TL;DR: Forrester’s SaaS Security Posture Management Wave points to a widening gap between traditional IAM practices and the realities of SaaS admin sprawl, OAuth-connected apps, and misconfigured access artifacts, according to Zluri’s summary of the report. The core issue is not coverage alone, but whether identity governance can keep pace with SaaS configuration and privilege complexity.
NHIMG editorial — based on content published by Zluri: Forrester’s SaaS Security Posture Management Wave summary
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools
- 97% of NHIs (non-human identities) carry excessive privileges, increasing unauthorised access and broadening the attack surface
Questions worth separating out
Q: How should security teams govern SaaS admin access across many applications?
A: Start by mapping each critical SaaS application’s admin roles, data-access settings, and approval paths.
Q: Why do traditional IAM tools struggle with SaaS security posture management?
A: Traditional IAM tools focus on authentication and central entitlements, but SaaS risk lives in app-specific roles, delegated consents, and configuration settings.
Q: What do security teams get wrong about OAuth-connected SaaS apps?
A: They often treat OAuth consent as a one-time setup step instead of a standing authorization that can outlive the original need.
Practitioner guidance
- Inventory SaaS admin paths across priority applications: build an app-by-app view of who can change settings, approve access, and delegate permissions in the SaaS platforms that matter most to the business.
- Review OAuth consents and third-party app grants: identify all external apps connected through OAuth and classify the permissions they hold, the data they can reach, and the owner responsible for each grant.
- Replace manual access certifications with workflow-based remediation: use approval and revocation workflows that let security teams correct risky SaaS permissions without waiting for the next quarterly review.
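As an added example (not Zluri's or Forrester's code), the Python below applies the second and third items to a constructed OAuth grant inventory: it classifies each grant by data reach, flags ownerless and stale grants, and orders the result for a revocation workflow. The scope names, the sample grants, and the 90-day staleness threshold are assumptions; real platforms name scopes differently and must be mapped into the buckets first.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed scope classification (assumption): map each platform's own
# scope strings into these buckets before running the triage.
WRITE_OR_ADMIN = {"mail.readwrite", "files.readwrite.all", "directory.readwrite.all"}
DATA_READ = {"mail.read", "files.read.all", "contacts.read"}
STALE_AFTER_DAYS = 90  # assumption: unused this long, the grant has likely outlived its need
REVIEW_DATE = date(2024, 6, 10)  # constructed review date for the sample run

@dataclass(frozen=True)
class Grant:
    app: str                 # third-party application name
    scopes: frozenset        # permissions the app currently holds
    owner: str | None        # person accountable for the grant, if recorded
    last_used: date | None   # last time the token was exercised, if known

def classify(g: Grant, today: date) -> dict:
    """Tag one grant with a data-reach tier and the review findings it raises."""
    findings = []
    if g.scopes & WRITE_OR_ADMIN:
        tier, findings = "write-or-admin", ["excessive-scope"]
    elif g.scopes & DATA_READ:
        tier = "data-read"
    else:
        tier = "limited"
    if g.owner is None:
        findings.append("no-owner")   # nobody can attest that the grant is still needed
    if g.last_used is None or (today - g.last_used).days > STALE_AFTER_DAYS:
        findings.append("stale")      # standing authorization that may have outlived its need
    # Priority: data reach first, then number of findings, so the revocation queue is ordered.
    rank = {"write-or-admin": 2, "data-read": 1, "limited": 0}[tier]
    return {"app": g.app, "tier": tier, "findings": findings, "priority": rank * 10 + len(findings)}

def triage(grants, today: date) -> list[dict]:
    """Return review records ordered from most to least urgent."""
    return sorted((classify(g, today) for g in grants), key=lambda r: -r["priority"])

# Constructed sample inventory, not data from the report.
SAMPLE = [
    Grant("calendar-sync", frozenset({"contacts.read"}), "alice", date(2024, 5, 20)),
    Grant("legacy-backup", frozenset({"files.readwrite.all"}), None, None),
    Grant("slack-notifier", frozenset({"chat.write"}), "bob", date(2024, 6, 1)),
]

if __name__ == "__main__":
    for record in triage(SAMPLE, REVIEW_DATE):
        print(record)
```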
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Forrester evaluation criteria used to score SaaS security posture management providers
- Zluri capability areas tied to SaaS discovery, governance, and optimisation
- Roadmap items covering third-party application risk management and privileged access management
- Discussion of how the platform maps to GitHub, Google Workspace, Microsoft 365, and Salesforce
Read Zluri's summary of Forrester's SaaS Security Posture Management Wave.