
SaaS stack sprawl and access control: what teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Regular SaaS stack review, centralized management, auditing, procurement discipline, and security policies are the basics for reducing waste, improving visibility, and limiting compliance risk in SaaS-heavy environments, according to Zluri. The deeper issue is that SaaS sprawl is also identity sprawl, so governance breaks when access, ownership, and offboarding are not tied to the application lifecycle.

NHIMG editorial — based on content published by Zluri: SaaS Management 5 Vital Strategies for Unlocking Sustainable Business Growth

Questions worth separating out

Q: How should teams govern SaaS applications that accumulate hidden access over time?

A: Treat SaaS governance as an identity lifecycle problem.

Q: Why do centralized SaaS controls matter for IAM programmes?

A: Centralized controls matter because SaaS sprawl fragments visibility, which makes entitlement review and revocation inconsistent.

Q: What breaks when SaaS offboarding is not tied to access removal?

A: The organisation keeps paying for applications while their access remains active.

Practitioner guidance

  • Map every SaaS app to an owner, approver, and revocation path: create a control record for each application that includes business owner, technical owner, admin accounts, service accounts, and the exact process used to remove access when the app is retired or a vendor relationship changes.
  • Tie SaaS procurement to identity and access review: require security and IAM sign-off before purchase renewals so new apps cannot bypass entitlement review, offboarding planning, or logging requirements.
  • Automate offboarding for both people and machine access: use lifecycle workflows to remove dormant users, API keys, integration tokens, and delegated admin permissions when the app is no longer needed or the relationship changes.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • App discovery methods and the product's claimed visibility across a large SaaS estate.
  • Examples of centralized SaaS administration across procurement, usage, and renewal workflows.
  • The vendor's descriptions of audit logging, compliance monitoring, and event tracking.
  • How the article positions cost optimization, contract management, and usage reporting for implementation teams.

👉 Read Zluri's article on five SaaS management strategies for sustainable growth →

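The control-record and offboarding checks from the practitioner guidance above, as an added example that is not part of the original post or of Zluri's product: it audits a constructed SaaS inventory for missing owners or revocation paths, access that is still active after an app is retired, and dormant machine credentials. The record layout, the 90-day dormancy threshold and the sample inventory are assumptions.

```python
from datetime import date, timedelta

# Assumption: a credential unused for more than 90 days counts as dormant.
DORMANT_AFTER = timedelta(days=90)
# Fields every control record must carry (assumed layout).
REQUIRED_FIELDS = ("business_owner", "technical_owner", "revocation_path")


def audit_app(app, today):
    """Return (severity, finding) tuples for one SaaS control record."""
    findings = []
    # 1. The control record must name both owners and a revocation path.
    for field in REQUIRED_FIELDS:
        if not app.get(field):
            findings.append(("high", f"missing {field}"))
    # 2. A retired app must have no live human, admin or machine access.
    if app["status"] == "retired":
        for cred in app["credentials"]:
            if cred["active"]:
                findings.append(("critical",
                    f"{cred['kind']} '{cred['id']}' still active after retirement"))
    # 3. Active credentials nobody has used recently outlived the business need.
    for cred in app["credentials"]:
        idle = today - cred["last_used"]
        if cred["active"] and idle > DORMANT_AFTER:
            findings.append(("medium",
                f"{cred['kind']} '{cred['id']}' dormant for {idle.days} days"))
    return findings


def audit_inventory(inventory, today):
    """Map each app name to its list of findings (empty list = clean)."""
    return {app["name"]: audit_app(app, today) for app in inventory}


# Constructed sample inventory and reference date, not real data.
TODAY = date(2025, 6, 1)
INVENTORY = [
    {"name": "crm-suite", "status": "active", "business_owner": "sales-ops",
     "technical_owner": "it-apps", "revocation_path": "SCIM deprovision + key revoke",
     "credentials": [
         {"id": "svc-crm-sync", "kind": "service account", "active": True, "last_used": date(2025, 5, 30)},
         {"id": "api-key-01", "kind": "API key", "active": True, "last_used": date(2025, 1, 15)}]},
    {"name": "old-survey-tool", "status": "retired", "business_owner": "marketing",
     "technical_owner": "", "revocation_path": "",
     "credentials": [
         {"id": "integration-token-7", "kind": "integration token", "active": True, "last_used": date(2025, 5, 20)},
         {"id": "admin@survey", "kind": "delegated admin", "active": False, "last_used": date(2024, 12, 1)}]},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, TODAY).items():
        print(name, findings or "clean")
```
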
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

SaaS management is an identity governance discipline, not just a spend discipline. The article is right to connect efficiency, security, and compliance, but the deeper truth is that SaaS sprawl creates unmanaged identity surfaces faster than most programmes can classify them. Every new application adds human access, delegated admin rights, and often machine credentials that outlive the business need. Practitioners should treat SaaS governance as part of IAM and NHI lifecycle control, not as a separate procurement exercise.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should own SaaS risk when procurement, IAM, and security overlap?

A: Ownership should be shared, but accountability must be explicit. Procurement controls spend, IAM controls access, and security controls logging and policy enforcement. If no one owns the handoffs, applications will be approved, renewed, and retired without proper identity governance.

👉 Read our full editorial: SaaS management and identity control: what growth teams miss
