TL;DR: Real-time visibility into app usage, shadow IT, and license optimisation lets IT translate access data into finance decisions, while also strengthening governance over who can reach which SaaS tools, according to Lumos. The deeper lesson is that access visibility is no longer just an IAM control, but a shared operating layer for spend, risk, and accountability.
NHIMG editorial — based on content published by Lumos: How Lumos Uses Lumos to Build the CIO-CFO Partnership
Questions worth separating out
Q: How should teams govern shadow IT discovered through OAuth-connected apps?
A: Treat it as an access governance issue, not only a software inventory issue.
Q: Why do unused SaaS licenses matter to identity governance?
A: Unused licenses often indicate that access was granted without being continuously validated against current need.
Q: How can security teams connect access visibility to business decisions?
A: Build reporting that combines application usage, access assignments, and vendor spend in one view.
Practitioner guidance
- Correlate authentication sources with SaaS usage Join Google OAuth, Okta, and app telemetry so the team can see which applications are actually active, not just approved on paper.
- Classify shadow IT as an access-governance issue Track unapproved apps as unmanaged identity reach, then route them into review, ownership assignment, and risk triage instead of treating them only as procurement exceptions.
- Use license utilisation to trigger entitlement review Flag underused tools, duplicate vendors, and dormant access tiers during renewal and access review cycles so spend optimisation also reduces governance drift.
What's in the full article
Lumos's full blog post covers the operational detail this post intentionally leaves for the source:
- How Lumos maps app usage across Google OAuth, Okta, and other authentication sources to reveal shadow IT
- The internal workflow used to identify underutilised licenses and consolidate redundant vendors
- Examples of how the IT team uses usage evidence in conversations with finance and app owners
- The platform workflow Lumos uses to turn visibility into action across governance and spend decisions
👉 Read Lumos's post on how visibility strengthens CIO-CFO alignment →
Shadow IT, SaaS spend, and access governance: what teams miss?
Explore further
Visibility is now the control plane for both spend and access governance. When organisations cannot see which SaaS apps are in use, they lose the ability to govern shadow IT, validate entitlement scope, or justify vendor rationalisation with evidence. That is not just an operational gap, it is a governance failure across human identities and the NHI-like app access paths they create. The implication is that access visibility has become a prerequisite for credible IAM decision-making.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which helps explain why delegated app access often escapes governance review.
A question worth separating out:
Q: What should organisations review first when SaaS sprawl is getting out of control?
A: Start with the applications that have active logins but unclear ownership or low utilisation. Those are usually the fastest path to risk reduction because they often expose unmanaged access, redundant contracts, and stale entitlements at the same time.
👉 Read our full editorial: CIO and CFO alignment depends on identity visibility and access control