Security teams should measure discovered app coverage, dormant account volume, license reclamation rates, and the share of client SaaS under delegated control. Those signals show whether governance is actually operating or whether the MSP is only managing the visible subset of the estate.
Why This Matters for Security Teams
Multi-tenant SaaS governance fails quietly when security teams measure only the accounts they can see, not the full set of tenants, delegated admins, and shadow integrations that actually hold data access. The issue is not just inventory accuracy. It is whether the organisation can prove who is governing which slice of the estate, under what authority, and with what ongoing oversight. NIST’s Cybersecurity Framework 2.0 emphasises governance and risk management outcomes, which is exactly where SaaS oversight often breaks down.
NHIMG research on the Regulatory and Audit Perspectives shows why this matters operationally: auditors and internal reviewers increasingly expect evidence that control ownership, lifecycle handling, and delegated access are measurable rather than assumed. The same pattern appears in SaaS estates where third-party admins, MSPs, and business units all influence access but none of them owns the whole risk picture. In practice, many security teams discover governance gaps only after an audit exception or customer complaint exposes the unmanaged half of the estate.
How It Works in Practice
Effective measurement starts by separating governance coverage from service delivery. A managed service provider may report on tickets closed, licenses saved, or policy checks completed, but those numbers do not reveal whether the tenant set under management is complete. Teams should track metrics that show control reach, control quality, and control persistence.
At minimum, that means measuring discovered app coverage against an external source of truth, dormant account volume across each tenant, license reclamation rate after inactivity thresholds, and the percentage of client SaaS accounts or apps operating under delegated control. Those signals show whether governance is operating across the estate or only in the portion already mapped. For broader control design, the Top 10 NHI Issues is a useful reminder that visibility, lifecycle discipline, and excessive privilege are recurring failure modes, even when the subject is SaaS rather than infrastructure.
Useful measurement practices include:
- Track discovered apps as a percentage of finance, procurement, and SSO-confirmed SaaS spend.
- Measure dormant accounts by tenant, owner, and last-use age, not just in aggregate.
- Record license reclamation as a rate and a time-to-reclaim metric.
- Tag every delegated admin relationship, then measure how many tenants are still governed through shared or inherited authority.
- Review whether remediation actions actually reduce ungoverned exposure over time.
For benchmark thinking on control maturity, the State of Non-Human Identity Security highlights how often organisations lack full visibility into third-party access paths, which maps closely to SaaS delegation blind spots. These controls tend to break down when SaaS is procured outside central IT because the governance signal becomes fragmented across business owners, MSP dashboards, and vendor admin consoles.
Common Variations and Edge Cases
Tighter measurement often increases operational overhead, requiring organisations to balance better assurance against more reconciliation work and slower reporting. That tradeoff is especially visible in multi-tenant environments where each customer, business unit, or region has different admin boundaries, contract terms, and retention rules.
There is no universal standard for this yet, but current guidance suggests separating metrics for owned tenants, delegated tenants, and externally administered tenants rather than blending them into one compliance score. That distinction matters because high license reclamation may look healthy while delegated-control exposure remains high, which means the governance model still depends on inherited trust.
Another edge case is partial telemetry. Some SaaS platforms expose tenant-level logs but not enough detail to prove dormant-account status or delegated privilege paths. In those cases, teams should measure what is verifiable and label the rest as unobservable rather than assuming absence of risk. The 2024 ESG Report: Managing Non-Human Identities reinforces why this discipline matters: many organisations already suspect or confirm NHI compromise, so weak measurement should be treated as a governance defect, not a reporting inconvenience.
Finally, customer-managed tenants under a shared MSP model need explicit exception tracking. If the MSP can only govern a subset of tenants, the metric should show that limit clearly. Otherwise, the organisation may confuse service completeness with actual security coverage.
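As an added example, not code from the article or from NHIMG: the four metrics described above computed over a small constructed inventory, with tenant names, dates and the 90-day inactivity threshold as assumptions. It keeps owned, delegated and external tenants separate and counts accounts that lack usage telemetry as unobservable rather than active, as the partial-telemetry edge case above recommends.

```python
from datetime import date, timedelta
from statistics import median
# Constructed sample inventory (not from the article); last_use None = no usage telemetry.
ACCOUNTS = [
    {"tenant": "t-owned",     "control": "owned",     "last_use": date(2026, 1, 10)},
    {"tenant": "t-owned",     "control": "owned",     "last_use": date(2026, 6, 1)},
    {"tenant": "t-delegated", "control": "delegated", "last_use": date(2025, 11, 2)},
    {"tenant": "t-delegated", "control": "delegated", "last_use": None},
    {"tenant": "t-external",  "control": "external",  "last_use": None},
]
AS_OF = date(2026, 6, 11)  # assumed reporting date for the snapshot
# Apps confirmed by finance/procurement/SSO records vs. apps discovery actually found.
CONFIRMED_APPS = {"crm", "hr-suite", "chat", "ticketing"}
DISCOVERED_APPS = {"crm", "chat", "wiki"}
# License reclamation events: (date flagged inactive, date reclaimed or None if still open).
RECLAIM_EVENTS = [
    (date(2026, 3, 1), date(2026, 3, 8)),
    (date(2026, 3, 5), date(2026, 3, 26)),
    (date(2026, 4, 1), None),
]

def app_coverage(confirmed, discovered):
    """Share of finance/SSO-confirmed apps that the discovery source also sees."""
    return len(confirmed & discovered) / len(confirmed)

def dormant_by_tenant(accounts, today, threshold_days=90):
    """Per-tenant active/dormant/unobservable counts; missing telemetry is never 'active'."""
    cutoff = today - timedelta(days=threshold_days)
    out = {}
    for a in accounts:
        row = out.setdefault(a["tenant"], {"active": 0, "dormant": 0, "unobservable": 0})
        if a["last_use"] is None:
            row["unobservable"] += 1
        elif a["last_use"] < cutoff:
            row["dormant"] += 1
        else:
            row["active"] += 1
    return out

def reclamation(events):
    """(reclamation rate, median days-to-reclaim); open events lower the rate."""
    days = [(done - flagged).days for flagged, done in events if done is not None]
    return len(days) / len(events), (median(days) if days else None)

def control_share(accounts):
    """Share of accounts per control model, reported separately rather than blended."""
    counts = {}
    for a in accounts:
        counts[a["control"]] = counts.get(a["control"], 0) + 1
    return {k: v / len(accounts) for k, v in counts.items()}
```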
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM-01 | Measurement must show governance coverage and risk ownership across tenant boundaries. |
| OWASP Non-Human Identity Top 10 | NHI-01 | SaaS tenants and delegated admins create identity sprawl that mirrors NHI inventory gaps. |
| NIST AI RMF | | Governance metrics must support accountability and ongoing monitoring of autonomous access paths. |
Define SaaS governance metrics that prove coverage, ownership, and remediation at the tenant level.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org