Start with the applications that have active logins but unclear ownership or low utilisation. Those are usually the fastest path to risk reduction because they often expose unmanaged access, redundant contracts, and stale entitlements at the same time.
Why This Matters for Security Teams
saas sprawl is rarely just a procurement problem. It becomes a security and governance issue when applications accumulate without clear ownership, when former pilot tools quietly retain logins, and when low-use services continue to hold active entitlements. That combination creates redundant spend, but more importantly it expands the number of places where secrets, tokens, and delegated access can be abused. NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs — Key Challenges and Risks, which is a useful warning sign for the broader identity sprawl problem. The first review should therefore focus on applications that can still authenticate but no longer have a clearly accountable business owner. Those are the systems most likely to hide stale access paths, orphaned integrations, and duplicate contracts. The security team’s goal is not simply to cut tool count, but to find where governance has drifted away from reality. NIST Cybersecurity Framework 2.0 treats asset and access visibility as a baseline capability for managing risk. In practice, many security teams discover the true extent of SaaS sprawl only after a vendor renewal, a breach review, or a failed offboarding event has already exposed the gap.How It Works in Practice
A workable first pass starts by building a list of applications with active sign-ins, API connections, and SSO or SCIM provisioning, then sorting that list by ownership clarity and utilisation. Apps with active logins but no named business owner should be reviewed before higher-profile tools, because they are the easiest to leave behind during reorganisations and the hardest to govern later. A practical review usually includes:- Confirm who approved the app, who receives alerts, and who can disable access.
- Check whether the app is tied to SSO, local credentials, shared accounts, or third-party OAuth grants.
- Identify dormant users, stale roles, and service integrations that outlive the original use case.
- Compare licence count, login frequency, and data sensitivity to determine whether the app is essential or merely persistent.
Common Variations and Edge Cases
Tighter SaaS review cycles often increase administrative overhead, so organisations have to balance speed of cleanup against the risk of disrupting legitimate workflows. Current guidance suggests prioritising by risk, not by volume, because a low-use app can still be a critical pathway into data or identity systems. The usual edge cases are the ones that look harmless at first:- Finance, HR, and sales tools that integrate deeply with directory services or exports.
- Legacy apps with low login counts but permanent admin tokens.
- Department-owned SaaS purchased outside central procurement, where ownership records are incomplete.
- Vendor-managed portals where access is delegated, but revocation depends on manual ticketing.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-1 | SaaS sprawl review starts with knowing what applications exist. |
| NIST CSF 2.0 | PR.AC-4 | Unclear owners and stale entitlements map directly to access control gaps. |
| OWASP Non-Human Identity Top 10 | NHI-01 | SaaS apps often hide unmanaged non-human identities and exposed credentials. |
Find every service account, token, and API key tied to each app before deciding what to retire.
Related resources from NHI Mgmt Group
- How can organisations tell whether identity sprawl is getting out of control?
- Should organisations prioritise external exposure or internal credential governance first?
- How can organisations decide which NHIs to remediate first?
- Should organisations treat Skills as a new class of non-human identity control?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org