SaaS vendor management and app sprawl: what IAM teams miss

TL;DR: As SaaS portfolios expand, vendor management increasingly determines whether organisations can see redundant apps, control renewal risk, and reduce shadow IT, according to Zluri. The deeper issue is that SaaS governance is really identity governance for applications, contracts, and access lifecycles.

NHIMG editorial — based on content published by Zluri: SaaS Management SaaS Vendor Management: A 101 Guide

By the numbers:

• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
• Only 5.7% of organisations have full visibility into their service accounts.

Questions worth separating out

Q: How should security teams govern SaaS vendor sprawl without losing control of access?

A: Start by treating each SaaS subscription as an access relationship, not just a contract.

Q: Why do SaaS tools create identity risk even when they are approved?

A: Approved SaaS tools still create risk when ownership, renewal, and offboarding are not maintained.

Q: How do organisations know if SaaS vendor management is actually working?

A: Look for fewer redundant applications, lower renewal churn, clean ownership records, and a measurable drop in unused licenses and unsanctioned tools.

Practitioner guidance

• Create a single ownership record for every SaaS app Tie each subscription to one accountable business owner, one technical owner, and one review cadence so no renewal or access decision happens without a named approver.
• Link renewals to access and usage review Require usage evidence, license counts, and current integrations before any renewal is approved, then revoke access and reclaim seats for apps that no longer have a business purpose.
• Inventory shadow IT through identity signals Use corporate email registrations, SSO logs, and procurement records to surface unapproved apps, then move each one into review or offboarding before the next billing cycle.

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

• Detailed SaaS vendor management checklist for day-to-day administration and renewal tracking
• Step-by-step guidance on selecting a SaaS management platform based on seats, compliance, and ownership
• Practical examples of how to track SLAs, contracts, and renewal dates across departments
• Implementation considerations for automating onboarding, offboarding, and access control workflows

👉 Read Zluri's guide to SaaS vendor management and app lifecycle control →

SaaS vendor management and app sprawl: what IAM teams miss?

Explore further

View Full Forum →  |  NHI Foundation Course →