TL;DR: OnLoop reduced wasted SaaS spend, improved app visibility, and automated offboarding after replacing spreadsheet-driven access tracking with Josys, according to Josys. The underlying lesson is that shadow SaaS, stale access, and audit prep debt are identity governance problems, not just IT housekeeping.
NHIMG editorial — based on content published by Josys: How OnLoop Enhanced SaaS Visibility and Boosted IT Efficiency with Josys
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: How should teams govern SaaS access when apps are discovered informally?
A: Start by treating discovery as a governance control, not just inventory.
Q: Why do spreadsheet-based access trackers create lifecycle risk?
A: Spreadsheets age faster than access changes.
Q: What breaks when offboarding is still a manual process?
A: Manual offboarding leaves a gap between departure and revocation, which is where residual access survives.
Practitioner guidance
- Centralise SaaS discovery and ownership records: Replace spreadsheet registers with a continuously updated inventory that links each app to an owner, usage status, and access state.
- Automate leaver-triggered revocation: Connect departure events to scheduled removal steps so access is revoked across all connected apps without manual chasing.
- Tie review evidence to live entitlement data: Keep access and ownership records current enough to support SOC 2 and internal reviews without rebuilding evidence at quarter-end.
What's in the full article
Josys's full case study covers the operational detail this post intentionally leaves for the source:
- The SaaS Discovery Dashboard workflow used to map active tools, shadow apps, and license status.
- The exact automated offboarding sequence used to revoke access when people leave.
- The team-level ownership model the organisation plans to roll out next.
- The compliance review workflow that supported SOC 2 preparation and audit readiness.