TL;DR: SaaS sprawl, shadow IT, and fragmented access governance are pushing organisations toward platforms that combine discovery, lifecycle automation, and review workflows, according to Zluri. KuppingerCole’s executive view highlights that SaaS management and IGA now need to operate as one control plane, not separate programmes.
NHIMG editorial — based on content published by Zluri: a summary of KuppingerCole's executive view on Zluri's SMP and IGA
Questions worth separating out
Q: How should teams govern SaaS access when the application estate keeps changing?
A: Start with discovery, not policy.
Q: Why do shadow IT and SaaS sprawl break access governance?
A: Because governance only works on systems you can see.
Q: What do security teams get wrong about access reviews for SaaS apps?
A: They often treat reviews as a periodic checkbox instead of a decision process grounded in app usage and ownership.
Practitioner guidance
- Build a single SaaS inventory before automating governance Consolidate application discovery data from SSO, HR, SaaS APIs, and manual app lists into one authoritative register.
- Tie onboarding and offboarding to authoritative identity events Connect joiner-mover-leaver triggers to SaaS provisioning and deprovisioning workflows so access changes follow employment changes.
- Use access reviews to resolve entitlement drift, not confirm noise Feed reviewers with application usage, owner context, and entitlement history so they can make real decisions instead of rubber-stamping permissions.
What's in the full report
Zluri's full review covers the operational detail this post intentionally leaves for the source:
- Detailed breakdown of the AuthKnox discovery engine and how its integrations surface SaaS inventory data
- Workflow examples for onboarding, access requests, reviews, and deprovisioning across SaaS applications
- Benchmark-style claims about automation rates, license optimisation, and audit readiness improvements
- Product-specific notes on compliance reports, deprovisioning playbooks, and multi-level review flows
👉 Read Zluri's executive view on SaaS management and IGA →
SaaS visibility and access governance: are your controls keeping up?
Explore further
SaaS governance is now an identity problem, not just an IT operations problem. Once application discovery, access requests, reviews, and deprovisioning sit in separate tools, accountability fragments and control evidence becomes harder to prove. That fragmentation is what shadow IT exploits. Practitioners should treat SaaS management and IGA as one governance domain.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why discovery quality is a governance issue, not a reporting nice-to-have.
A question worth separating out:
Q: What is the difference between SaaS management and IGA in practice?
A: SaaS management focuses on discovering applications, tracking usage, and optimising spend. IGA focuses on access requests, reviews, lifecycle actions, and audit evidence. In modern environments the two overlap, because you cannot govern SaaS access well if you cannot first identify which applications exist and who is connected to them.
👉 Read our full editorial: SaaS management and IGA are converging around identity control