Spreadsheets break down because they rely on manual updates and periodic reconciliation, while SaaS access changes continuously. They miss dormant licences, duplicate assignments, and offboarding delays. As the estate grows, the gap between recorded inventory and actual access becomes large enough to create both cost waste and governance risk.
Why This Matters for Security Teams
Spreadsheets are attractive because they are familiar, flexible, and cheap to start with, but SaaS asset management is not a static inventory problem. It is a continuous access-control problem. Accounts appear through self-service signups, integrations, delegated admin actions, and shadow IT, then change again when users switch teams, add apps, or leave. A spreadsheet can record a point in time, but it cannot reliably prove what is currently active.
That gap matters because governance failures usually show up as either wasted licence spend or unmanaged access. When the recorded roster drifts from reality, teams miss dormant subscriptions, duplicate assignments, and stale admin entitlements. NHI Management Group’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs shows why lifecycle visibility is central to control, and the same principle applies to SaaS assets even when the asset is not a non-human identity. Current guidance in the NIST Cybersecurity Framework 2.0 also stresses continuous monitoring rather than periodic reassurance.
In practice, many security teams discover spreadsheet drift only after a renewal surprise, an access review failure, or an offboarding complaint, rather than through intentional control testing.
How It Works in Practice
Effective SaaS asset management treats the spreadsheet as a reporting surface, not the system of record. The record of truth should come from live sources such as identity providers, SaaS admin consoles, SSO logs, procurement data, and where relevant, API-based discovery. The spreadsheet can still help with ownership, exception tracking, and remediation queues, but it should not be the mechanism that decides whether access exists.
A better operating model is to reconcile continuously. That usually means pulling in who owns the app, which users are assigned, what privilege tier they hold, when the last login occurred, whether licences are consumed, and whether the application is tied to a department or cost centre. NHI Management Group’s NHI Lifecycle Management Guide is useful here because the same lifecycle logic applies: discover, validate, assign, rotate where applicable, and revoke when no longer needed.
- Use the spreadsheet for exceptions, not for primary entitlement state.
- Synchronise SaaS sources on a fixed cadence and compare against identity and procurement records.
- Flag dormant licences, duplicate owners, and privileged accounts for review.
- Link offboarding to deprovisioning tasks so revocation happens with the personnel event.
This model aligns with the NIST Cybersecurity Framework 2.0 emphasis on asset identification, continuous monitoring, and response. It also mirrors the lessons seen in incidents such as the Snowflake breach, where identity and access visibility became operationally significant. These controls tend to break down when SaaS is acquired outside central IT because the organisation no longer has reliable admin access or authoritative purchase records.
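The reconciliation loop described above, as an added example that is not code from the article or from NHI Management Group: a small Python pass that treats the identity provider, HR offboarding feed, procurement register and SaaS admin-console export as the record of truth and emits review queues (dormant licences, duplicate seats, privileged accounts, offboarded users still active, duplicate or missing owners, and apps acquired outside central IT). All sources, account rows, the 90-day dormancy threshold and the reference date are constructed assumptions; a real run would replace the inline data with exports from the actual systems.

```python
# Added example (not from the original article): a reconciliation pass that
# compares a SaaS admin-console export against live identity, HR and procurement
# records and produces review queues instead of hand-edited spreadsheet rows.
# Every data source below is constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_DAYS = 90          # assumption: a licensed seat unused for 90 days is dormant
TODAY = date(2026, 1, 15)  # fixed reference date so the run is reproducible


@dataclass(frozen=True)
class SaasAccount:
    """One row of a SaaS admin-console export (constructed shape)."""
    app: str
    user: str                  # normalised e-mail address
    role: str                  # "admin" or "member"
    last_login: Optional[date]
    licensed: bool


def _d(days_ago: int) -> date:
    """Helper: a login date that many days before TODAY."""
    return TODAY - timedelta(days=days_ago)


# Live sources (constructed): identity provider roster, HR offboarding feed,
# procurement register (app -> cost centre), SSO integration list, and the
# ownership register that is the one thing the spreadsheet still legitimately holds.
IDP_ACTIVE = {"alice@example.com", "bob@example.com", "carol@example.com"}
HR_OFFBOARDED = {"dave@example.com"}
PROCUREMENT = {"Collab": "Engineering", "Finance": "Finance"}
SSO_APPS = {"Collab", "Finance"}
OWNERS = {"Collab": ["alice@example.com"],
          "Finance": ["bob@example.com", "carol@example.com"],
          "Whiteboard": []}

SAAS_EXPORT = [
    SaasAccount("Collab", "alice@example.com", "admin", _d(3), True),
    SaasAccount("Collab", "bob@example.com", "member", _d(120), True),   # dormant
    SaasAccount("Collab", "dave@example.com", "member", _d(10), True),   # offboarded
    SaasAccount("Finance", "bob@example.com", "member", _d(5), True),
    SaasAccount("Finance", "bob@example.com", "member", None, True),     # duplicate seat
    SaasAccount("Finance", "erin@example.com", "member", _d(2), True),   # not in IdP
    SaasAccount("Whiteboard", "carol@example.com", "admin", _d(1), True),  # shadow app
]


def reconcile(accounts, idp_active, offboarded, owners, sso_apps, procurement, today=TODAY):
    """Compare SaaS accounts against identity, HR and procurement records.

    Returns a dict of sorted review queues; entries are "app:user" or "app".
    """
    queues = {k: set() for k in (
        "offboarded_still_active", "unknown_identity", "dormant_licence",
        "duplicate_assignment", "privileged_account", "duplicate_owner",
        "no_owner", "outside_central_it")}

    # A user holding more than one seat in the same app is a duplicate assignment.
    seats = Counter((a.app, a.user) for a in accounts)
    for (app, user), n in seats.items():
        if n > 1:
            queues["duplicate_assignment"].add(f"{app}:{user}")

    for a in accounts:
        key = f"{a.app}:{a.user}"
        if a.user in offboarded:                 # personnel event without revocation
            queues["offboarded_still_active"].add(key)
        elif a.user not in idp_active:           # account with no identity record
            queues["unknown_identity"].add(key)
        if a.licensed and (a.last_login is None or (today - a.last_login).days > DORMANT_DAYS):
            queues["dormant_licence"].add(key)
        if a.role == "admin":
            queues["privileged_account"].add(key)

    # Ownership and acquisition checks run per application, not per account.
    apps = {a.app for a in accounts} | set(owners) | set(procurement)
    for app in apps:
        owner_list = owners.get(app, [])
        if len(owner_list) > 1:
            queues["duplicate_owner"].add(app)
        if not owner_list:
            queues["no_owner"].add(app)
        if app not in sso_apps or app not in procurement:  # bought outside central IT
            queues["outside_central_it"].add(app)

    return {k: sorted(v) for k, v in queues.items()}


if __name__ == "__main__":
    result = reconcile(SAAS_EXPORT, IDP_ACTIVE, HR_OFFBOARDED, OWNERS, SSO_APPS, PROCUREMENT)
    for queue, items in result.items():
        print(f"{queue:24} {items}")
```

Each queue maps to one of the bullets: the offboarding queue is what a deprovisioning task would be raised from, the dormant and duplicate queues feed the licence review, and the "outside central IT" queue is the case the text warns about, where the organisation lacks SSO integration or an authoritative purchase record for an app it is nevertheless paying for.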
Common Variations and Edge Cases
Tighter SaaS control often increases administrative overhead, requiring organisations to balance accuracy against the effort of keeping records current. That tradeoff becomes sharper in fast-moving environments, especially where business teams can buy apps directly or where multiple subsidiaries each manage their own tenants.
Best practice is evolving for multi-tenant SaaS, federated identity, and app marketplaces. There is no universal standard for how often every field should be reconciled, but current guidance suggests prioritising high-risk applications first: collaboration suites, finance platforms, source-code tools, and any SaaS with external sharing or privileged admin roles. For those environments, stale access is not just a data-quality issue; it is an exposure problem.
Another common edge case is when licence ownership and security ownership are split. Finance may care about renewal counts while security cares about admin rights and offboarding. In that case, a single spreadsheet often becomes a negotiation artifact rather than a control. NHI Management Group’s Top 10 NHI Issues highlights the same governance pattern: visibility without lifecycle enforcement creates false confidence. Spreadsheet workflows also struggle when service accounts, API keys, or automation users are included alongside human seats, because those records need stricter ownership, rotation, and revocation discipline than a manual tracker can sustain.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-1 | SaaS asset management depends on maintaining an accurate asset inventory. |
| NIST CSF 2.0 | PR.AA-1 | Spreadsheet drift leads to unmanaged accounts and stale access rights. |
| OWASP Non-Human Identity Top 10 | NHI-01 | The same lifecycle and visibility gaps affect service accounts and API-driven SaaS access. |
Replace manual tracking with lifecycle controls that discover, validate, and revoke access continuously.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org