
How do you know if access reviews are actually covering your SaaS environment?

By NHI Mgmt Group Editorial Team | Updated June 10, 2026 | Domain: Governance, Ownership & Risk

Compare the number of applications in review workflows with the number of applications employees actually use. If your IGA system covers only integrated tools, then review completion rates can look healthy while most access remains outside certification. Coverage, not workflow completion, is the real metric.

Why This Matters for Security Teams

Access review programs are often judged by completion metrics, but SaaS risk is exposed by coverage gaps, not by how many certifications were closed. If the review queue includes only integrated applications, then shadow IT, direct SaaS logins, and inherited entitlements can remain outside governance. That creates a false sense of control, especially when auditors only see the workflow rather than the actual application footprint.

For identity and access teams, the real question is whether every business-critical SaaS app is in scope, mapped to an owner, and tied to a reliable source of truth. The OWASP Non-Human Identity Top 10 is a useful reminder that identity programs fail when they do not account for all access paths, not just the ones that are neatly integrated. NHI Management Group’s Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into their service accounts, which is a strong signal that visibility gaps are common across both human and non-human access.

In practice, many security teams discover missing SaaS coverage only after an audit request, a breach review, or a user complaint has already surfaced the blind spot.

How It Works in Practice

Reliable coverage testing starts by comparing three inventories: the applications employees actually use, the applications enrolled in your identity governance and administration workflow, and the applications that enforce access through direct local accounts or federated logins. If those sets do not match, access review completion rates are misleading. Current guidance suggests treating “in review” as a process status and “in scope” as the actual control objective.

A practical method is to reconcile SaaS discovery sources from finance, SSO logs, browser telemetry, CASB findings, and procurement records against the IGA application catalog. Then segment the results into: integrated apps, apps with partial coverage, and apps with no certification path at all. That last group is the danger zone. For application owners, each app should have a named reviewer, a review cadence, and a documented entitlement source, including direct SaaS roles and group-based assignments.

The most effective programs also verify that access review campaigns include dormant but still active SaaS tenants, outsourced business tools, and apps with admin-only interfaces that bypass the main IAM stack. NHI Management Group’s Ultimate Guide to NHIs — Key Challenges and Risks is relevant here because over-privileged and poorly visible identities tend to survive in systems that are assumed to be governed. That pattern often extends to SaaS API keys, service accounts, and app-level tokens used to automate business workflows.

  • Measure total SaaS footprint, not just certified applications.
  • Compare review scope to SSO, procurement, and usage telemetry.
  • Flag apps with local accounts or unsynced roles as coverage gaps.
  • Validate that every in-scope app has an owner and a review path.

These controls tend to break down in decentralized SaaS environments where business teams can buy and enable apps without centralized identity onboarding, because the governance system never sees the application relationship from the start.

Common Variations and Edge Cases

Tighter access-review scoping often increases operational overhead, requiring organisations to balance audit completeness against the cost of continuous discovery and manual reconciliation. That tradeoff becomes especially visible in SaaS-heavy environments with frequent app changes, mergers, or departmental self-provisioning. Best practice is evolving, and there is no universal standard for exactly how much shadow IT tolerance is acceptable.

One common edge case is federated SaaS that looks covered because it is connected to SSO, even though privileged roles are assigned locally inside the application. Another is mixed human and non-human access, where the same SaaS platform contains employee accounts, vendor accounts, and automation identities under different review rules. In those cases, a clean workflow can still miss the accounts that matter most. The 52 NHI Breaches Analysis shows why teams should not assume that good governance on paper means strong control in practice.

For leadership reporting, the strongest metric is coverage percentage by total SaaS population, not campaign completion rate. A second useful measure is the percentage of applications with verified entitlement sources and active reviewers. If the denominator is unclear, the review program is probably measuring process efficiency rather than actual access governance.
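The reconciliation described under "How It Works in Practice" (union the discovery sources, compare against the IGA catalog, segment into integrated / partial / no certification path, flag local accounts and unsynced roles) and the two leadership metrics above can be shown in one short script. The following is an added example, not code from NHI Mgmt Group; every app name, owner, discovery feed and campaign result in it is constructed, and the gap rules (missing reviewer, missing entitlement source, locally assigned privileged roles, non-federated login) are assumptions chosen to match the guidance in this FAQ.

```python
"""Reconcile SaaS discovery sources against an IGA application catalog and
report coverage of the real footprint instead of campaign completion.
Added example with constructed data: app names, owners, feeds and campaign
results are hypothetical and do not describe any real environment."""
from __future__ import annotations

# --- Constructed discovery sources: app names seen by each feed -------------
SSO_LOGS = {"crm", "wiki", "payroll", "analytics"}
PROCUREMENT = {"crm", "payroll", "design-tool", "analytics"}
BROWSER_TELEMETRY = {"crm", "wiki", "design-tool", "shadow-notes", "analytics"}
CASB_FINDINGS = {"shadow-notes", "design-tool"}

# --- Constructed IGA catalog: only apps enrolled in the review workflow -----
IGA_CATALOG: dict[str, dict] = {
    "crm":     {"owner": "app-owner-crm", "cadence_days": 90, "entitlement_source": "scim"},
    "wiki":    {"owner": None,            "cadence_days": 90, "entitlement_source": "scim"},
    "payroll": {"owner": "app-owner-pay", "cadence_days": 30, "entitlement_source": None},
}

# --- Constructed facts about how each app actually enforces access ----------
# local_privileged_roles=True: admin roles are assigned inside the app and are
# not synced to the identity provider or IGA (the "looks covered by SSO" case).
APP_FACTS: dict[str, dict] = {
    "crm":          {"federated": True,  "local_privileged_roles": False},
    "wiki":         {"federated": True,  "local_privileged_roles": False},
    "payroll":      {"federated": True,  "local_privileged_roles": True},
    "analytics":    {"federated": True,  "local_privileged_roles": True},
    "design-tool":  {"federated": False, "local_privileged_roles": True},
    "shadow-notes": {"federated": False, "local_privileged_roles": True},
}

# --- Constructed campaign results: what the workflow dashboard reports ------
CAMPAIGN_RESULTS = {"crm": "closed", "wiki": "closed", "payroll": "closed"}


def total_footprint(*sources: set[str]) -> set[str]:
    """The denominator: every app seen by any discovery source."""
    return set().union(*sources)


def gap_reasons(app: str, catalog=IGA_CATALOG, facts=APP_FACTS) -> list[str]:
    """Why an app is not fully covered; an empty list means it is integrated."""
    if app not in catalog:
        return ["not enrolled in IGA"]
    record = catalog[app]
    app_facts = facts.get(app, {})
    reasons = []
    if not record.get("owner"):
        reasons.append("no named reviewer")
    if not record.get("entitlement_source"):
        reasons.append("no documented entitlement source")
    if app_facts.get("local_privileged_roles"):
        reasons.append("privileged roles assigned locally, not synced")
    if not app_facts.get("federated", False):
        reasons.append("local accounts, not federated")
    return reasons


def classify(app: str, catalog=IGA_CATALOG, facts=APP_FACTS) -> str:
    """Segment into the three buckets: integrated / partial / none."""
    if app not in catalog:
        return "none"
    return "integrated" if not gap_reasons(app, catalog, facts) else "partial"


def reconcile(footprint: set[str], catalog=IGA_CATALOG, facts=APP_FACTS) -> dict[str, set[str]]:
    """Bucket every app in the footprint; the 'none' bucket is the danger zone."""
    segments: dict[str, set[str]] = {"integrated": set(), "partial": set(), "none": set()}
    for app in footprint:
        segments[classify(app, catalog, facts)].add(app)
    return segments


def coverage_metrics(footprint: set[str], segments: dict[str, set[str]],
                     campaign=CAMPAIGN_RESULTS) -> dict[str, float]:
    """Contrast campaign completion with coverage of the total SaaS population."""
    total = len(footprint)
    issued = len(campaign)
    closed = sum(1 for status in campaign.values() if status == "closed")
    in_scope = len(segments["integrated"]) + len(segments["partial"])
    return {
        # What the dashboard shows: closed / issued certifications (catalog apps only).
        "campaign_completion_pct": round(100.0 * closed / issued, 1) if issued else 0.0,
        # Coverage by total SaaS population: apps with any review path / all apps in use.
        "coverage_pct": round(100.0 * in_scope / total, 1) if total else 0.0,
        # Verified: owner + entitlement source + no unsynced roles / all apps in use.
        "verified_pct": round(100.0 * len(segments["integrated"]) / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    fp = total_footprint(SSO_LOGS, PROCUREMENT, BROWSER_TELEMETRY, CASB_FINDINGS)
    seg = reconcile(fp)
    for bucket, apps in seg.items():
        print(f"{bucket:>10}: {sorted(apps)}")
    for app in sorted(seg["partial"] | seg["none"]):
        print(f"  gap {app}: {', '.join(gap_reasons(app))}")
    print(coverage_metrics(fp, seg))
```

With the constructed data the campaign dashboard reports 100% completion (all three catalog apps certified), while coverage of the six apps actually in use is 50% and only one app is fully verified. The `analytics` entry is the edge case from the next section: it shows up in SSO logs, so it looks federated, but it is not in the IGA catalog and its privileged roles live inside the app, so it lands in the "none" bucket rather than being counted as covered.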

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-04 | Covers discovery and governance gaps for non-human access in SaaS ecosystems.
NIST CSF 2.0 | PR.AC-1 | Access control scope must cover all assets, not only the ones in workflow.
NIST CSF 2.0 | GV.OV-01 | Governance oversight should validate whether the control actually covers the environment.

Map every SaaS app and service account to a governed owner, then verify it is included in review scope.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 10, 2026.