
SaaS sprawl: what IAM teams need to fix beyond cost control


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: SaaS sprawl grows when teams adopt project tools outside procurement, then leave unused accounts, duplicate subscriptions, and unclear deprovisioning paths behind, according to 1Password. The security issue is not the bill alone, but the identity lifecycle gap that appears when access removal, data reassignment, and ownership are handled inconsistently.

NHIMG editorial — based on content published by 1Password: SaaS optimization in project management tools

By the numbers:

Questions worth separating out

Q: How should teams handle unused SaaS accounts without disrupting business work?

A: Treat unused SaaS accounts as lifecycle cases, not simple deletions.

Q: Why does SaaS sprawl create identity governance risk as well as cost waste?

A: Because redundant apps create hidden access paths that IAM teams do not fully inventory.

Q: What do teams get wrong about SaaS deprovisioning?

A: They often confuse disabling a login with retiring access.

Practitioner guidance

  • Map every SaaS app to an accountable owner: create a register that ties each collaborative application to a business owner, technical owner, and offboarding approver.
  • Test deprovisioning before you automate it: validate what happens when an account is deactivated in each application.
  • Use last-login and survey data to identify true redundancy: compare user survey responses with login telemetry and social sign-in data to find applications that are genuinely unused.

What's in the full article

1Password's full blog post covers the operational detail this post intentionally leaves for the source:

  • Manual deprovisioning workflows for specific SaaS tools, including how inactive accounts are identified and reviewed.
  • Application-specific handling of data, tasks, and reassignment when a user is removed from a platform.
  • Practical steps for combining user communication, Slack or email notification, and follow-up before offboarding.
  • Migration pacing guidance for moving from one project-management platform to another without a hard stop.

👉 Read 1Password's guidance on SaaS optimisation and deprovisioning →

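As an added example (not code from the original post or from 1Password's article), the three guidance points above folded into one check: a hypothetical app register keyed to owners, and a per-account classifier that separates "login disabled" from "access retired" and combines last-login telemetry with survey answers. App names, owner roles and accounts are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class SaasAccount:
    app: str
    user: str
    last_login: date | None      # None = never logged in
    login_disabled: bool
    active_tokens: int           # API keys / personal access tokens still valid
    owned_items: int             # boards, tasks, docs still owned by this user
    survey_needed: bool          # user said in the survey the tool is still needed

# Hypothetical register: app -> (business owner, technical owner, offboarding approver)
APP_REGISTER = {
    "tasktool": ("ops-lead", "it-admin", "hr-offboarding"),
    "kanban-b": ("eng-lead", "it-admin", "hr-offboarding"),
}

def classify(acct: SaasAccount, as_of: date, stale_days: int = 90) -> list[str]:
    """Lifecycle findings for one account; an empty list means nothing to do."""
    findings = []
    if acct.app not in APP_REGISTER:
        findings.append("unowned_app")            # nobody can approve offboarding
    stale = acct.last_login is None or (as_of - acct.last_login) > timedelta(days=stale_days)
    if acct.login_disabled:
        # A disabled login is not retired access: tokens and owned data persist
        if acct.active_tokens > 0:
            findings.append("tokens_outlive_login")
        if acct.owned_items > 0:
            findings.append("data_not_reassigned")
    elif stale and not acct.survey_needed:
        findings.append("redundant_candidate")    # telemetry and survey agree
    elif stale and acct.survey_needed:
        findings.append("review_with_user")       # conflicting evidence: do not just delete
    return findings

def lifecycle_report(accounts, as_of: date, stale_days: int = 90) -> dict[str, list[str]]:
    report: dict[str, list[str]] = {}
    for a in accounts:
        for f in classify(a, as_of, stale_days):
            report.setdefault(f, []).append(f"{a.app}:{a.user}")
    return report

SAMPLE = [  # constructed sample accounts
    SaasAccount("tasktool", "alice", date(2024, 1, 2), True, 2, 0, False),
    SaasAccount("tasktool", "bob", date(2024, 5, 30), False, 0, 4, True),
    SaasAccount("kanban-b", "carol", None, False, 0, 0, False),
    SaasAccount("wiki-x", "dave", date(2024, 6, 1), False, 1, 3, True),
    SaasAccount("kanban-b", "erin", date(2024, 2, 1), False, 0, 5, True),
]

def sample_report() -> dict[str, list[str]]:
    return lifecycle_report(SAMPLE, as_of=date(2024, 6, 15))
```

Running `sample_report()` flags alice's still-valid tokens behind a disabled login, carol as a consolidation candidate, dave's app as unregistered, and erin for a conversation rather than removal.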
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4563
 

Identity lifecycle is the real control plane behind SaaS optimisation. The article treats SaaS optimisation as a procurement and cost exercise, but the deeper issue is lifecycle governance. If users can create accounts outside central oversight, then joiner, mover, and leaver processes no longer describe the full state of access. Practitioners should treat every unsanctioned SaaS subscription as an unmanaged identity until it is discovered, assigned, and offboarded.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: How can IAM teams support SaaS consolidation without causing user resistance?

A: Use usage evidence, user surveys, and login data to show why consolidation is happening and which tools remain necessary for specialised teams. Then phase the move so new work shifts to the approved platform while older work closes out naturally. Clear communication and staged migration reduce pushback and offboarding errors.

👉 Read our full editorial: SaaS sprawl and deprovisioning expose the real identity gap



   
ReplyQuote
Share: