
Why do spreadsheets fail for SaaS licence governance at scale?

By NHI Mgmt Group Editorial Team. Updated June 11, 2026. Domain: Governance, Ownership & Risk

Spreadsheets fail because they are manually updated, lag behind user behaviour, and cannot validate whether a licence is still assigned, used, or approved. At scale, they become a record of prior assumptions rather than current access state, which makes them unsuitable for renewal and revocation control.

Why This Matters for Security Teams

SaaS licence governance is not just a procurement problem. It determines whether dormant accounts, over-assigned premium seats, and unmanaged service access remain available long after the business no longer needs them. Manual tracking creates a dangerous gap between what was approved and what is actually in use, which complicates renewal decisions, access reviews, and audit evidence. Current guidance in the NIST Cybersecurity Framework 2.0 emphasizes governance and asset visibility, but spreadsheets rarely provide either at the speed required by SaaS sprawl.

That matters because licence governance often intersects with credential exposure, orphaned accounts, and shadow IT. NHIMG research on the Ultimate Guide to NHIs — Regulatory and Audit Perspectives shows that evidence quality becomes a recurring control issue when identity records are fragmented across teams and tools. For SaaS, the same pattern appears when finance, IT, and security each maintain their own version of “active.” In practice, many security teams encounter wasted spend and revocation failures only after a renewal overage, audit finding, or access incident has already exposed the gap.

How It Works in Practice

Effective SaaS licence governance depends on continuously reconciling three states: assigned, used, and approved. A spreadsheet can record these states, but it cannot prove them. At scale, the control needs to be driven by source systems such as the SaaS admin console, identity provider, HR feed, and ticketing records, then compared automatically against policy. The operational goal is not a static inventory but a living control loop that flags stale allocations, reclaimed seats, and exceptions for review.

Best practice is to define which events update the record of truth. For example, HR termination can trigger seat revocation, inactivity thresholds can trigger reclaim workflows, and procurement approval can gate new allocation. That workflow aligns with the Top 10 NHI Issues because the same governance failure appears whenever identity state is separated from operational reality. SaaS licence control is usually simpler than full NHI lifecycle management, but it fails in the same way when the underlying data is stale.

  • Use the identity provider or HRIS as the primary source for joiner, mover, leaver status.
  • Pull usage data from SaaS audit logs rather than relying on self-reported ownership.
  • Track approvals separately from assignments so exceptions remain visible.
  • Automate reclaim and renewal decisions with policy thresholds, not manual reminders.

For organisations building a broader governance model, the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful because it reinforces the same principle: lifecycle state must be measurable, current, and actionable. These controls tend to break down when SaaS ownership is decentralized across departments because no single team can validate usage, approval, and entitlement changes in real time.

Common Variations and Edge Cases

Tighter licence control often increases operational overhead, requiring organisations to balance reclaimed spend against user friction and admin effort. That tradeoff is especially visible in fast-moving environments where employees share tools, rotate projects, or use burst access for short-term work. There is no universal standard for this yet, but current guidance suggests that exception handling should be explicit rather than hidden in a spreadsheet note.

One common edge case is service or bot accounts tied to SaaS integrations. Those seats may appear inactive, yet they remain operationally necessary, so governance must distinguish human usage from system usage. Another is pooled or shared licensing, where a simple one-seat-per-person model breaks down. In those cases, policy needs to define who owns the exception, how reuse is measured, and when a review is mandatory. The governance problem is also broader when the organisation depends on evidence for audit or legal review, because a spreadsheet usually cannot show who changed what, when, and why.
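As an added example (not code from this page or from NHIMG), the following Python script implements the reconciliation loop described under How It Works in Practice and handles the two edge cases from this section: service seats that look inactive in user audit logs, and explicit, time-boxed exceptions instead of spreadsheet notes. The data sources, field names, the 90-day inactivity threshold and every record are constructed assumptions standing in for exports from the HRIS/IdP, the SaaS admin console, the SaaS audit log and the ticketing system.

```python
"""Reconcile SaaS seats against three states: assigned, used, approved.

Hypothetical example. The inputs stand in for exports from the HRIS/IdP,
the SaaS admin console, the SaaS audit log and the approval (ticketing)
system; all sample records below are constructed, not real data.
"""
from dataclasses import dataclass
from datetime import date

INACTIVITY_DAYS = 90  # assumed policy threshold for reclaim


@dataclass(frozen=True)
class Finding:
    user: str
    action: str   # revoke | unapproved | reclaim | review | keep
    reason: str   # evidence for the decision, so the output doubles as review material


def reconcile(identities, assignments, last_activity, approvals, exceptions, today,
              inactivity_days=INACTIVITY_DAYS):
    """Compare every assigned seat with identity state, approvals and usage.

    Precedence: leaver > missing approval > explicit exception > service seat > inactivity.
    """
    findings = []
    for seat in assignments:
        user = seat["user"]
        ident = identities.get(user)
        # 1. Leaver check from HRIS/IdP: no active identity means the seat goes, whatever the usage.
        if ident is None or ident["status"] != "active":
            findings.append(Finding(user, "revoke", "no active identity in HRIS/IdP"))
            continue
        # 2. Approval is tracked separately from assignment, so a seat with no ticket stays visible.
        if user not in approvals:
            findings.append(Finding(user, "unapproved", "seat assigned without an approval record"))
            continue
        # 3. Explicit, time-boxed exceptions replace the spreadsheet note.
        exc = exceptions.get(user)
        if exc is not None:
            if exc["expires"] >= today:
                findings.append(Finding(user, "keep", f"exception '{exc['reason']}' valid until {exc['expires']}"))
            else:
                findings.append(Finding(user, "reclaim", f"exception '{exc['reason']}' expired {exc['expires']}"))
            continue
        # 4. Service/integration seats show no human activity; they are exempt from inactivity
        #    reclaim but must have a named, still-active human owner.
        if seat.get("kind") == "service":
            owner = seat.get("owner")
            if owner and identities.get(owner, {}).get("status") == "active":
                findings.append(Finding(user, "keep", f"service seat owned by {owner}; exempt from inactivity reclaim"))
            else:
                findings.append(Finding(user, "review", "service seat without an active human owner"))
            continue
        # 5. Inactivity measured from the SaaS audit log, not self-reported ownership.
        last = last_activity.get(user)
        if last is None:
            findings.append(Finding(user, "reclaim", "no activity in audit log"))
        elif (today - last).days > inactivity_days:
            findings.append(Finding(user, "reclaim", f"last activity {(today - last).days} days ago (> {inactivity_days})"))
        else:
            findings.append(Finding(user, "keep", f"active {(today - last).days} days ago"))
    return findings


def summarize(findings):
    """Count findings per action; revoke + reclaim is the seat count a renewal can drop."""
    counts = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


# ---- constructed sample exports (hypothetical) ----------------------------
TODAY = date(2026, 6, 11)
IDENTITIES = {  # HRIS/IdP
    "alice": {"status": "active"}, "bob": {"status": "terminated"},
    "carol": {"status": "active"}, "dave": {"status": "active"},
    "frank": {"status": "active"}, "svc-crm-sync": {"status": "active"},
}
ASSIGNMENTS = [  # SaaS admin console
    {"user": "alice", "sku": "premium"},
    {"user": "bob", "sku": "premium"},
    {"user": "carol", "sku": "premium"},
    {"user": "dave", "sku": "standard"},
    {"user": "erin", "sku": "premium"},  # no HRIS/IdP record at all
    {"user": "frank", "sku": "premium"},
    {"user": "svc-crm-sync", "sku": "standard", "kind": "service", "owner": "carol"},
]
LAST_ACTIVITY = {  # SaaS audit log, latest event per user; the service seat has none
    "alice": date(2026, 6, 8), "bob": date(2026, 6, 9), "carol": date(2026, 2, 1),
    "dave": date(2026, 6, 10), "frank": date(2025, 11, 1),
}
APPROVALS = {"alice", "bob", "carol", "erin", "frank", "svc-crm-sync"}  # dave has no ticket
EXCEPTIONS = {"frank": {"reason": "burst access for data migration", "expires": date(2026, 6, 30)}}


def run_sample():
    return reconcile(IDENTITIES, ASSIGNMENTS, LAST_ACTIVITY, APPROVALS, EXCEPTIONS, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.action:<10} {f.user:<14} {f.reason}")
    print(summarize(run_sample()))
```

On the sample data the loop revokes bob (terminated but still logging in) and erin (no identity record), flags dave as unapproved, reclaims carol's seat after 130 days of inactivity, keeps frank under a documented exception, and keeps the service seat because carol is still an active owner. Each finding carries its reason, which is the audit trail a spreadsheet cannot provide.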

NHIMG’s 2024 ESG Report: Managing Non-Human Identities notes that 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, which is a reminder that identity governance gaps rarely stay theoretical. The same discipline that protects NHI lifecycles helps SaaS programmes avoid stale entitlements and renewal waste. For teams comparing control models, this is where spreadsheets stop being a light process aid and start becoming a liability.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.OC-1 | Licence governance needs clear ownership and current state visibility.
OWASP Non-Human Identity Top 10 | NHI-03 | Stale entitlements and poor lifecycle control mirror NHI credential governance gaps.
NIST AI RMF | | Governance and monitoring map to managing dynamic operational risk in SaaS estates.

Define licence ownership and keep SaaS state continuously reconciled to business and security records.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.