TL;DR: SaaS management fails when organisations rely on spreadsheets, weak visibility, and inconsistent lifecycle controls for apps, users, groups, and vendors, leaving security and compliance gaps across the stack, according to Zluri. The deeper issue is that SaaS governance is really identity governance across human access, privileged accounts, and third-party exposure, not a procurement list.
NHIMG editorial — based on content published by Zluri: SaaS Management 10 Policies to Ensure Reliable SaaS Management
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Questions worth separating out
Q: How should teams govern SaaS access when employees change roles or leave?
A: Treat SaaS access as part of the identity lifecycle, not as a separate application task.
Q: Why do SaaS portfolios create so much hidden identity risk?
A: Because SaaS stacks grow faster than manual records can keep up with, especially when teams use spreadsheets and informal approvals.
Q: What do security teams get wrong about SaaS vendor risk?
A: They often treat vendor compliance as a procurement check instead of an ongoing governance issue.
Practitioner guidance
- Build a live SaaS inventory: Replace spreadsheet-based tracking with a continuously updated inventory that records each application, owner, business purpose, and active user relationship.
- Tie SaaS offboarding to identity workflows: Connect employee exit events and role changes to licence revocation, permission updates, and subscription transfer so access does not outlive the business need.
- Review external SaaS access on a schedule: Apply access recertification to consultants, partners, and other external users, and remove access when the collaboration no longer requires it.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step policy examples for discovery, lifecycle management, and SaaS access review
- Detailed controls for handling vendor compliance checks and shadow IT alerts
- Operational guidance on group cleanup, offboarding, and licence maintenance
- Specific SaaS management scenarios the vendor uses to illustrate policy decisions