TL;DR: Shadow IT, SaaS sprawl, and third-party data handling can outpace spreadsheet-based ITAM and leave organisations without clear ownership, contract oversight, or security accountability, according to Zluri's discussion with Jeremy Boerger. The governance problem is not visibility alone. It is the gap between knowing software exists and being able to control access, data flow, and offboarding.
NHIMG editorial — based on content published by Zluri: Best Practices 8 Key Learnings about Shadow IT and Rethinking ITAM from Jeremy Boerger
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 5.7% of organisations have full visibility into their service accounts.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should security teams govern shadow IT in SaaS-heavy environments?
A: Security teams should combine discovery, ownership, and lifecycle control.
Q: Why does SaaS adoption create IAM and data governance risk?
A: SaaS adoption creates risk because access, data placement, and accountability are distributed across multiple parties.
Q: What breaks when SaaS is managed only in spreadsheets?
A: Spreadsheets can track inventory, but they do not enforce offboarding, permission changes, or evidence of review.
Practitioner guidance
- Build a governed SaaS discovery process: Correlate expense data, SSO logs, browser signals, and procurement records so unsanctioned applications are detected before they become business dependencies.
- Assign identity ownership for every SaaS relationship: Require a named business owner, technical owner, and offboarding owner for each application so revocation, review, and exception handling are never ambiguous.
- Review data residency and backup paths before approval: Validate where production data, backups, and subcontracted processing occur, and document whether those locations align with contractual and regulatory obligations.
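The three guidance items above describe one procedure: correlate several signal sources to surface applications nobody approved, then check each approved application for named owners and documented data locations. The script below is an added illustration written for this post; it is not Zluri's or Jeremy Boerger's code. The application names, the SSO log line format, the register fields and the owner roles are constructed assumptions, chosen only to show what the correlation and the governance checks look like when automated rather than kept in a spreadsheet.

```python
import re
from collections import defaultdict

# --- Constructed sample inputs (illustrative; not taken from the Zluri article) ---

# Sanctioned-app register: the governance record each approved app should carry.
SANCTIONED_APPS = {
    "hr-suite": {
        "business_owner": "hr-lead",
        "technical_owner": "it-ops",
        "offboarding_owner": "it-ops",
        "data_residency": "EU",
        "backup_location": "EU",
    },
    "notesync": {
        "business_owner": "eng-lead",
        "technical_owner": None,      # gap: nobody to change permissions
        "offboarding_owner": None,    # gap: nobody accountable for revocation
        "data_residency": None,       # gap: residency never validated
        "backup_location": None,
    },
}

# Expense claims that name a SaaS vendor (constructed).
EXPENSE_RECORDS = [
    {"submitter": "alice", "app": "notesync", "amount": 120.0},
    {"submitter": "bob", "app": "transcribio", "amount": 49.0},
]

# SSO log lines in an assumed key=value format (constructed).
SSO_LOGS = [
    "2024-05-01T09:00:00Z user=alice app=notesync result=success",
    "2024-05-01T09:05:00Z user=carol app=hr-suite result=success",
    "2024-05-01T09:10:00Z user=bob app=quickchart result=success",
    "2024-05-01T09:11:00Z user=bob app=quickchart result=failure",
]

# Browser telemetry already mapped to an app name (constructed).
BROWSER_SIGNALS = [
    {"user": "bob", "app": "transcribio"},
    {"user": "dave", "app": "hr-suite"},
]

# Apps that went through procurement (constructed).
PROCUREMENT_RECORDS = ["hr-suite", "notesync"]

SSO_PATTERN = re.compile(r"user=(?P<user>\S+) app=(?P<app>\S+) result=(?P<result>\S+)")
REQUIRED_OWNERS = ("business_owner", "technical_owner", "offboarding_owner")
REQUIRED_RESIDENCY_FIELDS = ("data_residency", "backup_location")


def parse_sso_line(line):
    """Extract user/app/result from one SSO log line; None if the line does not match."""
    m = SSO_PATTERN.search(line)
    return m.groupdict() if m else None


def discover_apps(expenses, sso_logs, browser_signals, procurement):
    """Correlate all four sources into {app: {names of sources where it was seen}}."""
    seen = defaultdict(set)
    for rec in expenses:
        seen[rec["app"]].add("expense")
    for line in sso_logs:
        parsed = parse_sso_line(line)
        if parsed and parsed["result"] == "success":   # only successful logins count as use
            seen[parsed["app"]].add("sso")
    for sig in browser_signals:
        seen[sig["app"]].add("browser")
    for app in procurement:
        seen[app].add("procurement")
    return dict(seen)


def find_unsanctioned(discovered, sanctioned):
    """Apps seen in any signal source but absent from the sanctioned register."""
    return sorted(app for app in discovered if app not in sanctioned)


def ownership_gaps(sanctioned):
    """Sanctioned apps missing any of the three named owners -> {app: [missing roles]}."""
    gaps = {}
    for app, record in sanctioned.items():
        missing = [role for role in REQUIRED_OWNERS if not record.get(role)]
        if missing:
            gaps[app] = missing
    return gaps


def residency_gaps(sanctioned):
    """Sanctioned apps whose production data or backup location was never documented."""
    return sorted(
        app for app, record in sanctioned.items()
        if any(not record.get(field) for field in REQUIRED_RESIDENCY_FIELDS)
    )


if __name__ == "__main__":
    discovered = discover_apps(EXPENSE_RECORDS, SSO_LOGS, BROWSER_SIGNALS, PROCUREMENT_RECORDS)
    for app in find_unsanctioned(discovered, SANCTIONED_APPS):
        print(f"UNSANCTIONED {app}: seen via {sorted(discovered[app])}")
    for app, roles in ownership_gaps(SANCTIONED_APPS).items():
        print(f"OWNERSHIP GAP {app}: missing {roles}")
    for app in residency_gaps(SANCTIONED_APPS):
        print(f"RESIDENCY GAP {app}: data or backup location undocumented")
```

On the constructed data the run reports two unsanctioned apps (one seen only in SSO, one seen in both expenses and browser telemetry) and one approved app that has a business owner but no technical or offboarding owner and no documented residency. The point of recording which sources an app surfaced in is that it tells the reviewer how far the dependency has already spread: an app that appears in expense claims and browser traffic but never in SSO is being used outside the identity provider's reach, which is exactly the case where revocation is impossible until an owner is assigned.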
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Jeremy Boerger's full interview context on why ITAM thinking still matters in SaaS-heavy environments.
- The discussion of procurement, SaaS management platforms, and how organisations try to track software outside spreadsheets.
- The hospital transcription example showing how third-party data handling can create hidden downstream risk.
- The practical commentary on cost control, documentation, and why better evidence changes internal decision-making.
👉 Read Zluri's discussion of shadow IT and SaaS governance challenges →
Shadow IT and SaaS governance: where ITAM breaks down?