SaaS sprawl and shadow IT: what identity teams need to govern


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: SaaS management centralises discovery, cost control, renewals, compliance, and security across expanding app portfolios, with Zluri arguing that unmanaged SaaS creates visibility gaps, shadow IT, sensitive-data exposure, and regulatory risk. The real governance issue is not app count alone, but ownership, lifecycle, and access sprawl across identities.

NHIMG editorial — based on content published by Zluri: SaaS Management What Is SaaS Management: A Comprehensive Guide 2026

By the numbers:

Questions worth separating out

Q: How should security teams govern shadow SaaS apps that bypass IT approval?

A: Security teams should treat shadow SaaS as an identity and access exception, not just an inventory problem.

Q: Why do unmanaged SaaS apps create IAM and compliance risk?

A: Unmanaged SaaS apps create risk because they sit outside the normal lifecycle controls that govern access, offboarding, and review.

Q: What breaks when SaaS ownership is unclear?

A: When ownership is unclear, nobody can reliably answer who can approve access changes, who can retire the app, or who is responsible for its data.

Practitioner guidance

  • Create a single SaaS ownership registry: Map each application to a business owner, technical owner, data owner, and renewal approver so no app exists without an accountable lifecycle path.
  • Tie SaaS reviews to access and renewal cycles: Use recurring reviews to validate active users, dormant licenses, and auto-renewing contracts at the same time, so access and spend drift are remediated together.
  • Classify shadow SaaS as an access exception: When an app appears outside the approved stack, route it into identity and security review before it is allowed to connect to data, integrations, or SSO.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step SaaS stack diagnosis methods for teams that need a practical assessment workflow.
  • Detailed explanations of discovery channels such as ERP, HR, finance, and direct SaaS integrations.
  • Business impact analysis guidance for weighing downtime, spend, and security exposure across the stack.
  • Platform selection criteria for organisations evaluating SaaS management tooling at implementation stage.

👉 Read Zluri's guide to SaaS management, sprawl, and security risk →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

SaaS management is identity governance by another name. The article describes discovery, ownership, renewals, and compliance, but those are the same governance primitives identity teams already manage for accounts and entitlements. The difference is that SaaS multiplies the number of systems and the number of decision points, which makes fragmented ownership the real failure mode. Practitioners should treat SaaS management as part of the identity programme, not as an adjacent procurement exercise.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: How do organisations reduce SaaS sprawl without slowing the business?

A: Organisations reduce SaaS sprawl by combining discovery, ownership assignment, and review cadence instead of using one-time clean-up projects. The goal is to make every app visible, every owner accountable, and every renewal decision evidence-based. That preserves agility while preventing hidden access paths from accumulating over time.

👉 Read our full editorial: SaaS management exposes the identity governance gap in cloud sprawl


