TL;DR: As SaaS adoption expands across departments, fragmented subscriptions, hidden auto-renewals, and shadow IT are forcing procurement teams into reactive oversight, according to Matrix42, with Gartner projecting organisations that fail to manage SaaS lifecycles centrally will be five times more likely to experience cyber incidents by 2027. The governance issue is no longer spend control alone, but whether organisations can maintain a reliable source of truth for software access, usage, and renewal risk.
NHIMG editorial — based on content published by Efecte: The Future of Procurement: Why SaaS Visibility Is Non-Negotiable
By the numbers:
- Gartner projects that organisations failing to manage SaaS lifecycles centrally will be five times more likely to experience cyber incidents by 2027.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should procurement teams govern SaaS tools that arrive outside official channels?
A: They should treat every unsanctioned SaaS purchase as both a spend exception and an identity exception.
Q: Why do hidden SaaS renewals create security risk as well as cost waste?
A: Hidden renewals keep software and its access paths alive after the original business need may have ended.
Q: What breaks when SaaS visibility is missing from identity governance?
A: Offboarding becomes incomplete, duplicate tools remain in place, and access reviews lose context because the organisation cannot see which applications are still active.
Practitioner guidance
- Create a unified SaaS register Link every subscription to an owner, business purpose, renewal date, data classification, and identity integrations so the organisation can answer who can access what and why.
- Require identity review at purchase intake Make SSO, SCIM, API keys, and administrative account ownership part of the approval checklist before any department can onboard a new SaaS tool.
- Tie renewals to usage and access recertification Block automatic renewal until the business owner confirms active use and the identity team confirms that access, integrations, and offboarding controls remain appropriate.
What's in the full article
Matrix42's full post covers the operational detail this analysis intentionally leaves for the source:
- How Matrix42 frames SaaS visibility across procurement, finance, and compliance workflows.
- Examples of the cost and renewal problems that arise when SaaS ownership is distributed across departments.
- The article's broader perspective on managed services for lean procurement teams.
- The vendor's discussion of how European midmarket organisations are approaching the shift to visibility-driven procurement.
👉 Read Efecte's analysis of SaaS visibility and procurement governance →
SaaS visibility and shadow IT: what procurement teams need now?
Explore further
SaaS visibility is now a lifecycle governance issue, not a procurement reporting problem. The article describes a world where buying, renewing, and using software happens across dozens of business functions, which makes central control impossible if teams treat procurement as a separate administrative lane. The deeper issue is that software lifecycle events now affect access, data exposure, and third-party risk. Practitioners should treat SaaS inventory as part of identity governance, not a standalone finance record.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who should own SaaS governance when procurement, IT, and security all touch it?
A: Ownership should sit with a named business accountable for each application, supported by procurement for commercial control and identity teams for access control. The key is not centralising every task in one team. It is making one party accountable for the full lifecycle so renewals, access, and retirement do not fall between functions.
👉 Read our full editorial: SaaS visibility is becoming a control problem for procurement teams