
SaaS sprawl and access control: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: SaaS adoption is shifting software consumption to decentralized buying, access, and data ownership, and Zluri argues that traditional ITAM and SAM models cannot keep up with renewal, offboarding, and compliance demands. The identity problem is no longer just software sprawl, but unmanaged access lifecycles across users, data, and SaaS tools.

NHIMG editorial — based on content published by Zluri: The Case for Building a SaaS Management Tool Ground Up

By the numbers:

Questions worth separating out

Q: How should security teams govern SaaS access when employees can buy tools directly?

A: Security teams should treat SaaS as an identity governance problem, not just a procurement problem.

Q: Why do SaaS tools create more access risk than traditional software?

A: SaaS tools create more access risk because buying and provisioning are decentralised, so access can be created outside central IT visibility.

Q: What breaks when offboarding is not tied to SaaS subscription management?

A: When offboarding is disconnected from SaaS management, former users, contractors, and service accounts can keep access after the business need ends.

Practitioner guidance

  • Map every SaaS app to an owner and offboarding path. Create a system of record that ties each SaaS subscription to a business owner, renewal date, data class, and revocation workflow.
  • Separate procurement approval from access governance. Require a security and identity review before users can expand SaaS access beyond the initial purchase.
  • Build lifecycle triggers into SaaS access removal. Connect leaver, mover, and contract-end events to automated revocation for SaaS accounts and connected integrations.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • The article breaks down the SaaS-first operating model and why traditional ITAM assumptions no longer fit.
  • It explains the business-side drivers behind decentralised SaaS adoption and why they matter for governance.
  • It lays out the practical access control, data sprawl, and compliance problems in more detail.
  • It includes the author's perspective on building a SaaS management platform from the ground up.

👉 Read Zluri's case for a SaaS management platform built for cloud-first adoption →

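As an added illustration of the three practitioner points above (a system of record per subscription, lifecycle events driving revocation, and catching access that outlived its business need), the following Python sketch is example code written for this post; it is not Zluri's code or an NHIMG tool. Every field name, the event types, the "department-scoped app" policy for movers, and the sample registry are assumptions made for illustration.

```python
"""Added example: a minimal SaaS access system of record with
lifecycle-triggered revocation and an orphaned-access review.
All field names, policies and sample data are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class SaaSApp:
    """One subscription in the system of record."""
    name: str
    owner: Optional[str]             # business owner; None means nobody owns the lifecycle
    renewal_date: date
    data_class: str                  # e.g. "internal", "confidential"
    revocation_workflow: str         # e.g. "scim", "admin_api", "manual_ticket"
    department_scoped: bool = False  # access is only valid while the principal stays in that department


@dataclass
class Access:
    """A principal's foothold in an app plus the integrations bound to it."""
    app: str
    principal: str
    kind: str                        # "user" | "contractor" | "service"
    department: str
    integrations: List[str] = field(default_factory=list)  # API keys / OAuth grants revoked with the account
    contract_end: Optional[date] = None                    # contractors and service accounts only


@dataclass
class RevocationAction:
    app: str
    principal: str
    workflow: str
    integrations: List[str]
    reason: str


UNREGISTERED_WORKFLOW = "manual_ticket"  # fallback for shadow SaaS with no registry entry


def revocations_for_event(event: dict, registry: Dict[str, SaaSApp],
                          accesses: List[Access]) -> List[RevocationAction]:
    """Translate a leaver / mover / contract_end event into concrete revocations,
    including the integrations tied to the principal, never just the login."""
    etype, principal = event["type"], event["principal"]
    actions: List[RevocationAction] = []
    for acc in accesses:
        if acc.principal != principal:
            continue
        app = registry.get(acc.app)
        workflow = app.revocation_workflow if app else UNREGISTERED_WORKFLOW
        if etype in ("leaver", "contract_end"):
            reason = etype
        elif etype == "mover":
            # Assumed policy: a move revokes only department-scoped apps the mover is leaving
            if not (app and app.department_scoped and acc.department != event["new_department"]):
                continue
            reason = f"mover:{acc.department}->{event['new_department']}"
        else:
            raise ValueError(f"unknown event type {etype}")
        actions.append(RevocationAction(acc.app, principal, workflow, list(acc.integrations), reason))
    return actions


def find_orphaned_access(registry: Dict[str, SaaSApp], accesses: List[Access], today: date) -> List[str]:
    """Findings a periodic review should raise: ownerless apps, shadow apps, expired contracts."""
    findings: List[str] = []
    for name, app in registry.items():
        if app.owner is None:
            findings.append(f"{name}: no business owner, lifecycle unmanaged")
    for acc in accesses:
        if acc.app not in registry:
            findings.append(f"{acc.app}: used by {acc.principal} but absent from the registry (shadow SaaS)")
        if acc.contract_end and acc.contract_end < today:
            findings.append(f"{acc.app}: {acc.kind} {acc.principal} still active after contract end {acc.contract_end}")
    return findings


# Constructed sample data (not a real inventory)
REGISTRY = {
    "crm": SaaSApp("crm", "alice", date(2025, 3, 1), "confidential", "scim"),
    "design-tool": SaaSApp("design-tool", None, date(2025, 6, 1), "internal", "manual_ticket", True),
}
ACCESSES = [
    Access("crm", "bob", "user", "sales", ["oauth:bob-zapier"]),
    Access("crm", "svc-sync", "service", "sales", ["apikey:sync-01"]),
    Access("design-tool", "bob", "user", "marketing"),
    Access("design-tool", "carol", "contractor", "marketing", contract_end=date(2025, 1, 31)),
    Access("unknown-notes", "bob", "user", "sales"),  # never registered: shadow SaaS
]

if __name__ == "__main__":
    for a in revocations_for_event({"type": "leaver", "principal": "bob"}, REGISTRY, ACCESSES):
        print(a)
    for f in find_orphaned_access(REGISTRY, ACCESSES, date(2025, 2, 15)):
        print(f)
```

The point of the two functions is that revocation is driven by the identity event, not by whoever remembers the subscription exists, and that anything the registry cannot explain (an unregistered app, an ownerless one, a contractor past contract end) surfaces as a finding instead of silently persisting.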
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Decentralised SaaS buying creates identity sprawl, not just software sprawl. The article is really describing a governance model where access is created faster than central teams can observe it. That is not a procurement issue alone, because every untracked subscription can also become an untracked identity path. Practitioners should treat SaaS adoption as an access governance problem with financial and compliance side effects.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who should own SaaS governance in an enterprise?

A: SaaS governance should be shared across IT, security, procurement, and business ownership, but identity teams need clear control authority over access and revocation. If no one owns the lifecycle, each group assumes another team is handling it, and the application becomes unmanaged in practice.

👉 Read our full editorial: SaaS sprawl is breaking traditional identity and asset controls
