Shadow SaaS and the governance gap teams are missing


(@nhi-mgmt-group)

TL;DR: SaaS expansion, remote work, and employee-led app adoption have made shadow IT harder to see and govern, while David Foxen argues that many organisations still rely on manual processes, spreadsheets, and incomplete approvals, according to Zluri. The practical problem is not software convenience but fragmented visibility across procurement, finance, and security.

NHIMG editorial — based on content published by Zluri: SaaS Management Software Asset Management with the SAM Beast David Foxen Tathagata Chakrabarti

Questions worth separating out

Q: How should organisations govern shadow SaaS without slowing down business teams?

A: Start by treating unsanctioned SaaS as an identity and access issue, not just a purchasing issue.

Q: Why does shadow SaaS create more risk than traditional software sprawl?

A: Shadow SaaS often comes with built-in authentication, data sharing, and delegated access that extend beyond the original user.

Q: What do security teams get wrong about SaaS inventory management?

A: They often assume a list of applications is enough.

Practitioner guidance

  • Build SaaS discovery from multiple control points: Correlate SSO logs, finance spend data, procurement records, and expense claims to identify applications that bypass formal approval.
  • Classify every unsanctioned app as an access governance exception: Assign an owner, a data classification, and an offboarding path to each discovered application so the organisation can revoke access when the business use case ends.
  • Move SaaS approval before payment approval: Require security review for authentication method, integration scope, and data handling before a corporate card or expense claim can finalise a purchase.

What's in the full article

Zluri's full podcast post covers the operational detail this post intentionally leaves for the source:

  • How David Foxen describes SaaS management maturity and the practical role of ITAM in reducing shadow IT
  • The procurement, finance, and legal checkpoints that organisations can use to identify unapproved applications
  • Examples of how companies use spreadsheets, expense data, and dedicated SaaS tools to track hidden app adoption
  • The discussion of how pandemic-era working changed software buying behaviour and expanded the SaaS surface

👉 Read Zluri's podcast discussion on SaaS management and shadow IT →
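
The multi-source correlation from the first practitioner-guidance item, as an added example that is not part of the original post or Zluri's material. It joins constructed SSO, card-spend, expense-claim and procurement records (the column names and the `app_key` normaliser are assumptions) and reports every app seen at a control point without an approved procurement record.

```python
import csv, io, re
from collections import defaultdict

# All records below are constructed sample data; the column names are assumptions.
SSO_LOG = """user,app
ana@example.com,Slack
ben@example.com,Notion
"""
CARD_SPEND = """cardholder,merchant,amount
ben@example.com,NOTION LABS INC,96.00
cho@example.com,Airtable.com,240.00
"""
EXPENSE_CLAIMS = """claimant,description,amount
dee@example.com,Calendly Pro subscription,144.00
"""
PROCUREMENT = """app,status
Slack,approved
"""

# Billing suffixes and punctuation that hide the vendor name in finance data.
NOISE = re.compile(r"\b(inc|ltd|llc|labs|pro|subscription|com|io)\b|[^a-z0-9 ]")

def app_key(raw):
    """Reduce an app or merchant string to its first meaningful token.
    Simplification: real vendor matching needs a maintained alias table."""
    tokens = NOISE.sub(" ", raw.lower()).split()
    return tokens[0] if tokens else ""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_shadow_saas(sso, card, claims, procurement):
    approved = {app_key(r["app"]) for r in rows(procurement) if r["status"] == "approved"}
    seen = defaultdict(lambda: {"sources": set(), "users": set()})
    feeds = [("sso", sso, "app", "user"),
             ("card", card, "merchant", "cardholder"),
             ("expense", claims, "description", "claimant")]
    for source, text, app_col, user_col in feeds:
        for r in rows(text):
            entry = seen[app_key(r[app_col])]
            entry["sources"].add(source)
            entry["users"].add(r[user_col])
    # Observed at a control point but absent from approved procurement = finding.
    return {app: {"sources": sorted(e["sources"]), "users": sorted(e["users"])}
            for app, e in sorted(seen.items()) if app not in approved}

if __name__ == "__main__":
    for app, info in find_shadow_saas(SSO_LOG, CARD_SPEND, EXPENSE_CLAIMS, PROCUREMENT).items():
        print(app, info["sources"], info["users"])
```

In the sample, Airtable and Calendly never appear in the SSO log, so an SSO-only inventory would miss both; the `users` list per finding gives the starting point for assigning an owner and an offboarding path.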
