
SaaS sprawl and shadow IT: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Unsanctioned SaaS adoption expands shadow IT, data leakage, and compliance exposure because employees can connect tools outside IT visibility, according to Zluri. The core issue is identity surface sprawl: access, sharing, and lifecycle controls break down when app usage is undiscovered and unmanaged.

NHIMG editorial — based on content published by Zluri (Security & Compliance): "Uncovering the Hidden Risks of SaaS in Your Organization"

By the numbers:

Questions worth separating out

Q: How should security teams govern unsanctioned SaaS apps in the enterprise?

A: Security teams should govern unsanctioned SaaS by discovering every app in use, assigning an owner, and mapping its data access before allowing it to remain connected.

Q: Why do shadow IT apps create more risk than simple software sprawl?

A: Shadow IT apps create more risk because they introduce hidden access paths to data, identity providers, and downstream services.

Q: What do security teams get wrong about SaaS visibility?

A: Teams often assume visibility means control, but discovery alone does not reduce risk.

Practitioner guidance

  • Build a complete SaaS discovery inventory: use SSO logs, finance systems, direct integrations, and browser or endpoint telemetry to identify every SaaS app that has touched corporate accounts or data.
  • Classify every connected app by trust and data access: assign risk levels based on what each app can read, modify, or sync, then review the permissions behind those integrations as privileged access paths.
  • Tie SaaS offboarding to access revocation: when an app is no longer approved or no longer needed, remove its integrations, tokens, and user grants, then verify that data sharing and synchronization have stopped.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • The nine discovery methods used to identify SaaS apps across SSO, finance, APIs, desktop agents, and browser telemetry
  • The app-level risk scoring model that separates managed, unmanaged, restricted, and needs-review applications
  • The compliance enforcement workflow used to align SaaS usage with ISO 27001, SOC 2, GDPR, and similar obligations
  • The practical visibility outputs that show who is using each app and how frequently they use it

👉 Read Zluri's analysis of the hidden security risks in SaaS app sprawl →




   
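The three practitioner steps above (discover, classify, tie offboarding to revocation) as an added worked example; this is not code from the NHIMG post or from Zluri. It merges constructed SSO sign-in events, OAuth consent records and finance vendor records into a single app inventory, assigns a risk tier from the granted scopes, flags apps with no owner, and produces a revocation plan together with a post-revocation activity check. Every app name, user, scope string, token id and the scope-risk markers are assumptions made for the example.

```python
"""Reconcile SaaS usage signals into an identity-centric inventory.

Added example, not from the Zluri article or the NHIMG post. All data
below is constructed: app names, users, scopes and token ids are hypothetical.
"""
from collections import defaultdict
from datetime import datetime

# Constructed SSO sign-in events: which user authenticated to which app.
SSO_EVENTS = [
    {"user": "alice@example.test", "app": "notion", "ts": "2024-05-01T09:00:00Z"},
    {"user": "bob@example.test", "app": "notion", "ts": "2024-05-02T10:30:00Z"},
    {"user": "carol@example.test", "app": "figma", "ts": "2024-05-03T11:00:00Z"},
]

# Constructed OAuth consent/grant records as exported from an identity provider.
OAUTH_GRANTS = [
    {"app": "notion", "token_id": "tok-001",
     "scopes": ["files.read", "user.read"], "owner": "alice@example.test"},
    {"app": "calendly-sync", "token_id": "tok-002",
     "scopes": ["calendar.readwrite", "mail.read"], "owner": None},
    {"app": "figma", "token_id": "tok-003",
     "scopes": ["user.read"], "owner": "carol@example.test"},
]

# Constructed finance/expense records: vendors paid for on corporate cards.
EXPENSE_VENDORS = ["notion", "figma", "grammarly"]

# Hypothetical scope conventions: substrings that imply write/admin reach,
# and prefixes that imply read access to sensitive data.
HIGH_RISK_MARKERS = ("readwrite", "write", "admin", "directory")
SENSITIVE_READ = ("mail.", "files.", "directory.")


def build_inventory(sso_events, oauth_grants, expense_vendors):
    """Union every signal into one record per app, keyed by app name."""
    def empty():
        return {"sources": set(), "users": set(), "scopes": set(),
                "tokens": set(), "owner": None}
    inv = defaultdict(empty)
    for e in sso_events:
        inv[e["app"]]["sources"].add("sso")
        inv[e["app"]]["users"].add(e["user"])
    for g in oauth_grants:
        rec = inv[g["app"]]
        rec["sources"].add("oauth")
        rec["scopes"].update(g["scopes"])
        rec["tokens"].add(g["token_id"])
        rec["owner"] = rec["owner"] or g["owner"]
    for v in expense_vendors:
        inv[v]["sources"].add("finance")  # paid for, even if never seen via SSO
    return dict(inv)


def classify(record):
    """Derive a risk tier from granted scopes; suffix apps that lack an owner."""
    scopes = record["scopes"]
    if any(m in s for s in scopes for m in HIGH_RISK_MARKERS):
        tier = "high"
    elif any(s.startswith(p) for s in scopes for p in SENSITIVE_READ):
        tier = "medium"
    elif scopes:
        tier = "low"
    else:
        tier = "unknown"  # seen only in SSO or finance, no consent record to assess
    if record["owner"] is None:
        tier += "/needs-owner"
    return tier


def offboarding_plan(inventory, app):
    """List the tokens and user grants that must go so the app loses every access path."""
    rec = inventory[app]
    return {"revoke_tokens": sorted(rec["tokens"]),
            "revoke_user_grants": sorted(rec["users"]),
            "sources": sorted(rec["sources"])}


def verify_revocation(app, revoked_at, activity_log):
    """True only if the app shows no sync/API activity after the revocation time."""
    cutoff = datetime.fromisoformat(revoked_at.replace("Z", "+00:00"))
    later = [a for a in activity_log if a["app"] == app
             and datetime.fromisoformat(a["ts"].replace("Z", "+00:00")) > cutoff]
    return not later


if __name__ == "__main__":
    inventory = build_inventory(SSO_EVENTS, OAUTH_GRANTS, EXPENSE_VENDORS)
    for name, rec in sorted(inventory.items()):
        print(f"{name:14} sources={sorted(rec['sources'])} tier={classify(rec)}")
    print(offboarding_plan(inventory, "calendly-sync"))
```

The point the merge makes visible is the mismatch between sources: an app that appears only in finance has no consent record to assess, and an app that appears only as an OAuth grant with no owner is exactly the ungoverned identity boundary the post describes. The revocation check compares activity timestamps against the revocation time, which is the evidence an auditor would ask for rather than the revocation action itself.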
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Identity surface sprawl is the real hidden risk in SaaS adoption. The article describes app shadowing, third-party integrations, and unmanaged usage, but the deeper issue is that every unsanctioned app creates a new identity boundary without a corresponding governance owner. That expands the organisation's attack surface beyond what CMDB-style software inventory can show. Practitioners should treat SaaS discovery as identity discovery, not just asset discovery.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

A question worth separating out:

Q: Who should be accountable for risky SaaS integrations and app offboarding?

A: Accountability should sit with the business owner of the app, supported by IAM, security, and compliance teams. Risky integrations need an explicit owner because the authority to connect data sources is also the responsibility to remove access, prove compliance, and confirm that delegated permissions have been revoked.

👉 Read our full editorial: Hidden SaaS app risk exposes the identity surface in modern enterprises



   