NHI & Agent Identity in the Broader IAM Ecosystem

How should security teams use identity observability to reduce wasted SaaS spend?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: NHI & Agent Identity in the Broader IAM Ecosystem

Start by matching application access to actual identity activity, then compare that usage with assigned licences and entitlement tiers. The goal is to identify duplicate tools, underused features, and seats that were bought for assumptions rather than evidence. This approach makes SaaS rationalisation auditable and creates a clearer business case for consolidation.

Why This Matters for Security Teams

Identity observability is increasingly useful for SaaS cost control because access sprawl usually surfaces in identity telemetry before it surfaces in finance. Security teams can see which identities are active, which apps are actually being used, and which licences sit idle across human and non-human accounts. That makes it possible to separate genuine operational demand from legacy allocations, duplicated tooling, and features purchased for a projected need that never materialised. NIST's Cybersecurity Framework 2.0 frames this as governance and asset visibility, not just a procurement problem.

This is especially important where SaaS access is indirectly extended through integrations, shared service accounts, or admin workflows that bypass normal review cycles. NHIMG’s Ultimate Guide to NHIs notes that NHIs outnumber human identities by 25x to 50x in modern enterprises, which means licence waste can hide inside machine access as easily as employee accounts. In practice, many security teams encounter overspend only after a renewal, merger, or access review has already locked in another year of waste rather than through intentional optimisation.

How It Works in Practice

Identity observability works by correlating authentication, entitlement, and usage signals so teams can answer three questions: who has access, what they actually use, and whether that use justifies the cost. For SaaS rationalisation, the core workflow is to ingest identity events from the IdP, SSO, SCIM, and application audit logs, then enrich them with licence tier, last activity, feature consumption, and owner metadata. That creates a defensible picture of underused seats and redundant applications.

The best results come when teams distinguish between interactive usage and background activity. A user may log in once a quarter but still drive value, while a service account may appear active without consuming paid features. Current guidance suggests separating human, service, and integration identities so that licensing decisions do not treat them as equivalent. NHIMG’s Top 10 NHI Issues and The State of Non-Human Identity Security both reinforce the visibility gap: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps.

  • Map each SaaS app to its licence tiers, renewal dates, and business owner.
  • Compare active identities against actual product events, not just sign-in counts.
  • Flag duplicate tools that serve the same function but have different spend owners.
  • Identify premium features that no monitored identity uses during the review window.
  • Confirm whether service accounts or OAuth grants are masking inactive human demand.
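The correlation workflow described above, carried through in code as an added example (it is not code from the original page or from any NHIMG tooling): sign-in and product events are bucketed per identity inside a review window, human identities are judged on product events rather than SSO sign-ins, service and integration identities are kept out of the seat count, and premium features that only machine identities touch are flagged as masking absent human demand. The application name, identity names, licence figures, owner justification and every event line are constructed for illustration; a real run would feed the same record shape from IdP, SCIM and application audit exports.

```python
"""Correlate identity telemetry with licence data to find idle SaaS seats."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# --- Constructed inventory (hypothetical app "analytics", not a real product) ---
IDENTITY_KIND = {            # identity -> human | service | integration
    "alice@corp.example": "human",
    "bob@corp.example": "human",
    "carol@corp.example": "human",
    "svc-etl": "service",
    "oauth:report-bot": "integration",
}
LICENCE = {"analytics": {"seat_cost": 60,
                         "premium_features": {"export", "api", "audit_export"}}}
SEATS = {"analytics": ["alice@corp.example", "bob@corp.example", "carol@corp.example"]}
# Seats the application owner has explicitly justified despite low activity
# (e.g. reserved for exception handling or compliance evidence). Constructed.
OWNER_JUSTIFIED = {"analytics": {"carol@corp.example"}}

# Constructed telemetry: (timestamp, app, identity, source, event, feature).
# source is "sso" for an IdP sign-in or "app" for an application audit event.
EVENTS = [
    ("2026-05-20T09:00:00Z", "analytics", "alice@corp.example", "sso", "login", None),
    ("2026-05-20T09:05:00Z", "analytics", "alice@corp.example", "app", "dashboard.view", "dashboard"),
    ("2026-05-28T14:10:00Z", "analytics", "alice@corp.example", "app", "report.export", "export"),
    ("2026-04-02T08:00:00Z", "analytics", "bob@corp.example", "sso", "login", None),  # sign-in only
    ("2026-05-30T00:00:00Z", "analytics", "svc-etl", "app", "api.query", "api"),
    ("2026-05-31T00:00:00Z", "analytics", "svc-etl", "app", "api.query", "api"),
    ("2026-06-01T03:00:00Z", "analytics", "oauth:report-bot", "app", "api.query", "api"),
    ("2025-12-15T10:00:00Z", "analytics", "carol@corp.example", "app", "dashboard.view", "dashboard"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Usage:
    kind: str
    sso_logins: int = 0
    product_events: int = 0
    features: set = field(default_factory=set)
    last_seen: Optional[datetime] = None


def correlate(events, window_end: datetime, window_days: int = 90) -> dict:
    """Bucket events per (app, identity), keeping only those inside the review window."""
    start = window_end - timedelta(days=window_days)
    usage = {}
    for ts, app, ident, source, _event, feature in events:
        t = parse_ts(ts)
        if not start <= t <= window_end:
            continue
        u = usage.setdefault((app, ident), Usage(kind=IDENTITY_KIND.get(ident, "unknown")))
        if source == "sso":
            u.sso_logins += 1
        else:
            u.product_events += 1
            if feature:
                u.features.add(feature)
        u.last_seen = t if u.last_seen is None else max(u.last_seen, t)
    return usage


def seat_status(usage: dict, app: str, ident: str) -> str:
    """Classify a seat: only product events count as evidence of value for humans."""
    u = usage.get((app, ident))
    if u is None:
        return "idle"
    if u.kind != "human":
        return "background"      # machine identity: never reclaimed as a human seat
    if u.product_events:
        return "active"
    return "login-only"          # SSO sign-in without product usage is not evidence


def review(app: str, window_end: datetime, window_days: int = 90) -> dict:
    usage = correlate(EVENTS, window_end, window_days)
    statuses = {ident: seat_status(usage, app, ident) for ident in SEATS[app]}
    justified = OWNER_JUSTIFIED.get(app, set())
    reclaim = [i for i, s in statuses.items()
               if s in ("idle", "login-only") and i not in justified]
    retained = [i for i, s in statuses.items() if s in ("idle", "login-only") and i in justified]
    app_usage = [u for (a, _), u in usage.items() if a == app]
    used = set().union(*(u.features for u in app_usage))
    used_by_humans = set().union(*(u.features for u in app_usage if u.kind == "human"))
    premium = LICENCE[app]["premium_features"]
    return {
        "statuses": statuses,
        "reclaim_candidates": reclaim,
        "retained_by_owner": retained,
        "potential_monthly_saving": len(reclaim) * LICENCE[app]["seat_cost"],
        "premium_unused_by_anyone": sorted(premium - used),
        # premium features consumed only by service/integration identities keep the
        # tier looking "in use" while no human actually needs it
        "premium_masked_by_nhi": sorted((premium & used) - used_by_humans),
    }


if __name__ == "__main__":
    print(review("analytics", parse_ts("2026-06-11T00:00:00Z")))
```

The review window is a parameter on purpose: the same telemetry classifies carol as idle over 90 days and active over 365, which is exactly the "low-login but justified" case the next section discusses, so the window and the owner justification list should come from the contract and the application owner rather than from a default.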

This approach is most effective when observability is tied to change management and procurement, so no renewal proceeds without evidence of recent usage and ownership. These controls tend to break down when SaaS platforms expose limited audit data, because licence consumption cannot be mapped cleanly to identity activity.

Common Variations and Edge Cases

Tighter access tracking often increases operational overhead, requiring organisations to balance savings against the cost of deeper data collection and periodic review. Best practice is evolving for environments where consumption-based pricing, pooled licences, or enterprise bundles make “unused” hard to define. In those cases, a low-login user may still be economically justified if the app is reserved for exception handling, compliance evidence, or seasonal peaks.

Teams also need to avoid conflating security risk with spend optimisation. An over-privileged but cheap account can still be a priority because it increases exposure, while an expensive licence tied to a regulated process may be justified even with infrequent use. The strongest programs pair SaaS rationalisation with identity governance, so removal decisions are validated by application owners and not driven by raw inactivity alone.

Where third-party OAuth apps, delegated admin access, or embedded automation are common, account-level reporting can understate real consumption. NHIMG’s 52 NHI Breaches Analysis shows why this matters: hidden machine access can persist after the human workflow looks dormant. The main edge case is highly automated SaaS environments with shared tenancy or API-first usage, where identity observability must be paired with contract terms and product telemetry to avoid false savings claims.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Identity visibility is essential before rationalising SaaS access and NHI usage.
NIST CSF 2.0 | GV.OC-03 | Business context and ownership are required to justify SaaS licences and renewals.
NIST CSF 2.0 | PR.AA-01 | Authentication and identity telemetry support accurate access and usage analysis.

Collect identity activity logs across SSO, SCIM, and apps to identify unused or redundant licences.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.