
Why do SaaS management and IAM teams need to work together?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: NHI Lifecycle Management

They need to work together because SaaS discovery, access review, and offboarding are identity lifecycle controls, while IAM holds the policy and entitlement context. If those functions stay separate, organisations can renew software that no longer has a business owner and leave orphaned access behind.

Why This Matters for Security Teams

SaaS management and IAM teams are both managing identity-adjacent controls, but they usually see the environment through different lenses. SaaS teams track applications, licences, owners, and renewals, while IAM teams own policy, authentication, entitlement design, and access review. When those views are disconnected, organisations can keep paying for apps after the business need is gone, miss orphaned accounts, and fail to revoke access when staff, contractors, or integrations change.

This gap is not theoretical. NHI Management Group research shows that only 20% of organisations have formal processes for offboarding and revoking API keys, and 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation. That is why lifecycle governance has to span both app inventory and identity controls, not sit with one team alone. The control logic aligns closely with the NIST Cybersecurity Framework 2.0 because asset visibility, access governance, and recovery all depend on shared operational ownership. In practice, many security teams encounter orphaned SaaS access only after a renewal, audit finding, or incident has already exposed the disconnect.

How It Works in Practice

The collaboration model works best when SaaS management feeds authoritative application context into IAM, and IAM feeds entitlement and access context back into SaaS governance. SaaS teams should maintain the system of record for application ownership, business purpose, contract date, and offboarding triggers. IAM teams should maintain the system of record for who can authenticate, what roles or groups exist, and how access is approved, time-limited, and reviewed. Together, they create a closed loop for discovery, review, and revocation.

Operationally, this means shared workflows for:

  • Discovery of unsanctioned or duplicate SaaS applications.
  • Mapping each app to a business owner and technical owner.
  • Reviewing active users, tokens, service accounts, and admin roles.
  • Revoking access automatically when an employee leaves, a project ends, or a vendor is retired.
  • Auditing renewals against actual usage and entitlement risk.

For non-human access, this joint model becomes even more important. SaaS tools often expose API keys, OAuth tokens, and service accounts that outlive the team that created them. NHI Management Group’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs shows why lifecycle control must include inventory, rotation, and revocation, not just sign-in policy. The same report notes that 97% of NHIs carry excessive privileges, which is a strong signal that entitlement review cannot remain isolated inside one workflow. Current guidance suggests pairing SaaS discovery with IAM approval records so the access decision and the software decision are reconciled before renewal. That control model also fits the NIST Cybersecurity Framework 2.0 functions for Identify, Protect, and Govern. These controls tend to break down in fast-moving SaaS estates where app sprawl, shadow IT, and unmanaged service accounts outpace manual review cycles.
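The closed loop described above (SaaS system of record on one side, IAM entitlement and approval records on the other, reconciled before renewal) is easiest to see as a join between the two inventories. The following is an added worked example, not code from this page or from NHI Management Group, and the application names, principals, approval IDs, 30-day renewal window, 90-day usage window and 365-day rotation limit are all constructed assumptions for illustration. It flags the cases the text calls out: an app with no business owner, a renewal due with no one actually using the app, a human or non-human identity whose owner has left, a non-human credential with no IAM approval record, and a long-lived key past its rotation limit.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Fixed "today" so the example is deterministic (constructed, not from the page).
TODAY = date(2026, 6, 11)


@dataclass
class SaaSApp:
    """One row from the SaaS team's system of record."""
    name: str
    business_owner: Optional[str]   # None means nobody is accountable for the app
    technical_owner: Optional[str]
    renewal_date: date
    status: str                     # "active" or "retired"


@dataclass
class Principal:
    """One row from IAM: anything that can authenticate to the app."""
    app: str
    identifier: str
    kind: str                       # "human", "service_account", "api_key", "oauth_token"
    owner: str                      # person accountable for this identity
    issued: date
    last_used: Optional[date]
    approval_id: Optional[str]      # IAM approval record; None if access was never approved


# Directory of active people; anyone absent here has left (constructed sample).
ACTIVE_PEOPLE: Set[str] = {"alice", "bob", "dana"}

# Constructed sample inventories. Names, dates and IDs are hypothetical.
APPS = [
    SaaSApp("crm", "alice", "bob", TODAY + timedelta(days=20), "active"),
    SaaSApp("legacy-analytics", None, None, TODAY + timedelta(days=10), "active"),
    SaaSApp("ci-runner", "dana", "dana", TODAY + timedelta(days=200), "active"),
    SaaSApp("old-vendor", "bob", "bob", TODAY + timedelta(days=5), "retired"),
]

PRINCIPALS = [
    Principal("crm", "alice@example.com", "human", "alice", date(2025, 1, 5), TODAY - timedelta(days=2), "APR-100"),
    Principal("crm", "carol@example.com", "human", "carol", date(2024, 3, 1), TODAY - timedelta(days=40), "APR-101"),
    # Service account created by carol, who has since left: the NHI outlives its owner.
    Principal("ci-runner", "deploy-bot", "service_account", "carol", date(2024, 6, 1), TODAY - timedelta(days=1), "APR-102"),
    # API key in use, but never approved through IAM and older than the rotation limit.
    Principal("ci-runner", "ak_7f3", "api_key", "dana", date(2025, 2, 1), TODAY - timedelta(days=3), None),
    # Token still provisioned on an app the SaaS team has already retired.
    Principal("old-vendor", "oauth_9c1", "oauth_token", "bob", date(2025, 9, 1), None, "APR-103"),
]

Finding = Tuple[str, str, Optional[str], str]   # (action, app, principal or None, reason)


def reconcile(apps: List[SaaSApp], principals: List[Principal], active_people: Set[str],
              today: date = TODAY, renewal_window_days: int = 30,
              usage_window_days: int = 90, max_key_age_days: int = 365) -> List[Finding]:
    """Join the SaaS inventory with IAM records and return lifecycle findings.

    The thresholds are assumed policy values, not values from the page."""
    findings: List[Finding] = []
    by_app = {}
    for p in principals:
        by_app.setdefault(p.app, []).append(p)

    for app in apps:
        ps = by_app.get(app.name, [])

        # Retired app: every remaining identity is orphaned access, full stop.
        if app.status == "retired":
            for p in ps:
                findings.append(("revoke", app.name, p.identifier, "app retired but access remains"))
            continue

        # SaaS-side control: no accountable owner means the renewal must not go through.
        if app.business_owner is None:
            findings.append(("block_renewal", app.name, None, "no business owner of record"))

        # Renewal decision reconciled against actual usage from IAM.
        renewing_soon = (app.renewal_date - today).days <= renewal_window_days
        recently_used = any(p.last_used and (today - p.last_used).days <= usage_window_days for p in ps)
        if renewing_soon and not recently_used:
            findings.append(("review_renewal", app.name, None,
                             f"renewal due with no access used in {usage_window_days} days"))

        for p in ps:
            # Offboarding trigger: the accountable person is no longer in the directory.
            if p.owner not in active_people:
                findings.append(("revoke", app.name, p.identifier, f"owner {p.owner} no longer active"))
            # Non-human credential with no approval record cannot be attested to.
            if p.kind != "human" and p.approval_id is None:
                findings.append(("review", app.name, p.identifier, "non-human credential has no IAM approval record"))
            # Long-lived secrets need rotation, not just a sign-in policy.
            if p.kind in ("api_key", "oauth_token") and (today - p.issued).days > max_key_age_days:
                findings.append(("rotate", app.name, p.identifier, "credential older than rotation limit"))
    return findings


if __name__ == "__main__":
    for action, app, principal, reason in reconcile(APPS, PRINCIPALS, ACTIVE_PEOPLE):
        print(f"{action:15} {app:17} {principal or '-':20} {reason}")
```

Two design points carry over to a real deployment. Ownership and approval are looked up from separate systems of record, so a missing owner and a missing approval surface as distinct findings with distinct owners for the fix. And the non-human rows (service account, API key, OAuth token) flow through the same offboarding check as the human rows, which is what turns a staff departure into a revocation of the credentials that person created.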

Common Variations and Edge Cases

Tighter joint governance often increases process overhead, so organisations have to balance control quality against onboarding speed and decentralised procurement. That tradeoff is real, especially in companies where business units buy SaaS directly and IAM only learns about the tool after accounts already exist. Best practice is evolving, but there is no universal standard for this yet: some organisations place SaaS owners inside procurement, others inside security operations, and others under IT. The important part is not the org chart, but the shared control point.

Edge cases usually appear when the application is customer-facing, developer-owned, or heavily automated. In those environments, access may be granted through delegated admin roles, SCIM provisioning, federated SSO, or long-lived API credentials rather than normal employee accounts. That means revocation has to cover tokens, bots, integrations, and partner access, not just human users. NHI Management Group’s Top 10 NHI Issues is useful here because it highlights how secrets sprawl and excessive privilege persist when ownership is unclear. The practical rule is simple: if SaaS management cannot prove who owns the app and IAM cannot prove who still has access, the organisation does not have a complete control picture. In those cases, shared governance tends to fail most often during mergers, rapid vendor adoption, or offboarding of high-change engineering teams.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.OC-01 | Shared SaaS and IAM ownership depends on clear operational context.
OWASP Non-Human Identity Top 10 | NHI-01 | SaaS tokens and service accounts are NHIs needing lifecycle control.
NIST AI RMF | (no specific control cited) | Governance processes need accountability across identity and app operations.

Use AI RMF governance-style accountability to define who owns access decisions.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org