What should teams do when unused SaaS licenses keep accumulating?

By NHI Mgmt Group Editorial Team · Updated June 9, 2026 · Domain: NHI Lifecycle Management

They should automate reclamation based on actual usage, then align those actions to offboarding and recertification events. If a license is inactive, but the account still exists, the problem is not cost alone. It is persistent access that no longer has a business need.

Why This Matters for Security Teams

Unused SaaS licenses are often treated as a procurement or cost-optimisation problem, but the security issue is more serious: a license that is no longer needed can still represent an active account, an authenticated session, or a lingering access path. That is why license reclamation belongs with identity governance, not just finance. NHI Management Group's research shows only 20% of organisations have formal processes for offboarding and revoking API keys, and that gap is directly relevant when SaaS access outlives business need.

Security teams should also think beyond the app owner’s immediate workflow. SaaS entitlements accumulate through role changes, project churn, temporary approvals, and integrations that never get reviewed. When these accounts remain active, they can become low-visibility access points similar to the patterns seen in the Salesloft OAuth token breach and the BeyondTrust API key breach. The right control objective is to remove standing access that no longer maps to a current business purpose, and to prove that removal happened consistently. This aligns with the access governance intent in the NIST Cybersecurity Framework 2.0. In practice, many security teams discover dormant SaaS access only after an audit, a cost review, or an incident exposes it.

How It Works in Practice

The most effective approach is to automate reclamation around actual usage, then tie that automation to the identity lifecycle. That means defining inactivity thresholds by application risk, checking usage signals from the SaaS platform (last login, last product activity, last API call), and triggering a review or removal when the account has not been used within the approved window. For higher-risk tools, shorten the threshold and require explicit reauthorization by a named owner before access is restored, rather than allowing silent renewal.

Operationally, the workflow should connect HR events, manager attestation, and access recertification. When someone changes teams or leaves, the system should reconcile entitlement data, suspend or delete the license if it is no longer needed, and revoke any connected tokens, OAuth grants, API keys, or service account links. License reclamation is only complete if the associated authentication paths are also removed. That is where NHI hygiene overlaps with SaaS governance: stale accounts can persist even after the visible licence is reclaimed.

Teams should also separate three states that are often confused:

  • unused license, where the entitlement exists but no recent activity is detected
  • dormant account, where the identity still exists but has not authenticated recently
  • orphaned access, where the account or integration no longer has a business owner

A practical control set combines usage telemetry, recertification, and revocation automation, with exceptions recorded for shared systems and regulated retention requirements. This is consistent with the identity-risk themes in the Ultimate Guide to NHIs, especially where access review and offboarding processes are incomplete. These controls tend to break down in organisations with fragmented SaaS ownership and no authoritative source of truth for who approved the original entitlement.

Common Variations and Edge Cases

Tighter reclamation usually reduces waste and exposure, but it also increases the chance of disrupting legitimate work if business context is missing. Organisations need to balance faster removal against the operational cost of false positives, especially in teams that use SaaS tools sporadically or only during specific projects. There is no universal standard for inactivity thresholds yet, so best practice is evolving toward risk-based tuning rather than one fixed rule.

Special handling is needed for shared seats, contractor accounts, executive approvals, and service-linked identities that are licensed through human workflows. In those cases, usage alone is not enough. A license may appear unused while the account still supports a workflow, a delegated integration, or a compliance retention requirement. Teams should also watch for applications where the license is stripped but cached sessions, refresh tokens, or connected apps remain valid: seat removal and credential revocation are separate operations in most SaaS platforms, and only the second closes the access path. That creates the same residual-access problem seen in breach patterns such as the Snowflake breach and the Dropbox Sign breach.
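The workflow described in the preceding sections, written out as one added Python example: risk-tiered inactivity thresholds, the three states (unused license, dormant account, orphaned access), an HR offboarding event that overrides usage, revocation of linked credentials as part of every reclamation, recorded exceptions routed to human review, and a post-reclamation check for credentials that remain valid after the seat is gone. This is illustrative code written for this page, not tooling from NHI Mgmt Group or any SaaS vendor. The threshold values, the Entitlement record shape, the sample inventory and the credential names are all assumptions; a real implementation would populate these fields from the SaaS platform's usage or audit API, the IdP, and the HR system.

```python
"""Risk-based SaaS license reclamation planner (added example, not the page's own tooling)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Inactivity windows in days by application risk tier. The page recommends
# risk-based tuning but gives no numbers; these values are assumptions.
INACTIVITY_DAYS = {"high": 30, "medium": 60, "low": 90}


@dataclass
class Entitlement:
    """One SaaS seat. Field names are assumed; map them from your platform's export."""
    app: str
    risk: str                          # "high" | "medium" | "low"
    account: str                       # user or service identity holding the seat
    owner: Optional[str]               # None = nobody currently owns it
    last_activity: Optional[date]      # product usage signal from the SaaS platform
    last_auth: Optional[date]          # last successful login to this app
    linked_credentials: list = field(default_factory=list)  # OAuth grants, API keys, refresh tokens
    exception: Optional[str] = None    # e.g. "shared-seat", "regulated-retention"


def _age(d: Optional[date], today: date) -> Optional[int]:
    return None if d is None else (today - d).days


def classify(e: Entitlement, today: date) -> str:
    """Separate the three states the text says are often confused."""
    if e.owner is None:
        return "orphaned_access"       # no business owner, regardless of usage
    window = INACTIVITY_DAYS[e.risk]
    auth_age, use_age = _age(e.last_auth, today), _age(e.last_activity, today)
    if auth_age is None or auth_age > window:
        return "dormant_account"       # identity exists but has not authenticated
    if use_age is None or use_age > window:
        return "unused_license"        # authenticated, but no product activity
    return "active"


def decide(e: Entitlement, today: date, offboarded: frozenset = frozenset()) -> dict:
    """Turn a state into an action. Reclamation always includes the linked
    authentication paths; recorded exceptions go to human review, not automation."""
    state = classify(e, today)
    result = {"app": e.app, "account": e.account, "state": state,
              "action": "keep", "revoke": [], "reauthorize": False}
    if e.account in offboarded:
        # HR offboarding overrides usage: remove the seat and every credential.
        result.update(action="remove", revoke=list(e.linked_credentials))
        return result
    if state == "active":
        return result
    if e.exception:
        result.update(action="review", reason=e.exception)
        return result
    if state == "orphaned_access":
        result.update(action="suspend_until_owner_assigned", revoke=list(e.linked_credentials))
    elif state == "dormant_account":
        result.update(action="remove", revoke=list(e.linked_credentials))
    else:  # unused_license: reclaim the seat, and the credentials that came with it
        result.update(action="reclaim_seat", revoke=list(e.linked_credentials))
    # High-risk apps require explicit reauthorization to restore access; no silent renewal.
    result["reauthorize"] = e.risk == "high"
    return result


def plan(entitlements, today: date, offboarded: frozenset = frozenset()) -> list:
    return [decide(e, today, offboarded) for e in entitlements]


def residual_access(plan_results: list, still_valid: set) -> list:
    """Post-reclamation check: anything the plan revoked that the platform still
    reports as valid (cached session, refresh token, connected app) is residual access."""
    return [c for r in plan_results for c in r["revoke"] if c in still_valid]


# Constructed sample inventory (not real data).
TODAY = date(2026, 6, 9)
SAMPLE = [
    Entitlement("crm", "high", "alice", "sales-lead", date(2026, 6, 1), date(2026, 6, 8),
                ["oauth:crm:alice"]),
    Entitlement("crm", "high", "bob", "sales-lead", date(2026, 3, 1), date(2026, 3, 2),
                ["oauth:crm:bob", "apikey:crm:bob"]),
    Entitlement("wiki", "low", "carol", "eng-mgr", None, date(2026, 5, 1), [],
                exception="shared-seat"),
    Entitlement("billing", "medium", "svc-invoice", None, date(2026, 2, 1), date(2026, 2, 1),
                ["apikey:billing:svc-invoice"]),
    Entitlement("wiki", "low", "dave", "eng-mgr", date(2026, 1, 15), date(2026, 6, 5), []),
    Entitlement("crm", "high", "erin", "sales-lead", date(2026, 6, 8), date(2026, 6, 8),
                ["oauth:crm:erin"]),
]

if __name__ == "__main__":
    results = plan(SAMPLE, TODAY, offboarded=frozenset({"erin"}))
    for r in results:
        print(r)
    # Constructed post-reclamation state: bob's API key and erin's grant survived.
    print("residual:", residual_access(results, {"apikey:crm:bob", "oauth:crm:erin"}))
```

In the sample, bob is dormant on a high-risk app and loses both credentials with reauthorization required; carol's seat looks unused but carries a shared-seat exception, so it is reviewed rather than reclaimed; the billing service account has no owner and is suspended until one is assigned; erin is active by usage but offboarded, so the HR event wins. The residual_access output is the evidence that "removal happened consistently": an empty list is the state to aim for.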

Where reporting is weak, start with a small set of high-value SaaS platforms, then expand automation once the ownership model and exception process are stable. The rule of thumb is simple: if the business cannot explain why the account still exists, it should not keep its access by default.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 describes the attack and risk surface, while NIST CSF 2.0 sets the governance and control expectations practitioners need to meet.

Framework                        | Control / Reference                         | Relevance
OWASP Non-Human Identity Top 10  | NHI1:2025 Improper Offboarding              | Covers accounts, licenses and credentials that outlive their business need; the stale-SaaS-access case described here.
NIST CSF 2.0                     | PR.AA-01                                    | Identities and credentials for users and services are managed by the organisation; dormant accounts and their linked credentials fall under this lifecycle.
NIST CSF 2.0                     | PR.AA-05 (successor to CSF 1.1 PR.AC-4)     | Access permissions and entitlements are managed, reviewed, and based on least privilege; the review step is where unused licenses are removed.

Map SaaS reclamation to identity lifecycle controls and verify owners during recertification.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 9, 2026.