TL;DR: Enterprises still rely on spreadsheets for SaaS management: only 20% use SaaS management platforms, and manual tracking leaves access, usage, and compliance decisions inconsistent, according to Zluri. The deeper issue is that SaaS sprawl turns identity governance into a visibility problem, not just a tooling problem.
NHIMG editorial — based on content published by Zluri: SaaS management in the enterprise
By the numbers:
- Overall, only 20% use SaaS management platforms.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should organisations govern SaaS sprawl across identity and access teams?
A: Organisations should govern SaaS sprawl as an identity lifecycle issue, not as a simple procurement list.
Q: Why do spreadsheets fail as a control model for enterprise SaaS management?
A: Spreadsheets fail because they are manual, static, and dependent on people remembering to update them.
Q: How can security teams tell whether a SaaS application is still worth keeping?
A: Security teams should look at actual usage, owner accountability, and integration depth rather than license count alone.
Practitioner guidance
- Replace manual SaaS inventories with an authoritative system of record. Use a managed platform or equivalent control process to track application ownership, usage, and access changes automatically.
- Tie SaaS offboarding to identity lifecycle events. Make application removal, role removal, and access revocation part of the same offboarding workflow so dormant SaaS accounts do not survive employee or team changes.
- Review overlapping SaaS functionality before renewals. Map duplicate features across applications before contracts renew so procurement decisions reflect real usage rather than historical purchases.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- How Zluri structures SaaS management around dashboards, usage data, and spend tracking for enterprise teams
- How its platform connects to SSO and directory systems such as Okta or Active Directory in practice
- How feature-level usage intelligence can reveal overlapping functionality across applications
- How the article positions automation and AI inside future SaaS management architectures
SaaS sprawl: what it means for IAM, access, and governance?
Explore further
SaaS sprawl is an identity governance problem before it is a cost problem. The article frames SaaS management as a budgeting and tooling issue, but the deeper failure is lifecycle visibility. When applications are added faster than ownership, offboarding, and access review can be enforced, identities accumulate across too many systems for governance to remain reliable. Practitioners should read SaaS sprawl as control erosion, not just software growth.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Overall, only 20% use SaaS management platforms, which shows how much enterprise governance still depends on manual tracking and incomplete visibility.
A question worth separating out:
Q: Who should be accountable for SaaS governance when business teams buy applications directly?
A: Accountability should sit with both the business owner and the identity or IT governance function. Business teams can justify need, but identity teams must ensure access is visible, reviewed, and removed when the need ends. Shared accountability prevents shadow SaaS from becoming permanent.