SaaS sprawl and access drift: what IAM teams are missing


(@nhi-mgmt-group)

TL;DR: SaaS sprawl, shadow IT, and inefficient joiner-mover-leaver handling make SaaS Operations a governance problem as much as an operational one, according to Zluri. The control gap is that discovery, access review, and offboarding often lag the rate at which applications and accounts are created.

NHIMG editorial — based on content published by Zluri: SaaS Management SaaS Operations (SaaS Ops) - The Complete Guide

Questions worth separating out

Q: How should organisations govern SaaS sprawl without losing visibility into access?

A: Treat SaaS discovery, access review, and offboarding as one control loop.

Q: Why does SaaS shadow IT create identity risk as well as compliance risk?

A: Shadow IT becomes identity risk because users often authenticate directly into unapproved apps, creating accounts, data permissions, and OAuth grants outside normal lifecycle controls.

Q: What breaks when SaaS offboarding is handled manually?

A: Manual offboarding usually leaves some combination of active accounts, lingering OAuth grants, and unused licenses behind.

Practitioner guidance

  • Build a single SaaS inventory with accountable ownership: map every application to a business owner, technical owner, and security owner, then require a reviewable reason for each app's presence in the stack.
  • Automate joiner-mover-leaver events across connected apps: use HR and directory signals to trigger provisioning, entitlement reduction, and revocation in every SaaS system that can hold direct user accounts.
  • Tie renewal approval to access evidence: do not renew subscriptions unless the app still has active business use, approved ownership, and a current access review record.

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

  • How the SaaS Ops model is applied across discovery, procurement, onboarding, and offboarding.
  • The DUAAS-based approach the vendor uses to reduce duplicate apps, unused licenses, and auto-renewal waste.
  • Operational examples of automating account provisioning and deprovisioning across a SaaS stack.
  • The vendor's own framing of cost control, compliance, and lifecycle management across SaaS tools.

👉 Read Zluri's complete guide to SaaS operations and governance →
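The "one control loop" and the three guidance items above can be expressed as a single reconciliation pass: take the HR roster as the source of truth, compare it against what each SaaS app's admin export and the OAuth grant list actually contain, and gate renewal on the result. The script below is an added example written for this post; it is not Zluri's tooling or code from the guide, and it does not talk to any real API. Every input (the HR feed, the app inventory with its owner fields, the per-app account exports, the OAuth grants) is constructed in-line, and the field names (`status`, `end_date`, `last_login`, `licensed`, `business_owner`, `approved`, `scopes`) are assumptions about what an HR feed and a SaaS admin API would return.

```python
"""Reconcile HR/directory state against SaaS accounts and OAuth grants.

Added example for this post, not Zluri's tooling. All inputs below are
constructed; field names are assumptions about typical HR and SaaS exports.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2024, 6, 30)  # fixed "now" so the example is reproducible

# Constructed HR/directory feed: the authoritative people list and status.
HR_ROSTER = {
    "alice@example.com": {"status": "active", "dept": "eng"},
    "bob@example.com": {"status": "terminated", "end_date": "2024-05-31"},
    "carol@example.com": {"status": "active", "dept": "finance"},
}

# Constructed SaaS inventory from discovery, with accountable-owner fields.
APPS = {
    "notion": {"business_owner": "alice@example.com",
               "security_owner": "carol@example.com", "approved": True},
    "trello": {"business_owner": None, "security_owner": None,
               "approved": False},  # shadow IT: found, never approved or owned
}

# Constructed per-app account exports (what an admin "list users" call returns).
ACCOUNTS = {
    "notion": [
        {"email": "alice@example.com", "last_login": "2024-06-20", "licensed": True},
        {"email": "bob@example.com", "last_login": "2024-05-20", "licensed": True},    # leaver
        {"email": "carol@example.com", "last_login": "2024-01-02", "licensed": True},  # stale seat
    ],
    "trello": [
        {"email": "dave@example.com", "last_login": "2024-06-25", "licensed": True},   # not in HR
    ],
}

# Constructed OAuth grants: user-consented delegations that outlive the login.
OAUTH_GRANTS = [
    {"user": "bob@example.com", "client": "trello", "scopes": ["files.read", "user.profile"]},
    {"user": "alice@example.com", "client": "notion", "scopes": ["user.profile"]},
    {"user": "carol@example.com", "client": "trello", "scopes": ["boards.read"]},
]


@dataclass
class Finding:
    kind: str     # e.g. leaver_still_active, lingering_oauth_grant, missing_owner
    app: str
    subject: str  # account or grant holder; "-" for app-level findings
    detail: str


def reconcile(roster, apps, accounts, grants, today, stale_days=90):
    """Return access-drift findings by comparing HR truth to SaaS reality."""
    findings = []
    # 1. Accounts: leavers still active, accounts HR has never heard of, stale seats.
    for app, users in accounts.items():
        for acct in users:
            email = acct["email"]
            person = roster.get(email)
            if person is None:
                findings.append(Finding("account_not_in_hr", app, email,
                                        "no HR record; shadow or contractor account"))
            elif person["status"] == "terminated":
                findings.append(Finding("leaver_still_active", app, email,
                                        f"HR end date {person['end_date']}"))
            if acct["licensed"]:
                last = date.fromisoformat(acct["last_login"])
                if today - last > timedelta(days=stale_days):
                    findings.append(Finding("unused_license", app, email,
                                            f"last login {acct['last_login']}"))
    # 2. OAuth grants: revoked logins do not revoke delegated tokens by themselves.
    for g in grants:
        person = roster.get(g["user"])
        scopes = ",".join(g["scopes"])
        if person is None or person["status"] == "terminated":
            findings.append(Finding("lingering_oauth_grant", g["client"], g["user"], scopes))
        elif not apps.get(g["client"], {}).get("approved", False):
            findings.append(Finding("oauth_grant_to_unapproved_app", g["client"], g["user"], scopes))
    # 3. Inventory: every app needs someone accountable for it.
    for app, meta in apps.items():
        if not meta["business_owner"] or not meta["security_owner"]:
            findings.append(Finding("missing_owner", app, "-", "no accountable owner"))
    return findings


def renewal_allowed(app, apps, findings, last_access_review, today, review_max_age=365):
    """Renewal gate: approved, owned, drift-free, and reviewed within the window."""
    meta = apps.get(app)
    if not meta or not meta["approved"] or not meta["business_owner"] or not meta["security_owner"]:
        return False
    drift = ("leaver_still_active", "lingering_oauth_grant", "account_not_in_hr")
    if any(f.app == app and f.kind in drift for f in findings):
        return False  # clean up access before paying for another term
    return today - last_access_review <= timedelta(days=review_max_age)


def summarize(findings):
    """Count findings per kind, the shape an access-review record would carry."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run_example():
    return reconcile(HR_ROSTER, APPS, ACCOUNTS, OAUTH_GRANTS, TODAY)


if __name__ == "__main__":
    found = run_example()
    for f in found:
        print(f"{f.kind:30} {f.app:8} {f.subject:20} {f.detail}")
    print("notion renewal:", renewal_allowed("notion", APPS, found, date(2024, 3, 1), TODAY))
```

On the constructed data the pass reports six findings: Bob's still-active Notion seat and his Trello OAuth grant (the leaver case), Dave's Trello account with no HR record and Carol's grant to the unapproved app (the shadow-IT case), Carol's Notion seat idle for 180 days (the unused-license case), and Trello with no owner. Notion's renewal is blocked until Bob's account is removed; Trello's is blocked because it was never approved or owned. In practice the roster comes from the HRIS or directory, the account lists from each vendor's admin API or SCIM endpoint, and the grants from the identity provider's consent log; the comparison logic stays the same.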
