Because subscription renewals continue unless someone actively intervenes. If ownership is unclear, the contract renews, the licence remains allocated, and the organisation keeps paying for capacity that no longer produces value. This is a lifecycle failure, not just a budgeting issue.
Why This Matters for Security Teams
Unused SaaS licences are not harmless leftovers. They are an ongoing cost signal that ownership, review, and revocation have failed somewhere in the lifecycle. When a team stops using an app but no one cancels the contract, removes entitlements, or confirms the business owner, renewals continue automatically and the organisation keeps paying for dormant capacity. That same pattern shows up in identity risk, where unmanaged access persists long after the original need has ended.
The practical issue is not just software spend. Unused licences often sit alongside forgotten service accounts, stale API keys, and unclear app ownership, which makes them a governance problem as much as a procurement problem. NHI Management Group has highlighted how poor lifecycle control is a recurring failure mode in the real world, especially when offboarding is informal and visibility is weak, as seen in the Ultimate Guide to NHIs. That same lifecycle weakness is reflected in incidents like the Snowflake breach, where identity and access sprawl became operationally expensive and risky.
For security teams, this matters because unused access is rarely discovered through routine hygiene. It is usually found only after a renewal bill, an audit exception, or an incident response review. In practice, many organisations notice the waste only after the contract has already rolled over and the money is gone.
How It Works in Practice
SaaS spend continues because subscription systems are designed to renew by default unless someone acts. A licence can remain allocated even when the app is no longer in active use, especially when procurement, IT, and application owners each assume another team is responsible. Current guidance from the NIST Cybersecurity Framework 2.0 supports treating this as an asset and access governance issue, not only a finance issue.
In operational terms, the control points are straightforward:
- Identify the business owner for every SaaS application and renewal.
- Track active use, not just purchased seats, to distinguish adoption from allocation.
- Review entitlements before renewal windows so unused licences can be removed or downgraded.
- Connect offboarding to licence reclamation so departing staff do not leave dormant access behind.
- Reconcile procurement records with actual logins, API usage, and admin assignments.
This is where identity governance overlaps with NHI management. If a SaaS app also uses API keys, service accounts, or OAuth tokens, the licence may be “unused” by humans while machine access still exists. The BeyondTrust API key breach and the Salesloft OAuth token breach both illustrate how lingering non-human access can keep value and risk alive after the original user workflow has stopped.
Using an NHI lens also helps explain the economics. If only 5.7% of organisations have full visibility into service accounts, as NHI Management Group notes in the Ultimate Guide to NHIs, then it is no surprise that unused SaaS licences and dormant access are often discovered too late. These controls tend to break down when ownership is split across procurement, IT, and business teams because no single group is accountable for renewal and revocation.
Common Variations and Edge Cases
Tighter licence controls often increase administrative overhead, requiring organisations to balance spend reduction against operational friction. That tradeoff is real: over-aggressive reclamation can interrupt legitimate work, while under-governed renewals keep waste accumulating.
Best practice is evolving, but current guidance suggests a few edge cases deserve special handling. First, some licences are intentionally held in reserve for surge demand, so “unused” does not always mean “unnecessary.” Second, usage data can be misleading when apps are seasonal or accessed by automation rather than humans. Third, enterprise contracts may bundle multiple modules, making simple seat counting less useful than application-level owner review.
Another common exception is shadow IT. A team may stop formally using a tool, but still keep a paid account alive for exports, historical data, or a one-time integration. In those cases, the right action is not immediate cancellation but explicit migration planning and data retention review. If the app has secrets, tokens, or connected workflows, the same offboarding discipline used for NHIs should apply before renewal. That is why lifecycle controls, not just invoice checks, are the durable fix.
When licence ownership sits with a departed employee, a merged department, or a third-party admin, the process breaks down because no one has authority to decide whether the subscription should continue.
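As an added illustration (not code from this guide or from NHI Mgmt Group), the control points listed above and the edge cases just described can be turned into a pre-renewal reconciliation check: purchased seats against recent human logins, seats deliberately held in reserve, and machine credentials that keep an app "in use" after people have stopped. The app records, user names, credential ids and dates are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed records: what procurement, the IdP and the app's audit log would hand back.
@dataclass
class SaasApp:
    name: str
    owner: str | None               # business owner; None means nobody is accountable
    seats_purchased: int
    renewal: date
    reserved_seats: int = 0         # seats intentionally held for surge demand
    human_logins: dict[str, date] = field(default_factory=dict)   # user -> last login
    machine_creds: dict[str, date] = field(default_factory=dict)  # key/token id -> last use

def review_licences(apps, today, inactive_days=90, renewal_window_days=30):
    """Reconcile purchased seats with real human and machine use before renewal."""
    cutoff = today - timedelta(days=inactive_days)
    findings = []
    for app in apps:
        active_humans = [u for u, d in app.human_logins.items() if d >= cutoff]
        active_machines = [k for k, d in app.machine_creds.items() if d >= cutoff]
        reclaimable = max(0, app.seats_purchased - len(active_humans) - app.reserved_seats)
        renewing_soon = (app.renewal - today).days <= renewal_window_days
        reasons = []
        if app.owner is None:
            reasons.append("no business owner: nobody can authorise cancel or downgrade")
        if not active_humans and active_machines:
            # "Unused" by people, but NHIs still hold access: review secrets, not just the bill
            action = "review_machine_access"
            reasons.append("live machine credentials: " + ", ".join(active_machines))
        elif not active_humans:
            action = "cancel_or_migrate"
            reasons.append("no human or machine activity; plan export/retention before cancel")
        elif renewing_soon and reclaimable > 0:
            action = "downgrade"
            reasons.append(f"{reclaimable} seats reclaimable (keeping {app.reserved_seats} in reserve)")
        else:
            action = "keep"
        findings.append({"app": app.name, "action": action,
                         "reclaimable": reclaimable, "reasons": reasons})
    return findings

TODAY = date(2026, 6, 1)
SAMPLE_APPS = [  # constructed sample inventory
    SaasApp("crm-tool", "sales-ops", 10, date(2026, 6, 15), reserved_seats=2,
            human_logins={"ana": date(2026, 5, 28), "bo": date(2026, 5, 30),
                          "cy": date(2026, 5, 20), "dee": date(2025, 11, 2)}),
    SaasApp("legacy-export", None, 5, date(2026, 7, 1),
            human_logins={"eve": date(2025, 9, 9)}, machine_creds={"api-key-7f": date(2026, 5, 25)}),
    SaasApp("old-wiki", "eng", 20, date(2026, 12, 1),
            human_logins={"fay": date(2025, 12, 1)}, machine_creds={"oauth-tok-3a": date(2025, 10, 1)}),
]

if __name__ == "__main__":
    for f in review_licences(SAMPLE_APPS, TODAY):
        print(f["app"], f["action"], f["reasons"])
```

Run against the sample inventory it flags the CRM for a five-seat downgrade, the ownerless export tool for machine-access review rather than plain cancellation, and the wiki for migration planning.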
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.GV-1 | Licence waste persists when ownership and governance are unclear. |
| OWASP Non-Human Identity Top 10 | NHI-07 | Dormant SaaS access often includes stale machine identities and secrets. |
| NIST AI RMF | MAP | Lifecycle mapping helps locate where unused access and spend accumulate. |
Assign explicit SaaS owners and renewal accountability under ID.GV-1.
Related resources from NHI Mgmt Group
- How should teams govern SaaS licences as part of identity management?
- How should security teams manage SaaS app inventory as the business grows?
- How should teams stop SaaS apps from being renewed after the business no longer needs them?
- How should teams govern SaaS licences when users can sign up outside IT?
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org