
SaaS management myths: where identity and access teams still slip


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: SaaS adoption has outpaced the assumptions many IT teams still use to govern apps, access, and external collaboration, and the article argues that hidden apps, incomplete discovery, and delayed deprovisioning create security and compliance exposure for organizations. For IAM teams, the message is that SaaS management is now an identity governance problem, not just a software inventory problem.

NHIMG editorial — based on content published by Zluri: The Most Prevalent 10 SaaS Management Misconceptions That Every IT Team Must Be Aware Of

By the numbers:

Questions worth separating out

Q: What breaks when SaaS discovery depends on only one agent or plugin?

A: One control rarely sees all SaaS usage.

Q: Why do SaaS apps create identity governance risk as they spread across the business?

A: Because each app introduces new access paths, external users, and lifecycle events that must be governed.

Q: How should organisations govern external users in SaaS environments?

A: Treat external users as first-class identities with named ownership, approved scope, and a defined offboarding path.

Practitioner guidance

  • Build a multi-source SaaS discovery model: combine SSO telemetry, endpoint signals, network inspection, and application inventory so BYOD and browser-based usage are not missed.
  • Create a single owner for each SaaS entitlement set: assign an accountable business and technical owner to every major app, then define who approves access, who reviews it, and who removes it when the business need ends.
  • Automate joiner-mover-leaver actions for SaaS access: trigger provisioning and deprovisioning from lifecycle events rather than tickets alone, and ensure removed users lose access to all connected SaaS instances, not just the primary application record.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • How its SaaS management platform discovers apps across managed devices, BYOD, and SSO-connected access paths
  • How Zluri frames licence usage, renewals, and cost optimisation as an ongoing operating process
  • How external groups and collaborators can be handled in a centralised SaaS management workflow
  • How the platform supports request flows for approved applications and ownership-driven access

👉 Read Zluri's analysis of the most prevalent SaaS management misconceptions →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

SaaS sprawl is an identity governance problem before it is a software management problem. The article correctly shows that unknown apps create unknown access paths, which means the real failure is not app count but governance blindness. Once SaaS usage outpaces discovery, security, compliance, and lifecycle control all degrade together. Practitioners should treat SaaS inventory as an identity control surface, not an IT asset list.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: How do teams know whether SaaS access controls are actually working?

A: Look for three signals: complete app discovery, timely entitlement removal after role change or exit, and a clean match between active usage and licensed access. If those three do not align, the programme is carrying hidden access risk, unnecessary cost, or both.

👉 Read our full editorial: SaaS management misconceptions are masking identity and access risk



   
ReplyQuote
Share:
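The multi-source discovery and joiner-mover-leaver guidance in the opening post, and the "three signals" test in the reply, as one added worked example. This is illustrative code written for this thread, not code from either post, from NHIMG or from Zluri's platform. It reconciles a constructed HRIS feed, SSO sign-in log, endpoint host list and per-instance entitlement export; every user, hostname, app, seat count, the one-day removal SLA and the 30-day usage window are invented assumptions.

```python
"""Reconcile SaaS discovery telemetry with HR lifecycle events and licence data.
All data here is constructed for illustration, not pulled from any live system."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class HREvent:
    user: str
    kind: str       # "joiner", "mover" or "leaver"
    when: datetime

@dataclass(frozen=True)
class Login:
    user: str
    app: str        # normalised app id, e.g. "slack"
    instance: str   # tenant or workspace the login landed on
    when: datetime

@dataclass(frozen=True)
class Entitlement:
    user: str
    app: str
    instance: str

NOW = datetime(2024, 6, 10, 9, 0)
# Constructed HRIS feed: bob left a week ago, carol changed role three days ago.
HR_EVENTS = [
    HREvent("alice", "joiner", NOW - timedelta(days=400)),
    HREvent("bob", "leaver", NOW - timedelta(days=7)),
    HREvent("carol", "mover", NOW - timedelta(days=3)),
    HREvent("dave", "joiner", NOW - timedelta(days=30)),
]
# What IT believes it manages: app -> connected instances and licensed seats (assumed values).
INVENTORY = {
    "slack": {"instances": {"acme.slack.com", "acme-eu.slack.com"}, "seats": 3},
    "jira": {"instances": {"acme.atlassian.net"}, "seats": 10},
}
# Entitlements as each instance's admin export reports them (constructed).
ENTITLEMENTS = [
    Entitlement("alice", "slack", "acme.slack.com"),
    Entitlement("bob", "slack", "acme-eu.slack.com"),  # secondary workspace, missed at offboarding
    Entitlement("alice", "jira", "acme.atlassian.net"),
    Entitlement("carol", "jira", "acme.atlassian.net"),
    Entitlement("dave", "jira", "acme.atlassian.net"),
]
# Constructed SSO sign-in telemetry.
SSO_LOGINS = [
    Login("alice", "slack", "acme.slack.com", NOW - timedelta(days=1)),
    Login("alice", "jira", "acme.atlassian.net", NOW - timedelta(days=2)),
    Login("bob", "slack", "acme-eu.slack.com", NOW - timedelta(days=2)),   # after his leaver event
    Login("carol", "notion", "acme.notion.site", NOW - timedelta(days=5)),  # app not in inventory
]
# Constructed endpoint/browser telemetry: user -> SaaS hosts seen, BYOD included.
ENDPOINT_HOSTS = {"dave": {"app.figma.com"}, "alice": {"acme.slack.com"}}  # dave never used SSO
HOST_TO_APP = {"app.figma.com": "figma", "acme.slack.com": "slack", "acme.notion.site": "notion"}

def discover_unknown_apps(inventory, sso_logins, endpoint_hosts):
    """Apps seen by any telemetry source but absent from inventory, with the sources that saw them.
    Each source alone misses something: figma is endpoint-only, notion is SSO-only."""
    seen = defaultdict(set)
    for login in sso_logins:
        seen[login.app].add("sso")
    for hosts in endpoint_hosts.values():
        for host in hosts:
            seen[HOST_TO_APP.get(host, host)].add("endpoint")
    return {app: srcs for app, srcs in seen.items() if app not in inventory}

def overdue_lifecycle_actions(hr_events, entitlements, now, sla=timedelta(days=1)):
    """Entitlements still present once a leaver/mover event is older than the SLA (assumed 1 day).
    Leavers lose everything on every connected instance; movers get a recertification."""
    action = {}
    for ev in hr_events:
        if ev.kind in ("leaver", "mover") and now > ev.when + sla:
            action[ev.user] = "remove" if ev.kind == "leaver" else "recertify"
    return sorted((e.user, e.app, e.instance, action[e.user]) for e in entitlements if e.user in action)

def post_exit_activity(hr_events, sso_logins):
    """Sign-ins that happened after the user's leaver event: proof that deprovisioning did not land."""
    left = {ev.user: ev.when for ev in hr_events if ev.kind == "leaver"}
    return sorted((lg.user, lg.app, lg.instance) for lg in sso_logins if lg.user in left and lg.when > left[lg.user])

def licence_drift(inventory, entitlements, sso_logins, now, window=timedelta(days=30)):
    """Per app: (seats licensed, seats assigned, seats actually used within the window)."""
    assigned, active = defaultdict(set), defaultdict(set)
    for e in entitlements:
        assigned[e.app].add(e.user)
    for lg in sso_logins:
        if lg.app in inventory and now - lg.when <= window:
            active[lg.app].add(lg.user)
    return {app: (meta["seats"], len(assigned[app]), len(active[app])) for app, meta in inventory.items()}

def health_report(now=NOW):
    """The three signals from the thread, computed over the constructed data."""
    return {
        "unknown_apps": discover_unknown_apps(INVENTORY, SSO_LOGINS, ENDPOINT_HOSTS),
        "overdue": overdue_lifecycle_actions(HR_EVENTS, ENTITLEMENTS, now),
        "post_exit_logins": post_exit_activity(HR_EVENTS, SSO_LOGINS),
        "licence_drift": licence_drift(INVENTORY, ENTITLEMENTS, SSO_LOGINS, now),
    }

if __name__ == "__main__":
    print(health_report())
```

Run as-is, the report flags notion (seen only via SSO) and figma (seen only on an endpoint) as unknown apps, bob's leftover entitlement on the secondary Slack workspace plus his sign-in after the leaver event, carol's Jira access as due for recertification after her role change, and Jira as licensed for 10 seats with 3 assigned and 1 active. In a real deployment the constructed lists would be replaced by exports from the IdP, endpoint agent and each app's admin API, and the SLA and window tuned to policy.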