TL;DR: SaaS sprawl, shadow IT, and inefficient joiner-mover-leaver handling make SaaS Operations a governance problem as much as an operational one, according to Zluri. The control gap is that discovery, access review, and offboarding often lag the rate at which applications and accounts are created.
NHIMG editorial — based on content published by Zluri: SaaS Management SaaS Operations (SaaS Ops) - The Complete Guide
By the numbers:
- 31% of companies say SaaS takes 10% of their overall budget.
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should organisations govern SaaS sprawl without losing visibility into access?
A: Treat SaaS discovery, access review, and offboarding as one control loop.
Q: Why does SaaS shadow IT create identity risk as well as compliance risk?
A: Shadow IT becomes identity risk because users often authenticate directly into unapproved apps, creating accounts, data permissions, and OAuth grants outside normal lifecycle controls.
Q: What breaks when SaaS offboarding is handled manually?
A: Manual offboarding usually leaves some combination of active accounts, lingering OAuth grants, and unused licenses behind.
Practitioner guidance
- Build a single SaaS inventory with accountable ownership: map every application to a business owner, technical owner, and security owner, then require a reviewable reason for each app's presence in the stack.
- Automate joiner-mover-leaver events across connected apps: use HR and directory signals to trigger provisioning, entitlement reduction, and revocation in every SaaS system that can hold direct user accounts.
- Tie renewal approval to access evidence: do not renew subscriptions unless the app still has active business use, approved ownership, and a current access review record.
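The three guidance points above as one control loop, written as an added example that is not code from Zluri or from the NHIMG post: it reconciles a constructed HR roster against constructed per-app exports, flags leavers who still hold active accounts or OAuth grants and apps with no accountable owner, then gates renewal on ownership, a recent access review, and no open findings. The export layout and the 90-day review window are assumptions.

```python
from datetime import date

# Constructed sample inputs (not real data): HR roster with employment status,
# and per-app exports of accounts, OAuth grants, ownership and last access review.
HR_ROSTER = {"alice@example.com": "active", "bob@example.com": "terminated",
             "carol@example.com": "active"}
SAAS_APPS = {
    "crm": {"owner": "alice@example.com", "last_access_review": date(2024, 5, 1),
            "accounts": {"alice@example.com": "active", "bob@example.com": "active"},
            "oauth_grants": {"bob@example.com": ["read:contacts", "write:deals"]}},
    "notes-app": {"owner": None, "last_access_review": None,
                  "accounts": {"carol@example.com": "active"}, "oauth_grants": {}},
}
TODAY = date(2024, 6, 1)  # constructed "current date" for the review-age check

def reconcile(hr, apps):
    """Return (finding, app, subject) tuples for the gaps the guidance lists:
    apps without an accountable owner, leavers who still hold active accounts,
    and leavers whose OAuth grants were never revoked."""
    findings = []
    for app, meta in apps.items():
        if not meta["owner"]:
            findings.append(("no_owner", app, None))
        for user, status in meta["accounts"].items():
            if status == "active" and hr.get(user) != "active":
                findings.append(("leaver_active_account", app, user))
        for user in meta["oauth_grants"]:
            if hr.get(user) != "active":
                findings.append(("leaver_oauth_grant", app, user))
    return findings

def renewal_allowed(app, apps, findings, today, max_review_age_days=90):
    """Renewal gate: an owner is assigned, the last access review is recent
    (assumed 90-day window), and no findings are open for this app."""
    meta = apps[app]
    review = meta["last_access_review"]
    review_ok = review is not None and (today - review).days <= max_review_age_days
    open_findings = [f for f in findings if f[1] == app]
    return bool(meta["owner"]) and review_ok and not open_findings

if __name__ == "__main__":
    findings = reconcile(HR_ROSTER, SAAS_APPS)
    for finding in findings:
        print(finding)
    for app in SAAS_APPS:
        print(app, "renewal allowed:", renewal_allowed(app, SAAS_APPS, findings, TODAY))
```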
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- How the SaaS Ops model is applied across discovery, procurement, onboarding, and offboarding.
- The DUAAS-based approach the vendor uses to reduce duplicate apps, unused licenses, and auto-renewal waste.
- Operational examples of automating account provisioning and deprovisioning across a SaaS stack.
- The vendor's own framing of cost control, compliance, and lifecycle management across SaaS tools.
👉 Read Zluri's complete guide to SaaS operations and governance →
SaaS sprawl and access drift: what IAM teams are missing
Explore further
SaaS sprawl is really identity sprawl with a procurement wrapper. The article treats application growth as an operations issue, but the governance failure is broader: every unsanctioned app creates another identity boundary, another review surface, and another revocation path. That is why SaaS management belongs in the same conversation as IAM, IGA, and SaaS lifecycle controls. Practitioners should manage SaaS as an identity estate, not as a software catalog.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who should own SaaS governance in an organisation?
A: SaaS governance should be shared across IAM, security, procurement, finance, and application owners, but it needs one accountable operating model. IAM teams should own access control and lifecycle outcomes, procurement should own commercial terms, and security should own risk review. Without explicit ownership, SaaS renewal and access decisions drift apart.
👉 Read our full editorial: SaaS operations expose the identity governance gap in sprawl