Because they only show applications that are tied to central identity flows. Employees can buy software directly, access tools through browsers, or connect apps through finance-approved spend and custom integrations. A discovery programme needs those extra signals or it will undercount shadow IT and miss real usage.
Why This Matters for Security Teams
SSO and directory data are useful, but they are not a complete picture of software use. They mostly capture applications routed through central identity flows, while many business tools appear through browser sign-ups, card-based purchasing, finance-approved subscriptions, or embedded integrations that never touch the directory. That gap matters because discovery and control decisions are only as strong as the sources behind them.
For security teams, the practical risk is undercounting shadow IT, missing active SaaS usage, and assuming a clean app inventory when the environment is already fragmented. NIST Cybersecurity Framework 2.0 treats visibility as a foundational capability, not a one-time inventory exercise, and that is especially true when identities and purchases are spread across multiple control planes. In NHI programs, the same pattern shows up in hidden service connections and unmanaged tokens, which is why the Ultimate Guide to NHIs — Key Research and Survey Results is so direct about visibility gaps. In practice, many security teams encounter the real application footprint only after an audit, incident, or finance reconciliation has already exposed it.
How It Works in Practice
Effective SaaS discovery uses multiple signals and then reconciles them into one inventory. SSO logs show which apps are federated. Directory records show who can authenticate centrally. But neither source will reliably capture browser-only access, direct-to-vendor purchases, or applications linked through payment systems and downstream integrations. Discovery programmes work better when they correlate identity, endpoint, finance, network, and browser telemetry.
That usually means combining:
- SSO and IdP logs for federated application use
- Directory and RBAC data for assigned access and group memberships
- Expense, procurement, and card transaction records for self-purchased SaaS
- Browser and endpoint telemetry for apps used without federation
- CASB or SaaS posture data for external tenant activity and risky integrations
This approach aligns with the visibility and governance themes in Ultimate Guide to NHIs, because application sprawl often creates hidden machine identities, OAuth grants, and API keys alongside human access paths. It also echoes the practical guidance in NIST Cybersecurity Framework 2.0, which expects organisations to identify assets and dependencies across the environment rather than rely on a single authoritative source. Used properly, discovery is not just a report, but a continuous reconciliation process that flags mismatches between what IT thinks exists and what employees actually use. These controls tend to break down when business units adopt SaaS through self-service purchasing, because finance, identity, and browser signals rarely line up on the same day.
Common Variations and Edge Cases
Tighter discovery usually increases operational overhead, requiring organisations to balance completeness against privacy, data quality, and response time. That tradeoff is real, especially in environments with distributed procurement or global teams. There is no universal standard for this yet, but current guidance suggests that teams should prioritise the highest-risk blind spots first rather than chase perfect inventory from day one.
Some SaaS products are intentionally invisible to central SSO because they support guest access, consumer sign-ups, or delegated admin models. Others are embedded into workflows through signed OAuth consent rather than direct logins, which means the app may not appear in the directory at all while still having meaningful data access. This is where incidents such as the Salesloft OAuth token breach and the BeyondTrust API key breach matter operationally: they show how access can persist outside the visibility of standard identity reports. In practice, the edge cases are not exceptions to the problem. They are often where the most sensitive usage hides first.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM | Discovery gaps are an asset inventory and visibility problem. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Hidden SaaS often creates unmanaged non-human identities and tokens. |
| NIST AI RMF | Data and system visibility is required for trustworthy governance. |
Correlate identity, finance, endpoint, and network signals into one continuously updated SaaS inventory.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
