TL;DR: SaaS adoption has pushed digital operations into a control problem, with Matrix42 citing that nearly 38% of companies work almost entirely on SaaS and 51% run most operations through SaaS applications. The governance gap is no longer just spend or app sprawl, but who uses what, why, and under what accountability model.
NHIMG editorial — based on content published by Efecte: Six steps towards successful SaaS management
By the numbers:
- Nearly 38% of companies work almost entirely on SaaS.
- 51% of organizations run most of their operations using SaaS applications.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should organisations govern SaaS access across business units?
A: Start with ownership, not inventory alone.
Q: Why does SaaS sprawl create identity risk?
A: SaaS sprawl creates risk because access multiplies faster than governance.
Q: What do security teams get wrong about SaaS offboarding?
A: They often treat offboarding as a finance or procurement issue rather than an access control event.
Practitioner guidance
- Assign a named owner to every SaaS application Map each app to a business owner and an IT owner, then require those owners to approve renewals, retire unused licences, and validate offboarding.
- Create a user-to-application access map Maintain a current inventory of which users, contractors, and integrations can access each SaaS application, including shared accounts and delegated access.
- Fold SaaS offboarding into IAM workflows Make account removal, token revocation, and password resets part of the same offboarding workflow used for HR leavers and contractor exits.
What's in the full article
Efecte's full post covers the operational detail this analysis intentionally leaves for the source:
- Practical guidance for assigning application owners across IT, finance, and business teams.
- Specific ways to track who is using what and why across SaaS estates.
- Discussion of vendor consolidation, spend control, and under-utilised capability cleanup.
- The article's own examples of security and compliance concerns around passwords, account sharing, and GDPR.
👉 Read Efecte's analysis of six steps toward successful SaaS management →
SaaS management and identity governance: are your controls keeping up?
Explore further
SaaS governance is an identity lifecycle problem before it is a software portfolio problem. The article’s six steps are really about control ownership, entitlement visibility, and offboarding discipline. When organisations ask who is using what and why, they are already in lifecycle territory because access, not subscription count, is what creates operational risk. Practitioners should treat SaaS inventory as a governance input, not the end state.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Which controls matter most when SaaS platforms handle sensitive data?
A: The controls that matter most are data classification, account ownership, access review, and offboarding discipline. If an application stores personal or regulated data, teams also need stronger logging, shared-account restrictions, and third-party governance. The goal is to ensure that SaaS convenience does not outrun identity and data accountability.
👉 Read our full editorial: SaaS management is now an identity governance problem