
The Problem of SaaS Sprawl: Where SaaS Management and Identity Governance Meet (And Both Fail)

Aditi Sharma
Director, Strategy & GTM
December 11, 2025
8 min read
About the author

Aditi leads Go-to-Market (GTM) and Business Strategy at Zluri, where she helps mid-market organizations modernize their identity governance and access management practices. Prior to Zluri, she was a Management Consultant at McKinsey & Company advising large enterprises on digital transformation, and part of the enterprise software investment team at B Capital. She holds an engineering degree from IIT Kharagpur and an MBA from Harvard Business School.

The CFO emails: "How many SaaS and AI applications are we paying for?"

The CISO Slacks you: "How many SaaS and AI applications do employees have access to?"

Two different stakeholders, two different concerns—both expect you to answer with certainty. You check your systems:

Okta shows 43 applications. Finance reports 78 subscriptions. Network monitoring catches 112 applications.

The actual number is 247.

This isn't a counting error. It's the same root cause breaking two different domains you're responsible for managing.

For SaaS Management: The CFO and Finance need you to optimize costs. You can't optimize costs for applications you don't know exist. You're paying for duplicate tools, unused licenses, and abandoned subscriptions—none of which appear in spend analysis because discovery happens too late.

For Identity Governance: The CISO and Security need you to govern access. You can't govern access to applications you don't know exist. You're running access reviews that miss 60% of actual access, provisioning workflows that don't include tools employees actually use, and offboarding processes that leave former employees with active accounts.

Same problem. Same root cause. Two parallel failures that both land on your desk.

The root cause: traditional discovery methods find applications at the end of a five-stage adoption process. But SaaS and AI sprawl happens at stage one—before you have visibility into either cost or access.


The Five Stages of SaaS Sprawl

Here's how a typical SaaS or AI application enters your environment and creates problems for both domains:

Stage 1: Signup

An employee finds a tool that solves an immediate problem. Marketing needs a design collaboration platform. A developer wants an AI coding assistant. Sales wants a prospect intelligence tool.

They sign up with a corporate email address. No approval required. No IT involvement. No procurement process. Just an email, a password, and they're in.

The application now exists in your environment.

What you can't see for SaaS Management: The application isn't generating charges yet. It's not in the expense system. It's not in any spend report. When Finance asks you to analyze software costs, this application doesn't exist in your data.

What you can't see for IGA: The application isn't in Okta. It's not integrated with your identity provider. It's not in any access review. When Security asks you to certify employee access, this account doesn't appear in your workflows.

You're blind to the same application for both purposes, for the same reason: discovery happens through systems that only catch applications after they've been formally adopted or purchased.

Stage 2: Team Adoption

The employee who signed up invites colleagues. "We're using Figma for the rebrand project—here's the invite link." Five people create accounts. Then ten. Then twenty.

What you can't see for SaaS Management: Still no charges. The team is on a free tier or using trial licenses. Finance sees nothing. When they ask for spend analysis, it shows zero cost. But the actual cost is accumulating—in time spent learning the tool, in data being stored in it, in workflows being built around it.

What you can't see for IGA: Twenty employee accounts that can't be reviewed. Twenty people with access that isn't governed. Twenty accounts that won't be deactivated when people leave. Your access review workflows don't include this application because it's not in your identity system.

Same discovery gap. You're operating without visibility into what's actually happening in your environment for both cost control and access governance.

Stage 3: Purchase

The free tier hits its limits or the trial expires. Someone enters a credit card—corporate or personal—and upgrades to a paid plan.

What you can see for SaaS Management (maybe): If they used a corporate card processed through the expense system, Finance might see a charge. But Finance sees "productivity software - $800/year" and categorizes it under general office expenses. No flag to you that this is a new application requiring evaluation. No notice that a team just committed to annual spend on a tool that might duplicate existing capabilities.

If they used a personal card and expensed it, Finance sees "software reimbursement" with no application name. If the department has a discretionary budget, the charge bypasses Finance entirely—and you never hear about it.

What you can see for IGA: Still nothing. No SSO integration means no visibility. The application has twenty active users, contains business data, and has been in use for weeks—but it doesn't exist in any of your governance workflows.

By Stage 3, the application has been in your environment long enough to become embedded in team workflows, generate actual costs, and create ungoverned access. You're discovering it too late to make proactive decisions for either domain.

Stage 4: IT Discovery (Maybe)

Someone has a permissions question, a security concern, or wants to integrate with another tool. They contact you.

This is when you learn the application exists. Not when it was adopted. Not when the team started using it. Not when the purchase happened. Weeks or months after the application entered the environment.

What you face for SaaS Management: You discover you're paying for a tool that duplicates capabilities you already have. Three teams bought three different project management platforms, none knowing the others exist. By the time you find out, each team has embedded their chosen tool in their workflows. When you tell Finance about potential consolidation, they point out that migration means disruption, which means political resistance from teams who are already productive with their chosen tools.

What you face for IGA: You discover twenty accounts that should have been included in last quarter's access review. You discover that three of those accounts belong to people who left the company months ago—their access was never revoked because your offboarding workflow didn't include an application you didn't know about. When Security asks about it, you have no good answer.

You're now managing reactively for both stakeholders. You're not deciding whether to adopt this tool—that decision already happened. You're deciding how to govern something that's already embedded in operations.

Stage 5: SSO Integration (Maybe)

If you decide to manage the application and have resources to integrate it, you configure SSO. You add it to Okta. You set up provisioning rules. You include it in access reviews.

What you can finally deliver for SaaS Management: The application appears in your IT inventory. Finance can now track it for spend analysis. You can include it in vendor management. You can evaluate it for consolidation opportunities. But you're discovering at Stage 5 something that was purchased at Stage 3, adopted at Stage 2, and signed up for at Stage 1. The CFO asks why you didn't catch this earlier—you don't have a good answer beyond "we didn't know it existed."

What you can finally deliver for IGA: The application appears in your identity system. Security can now review access to it. You can provision it through automated workflows. You can include it in offboarding. But you're governing at Stage 5 something that's been creating ungoverned access since Stage 1. The CISO asks about the ex-employee accounts that remained active for months—again, no good answer beyond "we didn't know the application existed."

Traditional IGA platforms discover applications through IDP and SSO integration—at Stage 5. Traditional SaaS Management discovers through finance systems—at Stage 3 at best. Both methods discover too late to prevent the problems that accumulate in earlier stages. And you're the one fielding questions from both stakeholders about why these problems keep happening.

How the Discovery Gap Creates Cost Problems for Finance

The time gap between Stage 1 (adoption) and Stage 3-5 (when you discover applications) creates four compounding cost problems that Finance holds you accountable for:

1. Duplicate Application Spend

You manage Jira for project management. Finance approved $15,200/year for 45 licenses.

What Finance doesn't know—and what you don't know: Marketing signed up for Monday ($8,400/year, 29 users, Stage 2—no charges yet, using extended trial). Product purchased Asana ($12,600/year, 38 users, Stage 3—Finance coded it as "productivity tools"). Design adopted Notion for project tracking ($4,800/year, 23 users, Stage 4—you just discovered when someone requested Slack integration).

Combined cost: $41,000/year for four tools doing the same thing. The CFO sees the Finance report and asks why you're paying for duplicate tools. Could you consolidate to one? Probably. Should you have prevented three redundant purchases? Definitely.

But you can't prevent what you can't see. By the time you discover the duplication (Stage 3-5), each team has already committed to their tool, built workflows around it, and stored data in it. When you suggest consolidation, teams push back. The cost of consolidation now includes migration effort, workflow disruption, and political capital you need to spend.

Late discovery turns potential prevention into expensive remediation. Finance wants to know why you didn't catch this earlier—the answer is you didn't know these applications existed until teams were already dependent on them.

2. License Waste From Inactive Users

Your Figma subscription shows 50 licenses at $144/year each. Total cost: $7,200/year that Finance approved.

When you finally run comprehensive discovery, you find 73 active accounts:

  • 8 belong to contractors who finished projects months ago (Stage 2 signups, never removed)
  • 12 are duplicate accounts where employees signed up before you provisioned them (Stage 1-2)
  • 3 belong to employees who left the company (Stage 1-2 signups not included in offboarding)

That's 23 unnecessary licenses costing $3,312/year. Multiply this across 247 applications and you're looking at hundreds of thousands in recoverable spend. Finance wants to know why you're not optimizing licenses. The answer: you can't reclaim licenses you don't know about.

Applications discovered at Stage 5 are the ones you're actively managing. Applications stuck in Stages 1-3 accumulate waste because no one's tracking who has access. When the CFO reviews the budget, these inefficiencies show up as "IT not managing software costs effectively"—even though the real problem is discovery gaps, not management failures.

3. Missed Negotiation Opportunities

A team signs up for an analytics platform at Stage 1. Uses the free tier for two months (Stage 2). Purchases at the listed price when they hit limits (Stage 3). Three other teams independently do the same thing over the next six months.

By the time you discover all four subscriptions (Stage 4-5), Finance has paid full price four times. If you'd discovered at Stage 1-2, you could have:

  • Negotiated volume pricing across all teams
  • Evaluated alternatives with better pricing
  • Coordinated adoption to maximize negotiating leverage
  • Standardized on enterprise plans with better per-seat costs

Finance reviews vendor spending and asks why you didn't negotiate better rates. The answer: by the time you knew about each purchase, it had already happened. Late discovery means paying retail prices repeatedly when enterprise pricing was available. The cost difference isn't just inefficiency—it's compounding waste that grows with every independent purchase Finance processes without your input.

4. Hidden Category Spending

The CFO asks you: "What's our AI tools spend?"

Finance reports $47,000 based on invoices they processed. You report the same number because that's what's in your systems. Reality: $89,000, because:

  • Developers signed up for AI coding assistants and expensed them on personal cards (Stage 1-3, Finance sees "software reimbursement" not "AI tools")
  • Marketing bought AI image generation tools through agency budgets (Stage 3, Finance categorizes as "consulting services" not "software")
  • Sales purchased AI sales intelligence platforms through departmental discretionary budgets (Stage 3, bypasses central procurement entirely)

You can't manage category spending when applications are discovered months after purchase and miscategorized when they are discovered. The CFO thinks AI spending is $47K. Finance builds next year's budget on that number. You can't optimize a budget that's actually $89K because your discovery methods only catch what's properly categorized in systems you monitor.

When the actual spending emerges during quarterly reviews, it looks like you've lost control of software spend. The real problem: discovery gaps that let purchases happen outside your visibility.

How the Same Discovery Gap Creates Governance Problems for Security

The same time gap between Stage 1 (adoption) and Stage 5 (when you discover applications) creates three parallel governance failures that Security and GRC hold you accountable for:

1. Access Reviews That Miss 60% of Actual Access

Your quarterly access review asks managers to certify employee access. The review covers 43 applications in Okta (Stage 5 applications).

Manager reviews Sarah's access: "Project management tool - Approved."

What the review doesn't show: Sarah has access to three different project management tools:

  • Jira in Okta (Stage 5) - shows in review
  • Monday that Marketing adopted (Stage 2) - doesn't show in review
  • Asana that Product purchased (Stage 3) - doesn't show in review

The manager approves "project management access" thinking Sarah has access to one tool. She actually has access to three. Two of those access grants are ungoverned because they're not in your IGA system.

The manager isn't failing to review properly. The access review is failing because it only shows Stage 5 applications. Applications in Stages 1-4 remain invisible to your governance workflows.

When auditors ask for proof of quarterly access reviews, you show them certifications covering 43 applications. What you can't tell them: employees have access to 247 applications. Your access reviews cover 17% of actual access. The other 83% is ungoverned because discovery happened too late to include it in reviews.

The CISO asks why access reviews aren't comprehensive. You explain that managers can only certify access you know about. Security points out that ungoverned access is still your responsibility, regardless of when you discovered it.

2. Provisioning Automation That Can't Match Reality

You write a provisioning rule: "Marketing role gets access to design tools."

But which design tools? The one in Okta that you integrated (Stage 5)? The one Marketing adopted six months ago that's now their primary tool (Stage 2)? The one a contractor introduced that half the team uses (Stage 1)?

New marketing hire starts. Your provisioning system grants access to the Stage 5 tool. She needs the Stage 2 tool to collaborate with her team. She can't do her job because your automation is provisioning access based on what you know about (Stage 5) rather than what employees actually use (Stages 1-3).

You fall back to manual provisioning for every access request. What was supposed to be an automated workflow becomes a ticketing process because your IGA system doesn't know which tools each team actually uses.

When the COO reviews IT efficiency metrics, manual provisioning rates are climbing. The explanation—that you can't automate what you haven't discovered—doesn't change the metric. The provisioning automation isn't broken. The discovery is broken. You're automating based on outdated application inventory because discovery happens at Stage 5 while usage happens at Stages 1-2.

3. Offboarding That Leaves Former Employees With Access

Sarah leaves the company. Your offboarding workflow revokes access to applications in your IGA system—the 43 Stage 5 applications you know about and integrated.

But Sarah's accounts in Stage 1-4 applications remain active:

  • The AI coding assistant she signed up for (Stage 1) - still active
  • The design collaboration tool her team adopted (Stage 2) - still active
  • The analytics platform Marketing purchased (Stage 3) - still active
  • The project management tool you discovered but haven't integrated yet (Stage 4) - still active

Three months after Sarah left, someone notices her name still appears as owner on a critical tool. She has access to:

  • Customer data from the CRM integration her team built
  • Financial information from the analytics platform she configured
  • Strategic documents from the collaboration tool where she's still admin

This isn't a theoretical risk. Former employee access is consistently one of the top vectors for data breaches. Not because you don't have offboarding processes—because those processes only cover applications you know about.

When the CISO reviews security incidents and finds ex-employee accounts, the question is always: "Why wasn't this caught during offboarding?" The answer—that you didn't know the application existed—doesn't reduce the security exposure or the compliance violation.

The same discovery gap that creates cost problems for Finance (by hiding spend) creates governance problems for Security (by hiding access). You're operating on incomplete information for both domains because you're discovering at Stage 5 what's actually happening at Stage 1.

Why You're Caught Between Two Failing Domains

Here's what makes this worse than just two separate problems: the failures reinforce each other, and you're accountable to both stakeholders.

Cost waste enables governance failures: When Finance can't see duplicate applications, teams keep using all of them. When teams use three project management tools, you can't write provisioning rules that work consistently. You can't certify access when managers don't know which tools serve which purposes. License waste continues because no one can identify which tools should be consolidated.

Governance failures enable cost waste: When you can't govern applications in Stages 1-3, teams adopt without coordination. Product buys a tool without knowing Marketing already has something similar. Cost waste multiplies because governance isn't preventing duplicate purchases before they happen.

Both fail from late discovery: Finance discovers at Stage 3 (purchase) or later. Security discovers at Stage 5 (SSO integration) or never. By the time either stakeholder sees an application, it's already generating costs, creating ungoverned access, and embedded in workflows.

The CFO and CISO both ask why you can't manage this better. The answer is they're both relying on discovery methods that find applications too late. Finance tracking catches purchases weeks after they happen. IGA platforms catch integrations months after adoption. You're managing reactively for both because discovery is reactive.

The solution isn't better cost optimization or better access governance. Those are symptoms. The solution is earlier discovery that reveals applications before they generate compounding costs and ungoverned access for both domains you're responsible for managing.

What Earlier Discovery Enables You to Deliver

Discovering applications in Stages 1-3 instead of Stages 3-5 changes what you can deliver to both stakeholders:

For Finance and Cost Management:

Stage 1-2 discovery lets you prevent duplicate purchases. You catch applications when 5-10 people are using them, before they scale to 50. Before someone enters a credit card. Before costs compound. You can evaluate the tool against existing alternatives, decide whether to integrate or migrate, and prevent purchases before they happen. When Finance asks about software spend control, you can show prevention instead of explaining why cleanup is expensive.

Stage 3 discovery enables proactive negotiation. You catch purchases close to when they happen, while teams are still in trial or early paid periods. You can negotiate volume pricing before usage scales, consolidate licenses across departments who bought independently, coordinate with similar tools other teams are evaluating. When the CFO reviews vendor spending, you're negotiating enterprise terms instead of explaining why you paid retail four times.

Continuous discovery prevents category spending blind spots. When you discover AI tools at Stage 1-2 instead of months later, you can track actual category spending, negotiate enterprise agreements that cover all teams, identify duplicate AI capabilities before multiple teams purchase independently. When Finance asks "what's our AI spend," you have an accurate answer.

For Security, GRC, and Access Governance:

Stage 1-2 discovery makes access reviews complete. Instead of reviewing 43 applications, you review all 247. Managers can make informed decisions about whether employees need access to three different project management tools or just one. When auditors ask for access reviews, you can show compliance reports that accurately reflect actual access, not just Stage 5 access. The CISO sees comprehensive governance instead of partial coverage.

Stage 2-3 discovery makes provisioning automation work. You know which tools each team actually uses, not just which tools are in Okta. You can write provisioning rules that grant access to tools employees need for their jobs, not just tools you've integrated. When the COO reviews IT efficiency metrics, provisioning automation rates improve because you're automating against complete application inventory.

Stage 1-4 discovery makes offboarding complete. Sarah leaves the company. Your offboarding workflow revokes her access to all 247 applications, not just the 43 in your IGA system. No more ghost accounts appearing months later because you didn't know those applications existed. When Security reviews ex-employee access exposure, the answer is "none" instead of "we're still finding accounts."

Earlier discovery doesn't fix everything. But it shifts you from reactive documentation to proactive management for both stakeholders.

How You Can Discover Earlier Than Stage 5

Traditional IGA platforms discover applications through IDP and SSO integration. This is Stage 5 discovery—after you've learned about applications, evaluated them, decided to integrate them, and completed technical implementation.

Traditional spend tracking discovers through finance systems. This is Stage 3 discovery—after applications have been purchased and generated charges that Finance processes.

Discovering in Stages 1-3 requires methods beyond IDP integration and finance tracking. Comprehensive discovery requires:

Multiple detection methods working together: Browser monitoring catches usage at Stage 1-2. Email analysis spots signup confirmations at Stage 1. Network monitoring detects application traffic at Stage 1-2. Desktop agents find standalone applications that don't run in browsers. API integrations with Google Workspace and Slack reveal authorized apps users enable without your involvement.

Each method discovers applications at different adoption stages. Combined, they catch applications throughout the lifecycle—not just at the end when SSO integration finally happens.

Continuous automated discovery: Applications get adopted continuously. Every day, employees sign up for new tools. Every week, departments purchase new applications. Discovery needs to be continuous because adoption is continuous. For mid-market IT organizations without resources to manually hunt for applications, this requires automation that runs without constant intervention.

Early-stage findings surfaced to you for both purposes: When discovery catches an application at Stage 1-2, you can act on it for both Finance and Security. You can evaluate cost implications and prevent duplicate purchases. You can decide whether to integrate, assess security requirements, plan provisioning rules. Early discovery serves both stakeholders because both need you to act before the application reaches Stage 5.

The goal isn't discovering every application the moment someone creates an account. That's impossible when hundreds of employees can sign up for thousands of applications. The goal is discovering applications early enough that you can govern proactively instead of documenting reactively.
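As an added example that is not part of the original post or of Zluri's product, the script below does what this section and the five-stage model above describe: it unions several discovery sources, assigns each application a stage from which sources see it, measures how much of the real inventory an SSO-only access review would cover, and flags terminated employees whose accounts sit in applications outside SSO. All application names, users and source feeds are constructed, and the stage rules are one reading of the article's model, not a published algorithm.

```python
"""Reconcile SaaS discovery sources and classify apps by adoption stage.

Added example (not Zluri's code). Sources, app names and users below are
constructed to mirror the article's scenario; the stage rules are one
reasonable reading of its five-stage model, not a published algorithm.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# --- constructed sample data -------------------------------------------------
# Stage 5: integrated with the IdP (what a traditional IGA platform sees)
SSO_APPS: Set[str] = {"jira", "figma", "salesforce"}
# Stage 4: IT learned of the app (ticket, integration request) but no SSO yet
IT_KNOWN_APPS: Set[str] = {"notion"}
# Stage 3: invoices / expense lines Finance processed (may be miscategorized)
FINANCE_APPS: Set[str] = {"jira", "figma", "salesforce", "asana", "notion"}
# Stage 1-2: browser/network/email telemetry: app -> users observed using it
OBSERVED_USERS: Dict[str, Set[str]] = {
    "jira": {"sarah", "lee", "priya"},
    "figma": {"sarah", "lee"},
    "asana": {"sarah", "tom", "priya"},
    "monday": {"sarah", "lee", "tom", "priya", "ana"},
    "notion": {"lee", "ana"},
    "ai-code-helper": {"sarah"},           # single signup, free tier
    "analytics-suite": {"tom", "priya"},
}
# Terminated employees from the HRMS feed
TERMINATED: Set[str] = {"sarah"}


@dataclass
class Inventory:
    stages: Dict[str, int] = field(default_factory=dict)
    # accounts that SSO-based offboarding would miss: (user, app)
    orphaned: List[Tuple[str, str]] = field(default_factory=list)

    def coverage(self) -> float:
        """Share of discovered apps an SSO-only access review would cover."""
        if not self.stages:
            return 0.0
        governed = sum(1 for s in self.stages.values() if s == 5)
        return governed / len(self.stages)


def classify_stage(app: str) -> int:
    """Map an app to the article's stage based on which sources see it."""
    if app in SSO_APPS:
        return 5
    if app in IT_KNOWN_APPS:
        return 4
    if app in FINANCE_APPS:
        return 3
    users = OBSERVED_USERS.get(app, set())
    # more than one observed user means the team has adopted it (stage 2)
    return 2 if len(users) > 1 else 1


def reconcile() -> Inventory:
    inv = Inventory()
    # The union across sources is the real inventory; any single source
    # under-counts (the article's 43 / 78 / 112 versus 247).
    every_app = SSO_APPS | IT_KNOWN_APPS | FINANCE_APPS | set(OBSERVED_USERS)
    for app in sorted(every_app):
        inv.stages[app] = classify_stage(app)
    # Offboarding only reaches SSO apps; flag terminated users still seen
    # in any non-SSO app so their accounts can be revoked by hand.
    for app, users in OBSERVED_USERS.items():
        if app in SSO_APPS:
            continue
        for user in sorted(users & TERMINATED):
            inv.orphaned.append((user, app))
    return inv


def count_by_stage(inv: Inventory) -> Dict[int, int]:
    """Histogram of applications per stage, for the CFO/CISO summary."""
    counts: Dict[int, int] = {s: 0 for s in range(1, 6)}
    for stage in inv.stages.values():
        counts[stage] += 1
    return counts


if __name__ == "__main__":
    inv = reconcile()
    print("apps by stage:", count_by_stage(inv))
    print("SSO-only review coverage: %.0f%%" % (100 * inv.coverage()))
    for user, app in inv.orphaned:
        print(f"offboarding gap: {user} still has an account in {app}")
```

Replacing the constructed sets with exports from your IdP, expense system and telemetry gives the same three answers for your own environment: the stage histogram, the review coverage ratio, and the list of ex-employee accounts outside SSO.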

The Mid-Market (500-5000 employees) IT Challenge

Enterprise organizations can throw resources at this problem. They hire consultants to inventory applications. They build custom discovery tools. They dedicate teams to monitoring adoption.

Mid-market IT faces a different reality:

You can't assign someone full-time to hunt for applications. Discovery needs to work without constant manual intervention.

You can't build custom integrations for every detection method. Discovery needs to work out of the box.

You can't stop employees from signing up for tools they need. Shadow IT will continue because approval processes are slower than finding solutions independently.

This is why comprehensive discovery requires methods beyond IDP and SSO integration. It's the only way to achieve visibility in mid-market environments where:

  • Applications get adopted through every possible path
  • Finance systems only catch some purchases
  • SSO integration only happens for some applications
  • You need complete visibility to answer both the CFO and CISO

Traditional IGA vendors will tell you they support application discovery. What they won't tell you: their discovery works through SSO integration, which only catches applications you've already integrated with your identity provider.

The other 60% of applications—shadow IT, departmental purchases, trial signups, non-integrated tools—remain invisible to you for both cost management and access governance.

Why This Matters Now

Every day without comprehensive discovery, both problems worsen and you field questions from both stakeholders:

The cost problem compounds: More licenses get purchased without coordination. More duplicate tools get adopted. More unused accounts accumulate. That $340K spend becomes $400K, then $500K, as applications multiply faster than either Finance or you can track them. The CFO's quarterly reviews get harder to explain.

The governance problem compounds: More employees get access to applications you don't know about. More accounts remain active after people leave. More compliance violations accumulate as access reviews fail to cover actual access. The CISO's security posture reports show increasing gaps.

You're not starting fresh with a clean slate. You're inheriting years of SaaS and AI sprawl that accumulated while you were discovering at Stage 5. Applications adopted at Stage 1, purchased at Stage 3, embedded in workflows by Stage 4—all before you saw them.

Traditional approaches tell you to implement better governance: require approval for new applications, enforce purchasing through IT, mandate SSO integration before adoption. All reasonable policies for future applications. None of them address the 204 applications that already exist in your environment, adopted before governance existed.

When Finance asks why spend is over budget, the explanation that applications were purchased outside your visibility doesn't help. When Security asks why ex-employee accounts exist, the explanation that applications weren't discovered during offboarding doesn't reduce the risk.

The Path Forward

If your IGA platform shows 43 applications and Finance reports 78 subscriptions, but your actual environment has 247 applications, you have a discovery problem that's creating failures for both stakeholders you serve.

You can't optimize costs for Finance when you're discovering applications months after purchase. You can't govern access for Security when you're discovering applications after they're embedded in workflows. You're discovering at Stage 5 what needs to be discovered at Stage 1.

The solution isn't better cost optimization or better access governance. Those are symptoms. The solution is earlier discovery that reveals applications before they generate compounding costs and ungoverned access.

You can't eliminate the discovery gap entirely. Applications will always be adopted before you're involved. But you can shrink the gap from months to weeks, from hundreds of undiscovered applications to dozens, from reactive documentation to proactive management.

Start by understanding where your discovery currently happens. If you're discovering through Finance systems (Stage 3), you're finding applications weeks or months after adoption. If you're discovering through SSO integration (Stage 5), you're finding applications only after you've integrated them.

Both discoveries are too late. The applications you need to discover are in Stages 1-2, before they've generated costs Finance will ask about and access Security will flag.

This is where SaaS Management and Identity Governance intersect—at the same discovery gap, failing for the same reason, landing on your desk as two separate stakeholder concerns. Fix discovery, and both domains become manageable. Continue discovering at Stage 5, and both will continue failing while SaaS and AI sprawl compounds daily.

You can't manage costs you can't see. You can't govern access you don't know about. Start by seeing what's actually there—early enough to do something about it for both Finance and Security.

How Zluri Solves Both Problems in a Single Platform

The dual failure problem requires a unified solution. You can't fix SaaS Management and Identity Governance separately when they both fail from the same root cause.

Zluri provides comprehensive discovery, SaaS management, and identity governance in a single platform—designed specifically to solve the Stage 1-5 gap that creates problems for both Finance and Security.

Comprehensive Discovery That Catches Stage 1-2 Shadow Sprawl

Zluri uses nine discovery methods working simultaneously to detect applications throughout the adoption lifecycle:

  • SSO/IDP integration: Catches Stage 5 applications you've already integrated
  • Finance system integration: Catches Stage 3 purchases across expense systems
  • Browser extensions: Detects Stage 1-2 web application usage before charges
  • Desktop agents: Identifies Stage 1-2 installed applications
  • CASB integration: Monitors cloud application traffic at Stage 1-2
  • MDM integration: Tracks mobile applications on employee devices
  • API integrations: Reveals OAuth apps authorized in Google Workspace, Slack, Microsoft 365
  • HRMS integration: Maps employee data to application usage
  • Directory integration: Syncs with Google Directory and Azure AD

No single method provides complete visibility. Zluri combines all nine to catch applications at Stages 1-3—before they become embedded, before they generate duplicate costs, and before they create ungoverned access.

SaaS Management That Delivers for Finance

Once Zluri discovers applications early, you can optimize costs proactively:

Eliminate duplicate applications: Identify three teams using three project management tools before they commit workflows. Consolidate to one tool while migration is still manageable.

Reclaim wasted licenses: Find inactive users, ex-employee accounts, and duplicate accounts across all 247 applications—not just the 43 in Okta. Recover hundreds of thousands in unnecessary spend.

Negotiate better terms: Catch multiple teams evaluating the same tool at Stage 1-2. Negotiate volume pricing before anyone purchases, saving 30-40% compared to each team buying independently at list price.

Track actual spending: See the full $340K in SaaS spend, not just the $200K Finance reports. Identify applications purchased through departmental budgets, personal cards, or miscategorized as "consulting services."

When the CFO asks about software costs, you have accurate data. You can show prevention instead of explaining cleanup.

Identity Governance That Delivers for Compliance, Security and Efficiency

Zluri's IGA capabilities work across all discovered applications—not just Stage 5 SSO-integrated apps:

Complete access reviews: Review access to all 247 applications, not just the 43 in Okta. Managers certify access based on complete visibility into which tools employees actually use.

Automated provisioning: Write provisioning rules that work because Zluri knows which tools each team uses. New marketing hires get access to the design tool Marketing actually uses, not just the one in your SSO portal.

Complete offboarding: Revoke access to all applications when employees leave—including Stage 1-4 applications that aren't in your IGA system. No more ghost accounts appearing months later.

Compliance reporting: Show auditors access reviews that cover actual access, not just the 43 applications behind Okta. Demonstrate governance that includes shadow sprawl, not just managed applications.

When the CISO asks about access reviews, you show comprehensive coverage. When auditors ask about ex-employee access, the answer is "none"—not "we're still finding accounts."

One Platform, Both Stakeholders

The power of Zluri isn't just combining SaaS Management and IGA—it's that comprehensive Stage 1-3 discovery serves both purposes simultaneously:

  • Finance sees cost optimization opportunities the moment applications are detected
  • Security sees governance gaps the moment applications are detected
  • You act on Stage 1-2 discoveries before they create problems for either stakeholder

Instead of managing two separate tools with two separate inventories discovering at two different stages, you manage one platform with one complete inventory discovering throughout the adoption lifecycle.

The CFO gets accurate spend data and optimization recommendations. The CISO gets complete access governance and compliance reporting. You get a single source of truth that serves both stakeholders—and answers both their questions from the same discovery foundation.

Built for Mid-Market IT

Zluri's automated discovery runs continuously without requiring dedicated resources. You don't need to:

  • Assign someone full-time to hunting for shadow sprawl
  • Build custom integrations for each detection method
  • Manually correlate data from nine different sources
  • Choose between serving Finance or serving Security

The platform works out of the box with the nine discovery methods pre-configured. Applications detected at Stage 1-2 automatically flow into both SaaS Management workflows (cost optimization, license reclamation) and IGA workflows (access reviews, provisioning, offboarding).

You discover early. You optimize costs for Finance. You govern access for Security. All from one platform designed to solve the discovery gap that breaks both domains.

Schedule a demo to see how Zluri's unified platform solves both the cost problem and the identity and access governance problem—by fixing the discovery problem that causes both.

Frequently Asked Questions

What is SaaS sprawl?
SaaS sprawl refers to the uncontrolled proliferation of SaaS and AI applications within an organization. It occurs when employees, departments, and teams independently adopt applications without central IT oversight, leading to redundant tools, ungoverned access, and untracked spending. Organizations typically have 3-6 times more applications than IT believes they're managing.

How does SaaS sprawl affect both Finance and IT Security?
SaaS sprawl creates parallel failures for both stakeholders. For Finance and the CFO: duplicate application purchases, wasted licenses, missed negotiation opportunities, and hidden spending that makes budgets inaccurate. For Security and the CISO: incomplete access reviews, failed provisioning automation, ex-employee accounts that remain active, and compliance violations from ungoverned access.

Why can't IT just track all SaaS purchases through Finance?
Finance-based tracking only catches applications that generate charges through monitored channels. It misses: free tier applications, personal card purchases that are expensed, departmental budget purchases that bypass central tracking, miscategorized transactions coded as "consulting" instead of "software," and trial periods that haven't converted to paid yet. Finance typically sees 40-60% of actual SaaS spending.

What's the difference between SaaS Management and Identity Governance?
SaaS Management focuses on cost optimization—tracking software spend, eliminating duplicate tools, reclaiming unused licenses, and negotiating better vendor terms. Identity Governance (IGA) focuses on access control—reviewing who has access to what, automating provisioning/deprovisioning, and ensuring compliance. Both fail when you can't see all the applications in your environment.

Why do access reviews fail when there's SaaS sprawl?
Access reviews only cover applications in your IGA system (in the example above, 43 of 247 applications). When managers certify that "Sarah has appropriate project management access," they're approving access to one tool while Sarah actually has access to three, two of which aren't in the review because IT hasn't discovered them yet. Reviews fail because they're incomplete, not because managers aren't doing their jobs.

How does SaaS sprawl cause offboarding failures?
Offboarding workflows only revoke access to applications IT knows about. When an employee leaves, your automation deactivates their accounts in 40-50 applications (the ones in your IGA system). But their accounts in the other 200+ applications remain active because those apps aren't in your offboarding workflow. Three months later, ex-employees still have access to customer data, financial information, and business systems.
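The offboarding gap described in this answer, and under "Complete offboarding" above, as an added example that is not Zluri's code: the HR roster (with termination dates) is joined against the accounts discovered in every application, not only the ones the deprovisioning workflow covers. Each surviving account is reported with how long the person has been gone, whether automation should have caught it, and whether the account was used after the leaving date. Accounts whose e-mail matches no HR identity are listed separately. The roster, the account exports, the workflow scope and the reference date are all constructed assumptions.

```python
"""Added example: find accounts that survived offboarding by joining the HR
roster against accounts discovered across all apps. Data shapes are assumed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed HR roster: e-mail -> termination date (None = still employed).
ROSTER = {
    "sarah@example.com": date(2025, 9, 15),
    "raj@example.com": None,
    "lee@example.com": date(2025, 11, 30),
}

# Apps the automated offboarding workflow actually deprovisions (assumed).
OFFBOARDING_SCOPE = {"slack", "jira"}

# Constructed per-app account exports from the discovery layer.
ACCOUNTS = [
    {"app": "slack", "email": "Sarah@example.com", "active": False, "last_login": date(2025, 9, 14)},
    {"app": "jira", "email": "sarah@example.com", "active": True, "last_login": date(2025, 9, 10)},
    {"app": "notion", "email": "sarah@example.com", "active": True, "last_login": date(2025, 10, 2)},
    {"app": "notion", "email": "raj@example.com", "active": True, "last_login": date(2025, 12, 1)},
    {"app": "asana", "email": "lee@example.com", "active": True, "last_login": date(2025, 11, 20)},
    {"app": "asana", "email": "svc-bot@example.com", "active": True, "last_login": date(2025, 12, 1)},
]


@dataclass(frozen=True)
class GhostAccount:
    app: str
    email: str
    days_since_termination: int
    in_offboarding_scope: bool    # True: the workflow should have revoked it
    used_after_termination: bool  # a login was observed after the leaving date


def ghost_accounts(roster=ROSTER, accounts=ACCOUNTS, scope=OFFBOARDING_SCOPE,
                   today: date = date(2025, 12, 11)) -> list[GhostAccount]:
    """Active accounts belonging to people HR has marked as terminated,
    oldest first. Deactivated accounts and current employees are skipped."""
    findings = []
    for acct in accounts:
        email = acct["email"].lower()   # exports disagree on case
        left_on = roster.get(email)
        if left_on is None or not acct["active"]:
            continue
        findings.append(GhostAccount(
            app=acct["app"],
            email=email,
            days_since_termination=(today - left_on).days,
            in_offboarding_scope=acct["app"] in scope,
            used_after_termination=acct["last_login"] > left_on,
        ))
    return sorted(findings, key=lambda g: (-g.days_since_termination, g.app))


def orphan_accounts(roster=ROSTER, accounts=ACCOUNTS) -> list[tuple[str, str]]:
    """Active accounts with no matching HR identity (service accounts,
    contractors, shared logins): nobody's departure will ever revoke them."""
    return sorted((a["app"], a["email"].lower()) for a in accounts
                  if a["active"] and a["email"].lower() not in roster)


if __name__ == "__main__":
    for g in ghost_accounts():
        where = "IN workflow scope" if g.in_offboarding_scope else "outside workflow"
        flag = " (used after leaving!)" if g.used_after_termination else ""
        print(f"{g.email} still active in {g.app}: {g.days_since_termination} days, {where}{flag}")
    for app, email in orphan_accounts():
        print(f"{email} in {app}: no HR record")
```

Two findings here are outside the workflow and would never have been closed by automation; the third is inside the workflow and still active, which is a separate failure (the deprovisioning connector did not fire) that only shows up when discovery is compared against HR rather than trusted on its own.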

What's the actual cost of duplicate SaaS applications?
Mid-market organizations commonly pay $30,000-$100,000+ annually for duplicate tools. Example: Jira ($15K/year), Monday ($8K/year), Asana ($13K/year), and Notion ($5K/year) all doing project management—$41K total when one tool would suffice. Multiply this across collaboration tools, analytics platforms, communication tools, and AI assistants.

How much of our SaaS spend is actually hidden from Finance?
Actual SaaS spend is typically 40-70% higher than what Finance reports. If Finance reports $200K in SaaS costs, reality is often $300K-$350K once you include departmental purchases, personal card expenses, miscategorized transactions, and free tiers that will eventually convert to paid. The gap represents spending IT can't optimize because Finance can't see it.

Can't we just require all SaaS purchases go through IT approval?
Policy doesn't solve discovery problems. Even with strict approval policies, employees adopt applications because: approval processes are slower than signing up directly, departments have budget autonomy, teams don't consider "trying a free tool" as requiring approval, and contractors/agencies introduce tools during engagements. The solution is detecting applications early (Stages 1-3) when you can still influence decisions, not preventing all adoption.

Why does provisioning automation break with SaaS sprawl?
You write provisioning rules like "Marketing role gets design tool access." But which design tool? The one in Okta, or the one Marketing actually uses that IT hasn't integrated? When teams use Stage 1-2 applications that aren't in your IGA system, automation provisions access to the wrong tools. New hires can't do their jobs, and IT falls back to manual ticketing because automation doesn't match reality.

How do we explain failed access reviews to auditors?
When auditors ask for quarterly access reviews, you show certifications covering 40-50 applications. The problem: employees actually have access to 200-300 applications. Your reviews cover 15-25% of actual access. The other 75-85% is ungoverned because applications were adopted at Stages 1-2 before IT discovered them. This creates compliance gaps regardless of how well you execute reviews on known applications.

What discovery methods work earlier than Stage 5?
Stage 1-2 detection (before embedding): Browser extensions, desktop agents, CASBs, MDM, API integrations. Stage 3 detection (at purchase): Finance system integration with automated SaaS identification. Stage 5 detection (after integration): SSO/IDP integration—too late to prevent costs or governance problems. You need all methods working together to catch applications throughout the adoption lifecycle.

Who owns fixing SaaS sprawl—Finance or IT Security?
Both stakeholders need you to fix discovery, but you own the problem as IT Director/Manager. Finance holds you accountable for cost control and vendor management. Security holds you accountable for access governance and compliance. You're caught between two failing domains with one root cause: incomplete visibility into what applications exist in your environment. Fix discovery, and you can deliver for both stakeholders.
