TL;DR: SaaS sprawl starts with fast self-service adoption and ends with hidden access, unused licenses, and audit gaps, according to 1Password. The governance problem is not discovery alone, but the lack of repeatable lifecycle controls for onboarding, offboarding, access reviews, and renewals across unmanaged apps.
NHIMG editorial — based on content published by 1Password: a guide to SaaS management tips and advice
By the numbers:
- 52% of employees use apps not approved by IT.
- 38% of employees retain access to data after leaving a company.
- 70% of professionals agree SSO isn't a complete solution for securing identity.
Questions worth separating out
Q: How should security teams govern SaaS sprawl across the full identity lifecycle?
A: Security teams should treat SaaS sprawl as a lifecycle governance issue, not just a discovery problem.
Q: Why does SSO not solve SaaS access governance on its own?
A: SSO centralises authentication, but it does not eliminate app-local licenses, OAuth tokens, file ownership, or external sharing links.
Q: What breaks when SaaS access reviews rely on spreadsheets?
A: Spreadsheets freeze access data in time, so reviewers work from stale exports while roles, teams, and app usage keep changing.
Practitioner guidance
- Implement continuous SaaS discovery workflows: move discovery out of spreadsheet mode and into a workflow that captures new apps, assigns ownership, records business purpose, and routes each app into review before it becomes normalised.
- Treat offboarding as end-to-end deprovisioning: remove SSO access, revoke app-local tokens, reclaim licenses, and transfer ownership of shared files and calendars so the leaver motion closes every downstream access path.
- Automate access reviews with usage context: combine role, department, risk, and actual login or activity data so reviewers can revoke or adjust access directly instead of working from static exports.
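The three bullets above, and the earlier point that SSO leaves app-local logins, OAuth tokens and file ownership untouched, amount to one reconciliation: join the HR roster, the IdP's assignment export and each app's own account export, then flag what a reviewer can act on. The following is an added example written for this editorial, not code from 1Password or NHIMG. The roster, SSO and per-app dictionaries are constructed sample inputs and their field names (`auth`, `license`, `owned_files`, and so on) are assumptions, not any vendor's export format.

```python
"""Access-review reconciliation across HR, IdP (SSO) and per-app exports.

Hypothetical data model: the dict shapes below are assumptions for this
example, not a real vendor's API. Everything is constructed sample data."""
from datetime import date, timedelta

# --- Constructed sample inputs (not from the page) -------------------------
HR_ROSTER = {  # user -> HR record; "left" means offboarded in HR
    "alice": {"dept": "eng", "status": "active", "manager": "carol"},
    "bob": {"dept": "sales", "status": "left", "left_on": date(2024, 3, 1), "manager": "dave"},
    "carol": {"dept": "eng", "status": "active", "manager": "erin"},
}
SSO_ASSIGNMENTS = {  # user -> apps assigned through the IdP
    "alice": {"crm", "docs"},
    "carol": {"docs"},
}
APP_ACCOUNTS = {  # app -> accounts found in that app's own admin export
    "crm": [
        {"user": "alice", "auth": "sso", "last_login": date(2024, 5, 20), "license": True},
        {"user": "bob", "auth": "local", "last_login": date(2024, 2, 10), "license": True},
        {"user": "carol", "auth": "local", "last_login": date(2024, 5, 30), "license": True},
    ],
    "docs": [
        {"user": "alice", "auth": "sso", "last_login": date(2024, 5, 28), "license": True, "owned_files": 12},
        {"user": "bob", "auth": "oauth_token", "last_login": date(2024, 1, 15), "license": False, "owned_files": 40},
        {"user": "carol", "auth": "sso", "last_login": date(2024, 1, 1), "license": True, "owned_files": 3},
        {"user": "ext-vendor", "auth": "local", "last_login": date(2024, 5, 1), "license": True, "owned_files": 0},
    ],
}
REVIEW_DATE = date(2024, 6, 1)  # the "as of" date for this review run


def review_access(roster, sso, apps, today, dormant_days=90):
    """Return a list of (app, user, finding, detail) tuples.

    Each finding is an action a reviewer can take directly rather than
    re-derive from a stale spreadsheet export."""
    findings = []
    for app, accounts in apps.items():
        for acct in accounts:
            user = acct["user"]
            person = roster.get(user)
            if person is None:
                # In the app but not in HR: shadow, external or orphaned account.
                # Route to discovery/ownership, not silent deletion.
                findings.append((app, user, "unknown_identity", "no HR record"))
                continue
            if person["status"] == "left":
                # SSO may already be off; the app-local identity is still live.
                findings.append((app, user, "leaver_residual_access",
                                 f"{acct['auth']} login still enabled after {person['left_on']}"))
                if acct["license"]:
                    findings.append((app, user, "reclaim_license", "leaver still holds a seat"))
                if acct.get("owned_files"):
                    findings.append((app, user, "transfer_ownership",
                                     f"{acct['owned_files']} files -> manager {person['manager']}"))
                continue
            if acct["auth"] != "sso" and app not in sso.get(user, set()):
                # Active employee, but this access path bypasses the IdP entirely.
                findings.append((app, user, "outside_sso", f"auth={acct['auth']}"))
            if today - acct["last_login"] > timedelta(days=dormant_days):
                idle = (today - acct["last_login"]).days
                findings.append((app, user, "dormant", f"no login for {idle} days"))
    return findings


def summarize(findings):
    """Count findings per type so the review queue can be prioritised."""
    counts = {}
    for _, _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    rows = review_access(HR_ROSTER, SSO_ASSIGNMENTS, APP_ACCOUNTS, REVIEW_DATE)
    for row in rows:
        print(*row, sep=" | ")
    print(summarize(rows))
```

On the sample data the run flags bob twice as a leaver with residual access (a local CRM login and a docs OAuth token), a CRM seat to reclaim, 40 docs files to move to his manager, carol's CRM account as a non-SSO path the IdP does not know about, carol's dormant docs login, and an `ext-vendor` account with no HR record. The point of the `continue` after the leaver branch is that a leaver's account is deprovisioned regardless of how recently it was used; dormancy thresholds only apply to current staff.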
What's in the full article
1Password's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step workflow patterns for automating SaaS discovery and routing new apps into review.
- Detailed offboarding motion for reclaiming licenses, transferring ownership, and notifying managers.
- Operational examples for replacing spreadsheets with repeatable access review workflows.
- Renewal workflow detail for aligning IT, procurement, and finance on the same SaaS data set.
👉 Read 1Password's guide to SaaS discovery, offboarding, and access reviews →
Explore further
SaaS sprawl and shadow IT: where identity governance breaks down
SaaS sprawl is an identity governance failure before it is a cost problem. The article shows how easy sign-up paths and weak follow-through create unmanaged access, not just unused licenses. When tools sit outside the review and offboarding motion, the enterprise loses both control evidence and lifecycle visibility. Practitioners should treat SaaS portfolios as governed identity surfaces, not just software spend.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- That visibility gap matters because 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: Who should own SaaS renewal decisions when security, IT, and finance all see different data?
A: Renewal decisions should be made from a shared source of truth that combines contract terms, license usage, renewal dates, and tool overlap. When each team sees different numbers, auto-renewals and true-ups become the default. Shared visibility lets the business challenge waste before it compounds.
👉 Read our full editorial: SaaS sprawl is really an identity governance problem