TL;DR: Inaccurate SaaS management data can hide shadow IT, inflate spend, and leave ex-employees with lingering access, according to Zluri. For identity teams, the core issue is not reporting quality but whether SaaS discovery, source-of-truth tracing, and deprovisioning are accurate enough to support governance decisions.
NHIMG editorial — based on content published by Zluri: What makes Zluri the most accurate SaaS management platform
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should teams govern SaaS apps when discovery is incomplete?
A: Treat incomplete discovery as a control gap, not a reporting flaw.
Q: Why do stale SaaS records create access risk?
A: Stale records can show an app as active, owned, or revoked when the real state has already changed.
Q: What do security teams get wrong about SaaS spend data?
A: They often treat spend data as evidence of control, when it is only one signal.
Practitioner guidance
- Map discovery coverage to governance scope: Document which SaaS apps are visible through SSO, finance feeds, direct integrations, device agents, and browser extensions, then label the blind spots before using the platform for access decisions.
- Require source lineage for every governance record: Only accept licence, usage, and ownership data when the record can be traced back to the originating system, such as the IdP, finance platform, or application API.
- Reconcile offboarding across the full app estate: Validate that leaver processes remove access in every discovered application, not only the applications already linked to HR or SSO records.
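One way to run the offboarding reconciliation together with the lineage requirement, as an added example that is not taken from Zluri or from this editorial. The record fields, app names, users, and lineage ids are constructed assumptions; a real inventory export would be mapped into the same shape.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AccountRecord:
    app: str
    user: str
    status: str              # "active" or "revoked", as the inventory reports it
    discovered_via: str      # e.g. "sso", "finance", "browser_extension"
    lineage: Optional[str]   # reference to the originating system record, None if untraceable

# Constructed sample data (hypothetical apps, users and record ids).
LEAVERS = {"dana@example.com"}
INVENTORY = [
    AccountRecord("crm", "dana@example.com", "revoked", "sso", "idp:evt-1001"),
    AccountRecord("design-tool", "dana@example.com", "active", "browser_extension", "agent:rec-77"),
    AccountRecord("survey-app", "dana@example.com", "revoked", "finance", None),
    AccountRecord("crm", "lee@example.com", "active", "sso", "idp:evt-0990"),
]

def reconcile_leavers(leavers, inventory):
    """Return (user, app, finding) for every leaver record that is not provably revoked."""
    findings = []
    for rec in inventory:
        if rec.user not in leavers:
            continue
        if rec.status == "active":
            # Access persists; note whether SSO-driven offboarding could have seen it.
            kind = "active" if rec.discovered_via == "sso" else "active_outside_sso"
            findings.append((rec.user, rec.app, kind))
        elif rec.lineage is None:
            # "revoked" with no traceable source cannot be accepted as evidence.
            findings.append((rec.user, rec.app, "revoked_unverified"))
    return sorted(findings)

def coverage(leavers, inventory):
    """Fraction of leaver records that are revoked and carry source lineage."""
    recs = [r for r in inventory if r.user in leavers]
    ok = [r for r in recs if r.status == "revoked" and r.lineage]
    return len(ok) / len(recs) if recs else 1.0

if __name__ == "__main__":
    for finding in reconcile_leavers(LEAVERS, INVENTORY):
        print(finding)
    print(f"auditable revocation coverage: {coverage(LEAVERS, INVENTORY):.0%}")
```

The coverage figure counts only revocations that trace back to a source record, so an untraceable "revoked" entry lowers it in the same way an active account does.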
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- The nine discovery methods used to build a SaaS inventory, including SSO, finance systems, direct integrations, desktop agents, and browser extensions.
- The source-level explanation of how licence usage, app ownership, and spend data are mapped back to original systems.
- The operational examples of hidden charges, true-ups, and renewals that make source-of-truth tracing useful in practice.
- The vendor's discussion of how its data model supports deprovisioning and cost optimisation workflows.
SaaS visibility gaps: what identity and security teams miss?
Explore further
Accuracy is the control surface, not the dashboard. This article shows that SaaS management succeeds or fails on the quality of its underlying identity and usage data. If discovery is incomplete, freshness is delayed, or provenance is unclear, the platform cannot support real governance decisions. The practitioner conclusion is simple: accuracy is an operational control boundary, not a cosmetic reporting attribute.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% only partial visibility, according to The State of Non-Human Identity Security.
- A separate NHI benchmark found that 97% of NHIs carry excessive privileges, which is why visibility alone is never enough for governance.
A question worth separating out:
Q: Who is accountable when a leaver still has access to SaaS apps?
A: Accountability sits with the organisation that owns offboarding, even if a platform only discovered part of the app estate. If access persists because discovery was incomplete, that is a governance failure in lifecycle management. The fix is to make revocation coverage auditable across every application in scope.