SaaS sprawl: what it means for IAM, access, and governance

TL;DR: Enterprises still rely on spreadsheets for SaaS management, even though only 20% use SaaS management platforms and manual tracking leaves access, usage, and compliance decisions inconsistent, according to Zluri. The deeper issue is that SaaS sprawl turns identity governance into a visibility problem, not just a tooling problem.

NHIMG editorial — based on content published by Zluri: SaaS management in the enterprise

By the numbers:

• Only 20% on the whole use SaaS management platforms.
• Only 5.7% of organisations have full visibility into their service accounts.
• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.

Questions worth separating out

Q: How should organisations govern SaaS sprawl across identity and access teams?

A: Organisations should govern SaaS sprawl as an identity lifecycle issue, not as a simple procurement list.

Q: Why do spreadsheets fail as a control model for enterprise SaaS management?

A: Spreadsheets fail because they are manual, static, and dependent on people remembering to update them.

Q: How can security teams tell whether a SaaS application is still worth keeping?

A: Security teams should look at actual usage, owner accountability, and integration depth rather than license count alone.

Practitioner guidance

• Replace manual SaaS inventories with an authoritative system of record Use a managed platform or equivalent control process to track application ownership, usage, and access changes automatically.
• Tie SaaS offboarding to identity lifecycle events Make application removal, role removal, and access revocation part of the same offboarding workflow so dormant SaaS accounts do not survive employee or team changes.
• Review overlapping SaaS functionality before renewals Map duplicate features across applications before contracts renew so procurement decisions reflect real usage rather than historical purchases.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

• How Zluri structures SaaS management around dashboards, usage data, and spend tracking for enterprise teams
• How its platform connects to SSO and directory systems such as Okta or Active Directory in practice
• How feature-level usage intelligence can reveal overlapping functionality across applications
• How the article positions automation and AI inside future SaaS management architectures

👉 Read Zluri's analysis of enterprise SaaS management and sprawl →

SaaS sprawl: what it means for IAM, access, and governance?

Explore further

View Full Forum →  |  NHI Foundation Course →