
SaaS sprawl and IGA blind spots: what teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: SaaS sprawl creates the same visibility failure for finance and security: the article shows that organisations often discover applications only after adoption, purchase, or SSO integration, leaving access reviews, offboarding, and cost control incomplete. The real problem is late discovery, which makes both SaaS management and identity governance reactive instead of preventive.

NHIMG editorial — based on content published by Zluri (SaaS Management): The Problem of SaaS Sprawl: Where SaaS Management and Identity Governance Meet (And Both Fail)

Questions worth separating out

Q: What breaks when SaaS sprawl is not in your identity catalogue?

A: Access reviews, provisioning, and offboarding all become partial controls.

Q: Why do SaaS sprawl and identity governance fail in the same place?

A: They both depend on discovery happening before control.

Q: How do you know if access reviews are actually covering your SaaS environment?

A: Compare the number of applications in review workflows with the number of applications employees actually use.

Practitioner guidance

  • Expand discovery before formal adoption: Use browser, endpoint, CASB, MDM, and finance-system signals to identify applications while employees are still testing or sharing them.
  • Tie access reviews to real application use: Compare your IGA review list against observed application activity, not just SSO integrations.
  • Route purchase data into governance workflows: Map spend events, reimbursement records, and discretionary card transactions into identity governance queues so new tools are assessed before they become business-critical.

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

  • A stage-by-stage breakdown of SaaS adoption from signup to SSO integration, including the control points that appear too late.
  • Examples of how finance teams miss duplicate spend when tools are adopted through free tiers, personal cards, or misclassified expenses.
  • Operational guidance on earlier discovery methods such as browser extensions, endpoint signals, CASB, and finance system integration.
  • A practical view of how IT, finance, and security can share one application inventory without waiting for full SSO integration.

👉 Read Zluri's analysis of SaaS sprawl and identity governance failure →
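The coverage check described above (review list versus observed use, with purchase signals routed into the governance queue) as an added example; this is not Zluri's or NHIMG's code, and the review scope, signal records, and user names are constructed sample data standing in for IGA, SSO, browser/CASB, and expense-system exports.

```python
"""Compare an IGA access-review scope against observed SaaS use.

Added example, not from the original post. Inputs below are constructed
sample records; in practice they would be pulled from the IGA platform,
the IdP/SSO logs, browser or endpoint telemetry, CASB, and the expense system.
"""
from collections import defaultdict

# Constructed: applications the IGA platform actually includes in review campaigns.
IGA_REVIEW_SCOPE = {"Salesforce", "Okta", "GitHub"}

# Constructed: observed use signals as (source, application, user). Sources mirror
# the discovery channels the post lists: SSO, browser/endpoint, CASB, finance.
OBSERVED_SIGNALS = [
    ("sso", "Salesforce", "alice"),
    ("sso", "GitHub", "bob"),
    ("browser", "Notion", "alice"),
    ("browser", "notion", "carol"),   # same app, different casing in telemetry
    ("casb", "Figma", "dave"),
    ("expense", "Figma", "dave"),     # reimbursed; adopted on a personal card
    ("expense", "Miro", "erin"),
    ("sso", "GitHub", "alice"),
]


def normalize(app: str) -> str:
    """Collapse casing/whitespace so the same app from two feeds matches."""
    return app.strip().lower()


def coverage_report(review_scope, signals):
    """Return which in-use apps fall outside review scope, with evidence per app."""
    scope = {normalize(a) for a in review_scope}
    evidence = defaultdict(lambda: {"users": set(), "sources": set()})
    for source, app, user in signals:
        evidence[normalize(app)]["users"].add(user)
        evidence[normalize(app)]["sources"].add(source)
    in_use = set(evidence)
    # Each uncovered app becomes a governance-queue item: who uses it, how it was
    # seen, and whether spend data shows it was already purchased.
    uncovered = {
        app: {"user_count": len(ev["users"]), "sources": sorted(ev["sources"]),
              "purchased": "expense" in ev["sources"]}
        for app, ev in evidence.items() if app not in scope
    }
    return {
        "in_scope_in_use": sorted(scope & in_use),
        "in_scope_no_activity": sorted(scope - in_use),   # reviewed but nobody uses it
        "uncovered": uncovered,
        "coverage_ratio": len(scope & in_use) / len(in_use) if in_use else 1.0,
    }
```

Running `coverage_report(IGA_REVIEW_SCOPE, OBSERVED_SIGNALS)` on the sample data flags Notion, Figma and Miro as in use but outside review, two of them already paid for, and a coverage ratio of 0.4.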

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 2799
 

Late discovery is the shared failure mode behind SaaS sprawl. The article shows that finance and security are not facing separate problems but one visibility failure expressed in two different control domains. Application discovery at Stage 3 or Stage 5 is already too late for cost containment and governance completeness. Practitioners should treat early discovery as a prerequisite control, not an operational convenience.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.

A question worth separating out:

Q: What should teams do when they discover an application after employees are already using it?

A: Treat the discovery as a governance event, not just an inventory update. Confirm owners, verify whether accounts were created outside approved workflows, check for duplicate spend, and include the application in offboarding and recertification before the next access cycle closes.

👉 Read our full editorial: SaaS sprawl is breaking both identity governance and cost control
