SaaS identity governance: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: SaaS adoption has turned software access, shadow IT, compliance, and security into an identity governance problem, not just an application management problem, according to Zluri’s 2023 commentary. The practical lesson is that lifecycle control, visibility, and access governance now have to follow the SaaS stack itself, not sit beside it.

NHIMG editorial — based on content published by Zluri: Why Zluri? Why now?

By the numbers:

Questions worth separating out

Q: How should security teams govern SaaS sprawl without slowing the business down?

A: Start by making SaaS discovery, ownership, and access review part of the same control process.

Q: Why does shadow IT create an IAM problem instead of only a procurement problem?

A: Shadow IT becomes an IAM problem because every unsanctioned application creates its own identities, permissions, and lifecycle obligations.

Q: What breaks when SaaS access is automated without good identity data?

A: Automation breaks when it is asked to act on incomplete ownership, stale entitlements, or poor application discovery.

Practitioner guidance

  • Build a live SaaS inventory: Track every subscribed application, its owner, and its authentication path so the governance team can see where accounts and entitlements actually exist.
  • Tie access requests to app ownership: Require a named owner for each SaaS application before new users, admins, or integrations are approved.
  • Automate offboarding across SaaS tools: Remove user accounts, admin roles, and connected integrations when employees move or leave, and verify that access revocation reaches every subscribed application rather than only the primary directory.

What's in the full article

Zluri's full article covers the broader SaaS operating model this post intentionally leaves at the strategic level:

  • The vendor's framing of SaaS adoption as a business enablement problem alongside security and compliance
  • The operational context behind intelligent workflow automation for app adoption and access control
  • The article's own explanation of how Zluri wants to simplify SaaS operations for IT, HR, finance, and employees
  • The original commentary on why software affordability and accessibility changed the operating model

👉 Read Zluri's commentary on SaaS identity governance and access control →




(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

SaaS sprawl is an identity governance problem first and a software problem second. The article correctly treats SaaS adoption as a change in how access is created, approved, and controlled. Once every team can subscribe independently, governance no longer lives only in the IT stack. The practical conclusion is that SaaS inventory and entitlement oversight must be designed as a core IAM capability, not an afterthought.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity inventories fail before governance can start.

A question worth separating out:

Q: How do IAM and IGA teams reduce risk in a SaaS-heavy environment?

A: They should combine application discovery, entitlement visibility, and lifecycle enforcement into one operating model. That means linking approvals to owners, recertifying app access regularly, and revoking accounts and integrations at offboarding. The control objective is consistent governance across every SaaS application, not isolated policy checks.

👉 Read our full editorial: SaaS identity governance needs a stronger operating model



   