SaaS management and security controls: what IAM teams need now

TL;DR: Recession pressure should push CIOs toward tighter SaaS buying, asset visibility, spend control, security tooling, and employee training, according to Zluri, with its platform framed as a way to reduce waste and improve governance across the stack. The deeper lesson is that SaaS sprawl is an identity problem as much as a cost problem: unmanaged access, renewal drift, and weak offboarding turn budget pressure into control failure.

NHIMG editorial — based on content published by Zluri: SaaS Management 6 Investments CIOs Must Make Before Recession Hits

By the numbers:

• Zluri says it can discover 100% of SaaS apps in an organisation.
• Zluri says it notifies teams 30 days, 15 days, and one day before contract expiry.
• 30% after purchase, age can fall to 30% after purchase, leaving 70% of resources wasted.

Questions worth separating out

Q: How should organisations govern SaaS access as part of lifecycle management?

A: Treat each SaaS application as an identity lifecycle object with an owner, approval path, review cadence, and offboarding trigger.

Q: Why do SaaS renewals often expose governance weaknesses?

A: Renewals force organisations to answer whether an app is still needed, who still uses it, and whether its access remains justified.

Q: What do teams get wrong about SaaS security scoring?

A: Security scores are often treated as a substitute for governance, when they are only a signal.

Practitioner guidance

• Tie SaaS renewal to access review Require each renewal decision to validate active users, owned integrations, and whether permissions still match current business need.
• Inventory SaaS integrations as identities Treat every API connection, OAuth app, and service account inside a SaaS tool as a governed identity with an owner, purpose, and removal trigger.
• Separate high-risk permissions from routine use Split view and collaboration access from delete, admin, and export rights so that reviews can focus on the permissions that change blast radius.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

• How Zluri frames SaaS buying decisions for budget-constrained CIOs and CFOs.
• The platform-specific renewal tracking, notification timing, and dashboard workflows described in the source article.
• The detailed examples of SaaS security scoring and access-level risk handling that sit behind the article's summary.
• The training and employee enablement angle as presented in the original piece.

👉 Read Zluri's analysis of SaaS management investments for recession pressure →

SaaS management and security controls: what IAM teams need now?

Explore further

View Full Forum →  |  NHI Foundation Course →