TL;DR: ITAM gaps let shadow SaaS, weak access oversight, and poor renewal discipline create security, compliance, and cost risk as organisations scale, according to Zluri. The underlying issue is not tool shortage but governance drift across discovery, access, and lifecycle control.
NHIMG editorial — based on content published by Zluri: IT Teams Top 4 ITAM Challenges And Solutions to Overcome Them
By the numbers:
- The platform integrates with 300+ apps and gives teams an overview of app cost, department usage, and renewal updates.
Questions worth separating out
Q: How should security teams reduce SaaS sprawl without creating more governance overhead?
A: Start with a single authoritative inventory, then attach ownership, access, and renewal data to each application.
Q: Why do unused SaaS apps become a security risk even if nobody is actively using them?
A: Unused apps often still retain valid identities, permissions, and integrations.
Q: How do organisations know whether SaaS usage data is good enough for governance decisions?
A: Usage data is good enough when it can support a specific action, such as renewal, restriction, or retirement, without manual reconciliation.
Practitioner guidance
- Map every SaaS app to an accountable owner: require a named business owner, a technical owner, and a removal path for every application in inventory so no app remains unowned at renewal or offboarding.
- Tie renewal decisions to usage telemetry: use active usage, last-access data, and department demand to decide whether an app should be renewed, restricted, or retired before the contract date arrives.
- Unify app approval and access review: connect procurement, entitlement approval, and access recertification so that apps cannot remain approved without a current access justification.
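The three guidance points above describe one decision procedure: join each inventory record to its owners, usage telemetry, and access-recertification state, then derive a renew/restrict/retire action and a list of control gaps. The following is an added example written for this post; it is not Zluri's code or any tool's API. The record fields, the thresholds (90 idle days, 60-day renewal window, 50% seat utilisation), the action names, and the sample inventory are all constructed assumptions chosen to illustrate the logic, including the case of an idle app that still retains valid identities.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical inventory record: the field names are assumptions for this
# example, not a schema from Zluri or any other product.
@dataclass
class SaasApp:
    name: str
    business_owner: Optional[str]       # accountable for business need
    technical_owner: Optional[str]      # accountable for control execution
    seats: int                          # licensed seats under contract
    active_users_30d: int               # users seen in the last 30 days
    last_access: Optional[date]         # most recent login/API use, if any
    renewal_date: date                  # contract renewal or payment date
    retained_identities: int            # service accounts, OAuth grants, API keys still valid
    access_justification_current: bool  # passed the latest access recertification


def evaluate(app: SaasApp, today: date, idle_days: int = 90,
             renewal_window_days: int = 60, min_utilisation: float = 0.5) -> Dict:
    """Derive one lifecycle action plus the control gaps that block it.

    Actions: 'retire' (no use within idle_days), 'restrict' (seats well above
    demand), or 'renew'. Gaps are the ownership, identity and recertification
    conditions the guidance says must be closed before the action is taken.
    """
    gaps: List[str] = []

    # Guidance 1: no app may remain unowned at renewal or offboarding.
    if not app.business_owner or not app.technical_owner:
        gaps.append("unowned")

    # Guidance 2: usage telemetry drives the renewal decision.
    idle = app.last_access is None or (today - app.last_access).days > idle_days
    utilisation = app.active_users_30d / app.seats if app.seats else 0.0
    if idle:
        action = "retire"
    elif utilisation < min_utilisation:
        action = "restrict"
    else:
        action = "renew"

    # An idle app that still holds valid identities is the risk the Q&A above
    # describes: nobody uses it, but its credentials and integrations still work.
    if idle and app.retained_identities > 0:
        gaps.append("stale_identities")

    # Guidance 3: approval cannot stand without a current access justification.
    if not app.access_justification_current:
        gaps.append("no_access_justification")

    # Flag decisions that must be made before the contract date arrives.
    days_to_renewal = (app.renewal_date - today).days
    if days_to_renewal <= renewal_window_days:
        gaps.append("renewal_imminent")

    return {"name": app.name, "action": action, "gaps": gaps,
            "utilisation": round(utilisation, 2), "days_to_renewal": days_to_renewal}


def governance_report(apps: List[SaasApp], today: date) -> Dict[str, Dict]:
    """Evaluate a whole inventory; keyed by app name for easy lookup."""
    return {app.name: evaluate(app, today) for app in apps}


# Constructed sample inventory (not real data) covering the main cases.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    SaasApp("crm-suite", "sales-vp", "it-apps", 200, 180, date(2024, 5, 31),
            date(2024, 7, 15), 4, True),
    SaasApp("legacy-survey-tool", None, "it-ops", 50, 0, date(2023, 12, 10),
            date(2024, 6, 20), 2, False),
    SaasApp("design-whiteboard", "design-lead", "it-apps", 100, 30, date(2024, 5, 29),
            date(2024, 12, 1), 1, True),
    SaasApp("shadow-notes", None, None, 10, 3, date(2024, 5, 30),
            date(2024, 9, 1), 0, False),
]

if __name__ == "__main__":
    for result in governance_report(SAMPLE_INVENTORY, TODAY).values():
        print(f"{result['name']:<22} {result['action']:<9} "
              f"util={result['utilisation']:<5} renewal_in={result['days_to_renewal']:>4}d "
              f"gaps={','.join(result['gaps']) or '-'}")
```

Run as-is, the report shows the point of the guidance: `legacy-survey-tool` is a retire candidate, but it cannot simply be dropped at the contract date because it has no business owner, still holds two valid identities, and has never passed recertification; each of those gaps is a separate control point with a separate accountable party. `shadow-notes` is actively used yet unowned and unjustified, which is the shadow-SaaS case: usage alone does not make an app governed.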
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- The full breakdown of Zluri's nine discovery methods for SaaS inventory and where each method fits in practice.
- Specific workflow examples for onboarding, offboarding, approvals, and app store-style access control.
- Contract and renewal alert mechanics, including the timing of reminders before renewals and payments.
- Examples of how usage metrics support licence reduction, app retirement, and negotiation planning.
👉 Read Zluri's analysis of the top ITAM challenges affecting SaaS governance →
SaaS sprawl and asset visibility: what IAM teams are missing?
Explore further
ITAM is now identity governance by another name: once SaaS becomes the delivery layer for business access, inventory control and access control stop being separable disciplines. The article shows the same failure pattern that NHI programmes face: assets are purchased locally, used informally, and retired too late. The practical conclusion is that every application inventory is also an entitlement inventory.
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is the same visibility problem this post identifies in SaaS governance.
A question worth separating out:
Q: Who should be accountable for SaaS offboarding and renewal control?
A: Accountability should sit with the business owner for need, the IT or IAM team for control execution, and procurement for contract enforcement. That division matters because ownership, access, and spend are different control points. If any one of them is missing, applications linger past their useful life.
👉 Read our full editorial: IT asset visibility gaps are still driving SaaS risk