
SaaS spend optimization: what identity teams should watch


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter

TL;DR: SaaS spend optimization is presented as a way to cut waste, but the deeper issue is that unused apps, hidden subscriptions, and weak decommissioning also create identity and access exposure, according to Zluri. For IAM and NHI teams, cost control and governance now overlap in the same control surface.

NHIMG editorial — based on content published by Zluri: SaaS Management SaaS Spend Optimization: A Comprehensive Guide

By the numbers:

Questions worth separating out

Q: How should security teams govern SaaS sprawl without losing access control?

A: Security teams should manage SaaS sprawl as an identity governance problem, not only a cost problem.

Q: Why do unused SaaS subscriptions create security risk as well as cost waste?

A: Unused subscriptions often leave behind active accounts, SSO trust, API tokens, and delegated admin paths.

Q: What breaks when SaaS offboarding does not include revoking access?

A: If offboarding stops at contract cancellation, the organisation can retain active access in the form of federated logins, tokens, and privileged roles.

Practitioner guidance

  • Map every SaaS app to its identity footprint: record users, admins, SSO links, API integrations, and service accounts for each application before renewal or cancellation decisions are made.
  • Join spend reviews to access reviews: use the same quarterly review to identify unused licenses and over-privileged accounts, then require remediation for both findings in one workflow.
  • Treat offboarding as a revocation event: when an application is retired, remove the account, disable federation, revoke tokens, and verify that no delegated access remains in downstream systems.

What's in the full article

Zluri's full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step SaaS discovery methods used to surface hidden applications across finance, identity, and device signals
  • Practical approaches to license reallocation, duplicate app removal, and department-level usage tracking
  • Negotiation mechanics for renewals, including BATNA and ZOPA examples applied to SaaS purchasing
  • Workflow detail for monitoring spend in real time and turning usage data into procurement decisions

👉 Read Zluri's guide to SaaS spend optimisation and hidden app costs →

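Added example, not code from Zluri's guide or from NHIMG: a Python pass over a constructed SaaS inventory that performs the joint spend/access review and the retirement residue check described in the practitioner guidance above. The SaasApp fields, the 90-day unused window and the 20% admin ratio are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class SaasApp:
    name: str
    status: str               # "active", or "retired" once the contract is cancelled
    licensed_users: dict      # user -> last login date (None = never logged in)
    admins: set               # users holding an admin role in the app
    sso_enabled: bool         # federation trust still configured in the IdP
    api_tokens: set           # token ids still valid at the vendor
    delegated_grants: set     # downstream systems still trusting this app

def review(apps, today, unused_days=90, max_admin_ratio=0.2):
    """One pass that yields both spend findings and access findings per app."""
    findings = []
    for app in apps:
        if app.status == "retired":
            # Offboarding is a revocation event: anything still live is access residue
            checks = [(app.licensed_users, f"{len(app.licensed_users)} account(s)"),
                      (app.sso_enabled, "SSO trust"),
                      (app.api_tokens, f"{len(app.api_tokens)} API token(s)"),
                      (app.delegated_grants, "delegated access: " + ", ".join(sorted(app.delegated_grants)))]
            residue = [label for live, label in checks if live]
            if residue:
                findings.append((app.name, "access-residue", "; ".join(residue)))
            continue
        # Spend signal: a licence with no login inside the review window
        unused = sorted(u for u, last in app.licensed_users.items()
                        if last is None or (today - last).days > unused_days)
        if unused:
            findings.append((app.name, "unused-license", ", ".join(unused)))
        # Access signals: dormant users that still hold admin, and admin-heavy apps
        dormant_admins = sorted(set(unused) & app.admins)
        if dormant_admins:
            findings.append((app.name, "dormant-admin", ", ".join(dormant_admins)))
        if app.licensed_users and len(app.admins) / len(app.licensed_users) > max_admin_ratio:
            findings.append((app.name, "over-privileged",
                             f"{len(app.admins)}/{len(app.licensed_users)} users are admins"))
    return findings

# Constructed sample inventory (not from the article); review date fixed for reproducibility
TODAY = date(2025, 6, 30)
SAMPLE_APPS = [
    SaasApp("design-tool", "active", {"alice": date(2025, 6, 1), "bob": date(2025, 1, 15), "carol": None},
            {"bob"}, True, {"tok-1"}, set()),
    SaasApp("old-crm", "retired", {"dave": date(2024, 12, 1)}, {"dave"}, True, {"tok-9"}, {"billing-sync"}),
]
```

Each finding is a (app, kind, detail) tuple so the unused-license and access findings can be ticketed in the same remediation workflow.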

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343

SaaS spend optimisation is an identity lifecycle issue disguised as a finance process. The guide focuses on budgets, but the control failures it describes are the same ones identity teams see in stale accounts, orphaned integrations, and unreviewed app sprawl. When software remains active after business need has changed, access usually remains active too. Practitioners should treat spend control as a governance signal, not a procurement-only exercise.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

A question worth separating out:

Q: Who should own SaaS governance when finance, IT, and IAM all have a stake?

A: Ownership should be shared, but accountability needs one process owner who can force closure across procurement, access, and lifecycle tasks. Finance can validate spend, IT can confirm technical shutdown, and IAM can verify revocation. Without a single workflow, applications linger and access residue remains.

👉 Read our full editorial: SaaS spend optimization exposes hidden identity and access risk

