governing how access behaves after deployment. Once employees can continue using apps, move data to personal devices, or keep access after departure, SaaS becomes an identity control problem. The practitioner conclusion is that SaaS governance belongs inside IAM and IGA operating models, not beside them.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when SaaS access remains after offboarding?
A: Accountability should sit with the identity governance owner, the application owner, and the business approver who accepted the access. If any one of those roles is missing, the offboarding process can fail silently. Frameworks such as NIST Cybersecurity Framework 2.0 reinforce that identity governance must be measurable and owned, not implied.
👉 Read our full editorial: SaaS governance is becoming an identity attack-surface problem