TL;DR: Traditional software asset management struggles with SaaS discovery, usage control, renewal tracking, and offboarding, while SaaS management platforms are built for those workflows, according to Zluri. The governance shift is from license administration to continuous SaaS visibility, cost control, and access lifecycle management.
NHIMG editorial — based on content published by Zluri: SaaS Management SAM vs. SMP: Why SMP is a Better Option for SaaS Management
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should teams govern SaaS applications beyond basic software asset management?
A: Treat SaaS governance as an identity and lifecycle problem, not just a procurement problem.
Q: Why do SaaS tools create governance gaps that traditional SAM misses?
A: Traditional SAM focuses on licences and deployment, while SaaS usage often starts through SSO, direct login, or integrations that bypass procurement visibility.
Q: How can organisations tell if SaaS management is actually working?
A: Look for fewer orphaned subscriptions, shorter time to remove access after offboarding, cleaner renewal decisions, and a lower number of duplicate applications.
Practitioner guidance
- Map SaaS control ownership to identity ownership: assign each SaaS application a business owner, an access owner, and a renewal owner so discovery, access review, and offboarding are not handled by separate teams with conflicting views.
- Connect discovery to identity telemetry: use SSO logs, directory data, and app integrations alongside procurement records so the organisation can see where SaaS is actually used, not just what has been bought.
- Tie renewals to access validation: require renewal approval to confirm current users, active integrations, and business justification before a subscription is extended, especially for apps with admin or data-sharing privileges.
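The three guidance points above amount to one reconciliation job: join what procurement bought with what the SSO logs say is used and what the directory says about the people using it. The script below is an added example (not Zluri's or NHIMG's code, and not a description of any SMP product) that runs that join over constructed inline data. The log format, the 90-day usage window, and the procurement and directory records are assumptions; a real deployment would read the IdP audit log and HR feed instead. It reports shadow SaaS, orphaned subscriptions, logins after termination, and the evidence a renewal owner should see before approving.

```python
"""Reconcile SaaS discovery sources: procurement records, SSO sign-in logs and
directory status.  Added example with constructed data; nothing here comes from
the Zluri article."""
from datetime import datetime, timedelta

AS_OF = datetime(2024, 10, 31)          # review date (constructed)
USAGE_WINDOW = timedelta(days=90)       # "recently used" threshold (assumption)

PROCUREMENT = {                         # what was bought (constructed)
    "Salesforce": {"owner": "sales-ops", "renews_on": "2025-01-15"},
    "OldWiki":    {"owner": "it",        "renews_on": "2024-12-01"},
    "Figma":      {"owner": "design",    "renews_on": "2025-03-01"},
}

DIRECTORY = {                           # HR/directory status (constructed)
    "alice": {"status": "active"},
    "bob":   {"status": "terminated", "terminated_on": "2024-10-01"},
    "carol": {"status": "active"},
}

# Constructed SSO audit lines: "<ISO timestamp> <user> <app> <event>".
SSO_LOG = """\
2024-10-20T09:01:00 alice Salesforce login
2024-10-21T10:15:00 carol Figma login
2024-10-22T11:00:00 carol Notion login
2024-10-05T08:30:00 bob Salesforce login
2024-10-23T12:00:00 alice Notion login
"""


def parse_sso_log(text):
    """Parse the constructed log format into (timestamp, user, app) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, event = line.split()
        if event == "login":
            events.append((datetime.fromisoformat(ts), user, app))
    return events


def apps_seen(events, since):
    """Apps with at least one login on or after `since`."""
    return {app for ts, _, app in events if ts >= since}


def shadow_saas(events, procurement, as_of=AS_OF):
    """Apps users sign into that procurement has no record of."""
    return sorted(apps_seen(events, as_of - USAGE_WINDOW) - set(procurement))


def orphaned_subscriptions(events, procurement, as_of=AS_OF):
    """Apps that were bought but nobody signed into within the window."""
    return sorted(set(procurement) - apps_seen(events, as_of - USAGE_WINDOW))


def offboarding_gaps(events, directory):
    """Logins by users the directory says were already terminated,
    with the number of days the access outlived the termination."""
    gaps = []
    for ts, user, app in events:
        rec = directory.get(user)
        if rec and rec["status"] == "terminated":
            term = datetime.fromisoformat(rec["terminated_on"])
            if ts >= term:
                gaps.append((user, app, (ts - term).days))
    return gaps


def renewal_review(app, events, procurement, directory, as_of=AS_OF):
    """Evidence a renewal owner should see before extending a subscription:
    who actually used it recently, split by directory status."""
    rec = procurement[app]
    since = as_of - USAGE_WINDOW
    recent = {u for ts, u, a in events if a == app and ts >= since}
    active = sorted(u for u in recent if directory.get(u, {}).get("status") == "active")
    gone = sorted(recent - set(active))
    renews_in = (datetime.fromisoformat(rec["renews_on"]) - as_of).days
    return {
        "app": app, "owner": rec["owner"],
        "active_users": active, "terminated_users": gone,
        "renews_in_days": renews_in,
        "recommendation": "renew" if active else "review before renewing",
    }


if __name__ == "__main__":
    ev = parse_sso_log(SSO_LOG)
    print("shadow SaaS:", shadow_saas(ev, PROCUREMENT))
    print("orphaned subscriptions:", orphaned_subscriptions(ev, PROCUREMENT))
    print("logins after termination:", offboarding_gaps(ev, DIRECTORY))
    for app in PROCUREMENT:
        print(renewal_review(app, ev, PROCUREMENT, DIRECTORY))
```

On the sample data this flags Notion as shadow SaaS (used, never bought), OldWiki as an orphaned subscription (bought, unused for 90 days), and a Salesforce login by bob four days after his termination date, which is the offboarding metric the Q&A above asks for. The renewal review for Salesforce lists alice as the only active user and bob as a terminated account that still signed in, so the renewal owner sees both the headcount and the access defect in one record.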
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- A side-by-side breakdown of SAM and SMP capabilities for SaaS discovery, cost management, and compliance workflows.
- Examples of Zluri's nine discovery methods and how they map to real SaaS inventory blind spots.
- Operational detail on renewal calendars, ownership assignment, and offboarding workflows for abandoned apps.
- Specific examples of risk scoring and threat-level assessment for SaaS applications.
👉 Read Zluri's comparison of SAM and SMP for SaaS management →
SAM vs SMP: what it means for SaaS governance teams
Explore further
SaaS governance has become an identity problem disguised as an asset problem. The article frames SAM as an inventory discipline and SMP as a SaaS control layer, but the real shift is that access, ownership, and offboarding now define the governance outcome. Procurement alone cannot see delegated access paths, and licence reconciliation alone cannot remove abandoned identity relationships. Practitioners should treat SaaS governance as part of the identity lifecycle.
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who should be accountable when SaaS access or renewals get out of control?
A: Accountability should sit with named application owners, supported by IAM, procurement, and security. The key is that ownership must be explicit enough to answer who approves access, who validates renewal need, and who removes access when the app is no longer required.
👉 Read our full editorial: SaaS management platforms expose the limits of legacy SAM