SaaS sprawl and Shadow IT: what IAM teams need to control


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: SaaS sprawl creates security, compliance, and cost risk when employees adopt apps outside IT visibility, according to Zluri. Automation helps discovery and inventory management, but it also exposes the deeper identity governance problem: access, lifecycle, and renewal control still fail when app usage is fragmented.

NHIMG editorial — based on content published by Zluri: Automation Manage SaaS Sprawl With The Power Of Automation

By the numbers:

  • Zluri says its discovery approach can identify 100% of SaaS apps used within an organization through its library of 225,000+ apps.
  • Zluri directly integrates with around 300 SaaS applications, giving it visibility into access levels, permissions, and license details.

Questions worth separating out

Q: How should security teams reduce SaaS sprawl without losing control of access?

A: Start by building a single inventory that merges discovery, procurement, and identity data.

Q: Why does SaaS sprawl create identity governance risk?

A: Because every unsanctioned app adds another access path, another data store, and often another set of tokens or integrations.

Q: What do organisations get wrong about Shadow IT in SaaS environments?

A: They treat it as a procurement problem when it is also an access and lifecycle problem.

Practitioner guidance

  • Reconcile SaaS discovery across every source of truth. Combine SSO logs, finance records, browser telemetry, and admin exports into one inventory so hidden apps do not survive because they were seen in only one system.
  • Assign lifecycle ownership to every SaaS application. Require a named owner for each app, integration, and renewal decision so de-provisioning and offboarding are not left to the last team that notices the app.
  • Review duplicate and abandoned licenses as access risks. Flag apps with overlapping functionality, dormant usage, or auto-renewal drift and treat them as entitlement exposure before renewal decisions lock them in.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • A closer look at how its automation model discovers SaaS apps across SSO, finance, API, browser, and desktop signals.
  • Details on the DUAAS framework and how it is used to identify duplicate, unused, abandoned, auto-renewed, and poorly matched licenses.
  • Examples of how the platform surfaces app usage, license details, and access logs for operational review.
  • A fuller walkthrough of how the vendor positions automation for onboarding, de-provisioning, and SaaS spending control.

👉 Read Zluri's article on managing SaaS sprawl with automation →


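The reconciliation the post's practitioner guidance describes, as an added example that is not part of the post and is not Zluri's code: the script below merges constructed SSO sign-in events, finance records, browser telemetry and an admin-console owner export into one inventory, then flags the governance gaps the guidance names (no IdP-governed access path, app seen in only one source, no named owner, paid but dormant, and auto-renewal approaching while dormant). Every record, field name and threshold (90 days for dormancy and for the renewal window) is an assumption chosen for the example.

```python
"""Reconcile SaaS discovery signals into one inventory and flag governance gaps.

Added example for this thread; the sources, field layouts and thresholds are
assumptions, and every record below is constructed rather than captured.
"""
from collections import defaultdict
from datetime import date, timedelta

TODAY = date(2024, 6, 1)                 # fixed "now" so results are deterministic
DORMANT_AFTER = timedelta(days=90)       # no sign-in/usage for this long => dormant
RENEWAL_WINDOW = timedelta(days=90)      # auto-renewal inside this window => act now

# Constructed samples, one list per discovery source.
SSO_LOGS = [  # identity-provider sign-ins: (app, user, date)
    ("Slack", "alice", date(2024, 5, 30)),
    ("Salesforce", "bob", date(2024, 5, 28)),
    ("Jira", "carol", date(2024, 2, 1)),
]
FINANCE = [  # expense / accounts-payable rows: (app, spend, auto_renew, renewal_date)
    ("Slack", 1200.0, True, date(2024, 9, 1)),
    ("Salesforce", 9000.0, True, date(2024, 7, 15)),
    ("Trello", 500.0, True, date(2024, 6, 20)),   # paid, but never seen in SSO
    ("Jira", 2000.0, True, date(2024, 8, 1)),
]
BROWSER = [  # browser telemetry: (app, user, date)
    ("Slack", "alice", date(2024, 5, 31)),
    ("Notion", "dave", date(2024, 5, 29)),        # used, but no SSO and no invoice
    ("Trello", "erin", date(2024, 1, 10)),
]
ADMIN_EXPORT = {  # app -> named owner from each app's own admin console
    "Slack": "it-collab",
    "Salesforce": "sales-ops",
    "Jira": "eng-tools",
}


def _new_record():
    return {"sources": set(), "users": set(), "last_seen": None, "owner": None,
            "auto_renew": False, "renewal_date": None, "spend": 0.0}


def _touch(rec, source, user=None, seen=None):
    """Record that `source` saw the app, and advance last_seen if newer."""
    rec["sources"].add(source)
    if user:
        rec["users"].add(user)
    if seen and (rec["last_seen"] is None or seen > rec["last_seen"]):
        rec["last_seen"] = seen


def build_inventory(sso=SSO_LOGS, finance=FINANCE, browser=BROWSER, admin=ADMIN_EXPORT):
    """Merge every source into one app -> record map keyed by app name."""
    inv = defaultdict(_new_record)
    for app, user, seen in sso:
        _touch(inv[app], "sso", user, seen)
    for app, user, seen in browser:
        _touch(inv[app], "browser", user, seen)
    for app, spend, auto_renew, renewal in finance:
        rec = inv[app]
        _touch(rec, "finance")
        rec["spend"] += spend
        rec["auto_renew"] = auto_renew
        rec["renewal_date"] = renewal
    for app, owner in admin.items():
        _touch(inv[app], "admin")
        inv[app]["owner"] = owner
    return dict(inv)


def flag_risks(inventory, today=TODAY):
    """Return app -> list of governance flags, in a fixed order."""
    flags = {}
    for app, rec in inventory.items():
        found = []
        if "sso" not in rec["sources"]:
            found.append("no_sso")            # access path the IdP cannot revoke
        if len(rec["sources"]) == 1:
            found.append("single_source")     # would vanish if that one feed is lost
        if rec["owner"] is None:
            found.append("no_owner")          # nobody accountable for offboarding/renewal
        dormant = rec["last_seen"] is None or today - rec["last_seen"] > DORMANT_AFTER
        if dormant and "finance" in rec["sources"]:
            found.append("dormant_paid")      # entitlement still paid for, nobody using it
        if (dormant and rec["auto_renew"] and rec["renewal_date"] is not None
                and rec["renewal_date"] - today <= RENEWAL_WINDOW):
            found.append("auto_renew_drift")  # renewal will lock the dormant app in
        flags[app] = found
    return flags


if __name__ == "__main__":
    inventory = build_inventory()
    for app, found in flag_risks(inventory).items():
        rec = inventory[app]
        print(f"{app:<11} sources={sorted(rec['sources'])} owner={rec['owner']} "
              f"flags={found or 'none'}")
```

Running it shows why a single feed is not enough: Trello only looks dormant and unowned once finance and browser data are joined, and Notion only exists at all because browser telemetry was included. The flag lists are the review queue an IAM team would hand to the named owner before the renewal dates pass.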



(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

SaaS sprawl is an identity governance failure before it is a software problem. The article treats automation as the answer, but the deeper issue is that organisations are allowing application ownership, access, and renewal decisions to fragment across business users and tool stacks. That breaks the control plane that IAM and IGA depend on. The implication is that SaaS inventory must be governed as an identity estate, not managed as a loose collection of subscriptions.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Another finding from the same guide shows that only 20% of organisations have formal processes for offboarding and revoking API keys.

A question worth separating out:

Q: Who should own SaaS offboarding and renewal decisions?

A: Ownership should sit with the business and identity teams together, not with users who selected the app informally. The right model assigns one accountable owner, one review cadence, and one revocation path for every app and integration, including APIs and service accounts tied to the SaaS stack.

👉 Read our full editorial: SaaS sprawl automation exposes the identity gap in app governance


