SaaS risk management and identity controls: what teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: SaaS risk management is framed here as the discipline of finding, assessing, and reducing application, access, compliance, and third-party exposure across a growing SaaS estate, according to Zluri. The practical takeaway is that visibility, access control, auditability, and offboarding discipline matter more than adding another checklist.

NHIMG editorial, based on content published by Zluri (Security & Compliance): "Effective SaaS Risk Management - A Guide for 2026"

Questions worth separating out

Q: How should organisations govern SaaS access in environments with shadow IT?

A: They should start with inventory, then tie each application to an owner, a data classification, and a review cycle.

Q: Why do SaaS applications create identity risk beyond authentication?

A: Because SaaS risk is usually caused by entitlement drift, third-party connections, and unmanaged lifecycle events rather than sign-in alone.

Q: What breaks when third-party SaaS access is never reviewed?

A: Access becomes effectively permanent, even when the vendor relationship changes or the integration is no longer needed.

Practitioner guidance

  • Build a live SaaS inventory: Track every approved and unapproved application, its business owner, and the data it can reach.
  • Tie SSO to entitlement review: Use SSO for consistent authentication, but review roles, groups, and app-specific permissions on a recurring basis so central login does not hide stale access.
  • Require third-party access expiry: Set explicit review and removal dates for vendor integrations, API connections, and delegated access.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step SaaS risk management workflow for inventory, assessment, and remediation
  • Examples of monitoring, audit, and compliance checks across SaaS applications
  • Operational guidance on access control, MFA, SSO, and backup recovery planning
  • Practical suggestions for handling shadow IT and third-party SaaS exposure

Read Zluri's guide to SaaS risk management for 2026.

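The three practitioner controls above (owner and data classification per app, entitlement review on a fixed cycle, and expiry dates on third-party access) can be checked mechanically against an inventory. The script below is an added example, not code from the post or from Zluri; the inventory schema, app names, vendors and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass
class SaasApp:
    """One row of the live SaaS inventory (hypothetical schema)."""
    name: str
    owner: Optional[str]             # business owner accountable for the app
    data_class: Optional[str]        # e.g. "confidential", "internal"
    review_cycle_days: int           # how often entitlements must be re-reviewed
    last_review: Optional[date]      # None = never reviewed
    integrations: Dict[str, Optional[date]] = field(default_factory=dict)  # vendor -> access expiry

Finding = Tuple[str, str, str]  # (app name, finding code, detail)

def audit_inventory(apps: List[SaasApp], today: date) -> List[Finding]:
    """Flag apps that violate the three controls: ownership/classification,
    recurring entitlement review, and third-party access expiry."""
    findings: List[Finding] = []
    for app in apps:
        if not app.owner:
            findings.append((app.name, "NO_OWNER", "no business owner recorded"))
        if not app.data_class:
            findings.append((app.name, "NO_DATA_CLASS", "data classification missing"))
        # Never reviewed, or reviewed longer ago than its cycle, means the
        # entitlements are stale even though SSO still signs everyone in.
        if app.last_review is None or today - app.last_review > timedelta(days=app.review_cycle_days):
            findings.append((app.name, "REVIEW_OVERDUE", f"last review: {app.last_review}"))
        for vendor, expiry in app.integrations.items():
            if expiry is None:
                findings.append((app.name, "THIRD_PARTY_NO_EXPIRY", vendor))
            elif expiry < today:
                findings.append((app.name, "THIRD_PARTY_EXPIRED", f"{vendor} expired {expiry}"))
    return findings

# Constructed sample inventory; names and dates are illustrative only.
TODAY = date(2026, 3, 1)
SAMPLE_APPS = [
    SaasApp("crm", "sales-ops", "confidential", 90, date(2025, 12, 15),
            {"analytics-vendor": date(2026, 6, 30)}),
    SaasApp("shadow-notes", None, None, 90, None),
    SaasApp("ticketing", "it-helpdesk", "internal", 90, date(2025, 10, 1),
            {"old-chatbot": date(2025, 12, 31), "backup-vendor": None}),
]

if __name__ == "__main__":
    for app_name, code, detail in audit_inventory(SAMPLE_APPS, TODAY):
        print(f"{app_name:14} {code:24} {detail}")
```

Run against the sample, "crm" passes cleanly while the unowned shadow app and the ticketing system with an expired and an open-ended vendor connection produce six findings between them.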
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4802
 

SaaS risk management is really identity governance under another name. The article correctly treats visibility, access control, and third-party risk as core issues, but those controls all depend on knowing which identities exist, who owns them, and when they should be removed. That is the same governance problem seen in NHI programmes, where sprawl becomes dangerous once access outpaces oversight. The practitioner conclusion is that SaaS risk cannot be owned only by security operations; it belongs in identity governance.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why lifecycle governance and inventory discipline keep failing in practice.

A question worth separating out:

Q: Who is accountable when SaaS data is exposed through unmanaged applications?

A: Accountability should sit with the business owner of the application, the identity team managing access, and the security team governing risk decisions. If no one owns lifecycle review, unmanaged SaaS will keep accumulating permissions. Frameworks such as the NIST Cybersecurity Framework 2.0 help structure that accountability around govern, identify, protect, detect, respond, and recover.

Read our full editorial: SaaS risk management in 2026 demands stronger identity controls.
