Governance, Ownership & Risk

How should security teams discover unmanaged SaaS applications?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: Governance, Ownership & Risk

Use multiple discovery signals, not a single source of truth. Combine identity data, finance records, directory information, and direct app integrations so unsanctioned tools, stale subscriptions, and shadow IT are visible in one governance workflow. Discovery is only useful when it produces ownership, usage, and risk context that teams can act on.

Why This Matters for Security Teams

Unmanaged SaaS is rarely discovered through one control plane. Identity logs show who authenticated, finance systems show what was paid for, and directory data shows what was provisioned or abandoned. The risk is not just cost leakage. Unsanctioned apps can receive sensitive data, OAuth consent, or long-lived secrets without ever appearing in a standard inventory. That is why NHI Management Group treats discovery as a governance problem, not a tooling feature.

Visibility gaps are common even in mature environments. In The State of Non-Human Identity Security, Astrix Security & CSA report that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is the same blind spot that often hides shadow SaaS relationships. The practical lesson aligns with NIST Cybersecurity Framework 2.0: asset visibility only matters when it drives action, ownership, and risk treatment. In practice, many security teams encounter unmanaged SaaS only after a finance reconciliation, a breach review, or an OAuth consent alert has already exposed the gap.

How It Works in Practice

Effective discovery starts by correlating multiple signals into one workflow. Identity providers reveal active and stale logins. Finance and procurement records reveal subscriptions, renewals, and surprise charges. Directory and SSO data reveal sanctioned applications, while CASB, OAuth consent, and direct API integrations expose apps that were never formally onboarded. The goal is not a perfect inventory on day one. The goal is a defensible map of what exists, who owns it, and what data or privileges it can reach.

A practical workflow usually includes:

  • Ingest IdP, SSO, and MFA events to identify applications with real user activity.
  • Match finance, expense, and procurement records to find paid tools without security review.
  • Review OAuth grants and API connections for apps with mailbox, file, CRM, or ticketing access.
  • Classify each app by owner, business purpose, data sensitivity, and renewal status.
  • Route unknown or high-risk apps into an exception or remediation queue.

This approach is consistent with the lifecycle and governance patterns described in the NHI Lifecycle Management Guide and the risk context in Ultimate Guide to NHIs — Key Challenges and Risks. It also helps teams connect SaaS discovery to NHI exposure, because many unmanaged applications are reachable through OAuth tokens, service accounts, or API keys rather than direct human logins. The most useful output is a record that can be assigned, verified, and reduced, not a static spreadsheet. These controls tend to break down in federated enterprises and merger environments because app ownership is split across business units, tenants, and shared procurement channels.
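The correlation workflow above, written out as an added example (not code from NHI Management Group): three constructed signal feeds (IdP sign-ins, finance records, OAuth grants) are merged into one record per app, flagged for the conditions the list describes (not onboarded in SSO, paid but unused, sensitive or dormant OAuth access, no owner), and routed to a sanctioned, exception, or remediation queue. All app names, scopes, dates and the 90-day dormancy threshold are assumptions made for the illustration.

```python
from datetime import date, timedelta

# Constructed sample signals for illustration; none of these are real tenants.
IDP_EVENTS = [  # (app, user, sign-in date) from IdP / SSO / MFA logs
    ("salesforce.com", "ana", "2026-06-01"),
    ("notion.so", "ben", "2026-06-09"),
    ("notion.so", "cy", "2026-06-10"),
]
FINANCE = [  # (app, cost centre, renewal date) from finance / procurement
    ("salesforce.com", "sales", "2026-12-01"),
    ("notion.so", "eng", "2026-07-01"),
    ("oldcrm.example", "marketing", "2026-06-30"),
]
OAUTH_GRANTS = [  # (app, granted scopes, last use) from consent / API review
    ("notion.so", {"files.read"}, "2026-06-10"),
    ("mailsync.example", {"mail.readwrite"}, "2025-11-02"),
]
SSO_CATALOG = {"salesforce.com"}  # apps that were formally onboarded
SENSITIVE = {"mail.readwrite", "files.read", "crm.write", "tickets.write"}
HIGH_RISK = {"no owner", "dormant OAuth grant", "sensitive OAuth scope"}

def build_inventory(today="2026-06-11", stale_days=90):
    """Correlate identity, finance and OAuth signals into one record per app."""
    cutoff = date.fromisoformat(today) - timedelta(days=stale_days)
    apps = {}
    def rec(app):  # one mutable record per app, created on first sighting
        return apps.setdefault(app, {"signals": set(), "owner": None,
                                     "users": set(), "flags": []})
    for app, user, _when in IDP_EVENTS:
        rec(app)["signals"].add("idp")
        rec(app)["users"].add(user)
    for app, owner, renewal in FINANCE:
        rec(app).update(owner=owner, renewal=renewal)  # cost centre = owner
        rec(app)["signals"].add("finance")
    for app, scopes, last_used in OAUTH_GRANTS:
        rec(app)["signals"].add("oauth")
        if scopes & SENSITIVE:
            rec(app)["flags"].append("sensitive OAuth scope")
        if date.fromisoformat(last_used) < cutoff:
            rec(app)["flags"].append("dormant OAuth grant")
    for app, r in apps.items():
        if app not in SSO_CATALOG:
            r["flags"].append("not in SSO catalog")
        if r["owner"] is None:
            r["flags"].append("no owner")
        if "finance" in r["signals"] and not r["users"] and "oauth" not in r["signals"]:
            r["flags"].append("stale subscription")  # paid, nobody uses it
        r["queue"] = ("remediation" if HIGH_RISK & set(r["flags"])
                      else "exception" if r["flags"] else "sanctioned")
    return apps
```

Each returned record carries the signals that produced it, so a reviewer can verify why an app was flagged before assigning or removing it.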

Common Variations and Edge Cases

Tighter discovery usually increases operational overhead, requiring organisations to balance visibility against data access, integration maintenance, and false-positive triage. That tradeoff is real, especially when finance data is incomplete or business units buy tools outside central procurement. Best practice is evolving, but current guidance suggests prioritising the signals that produce the fastest ownership resolution rather than trying to normalise every possible SaaS attribute on day one.

Some edge cases need special handling. Consumer-style SaaS used by small teams may never appear in SSO, yet still processes corporate data. Embedded SaaS inside platforms, marketplaces, and AI-enabled workflows can also hide under parent subscriptions, which makes direct vendor discovery important. Organisations should treat OAuth-consented apps as high-value discovery targets because those integrations often outlive the original business need. The governance question is not just whether an app is sanctioned, but whether it still has a valid owner, acceptable data scope, and a reason to remain connected. The account lifecycle and offboarding concerns discussed in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs apply here as well, especially when old subscriptions continue to process secrets or retain dormant access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
NIST CSF 2.0                     | ID.AM               | Unmanaged SaaS discovery is an asset visibility problem.
OWASP Non-Human Identity Top 10  | NHI-01              | Unknown SaaS often exposes unmanaged secrets and token paths.
NIST AI RMF                      | GOVERN              | Discovery needs ownership and accountability for risky applications.

Build a living SaaS inventory from identity, finance, and integration signals.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.