Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SaaS management and identity control: what teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: SaaS now underpins most enterprise work, with 38% of companies running almost entirely on SaaS and 51% using SaaS in most business functions, according to Matrix42. That makes governance of access, offboarding, data handling, and application sprawl an identity problem, not just a procurement exercise.

NHIMG editorial — based on content published by Efecte: Kuusi askelta onnistuneeseen SaaS-hallintaan

By the numbers:

Questions worth separating out

Q: How should organisations govern SaaS applications as part of identity management?

A: They should treat SaaS as an identity-governed application layer, not just a spend category.

Q: Why do SaaS sprawl and duplicate tools increase security risk?

A: Because every additional app creates another place where access, data handling, and offboarding can fail.

Q: What breaks when SaaS offboarding is not tied to lifecycle controls?

A: Former employees, contractors, and project users can retain access long after they should have been removed.

Practitioner guidance

  • Build a live SaaS application register Track every approved app with business owner, technical owner, user population, data class, and review date so governance does not depend on informal knowledge.
  • Fold SaaS discovery into offboarding Use access reviews and leaver processes to find accounts, tokens, and linked services that survive after employees move roles or leave the organisation.
  • Set review gates before new app adoption Require security, privacy, and compliance review before any SaaS app handles business data, especially where regulated information or external sharing is involved.

What's in the full article

Efecte's full article covers the operational detail this post intentionally leaves for the source:

  • Practical guidance on how to assign ownership for SaaS renewals, licenses, and budgets across teams
  • A step-by-step view of how to build user-level application portfolios and collect usage feedback
  • Detailed checks for SaaS security, including data storage, password practices, account sharing, and offboarding
  • Compliance considerations for GDPR, vendor approval, and the handling of managed versus unmanaged applications

👉 Read Efecte's article on six steps for successful SaaS management →

SaaS management and identity control: what teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

SaaS governance is an identity lifecycle problem before it is a cost problem. The article focuses on spend, duplication, and ownership, but the deeper failure mode is that SaaS tools outgrow the joiner-mover-leaver process that is supposed to keep access bounded. Once app adoption outruns offboarding and recertification, access persists because no one owns the lifecycle. Practitioners should treat SaaS as part of identity governance, not as a separate procurement list.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, which shows that policy confidence and operational behaviour often diverge.

A question worth separating out:

Q: Who should be accountable for SaaS governance decisions?

A: Accountability should sit with both the business owner and the technical control owner. The business owns the need for the app, while identity, security, and compliance teams own the rules for access, data handling, and review. Without that split, SaaS becomes a shared-risk blind spot that no one is able to remediate end to end.

👉 Read our full editorial: SaaS governance is now an identity and control problem



   
ReplyQuote
Share: