
SaaS portfolio sprawl: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: SaaS portfolio management is presented as a way to control app sprawl, reduce redundant subscriptions, and improve compliance by centralising assessment, categorisation, licensing, and access oversight, according to Zluri. The identity issue is that portfolio management only helps when app ownership, user access, and offboarding are enforced across the full SaaS lifecycle.

NHIMG editorial — based on content published by Zluri: SaaS Management SaaS Portfolio Management: A Comprehensive Guide

By the numbers:

Questions worth separating out

Q: How should security teams govern SaaS portfolio sprawl without losing access control?

A: They should govern SaaS sprawl as an identity problem, not only as an application count problem.

Q: Why do unused SaaS apps still create security risk after renewal is cancelled?

A: Unused apps often retain admin roles, OAuth grants, API keys, or embedded integrations even after business use declines.

Q: What breaks when SaaS discovery does not include identity ownership?

A: Discovery without ownership leaves security teams with a list of tools but no way to determine who can approve access, remove credentials, or retire the app safely.

Practitioner guidance

  • Build one inventory for apps, owners, and access paths. Document every SaaS application with its business owner, connected accounts, admin roles, API integrations, and renewal date.
  • Add entitlement review to SaaS rationalisation decisions. Before renewing or retiring an application, check whether it still has privileged users, delegated OAuth grants, or service connections that would survive the commercial decision.
  • Treat application retirement as an offboarding workflow. When an app moves into decline, revoke admin access, remove stored credentials, delete unused integrations, and confirm no downstream workflow still depends on the account.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step SaaS portfolio management workflow for discovery, assessment, renewal, and retirement
  • Detailed feature descriptions for automated app categorisation, license tracking, and reporting
  • Examples of how the platform centralises usage, compliance, and cost data for SaaS oversight
  • Product-specific guidance on using the tool to rationalise subscriptions and manage the full app lifecycle

👉 Read Zluri's guide to SaaS portfolio management and application lifecycle control →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4802
 

SaaS portfolio sprawl is an identity governance problem, not only a finance problem. The article frames value, renewal, and efficiency as the main drivers, but every unmanaged app also creates another set of permissions, tokens, and owners that must be governed. That means SaaS portfolio management belongs inside IAM, IGA, and NHI operating models, not beside them. Practitioner conclusion: treat app rationalisation as access rationalisation.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should be accountable when a SaaS application is retired but access remains?

A: Accountability should sit with the application owner, but security, IAM, and procurement all have a role in verifying closure. The app should not be considered retired until access reviews, credential revocation, and downstream dependency checks are complete. This is a lifecycle control failure, not just a contract issue.

👉 Read our full editorial: SaaS portfolio sprawl exposes identity governance blind spots

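As an added example (not code from either post, nor from Zluri) that covers both the practitioner guidance in the first post and the accountability answer above: a small inventory model with a retirement gate that refuses to treat an app as retired while any owner, admin role, OAuth grant, API key or downstream dependency is still outstanding, and a report of apps whose contract was cancelled but whose access survived. App names, owners, client ids and key identifiers are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class SaaSApp:
    """One inventory row: the app plus every access path that can outlive a cancelled contract."""
    name: str
    owner: Optional[str]              # accountable business owner, None if unknown
    contract_active: bool             # procurement view: is the subscription still live?
    admin_users: Set[str] = field(default_factory=set)   # privileged human accounts
    oauth_grants: Set[str] = field(default_factory=set)  # delegated grants, by client id
    api_keys: Set[str] = field(default_factory=set)      # key identifiers only, never secrets
    dependents: Set[str] = field(default_factory=set)    # downstream workflows still calling it

def retirement_blockers(app: SaaSApp) -> List[str]:
    """Everything that must be closed before the app may be marked retired."""
    checks = [
        (app.owner is None, "no accountable owner to approve closure"),
        (bool(app.admin_users), f"admin roles still assigned: {sorted(app.admin_users)}"),
        (bool(app.oauth_grants), f"OAuth grants still valid: {sorted(app.oauth_grants)}"),
        (bool(app.api_keys), f"API keys not revoked: {sorted(app.api_keys)}"),
        (bool(app.dependents), f"downstream workflows still depend on it: {sorted(app.dependents)}"),
    ]
    return [reason for failed, reason in checks if failed]

def orphaned_access(portfolio: List[SaaSApp]) -> Dict[str, List[str]]:
    """Apps whose contract is cancelled but whose access survived: the gap between
    the commercial decision and the identity decision."""
    return {app.name: retirement_blockers(app)
            for app in portfolio if not app.contract_active and retirement_blockers(app)}

def offboard(app: SaaSApp, ticket: str) -> List[str]:
    """Retirement as an offboarding workflow: return the revocation actions to execute and
    evidence under `ticket`, then clear them from the inventory. Dependencies are left alone;
    they must be migrated first, so the app stays blocked until that set is empty."""
    actions = [f"{ticket}: remove admin role {u} on {app.name}" for u in sorted(app.admin_users)]
    actions += [f"{ticket}: revoke OAuth grant {g} on {app.name}" for g in sorted(app.oauth_grants)]
    actions += [f"{ticket}: revoke API key {k} on {app.name}" for k in sorted(app.api_keys)]
    app.admin_users.clear(); app.oauth_grants.clear(); app.api_keys.clear()
    return actions

# Constructed sample inventory for this example (not real apps, owners or credentials).
PORTFOLIO = [
    SaaSApp("surveytool", "ops-lead", False, admin_users={"alice"},
            api_keys={"key-7f3a"}, dependents={"weekly-nps-export"}),
    SaaSApp("crm", "sales-lead", True, admin_users={"bob"}),
    SaaSApp("legacy-chat", None, False, oauth_grants={"client-42"}),
]
```

Running `orphaned_access(PORTFOLIO)` flags surveytool and legacy-chat as cancelled but not retired; crm is still under contract and so is reviewed at renewal rather than reported as orphaned.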