TL;DR: SaaS adoption has turned software access, shadow IT, compliance, and security into an identity governance problem, not just an application management problem, according to Zluri’s 2023 commentary. The practical lesson is that lifecycle control, visibility, and access governance now have to follow the SaaS stack itself, not sit beside it.
NHIMG editorial — based on content published by Zluri: Why Zluri? Why now?
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern SaaS sprawl without slowing the business down?
A: Start by making SaaS discovery, ownership, and access review part of the same control process.
Q: Why does shadow IT create an IAM problem instead of only a procurement problem?
A: Shadow IT becomes an IAM problem because every unsanctioned application creates its own identities, permissions, and lifecycle obligations.
Q: What breaks when SaaS access is automated without good identity data?
A: Automation breaks when it is asked to act on incomplete ownership, stale entitlements, or poor application discovery.
Practitioner guidance
- Build a live SaaS inventory: Track every subscribed application, its owner, and its authentication path so the governance team can see where accounts and entitlements actually exist.
- Tie access requests to app ownership: Require a named owner for each SaaS application before new users, admins, or integrations are approved.
- Automate offboarding across SaaS tools: Remove user accounts, admin roles, and connected integrations when employees move or leave, and verify that access revocation reaches every subscribed application rather than only the primary directory.
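The three controls above can be checked together by reconciling the SaaS inventory against the directory's list of active users. The sketch below is an added example, not code from Zluri or NHIMG; the `App` record, the `audit` function, and all sample data are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class App:
    name: str
    owner: Optional[str]   # named application owner, None if unassigned
    auth_path: str         # "sso" (directory-backed) or "local" (app-managed logins)
    accounts: dict = field(default_factory=dict)      # user -> role
    integrations: dict = field(default_factory=dict)  # integration -> user who connected it

def audit(apps, active_users):
    """Return sorted (app, finding, subject, auth_path) tuples for governance gaps."""
    findings = []
    for app in apps:
        # Ownership control: every app needs an owner who is still active.
        if app.owner is None or app.owner not in active_users:
            findings.append((app.name, "no-active-owner", app.owner or "-", app.auth_path))
        # Offboarding control: accounts that outlived their user.
        for user, role in app.accounts.items():
            if user not in active_users:
                kind = "residual-admin" if role == "admin" else "residual-account"
                findings.append((app.name, kind, user, app.auth_path))
        # Connected integrations keep working after their creator leaves.
        for integration, creator in app.integrations.items():
            if creator not in active_users:
                findings.append((app.name, "orphaned-integration", integration, app.auth_path))
    return sorted(findings)

# Constructed sample data: "carol" has left and was disabled in the directory only.
ACTIVE = {"alice", "bob"}
APPS = [
    App("crm", "alice", "sso", {"alice": "admin", "carol": "user"}),
    App("design-tool", "carol", "local",
        {"carol": "admin", "bob": "user"}, {"slack-export": "carol"}),
    App("wiki", "bob", "sso", {"bob": "admin", "alice": "user"}, {"ci-bot": "bob"}),
]

if __name__ == "__main__":
    for app, finding, subject, auth in audit(APPS, ACTIVE):
        # Findings on "local" apps are not closed by disabling the directory account.
        print(f"{app:12} {finding:22} {subject:14} auth={auth}")
```

Findings on applications with a `local` authentication path are the ones a directory-only offboarding run leaves open, which is why the inventory records the authentication path for each application.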
What's in the full article
Zluri's full article covers the broader SaaS operating model this post intentionally leaves at the strategic level:
- The vendor's framing of SaaS adoption as a business enablement problem alongside security and compliance
- The operational context behind intelligent workflow automation for app adoption and access control
- The article's own explanation of how Zluri wants to simplify SaaS operations for IT, HR, finance, and employees
- The original commentary on why software affordability and accessibility changed the operating model