SaaS shadow IT discovery gaps: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: SaaS adoption is creating a shadow IT problem that traditional surveys, SSO, CASB, ITAM, and SAM tools only partially expose, while Zluri argues that nine discovery methods are needed to map usage across the enterprise. Shadow IT is now an identity governance and access visibility issue, not just an application inventory problem.

NHIMG editorial — based on content published by Zluri: SaaS Management How to Eliminate Shadow IT

By the numbers:

Questions worth separating out

Q: How should security teams discover shadow IT in SaaS environments?

A: They should combine identity-provider data, finance records, direct app integrations, directory data, and endpoint or browser signals.

Q: Why do SSO and CASB miss so much SaaS usage?

A: SSO only sees apps that are federated through the identity layer, while CASB often provides incomplete SaaS detail and can miss who is actually using or administering an app.

Q: What breaks when shadow IT is handled only as a procurement issue?

A: Access review, offboarding, and license reclamation all break because the organisation never creates a governance path for the app.

Practitioner guidance

  • Map SaaS discovery to governance owners: Assign a named owner for every discovered SaaS application, including business-owned tools that entered through expense cards or freemium sign-ups.
  • Use multiple discovery sources, not one control: Correlate identity provider logs, finance records, app integrations, directory data, and endpoint signals before deciding whether a tool is sanctioned.
  • Review shadow app access in lifecycle cycles: Fold unsanctioned SaaS into joiner-mover-leaver processes, recertification, and offboarding so accounts and subscriptions are removed when the business need ends.

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

  • Nine separate SaaS discovery methods and how Zluri combines them across identity, finance, and endpoint signals.
  • Practical examples of how each discovery source surfaces different classes of shadow IT.
  • Implementation details for direct integrations, optional desktop agents, and browser extensions.
  • Operational guidance on using SaaS visibility to benchmark costs and determine governance thresholds.

👉 Read Zluri's blog post on eliminating SaaS shadow IT with multi-source discovery →



(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Shadow IT is now an identity surface problem, not a software inventory problem. The article correctly frames SaaS adoption as a governance issue because every unsanctioned app creates an unmanaged access path, a data-sharing path, and a lifecycle problem. That means the control failure is not simply that IT does not know the app exists. It is that the organisation cannot govern the identity, permission, and offboarding consequences that follow. Practitioners should treat SaaS discovery as part of identity security, not a side activity.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, including 38% with no or low visibility and 47% with only partial visibility.

A question worth separating out:

Q: How can organisations decide whether a SaaS app should be sanctioned?

A: They should judge usage, business purpose, data sensitivity, and ownership together. An app that is widely used but lacks a control owner, clear contract trail, or identity integration should be treated as a governance candidate, not automatically approved. Sanctioning should follow evidence, not convenience.

👉 Read our full editorial: Shadow IT in SaaS discovery is still outpacing IAM controls

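Added example (ours, not Zluri's or the editorial's code): a Python sketch of the multi-source correlation the first post's practitioner guidance describes and the sanctioning test in the second post's Q&A, run over constructed records. The five source names, the alias table and the owner table are assumptions for the sketch.

```python
from collections import defaultdict

# Constructed (not real) records per discovery source: (name as that source reports it, evidence).
SOURCES = {
    "idp": [("Slack", "SAML app in IdP"), ("Salesforce", "SAML app in IdP"),
            ("Notion", "OIDC app in IdP")],
    "finance": [("slack technologies", "expense card, 1200/mo"),
                ("Salesforce.com", "invoice, 24000/yr"),
                ("notion labs", "expense card, 40/mo"), ("dataprep.io", "invoice, 900/yr")],
    "oauth": [("DataPrep", "workspace OAuth grant, mail-read scope, 3 users")],
    "directory": [("Salesforce", "directory group 'sales-crm'")],
    "endpoint": [("notion.so", "browser extension: 40 users/30d"),
                 ("dataprep.io", "browser extension: 3 users/30d"),
                 ("filedrop.example", "browser extension: 1 user/30d")],
}
# Named owners for apps that already have a governance path (constructed).
OWNERS = {"slack": "collab-platform-team", "salesforce": "sales-ops"}
# Crude vendor-name normalisation; real tooling would use a vendor catalogue.
ALIASES = {"slack technologies": "slack", "salesforce.com": "salesforce",
           "notion labs": "notion", "notion.so": "notion", "dataprep.io": "dataprep"}

def normalise(name):
    key = name.strip().lower()
    return ALIASES.get(key, key)

def correlate(sources):
    """Merge every source into {app: {source: [evidence, ...]}}."""
    apps = defaultdict(lambda: defaultdict(list))
    for source, records in sources.items():
        for name, detail in records:
            apps[normalise(name)][source].append(detail)
    return apps

def classify(app, evidence, owners):
    """Status follows the evidence: sanctioned only when no governance gap remains."""
    gaps = [gap for gap, missing in (
        ("no_owner", app not in owners),
        ("no_identity_integration", "idp" not in evidence and "directory" not in evidence),
        ("no_contract_trail", "finance" not in evidence)) if missing]
    if not gaps:
        status = "sanctioned"
    elif set(evidence) <= {"endpoint"}:  # only sightings: nothing pays for or federates it
        status = "unsanctioned"
    else:
        status = "governance candidate"
    return {"status": status, "gaps": gaps, "owner": owners.get(app), "sources": sorted(evidence)}

def build_inventory(sources=SOURCES, owners=OWNERS):
    """One entry per sighted app, decided on correlated evidence rather than one control."""
    return {app: classify(app, ev, owners) for app, ev in correlate(sources).items()}
```

With the constructed data, Notion is federated and paid for but has no owner, so it lands as a governance candidate rather than being auto-approved; the browser-only sighting stays unsanctioned.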