They should automate inventory discovery, usage review, and renewal alerts so the control process scales with the number of applications. A manual spreadsheet approach breaks down as the portfolio grows, while automated review lets teams focus on deciding what to keep, retire, or consolidate.
Why This Matters for Security Teams
SaaS waste is rarely just a finance problem. It often signals shadow access, orphaned accounts, duplicated tooling, and licenses that remain active long after a team stops using them. When procurement, IT, and security each maintain their own spreadsheets, the process turns into a manual reconciliation exercise that cannot keep pace with modern SaaS sprawl. The result is higher spend, weaker governance, and more exposure to forgotten identities and stale entitlements.
The practical issue is that SaaS inventory and access drift behave like non-human identity problems: they multiply faster than people can review them. NHI Mgmt Group’s Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into their service accounts, a useful warning sign for identity visibility discipline more broadly. Teams that rely on manual review typically discover waste only after a renewal has already locked in another year of cost; in practice the trigger is often finance questioning the bill, not a deliberately designed control.
How It Works in Practice
The goal is to replace manual chasing with a lightweight control loop that continuously discovers applications, measures usage, and surfaces renewal risk early. That means connecting identity providers, expense systems, SSO logs, and SaaS admin APIs so the inventory is updated automatically rather than copied into a spreadsheet once a quarter. The best practice is evolving toward policy-driven review, where the system flags apps with no login activity, no recent API calls, no assigned owner, or overlapping function.
A workable process usually includes:
- automatic discovery of SaaS apps from SSO, SAML, OAuth, and expense data;
- usage thresholds that distinguish active, low-use, and dormant applications;
- renewal alerts tied to owner attestations and contract end dates;
- retirement workflows that revoke access, export needed data, and close the loop;
- consolidation reviews that compare duplicate tools before renewal.
For governance teams, the objective is not perfect certainty but enough reliable telemetry to make renewal decisions early. The NIST Cybersecurity Framework 2.0 supports this kind of continuous visibility and risk-based action, while the Snowflake breach and BeyondTrust API key breach show why dormant access and weak lifecycle control can become security issues, not just cost inefficiencies. When spend review and access review are unified, teams can eliminate waste without adding another monthly spreadsheet ritual. These controls tend to break down in organisations that lack a single owner for SaaS procurement because app data remains fragmented across finance, IT, and departmental budgets.
Common Variations and Edge Cases
Tighter SaaS governance often increases operational overhead at first, requiring organisations to balance savings against review friction. The tradeoff is real: aggressive deprovisioning can interrupt legitimate work, especially when apps are shared across departments or used only during seasonal cycles. Guidance suggests using risk-based thresholds instead of one-size-fits-all rules, but there is no universal standard for this yet.
Common edge cases include tools purchased on corporate cards, applications accessed without SSO, and platform features embedded inside larger suites that are hard to separate cleanly. Finance may want cost reduction, while security wants stronger access control, and IT may need a clean inventory before anyone can act. That is why automation should focus on surfacing decisions, not making them silently. A renewal workflow that asks the owner to confirm business value, usage, and data sensitivity usually scales better than a rigid deletion rule. NHI Mgmt Group’s research on the Salesloft OAuth token breach shows how unmanaged tokens and stale app relationships can persist far beyond initial approval. In practice, the hardest SaaS waste to remove is the app that is still technically needed, but no one can prove why.
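The control loop described under "How It Works in Practice" (discovery from SSO and expense data, usage thresholds, renewal alerts tied to owners and contract dates, consolidation checks) and the edge cases above (seasonal applications, corporate-card purchases with no SSO, overlapping tools) fit in one small review job. The script below is an added illustration and is not NHI Mgmt Group's code or any vendor's product; the SSO events, expense records, contract register, app names, user names and every threshold are constructed sample data and assumed values, chosen only to exercise each branch.

```python
"""Lightweight SaaS renewal control loop (added example, not NHIMG code).

Discovers apps from SSO, expense and contract data, scores usage with
risk-based thresholds, and builds a renewal decision queue for owners.
All inputs below are constructed sample data; thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2026, 6, 1)  # constructed review date

# Constructed SSO login events: (date, user, app), as an IdP/SAML log would yield.
SSO_EVENTS = [
    (date(2026, 5, 30), "ana", "crm-suite"),
    (date(2026, 5, 29), "ben", "crm-suite"),
    (date(2026, 5, 28), "cai", "crm-suite"),
    (date(2026, 5, 27), "dee", "crm-suite"),
    (date(2026, 5, 27), "ana", "form-builder"),
    (date(2026, 5, 26), "eli", "form-builder"),
    (date(2026, 5, 25), "dee", "form-builder"),
    (date(2026, 5, 20), "ana", "notes-app"),    # one user this month
    (date(2026, 1, 12), "ben", "survey-tool"),  # nothing since January
    (date(2025, 12, 3), "eli", "tax-filing"),   # seasonal, used each winter
]

# Constructed expense records: (date, vendor, card). A vendor seen here but never
# in SSO logs was bought on a corporate card outside identity governance.
EXPENSE_RECORDS = [
    (date(2026, 5, 15), "crm-suite", "finance-card"),
    (date(2026, 5, 2), "design-pro", "marketing-card"),   # has a contract, no SSO
    (date(2026, 5, 10), "ai-notetaker", "sales-card"),    # no contract, no SSO
]


@dataclass
class Contract:
    app: str
    renews_on: date
    owner: Optional[str]
    category: str           # used to spot overlapping tools
    seasonal: bool = False  # seasonal apps get a longer dormancy window


CONTRACTS = {c.app: c for c in [
    Contract("crm-suite", date(2026, 7, 1), "ana", "crm"),
    Contract("notes-app", date(2026, 6, 20), None, "notes"),
    Contract("survey-tool", date(2026, 7, 15), "ben", "surveys"),
    Contract("form-builder", date(2026, 7, 10), "cai", "surveys"),
    Contract("tax-filing", date(2026, 6, 30), "eli", "tax", seasonal=True),
    Contract("design-pro", date(2026, 7, 20), None, "design"),
]}

# Assumed policy thresholds; a real team tunes these to its own risk appetite.
DORMANT_DAYS = 90            # no login for this long -> dormant
SEASONAL_DORMANT_DAYS = 400  # must cover a full annual cycle plus slack
LOW_USE_MAX_USERS = 2        # <= this many distinct users in 30 days -> low-use
RENEWAL_HORIZON_DAYS = 60    # surface decisions this far before renewal


def discover_apps(sso_events, expense_records, contracts):
    """Union of all sources, recording which sources each app appeared in."""
    sources = defaultdict(set)
    for _, _, app in sso_events:
        sources[app].add("sso")
    for _, vendor, _ in expense_records:
        sources[vendor].add("expense")
    for app in contracts:
        sources[app].add("contract")
    return dict(sources)


def classify_usage(app, sso_events, contract, as_of=AS_OF):
    """Return 'active', 'low-use', 'dormant' or 'no-telemetry' for one app."""
    logins = [(d, u) for d, u, a in sso_events if a == app]
    if not logins:
        return "no-telemetry"  # no SSO coverage: cannot measure, only ask
    last_login = max(d for d, _ in logins)
    window = SEASONAL_DORMANT_DAYS if contract and contract.seasonal else DORMANT_DAYS
    if (as_of - last_login).days > window:
        return "dormant"
    recent_users = {u for d, u in logins if (as_of - d).days <= 30}
    return "low-use" if len(recent_users) <= LOW_USE_MAX_USERS else "active"


def renewal_review(sso_events, expense_records, contracts, as_of=AS_OF):
    """Build the decision queue; this surfaces decisions and never revokes access."""
    inventory = discover_apps(sso_events, expense_records, contracts)
    by_category = defaultdict(list)
    for app, c in contracts.items():
        by_category[c.category].append(app)
    findings = {}
    for app in sorted(inventory):
        contract = contracts.get(app)
        usage = classify_usage(app, sso_events, contract, as_of)
        if contract is None:  # discovered but never registered: shadow app
            findings[app] = {"usage": usage, "reasons": ["no contract record"],
                             "action": "register app and assign owner"}
            continue
        if (contract.renews_on - as_of).days > RENEWAL_HORIZON_DAYS:
            continue  # not due yet; revisit next cycle
        reasons = []
        if "sso" not in inventory[app]:
            reasons.append("no SSO telemetry")
        if usage in ("dormant", "low-use"):
            reasons.append(usage)
        if contract.owner is None:
            reasons.append("no owner")
        for other in sorted(by_category[contract.category]):
            if other != app:
                reasons.append(f"overlaps {other}")
        if "no owner" in reasons:
            action = "assign owner, then owner attestation"
        elif reasons:
            action = "owner attestation: business value, usage, data sensitivity"
        else:
            action = "routine renewal"
        findings[app] = {"usage": usage, "reasons": reasons, "action": action}
    return findings


if __name__ == "__main__":
    for app, f in renewal_review(SSO_EVENTS, EXPENSE_RECORDS, CONTRACTS).items():
        print(f"{app:13} {f['usage']:13} {f['action']:58} {'; '.join(f['reasons'])}")
```

Two design choices carry the edge cases. The seasonal flag on the contract widens the dormancy window, so the winter-only tax-filing app is reported as low-use and sent to its owner rather than being flagged dormant and deprovisioned in June; and the job only ever produces an action string for a human (attest, assign an owner, register the app), never a revocation, which is what keeps aggressive cleanup from breaking shared or intermittently used tools.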
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM-01 | Continuous SaaS inventory and renewal review support risk management governance. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Dormant SaaS accounts and tokens are a classic non-human identity lifecycle issue. |
| NIST AI RMF | Govern function | Risk-based review and accountability align with AI RMF governance principles for automation. |
Use governed automation to flag SaaS waste while keeping human approval for retention decisions.
Related resources from NHI Mgmt Group
- How do IT teams reduce SaaS risk without slowing down users?
- How should teams reduce SaaS licence waste without breaking access for users who still need it?
- How can IAM teams reduce manual work without weakening controls?
- How should higher-education teams modernise IAM without creating more manual work?
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org