
SaaS sprawl and access control: what IAM teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: SaaS optimization is presented as a way to reduce duplicated tools, unused licenses, and spend, while also improving visibility, security, and compliance across the application estate, according to Zluri. The deeper issue is that unmanaged SaaS growth is an identity governance problem, not just a procurement problem.

NHIMG editorial — based on content published by Zluri: SaaS Management SaaS Optimization: A Comprehensive Guide

By the numbers:

Questions worth separating out

Q: How should security teams govern SaaS sprawl without losing control of access?

A: Start with a complete SaaS inventory that includes purchased apps, connected integrations, and local account stores.

Q: Why does SaaS sprawl create identity risk as well as cost waste?

A: Because every extra application can hold active users, OAuth grants, API tokens, or local admins after the business need has passed.

Q: What do teams get wrong about SaaS license optimisation?

A: They treat it as a procurement cleanup exercise and ignore the identity state underneath.

Practitioner guidance

  • Build a complete SaaS inventory across business and IT channels. Combine SSO logs, expense data, API integrations, and procurement records so you can see sanctioned and unsanctioned apps in one place.
  • Reconcile licenses, users, and active usage on a fixed cadence. Compare what was purchased with what is assigned and what is actually used.
  • Include connected apps and delegated access in recertification. Review OAuth grants, vendor integrations, and locally created users alongside directory-based accounts.

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step SaaS inventory centralisation across discovery methods and admin sources
  • Detailed license usage monitoring workflow for finding underused and duplicated subscriptions
  • Contract renewal and auto-renewal management mechanics for procurement teams
  • Examples of spend analysis and approval workflows for SaaS portfolio control

👉 Read Zluri's guide to SaaS optimisation and spend control →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

SaaS optimization is really lifecycle governance for the application layer. The article frames the problem as cost and efficiency, but the underlying issue is control over who and what keeps access over time. When SaaS purchasing is decentralized, lifecycle events like joiner, mover, leaver, and access review lose their reference point. The implication is that SaaS optimization should be treated as a governance function that spans identity, not as a finance-only exercise.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • Another finding from our research shows that 91.6% of secrets remain valid five days after the targeted organisation is notified, which shows how slow remediation often is in practice.

A question worth separating out:

Q: Who should be accountable for offboarding SaaS access when a tool is no longer needed?

A: The accountable owner should be the business or application owner who can confirm removal, not only IT or procurement. Revocation must include users, tokens, and integrations so the application cannot retain access after cancellation or retirement.

👉 Read our full editorial: SaaS optimization exposes the identity governance gap in shadow IT



   
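The reconciliation both posts call for (licenses against SSO activity, plus leavers against users, tokens and integrations), as an added Python example that is not part of either post or of Zluri's guide. All data rows, app names, the 90-day inactivity window and the `reconcile` function are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the article): one source per bullet in the guidance.
TODAY = date(2024, 6, 30)
INACTIVE_DAYS = 90  # assumed cadence threshold; pick one that matches your review cycle

LICENSES = [  # procurement / admin-console view: (app, user) pairs with an assigned seat
    ("crm", "alice"), ("crm", "bob"), ("crm", "carol"),
    ("design-tool", "bob"), ("design-tool", "dave"),
]
SSO_LAST_LOGIN = {  # from SSO logs: (app, user) -> date of last sign-in
    ("crm", "alice"): date(2024, 6, 28),
    ("crm", "bob"): date(2024, 2, 1),
    ("design-tool", "dave"): date(2024, 6, 29),
}
OAUTH_GRANTS = [  # connected apps / delegated access: (app, granting user, scope)
    ("crm", "carol", "export.read"),
    ("design-tool", "dave", "files.write"),
]
LEAVERS = {"carol"}  # from HR: users whose access should already be fully revoked


def reconcile(licenses, last_login, grants, leavers, today=TODAY):
    """Cross-check seats, sign-ins and grants; return findings grouped by owner action."""
    findings = {
        "leaver_license": [],   # seat still assigned to someone who has left
        "leaver_grant": [],     # OAuth/integration grant still tied to a leaver
        "never_used": [],       # seat assigned but no SSO sign-in at all
        "unused_license": [],   # seat assigned but idle longer than INACTIVE_DAYS
    }
    for app, user in licenses:
        if user in leavers:
            findings["leaver_license"].append((app, user))
            continue
        seen = last_login.get((app, user))
        if seen is None:
            findings["never_used"].append((app, user))
        elif (today - seen).days > INACTIVE_DAYS:
            findings["unused_license"].append((app, user))
    # Delegated access is checked separately: revoking the user is not enough on its own.
    for app, user, scope in grants:
        if user in leavers:
            findings["leaver_grant"].append((app, user, scope))
    return findings


if __name__ == "__main__":
    for kind, rows in reconcile(LICENSES, SSO_LAST_LOGIN, OAUTH_GRANTS, LEAVERS).items():
        print(kind, rows)
```

Each finding maps to a distinct revocation step (seat, sign-in, grant), which is the point the second post makes about cancellation not being complete until tokens and integrations are gone too.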