Look for contract data, usage data, and licence assignment data in the same workflow. If the platform can show dormant licences, overlapping apps, and renewal timing together, it can support real savings decisions. If those records are split across teams, the savings model is too weak to trust.
Why This Matters for Security Teams
SaaS spend optimisation is only real when it changes buying and access decisions, not when it produces a prettier dashboard. Security, IT, and finance teams often track usage in different systems, so they can see activity but not prove whether dormant licences were reclaimed, duplicate tools were removed, or renewals were renegotiated. That gap matters because unused subscriptions still create cost, access risk, and admin overhead. The same governance blind spots that show up in Snowflake breach reviews and Salesloft OAuth token breach analysis also appear in SaaS cost controls: if you cannot connect entitlement, usage, and renewal timing, you cannot trust the outcome. Current guidance in the NIST Cybersecurity Framework 2.0 still points toward governance, asset visibility, and continuous monitoring as the basis for dependable decisions. In NHI Management Group research, only 5.7% of organisations have full visibility into their service accounts, which is a useful warning sign for any environment that still separates identity data from operational usage data. In practice, many security teams discover SaaS waste only after a renewal has already locked in spend, rather than through intentional optimisation.
How It Works in Practice
Reliable SaaS optimisation depends on joining three records into one workflow: contract terms, product usage, and licence assignment. That gives teams a way to test whether a subscription is actually delivering value or just sitting on the shelf. The most useful platforms do not stop at login counts. They show whether a licence is assigned, whether the user is active, whether the app overlaps with another tool, and when the renewal clock expires. That makes the savings model auditable instead of aspirational. A practical workflow usually includes:
- Mapping each SaaS app to an owner, cost centre, and renewal date.
- Comparing assigned licences with actual usage over a defined review window.
- Flagging dormant or lightly used licences for reclaim, downgrade, or removal.
- Detecting overlapping apps so consolidation decisions can be made before renewal.
- Tracking realised savings after the change, not just projected savings.
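The workflow above, as an added worked example that is not code from NHI Mgmt Group or from this page: a small Python review that joins constructed contract, usage and licence-assignment records into one pass. It goes slightly beyond the list in two places, treating pooled (concurrent-use) licences by peak concurrent users rather than per-user dormancy, and computing realised savings over the whole estate rather than per cancelled tool, so a similar tool bought elsewhere still shows up. Every app name, user, cost, date and the review window are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed contract records, one per SaaS app (assumed schema, not real data).
# "pooled" marks concurrent-use licences, where per-user dormancy is misleading.
CONTRACTS = {
    "crm-alpha": {"owner": "sales-ops", "cost_centre": "CC-100", "category": "crm",
                  "renewal": date(2026, 8, 1), "seats": 50, "seat_cost": 600.0, "pooled": False},
    "crm-beta":  {"owner": "marketing", "cost_centre": "CC-200", "category": "crm",
                  "renewal": date(2026, 7, 15), "seats": 20, "seat_cost": 480.0, "pooled": False},
    "viz-tool":  {"owner": "data-eng", "cost_centre": "CC-300", "category": "analytics",
                  "renewal": date(2027, 1, 10), "seats": 10, "seat_cost": 1200.0, "pooled": True},
}

# Constructed licence assignments: (app, user).
ASSIGNMENTS = [
    ("crm-alpha", "ana"), ("crm-alpha", "ben"), ("crm-alpha", "cy"),
    ("crm-beta", "ana"), ("crm-beta", "dee"),
    ("viz-tool", "eve"), ("viz-tool", "fay"), ("viz-tool", "gus"),
]

# Constructed usage events: (app, user, day). "cy" is genuinely dormant, "dee" was
# active last quarter only (seasonal), and the pooled tool never exceeds 2 users.
AS_OF = date(2026, 6, 10)
USAGE = [
    ("crm-alpha", "ana", AS_OF - timedelta(days=3)),
    ("crm-alpha", "ben", AS_OF - timedelta(days=40)),
    ("crm-alpha", "cy", AS_OF - timedelta(days=200)),
    ("crm-beta", "ana", AS_OF - timedelta(days=10)),
    ("crm-beta", "dee", AS_OF - timedelta(days=120)),
    ("viz-tool", "eve", AS_OF - timedelta(days=1)),
    ("viz-tool", "fay", AS_OF - timedelta(days=1)),
    ("viz-tool", "gus", AS_OF - timedelta(days=50)),
]


def dormant_seats(contracts, assignments, usage, as_of, window_days):
    """Per-user licences with no activity inside the review window; pooled apps skipped."""
    start = as_of - timedelta(days=window_days)
    last_seen = {}
    for app, user, day in usage:
        if day > last_seen.get((app, user), date.min):
            last_seen[(app, user)] = day
    out = defaultdict(list)
    for app, user in assignments:
        if contracts[app]["pooled"]:
            continue
        seen = last_seen.get((app, user))
        if seen is None or seen < start:
            out[app].append(user)
    return dict(out)


def pooled_surplus(contracts, usage, as_of, window_days):
    """For concurrent-use pools, compare pool size with peak distinct users on any day."""
    start = as_of - timedelta(days=window_days)
    daily = defaultdict(set)
    for app, user, day in usage:
        if contracts[app]["pooled"] and day >= start:
            daily[(app, day)].add(user)
    peak = defaultdict(int)
    for (app, _), users in daily.items():
        peak[app] = max(peak[app], len(users))
    # Surge headroom above the peak is a judgement call left to the owner.
    return {app: {"seats": c["seats"], "peak": peak[app]}
            for app, c in contracts.items() if c["pooled"]}


def overlapping_apps(contracts, as_of, horizon_days):
    """Categories with more than one tool; the earliest renewal sets the decision date."""
    by_cat = defaultdict(list)
    for app, c in contracts.items():
        by_cat[c["category"]].append(app)
    result = {}
    for cat, apps in by_cat.items():
        if len(apps) < 2:
            continue
        apps.sort(key=lambda a: contracts[a]["renewal"])
        first = contracts[apps[0]]["renewal"]
        result[cat] = {"apps": apps, "decide_by": first,
                       "urgent": (first - as_of).days <= horizon_days}
    return result


def savings_report(contracts, dormant, pooled, contracts_after):
    """Projected savings come from the review; realised savings from the actual
    before/after annual cost of the whole estate, so re-bought tools are not hidden."""
    projected = sum(len(u) * contracts[a]["seat_cost"] for a, u in dormant.items())
    projected += sum((p["seats"] - p["peak"]) * contracts[a]["seat_cost"] for a, p in pooled.items())
    before = sum(c["seats"] * c["seat_cost"] for c in contracts.values())
    after = sum(c["seats"] * c["seat_cost"] for c in contracts_after.values())
    return {"projected": projected, "realised": before - after}


def run_review(window_days=90, horizon_days=60):
    """One review pass plus a constructed post-renewal state to measure realised savings."""
    dormant = dormant_seats(CONTRACTS, ASSIGNMENTS, USAGE, AS_OF, window_days)
    pooled = pooled_surplus(CONTRACTS, USAGE, AS_OF, window_days)
    overlap = overlapping_apps(CONTRACTS, AS_OF, horizon_days)
    # Constructed outcome: fewer seats reclaimed than projected, which is typical.
    after = {a: dict(c) for a, c in CONTRACTS.items()}
    after["crm-alpha"]["seats"], after["crm-beta"]["seats"], after["viz-tool"]["seats"] = 49, 19, 4
    return {"dormant": dormant, "pooled": pooled, "overlap": overlap,
            "savings": savings_report(CONTRACTS, dormant, pooled, after)}


if __name__ == "__main__":
    for window in (90, 180):
        print(f"window={window}d:", run_review(window))
```

Running it with a 90-day window flags two dormant seats and a pooled surplus; widening the window to 180 days clears the seasonal user, which is the short-window caveat from the edge cases in concrete form. The overlap check ranks the two CRM tools by whichever renews first so the consolidation decision lands before spend is locked in, and the report deliberately keeps projected and realised savings as separate numbers.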
Common Variations and Edge Cases
Tighter optimisation controls often increase coordination overhead, so organisations have to balance savings potential against review effort and political friction. That tradeoff becomes visible in a few common cases. First, enterprise apps with shared or pooled licences may look underused even when they are still needed for surge demand, so simple dormancy thresholds can create false positives. Second, seasonal businesses may see legitimate usage spikes that make short review windows misleading. Best practice is evolving here, and there is no universal standard for what inactivity period is “enough” across every SaaS category. Another edge case is app sprawl caused by decentralised procurement. In that model, one department may cancel a tool only to have another buy a similar one later, so the organisation records savings without actually reducing spend. For security teams, the important question is whether optimisation data feeds into renewal governance and access cleanup, not whether it can produce a one-time report. NHIMG research on the Sisense breach also reinforces the need to understand tool ownership and downstream access paths, because unmanaged integrations often survive longer than the licence itself. The clearest sign that optimisation is working is durable spend reduction tied to verified usage decline, not a temporary dip in assigned seats.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.SC | SaaS optimisation needs governance, ownership, and supplier context to be measurable. |
| OWASP Non-Human Identity Top 10 | NHI-05 | SaaS tools often hide unused or overprivileged identities that distort spend and risk reporting. |
| NIST AI RMF | MAP | Optimisation only works when data sources and intended outcomes are mapped into one decision flow. |
Define the data inputs, decision points, and success measures for SaaS spend optimisation before rollout.
Related resources from NHI Mgmt Group
- How do teams know whether risk-based verification is actually working?
- How do teams know whether configuration visibility is actually working?
- How do security teams know whether AI authorization for ePHI is actually working?
- How do security teams know whether continuous authorisation is actually working?
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org