TL;DR: Shadow IT, SaaS sprawl, and third-party data handling can outpace spreadsheet-based ITAM and leave organisations without clear ownership, contract oversight, or security accountability, according to Zluri's discussion with Jeremy Boerger. The governance problem is not visibility alone. It is the gap between knowing software exists and being able to control access, data flow, and offboarding.
NHIMG editorial — based on content published by Zluri: Best Practices 8 Key Learnings about Shadow IT and Rethinking ITAM from Jeremy Boerger
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 5.7% of organisations have full visibility into their service accounts.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should security teams govern shadow IT in SaaS-heavy environments?
A: Security teams should combine discovery (which applications exist and who uses them), ownership (a named person accountable for each application), and lifecycle control (provisioning, periodic review, and revocation tied to joiner-mover-leaver events).
Q: Why does SaaS adoption create IAM and data governance risk?
A: SaaS adoption creates risk because access grants, data placement, and accountability are distributed across the business user who signed up, the vendor, and the vendor's subcontractors, so no single party holds the full picture of who can reach which data.
Q: What breaks when SaaS is managed only in spreadsheets?
A: Spreadsheets can track inventory, but they do not enforce offboarding, permission changes, or evidence of review.
Practitioner guidance
- Build a governed SaaS discovery process: Correlate expense data, SSO logs, browser signals, and procurement records so unsanctioned applications are detected before they become business dependencies.
- Assign identity ownership for every SaaS relationship: Require a named business owner, technical owner, and offboarding owner for each application so revocation, review, and exception handling are never ambiguous.
- Review data residency and backup paths before approval: Validate where production data, backups, and subcontracted processing occur, and document whether those locations align with contractual and regulatory obligations.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Jeremy Boerger's full interview context on why ITAM thinking still matters in SaaS-heavy environments.
- The discussion of procurement, SaaS management platforms, and how organisations try to track software outside spreadsheets.
- The hospital transcription example showing how third-party data handling can create hidden downstream risk.
- The practical commentary on cost control, documentation, and why better evidence changes internal decision-making.
👉 Read Zluri's discussion of shadow IT and SaaS governance challenges →
Shadow IT and SaaS governance: where ITAM breaks down
Explore further
Shadow IT is a lifecycle problem before it is a software problem. The article shows that once business users can self-provision SaaS, the real failure is not discovery alone but the absence of a governed joiner-mover-leaver path for software relationships. That is why ITAM and identity governance must converge on ownership, review, and revocation. Practitioners should treat every unsanctioned SaaS app as an unmanaged identity surface.
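As an added example (not code from Zluri's article or the Boerger interview), the following Python shows what the practitioner guidance above and the joiner-mover-leaver point in this section look like as a check rather than a spreadsheet: it correlates constructed SSO sign-in events and an expense export against a sanctioned-app register to surface unsanctioned applications, flags register entries that lack one of the three required owners, and joins an HR leaver list to the SSO log to find sign-ins after a user's last day. Every dataset, application name, and field name here is an assumption constructed for illustration.

```python
"""
Correlate SaaS signals against a sanctioned-app register to surface
shadow IT, ownership gaps, and joiner-mover-leaver failures.

Added example, not code from Zluri or the Boerger interview. Every input
below is constructed inline (register, HR leaver feed, SSO events, expense
export); the field layout and app names are assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed sanctioned-app register: app -> named owners per role.
# "CrmCloud" deliberately has no offboarding owner.
SANCTIONED = {
    "DocSign":  {"business": "legal", "technical": "it-apps", "offboarding": "it-apps"},
    "CrmCloud": {"business": "sales", "technical": "it-apps", "offboarding": None},
}

# Constructed HR feed: user -> last working day.
LEAVERS = {"alice": date(2024, 3, 1)}

# Constructed SSO sign-in events: (event date, user, application).
SSO_EVENTS = [
    (date(2024, 2, 20), "alice", "CrmCloud"),
    (date(2024, 3, 5),  "alice", "CrmCloud"),   # after alice's last day
    (date(2024, 3, 6),  "bob",   "NotesAI"),    # not in the register
    (date(2024, 3, 7),  "carol", "DocSign"),
]

# Constructed expense export: (date, submitter, merchant).
EXPENSES = [
    (date(2024, 3, 2), "bob",  "NotesAI"),
    (date(2024, 3, 3), "dave", "TranscribeCo"),  # card-paid, never touches SSO
]

REQUIRED_OWNERS = ("business", "technical", "offboarding")


def discover_unsanctioned(sso_events, expenses, sanctioned):
    """Return {app: {"sources": set, "users": set}} for apps outside the register.

    Correlating two feeds catches what either one alone misses: tools paid
    on a card with no SSO integration, and SSO-enabled tools nobody expensed.
    """
    seen = defaultdict(lambda: {"sources": set(), "users": set()})
    for _, user, app in sso_events:
        if app not in sanctioned:
            seen[app]["sources"].add("sso")
            seen[app]["users"].add(user)
    for _, user, merchant in expenses:
        if merchant not in sanctioned:
            seen[merchant]["sources"].add("expense")
            seen[merchant]["users"].add(user)
    return dict(seen)


def missing_owners(sanctioned, required=REQUIRED_OWNERS):
    """Return {app: [missing owner roles]} for register entries with gaps."""
    gaps = {}
    for app, owners in sanctioned.items():
        missing = [role for role in required if not owners.get(role)]
        if missing:
            gaps[app] = missing
    return gaps


def leaver_access(sso_events, leavers):
    """Return [(user, app, event_date)] for sign-ins after the user's last day.

    This is the evidence a spreadsheet inventory cannot produce: it requires
    the HR feed joined to the identity provider's logs.
    """
    hits = []
    for when, user, app in sso_events:
        last_day = leavers.get(user)
        if last_day is not None and when > last_day:
            hits.append((user, app, when))
    return hits


if __name__ == "__main__":
    for app, info in discover_unsanctioned(SSO_EVENTS, EXPENSES, SANCTIONED).items():
        print(f"unsanctioned: {app} via {sorted(info['sources'])} users={sorted(info['users'])}")
    for app, roles in missing_owners(SANCTIONED).items():
        print(f"ownership gap: {app} missing {roles}")
    for user, app, when in leaver_access(SSO_EVENTS, LEAVERS):
        print(f"leaver still active: {user} signed in to {app} on {when}")
```

In a real deployment the three inputs would come from the identity provider's sign-in export, the finance system's card feed, and the HR system's leaver report; the register is the artefact the ownership bullet above asks for, and the `leaver_access` output is the revocation queue the offboarding owner is accountable for clearing.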
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Our research also shows that 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
A question worth separating out:
Q: Who is accountable when third-party SaaS mishandles company data?
A: The customer remains accountable for how its data is selected, shared, retained, and governed, even when a third party processes it. Vendor contracts may shift operational tasks, but they do not erase the organisation's duty to understand residency, backup handling, subcontractors, and breach obligations. Accountability follows the data owner, not just the service provider.
👉 Read our full editorial: Shadow IT and SaaS governance expose the limits of ITAM