They create both risks because unmanaged apps can retain sensitive data access while also carrying duplicate or unused licenses. Security teams lose visibility into who can access the app, and finance loses the ability to see whether the software is still needed.
Why This Matters for Security Teams
Unsanctioned SaaS apps are risky because they often enter the environment through a legitimate user, then persist outside normal procurement, identity, and review processes. That creates two problems at once: security teams lose visibility into what data the app can reach, and finance loses control over whether the subscription is still needed. The same shadow app can also inherit tokens, OAuth grants, or file access that outlast the business need.
This is why guidance in NIST Cybersecurity Framework 2.0 and NHI research both emphasise continuous inventory and access governance rather than one-time approval. NHIMG’s Top 10 NHI Issues also shows that visibility gaps are a recurring failure mode, especially when app permissions are granted informally and never revisited. In practice, many security teams encounter the breach, the billing surprise, or both only after the app has already accumulated dormant access and duplicate spend.
How It Works in Practice
The operational risk comes from how SaaS apps are adopted and authorised. A user connects a tool to email, storage, CRM, or code repositories, often through OAuth or a shared API key. Once that connection exists, the app can continue accessing data even if the user changes roles, leaves the company, or stops using the tool. The result is an identity and cost problem, not just an application inventory problem.
Security teams usually need three controls working together:
- Discovery of all connected SaaS apps, including user-installed integrations and third-party OAuth grants.
- Permission review that maps each app to the data it can read, write, or export.
- Usage and spend review that identifies duplicate licenses, idle seats, and unmanaged renewals.
NHIMG’s Ultimate Guide to NHIs notes that the core challenge is not only credential exposure but also persistent machine-to-machine trust that remains active after the original business need has faded. That is why many teams align this work with NIST CSF 2.0 asset management and access control outcomes, then extend procurement review into security operations. Current practice also favours revoking tokens and deprovisioning licenses together, since removing only one side leaves residual risk.
These controls tend to break down in fast-moving SaaS environments with self-service procurement, decentralised IT buying, and frequent OAuth-based integrations because the app footprint changes faster than review cycles.
Common Variations and Edge Cases
Tighter SaaS governance often increases administrative overhead, so organisations must balance visibility against user friction and business speed. That tradeoff is real, especially in teams that rely on many niche apps, contractor accounts, or temporary integrations.
Best practice is evolving, but current guidance suggests treating unsanctioned SaaS in tiers rather than as a single class of risk. A low-risk collaboration app with no sensitive data exposure should not be handled the same way as an unsanctioned analytics tool with access to customer records. Similarly, not every duplicate license is wasteful in the same way: some are truly dormant, while others are reserved for seasonal demand or project-based work.
There is no universal standard for this yet, but a practical model is to pair procurement controls with identity controls. That means reviewing OAuth consent, session tokens, API keys, and active seats at the same time, then classifying apps by data sensitivity, privilege level, and business owner. For incident response, NHIMG's coverage of the Salesloft OAuth token breach is a useful reminder that a sanctioned-looking integration can still become an access path if its grants are never revalidated.
The hardest edge case is when an app is widely used but never formally approved, because security teams must decide whether to grandfather it, restrict it, or retire it without breaking a live workflow.
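The three controls from "How It Works in Practice" (discovery, permission review, usage and spend review) and the tiered classification described in this section, as an added Python example that is not from NHIMG or this page: it correlates a constructed inventory of OAuth grants with license seats, tiers each grant by the sensitivity of its scopes, and emits paired revoke-token / release-seat actions so that neither residual access nor residual spend is left behind. The scope names, app names, users, review date and 90-day idle threshold are all assumptions.

```python
from collections import namedtuple
from datetime import date, timedelta

# Scope-to-sensitivity map (constructed for this example; replace with your own data classification).
SCOPE_TIER = {"crm.read": "high", "mail.read": "high", "repo.write": "high",
              "files.read": "medium", "calendar.read": "low"}
TODAY = date(2026, 1, 15)  # constructed review date

# A discovered OAuth grant / API key; user_active comes from the IdP or HR feed (False once the owner left).
Grant = namedtuple("Grant", "app user scopes last_used user_active")
# A paid license seat from the billing or spend system.
Seat = namedtuple("Seat", "app user last_login")

def tier(grant):
    """Classify a grant by the most sensitive scope it holds (unknown scopes count as low)."""
    levels = {SCOPE_TIER.get(s, "low") for s in grant.scopes}
    return "high" if "high" in levels else "medium" if "medium" in levels else "low"

def review(grants, seats, today=TODAY, idle_days=90):
    """Correlate grants with seats; return paired revoke-token / release-seat actions."""
    seat_keys = {(s.app, s.user) for s in seats}
    granted = {(g.app, g.user) for g in grants}
    actions = []
    for g in grants:
        idle = (today - g.last_used).days > idle_days
        if not g.user_active:
            reason = "owner inactive"
        elif idle and tier(g) != "low":
            reason = f"idle >{idle_days}d with {tier(g)}-tier scopes"
        else:
            continue  # recent use by an active owner, or a low-tier idle grant: leave for periodic review
        # Revoke the token and release the seat together so neither residual access nor spend remains.
        actions.append({"app": g.app, "user": g.user, "tier": tier(g), "reason": reason,
                        "revoke_token": True, "release_seat": (g.app, g.user) in seat_keys})
    for s in seats:  # idle seats with no grant at all: pure spend waste, nothing to revoke
        if (s.app, s.user) not in granted and (today - s.last_login).days > idle_days:
            actions.append({"app": s.app, "user": s.user, "tier": "n/a", "reason": "idle seat, no grant",
                            "revoke_token": False, "release_seat": True})
    return actions

# Constructed sample inventory: two AnalyticsTool users (one idle), a departed RepoBot owner, an idle DesignApp seat.
GRANTS = [Grant("AnalyticsTool", "alice", ("crm.read",), TODAY - timedelta(days=120), True),
          Grant("ChatWidget", "bob", ("calendar.read",), TODAY - timedelta(days=200), True),
          Grant("RepoBot", "carol", ("repo.write",), TODAY - timedelta(days=3), False),
          Grant("AnalyticsTool", "dave", ("crm.read",), TODAY - timedelta(days=1), True)]
SEATS = [Seat("AnalyticsTool", "alice", TODAY - timedelta(days=120)),
         Seat("AnalyticsTool", "dave", TODAY - timedelta(days=1)),
         Seat("DesignApp", "erin", TODAY - timedelta(days=150)),
         Seat("RepoBot", "carol", TODAY - timedelta(days=3))]
```

Running `review(GRANTS, SEATS)` yields three actions: alice's idle high-tier grant (token and seat), carol's grant whose owner has left (token and seat), and erin's idle seat with no grant (seat only); bob's idle low-tier grant is left for the normal review cycle.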
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Unmanaged SaaS often leaves credentials and tokens unrotated or unrevoked. |
| NIST CSF 2.0 | PR.AC-4 | Third-party app access must be managed and continuously reviewed. |
| CSA MAESTRO | | Agentic and SaaS trust chains need continuous governance across identities and integrations. |
Inventory SaaS-connected NHI secrets and automate revocation when apps are unused or unsanctioned.
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org