
What breaks when SaaS inventories are maintained in spreadsheets?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: Governance, Ownership & Risk

Spreadsheets go stale quickly and cannot discover shadow IT, so the offboarding team ends up revoking access to only the known applications. That leaves unmanaged tools, personal sign-ups, and browser-based services outside the process. The result is partial revocation and higher residual access risk.

Why This Matters for Security Teams

SaaS inventory is the control surface for joiner-mover-leaver workflows, access reviews, and incident response. When that inventory lives in spreadsheets, it is already outdated by the time it is shared, which means the security team is making revocation decisions from partial data. That creates a blind spot for shadow IT, personal sign-ups, and browser-based services that never enter the spreadsheet at all. NIST Cybersecurity Framework 2.0 (ID.AM-02) expects inventories of software, services, and systems to be maintained as a living control rather than an archival record, and NHIMG’s Top 10 NHI Issues shows how incomplete identity visibility directly increases residual access risk.

Teams usually assume the spreadsheet is “good enough” because it lists the major approved applications, but offboarding failure often begins with the tools no one documented, not the ones everyone remembers. The practical risk is not just missed cleanup; it is also false confidence during audits and incident containment, when responders believe access has been removed across the estate. In practice, many security teams encounter residual SaaS access only after an employee or contractor has already departed, rather than through intentional lifecycle control.

How It Works in Practice

A spreadsheet-based SaaS inventory breaks because it is a manual snapshot of a dynamic environment. New tools appear through self-service trials, department-level purchasing, browser extensions, embedded apps, and unmanaged single sign-on paths. By the time a file is reconciled, one team may have added services, another may have deprovisioned users, and a third may have created shared accounts or API access outside the central record. That is why the control failure is not simply “bad documentation”; it is a mismatch between static records and continuously changing identity relationships.

Effective programs replace spreadsheet governance with operational discovery and lifecycle control. That usually means combining:

  • continuous SaaS discovery from SSO, CASB, browser telemetry, or finance signals
  • authoritative ownership fields for each app, including business owner and technical owner
  • automated offboarding workflows tied to HR events and identity sources
  • review of non-interactive access such as API keys, service accounts, and OAuth grants
  • exception handling for personal sign-ups and shadow IT that requires explicit remediation

NHIMG’s NHI Lifecycle Management Guide is useful here because the same lifecycle gaps that affect human accounts also affect tokens, service identities, and app connections. For the broader risk pattern, the Ultimate Guide to NHIs — Key Challenges and Risks explains why unmanaged identities persist long after the original business need has ended. In practice, spreadsheet inventories tend to fail hardest in organisations with decentralised procurement, frequent contractor churn, and SaaS buying outside central IT because the system cannot keep pace with how access is actually created.

Common Variations and Edge Cases

Tighter SaaS control often increases operational overhead, requiring organisations to balance faster offboarding against the cost of maintaining a living inventory. That tradeoff is most visible in environments where business units buy their own tools, because security may need to choose between speed and completeness when the catalogue is incomplete.

There is no universal standard for this yet, but current guidance suggests treating spreadsheets as reference material, not the source of truth. Mature teams keep spreadsheets only for exception tracking or remediation queues, while discovery and revocation are driven by systems that can update continuously. The hardest edge case is browser-only or self-registered SaaS with no central SSO, because those services can remain invisible until a breach, audit, or offboarding event forces discovery. NHIMG’s coverage of the Salesloft OAuth token breach is a reminder that unmanaged app-to-app access can matter as much as user login access: revoking a user’s SSO assignment does not revoke the OAuth grants and tokens that user authorised.

For organisations with heavy automation, another failure mode is stale owner data. If the person listed in the spreadsheet no longer works there, no one accepts remediation responsibility, and orphaned SaaS access persists. That is where spreadsheet governance usually collapses first, because the inventory can be copied, but accountability cannot.
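As an added example, not code from the NHIMG page, the following Python reconciles a spreadsheet inventory against the discovery sources listed under "How It Works in Practice" (SSO assignments, finance signals, OAuth grants) for a single leaver, reports which access a spreadsheet-driven offboarding run actually covered and which it left behind, and flags listed owners who are no longer active staff, the stale-owner failure mode described just above. Every app name, address, and data shape is a constructed assumption standing in for an IdP export, an expense-system export, and an OAuth-grant report; no vendor API is used.

```python
"""Reconcile a spreadsheet SaaS inventory against live discovery sources
for one leaver and measure what spreadsheet-driven offboarding misses.
All inputs are constructed for this example (hypothetical names and
shapes); they are not taken from any real system or from the article."""
from dataclasses import dataclass, field

# --- constructed inputs --------------------------------------------------
# The spreadsheet: app name -> listed owner. "Figma" is owned by someone
# who has already left, and several apps are missing from the sheet.
SPREADSHEET = {
    "Salesforce": "dana@example.com",
    "Slack": "dana@example.com",
    "Figma": "oldowner@example.com",
}

# HR system of record: currently active staff only.
ACTIVE_STAFF = {"dana@example.com", "raj@example.com", "mei@example.com"}

# IdP (SSO) assignments: app -> users assigned to it.
SSO_ASSIGNMENTS = {
    "Salesforce": {"leaver@example.com", "raj@example.com"},
    "Slack": {"leaver@example.com", "mei@example.com"},
    "Notion": {"leaver@example.com"},          # assigned in SSO, never recorded
}

# Finance export: expensed SaaS vendors, keyed by the card holder.
EXPENSED_SAAS = {
    "leaver@example.com": {"Figma", "Loom"},    # Loom was a personal sign-up
    "raj@example.com": {"Linear"},
}

# OAuth grants to third-party apps, keyed by the user who authorised them.
OAUTH_GRANTS = {
    "leaver@example.com": {"Zapier": {"mail.read", "files.readwrite"}},
}


@dataclass
class OffboardingReport:
    revoked: set = field(default_factory=set)            # apps the spreadsheet run covered
    residual: dict = field(default_factory=dict)         # app -> source still showing access
    orphaned_owners: dict = field(default_factory=dict)  # app -> listed owner no longer active


def discover_access(user, sso, expensed, oauth):
    """Union of every discovery source that still shows access for `user`.
    Returns app -> source label so each residual finding is attributable.
    SSO is consulted first; finance and OAuth only add apps SSO did not show."""
    found = {}
    for app, users in sso.items():
        if user in users:
            found[app] = "sso"
    for app in expensed.get(user, ()):
        found.setdefault(app, "finance")
    for app in oauth.get(user, {}):
        found.setdefault(app, "oauth")
    return found


def offboard_from_spreadsheet(leaver, inventory, active_staff, sso, expensed, oauth):
    """Simulate an offboarding run that revokes only spreadsheet-listed apps,
    then compare it with what the discovery sources report for the leaver."""
    report = OffboardingReport()
    live = discover_access(leaver, sso, expensed, oauth)
    for app in inventory:
        if app in live:
            report.revoked.add(app)          # known app: the run handled it
    for app, source in live.items():
        if app not in inventory:
            report.residual[app] = source    # never in the sheet: still live
    for app, owner in inventory.items():
        if owner not in active_staff:
            report.orphaned_owners[app] = owner  # nobody to accept remediation
    return report


def coverage_ratio(report):
    """Share of the leaver's discovered access that the run actually revoked."""
    total = len(report.revoked) + len(report.residual)
    return len(report.revoked) / total if total else 1.0


if __name__ == "__main__":
    r = offboard_from_spreadsheet("leaver@example.com", SPREADSHEET, ACTIVE_STAFF,
                                  SSO_ASSIGNMENTS, EXPENSED_SAAS, OAUTH_GRANTS)
    print("revoked:        ", sorted(r.revoked))
    print("residual:       ", r.residual)
    print("orphaned owners:", r.orphaned_owners)
    print(f"coverage: {coverage_ratio(r):.0%}")
```

Run against the constructed data, the run revokes Salesforce, Slack, and Figma but leaves Notion (SSO-assigned, never recorded), Loom (personal sign-up visible only in finance), and Zapier (an OAuth grant that SSO deprovisioning would not touch), for 50% coverage; Figma is also flagged because its listed owner has left, so no one can confirm that the remediation is complete. The same reconciliation can be scheduled against fresh exports so the residual list becomes a remediation queue, which is the role the page suggests spreadsheets should be limited to.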

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the asset-management expectations and NIST AI RMF supplies the governance framing practitioners should align with.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | ID.AM-02 (inventories of software, services, and systems are maintained) | Asset inventory must stay current; spreadsheets go stale and miss SaaS.
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Stale inventories leave orphaned identities and unmanaged app access behind.
NIST AI RMF | (no specific subcategory cited) | Operational governance requires ongoing monitoring of dynamic system state.

Maintain a live SaaS asset inventory and trigger offboarding from authoritative discovery sources.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org