GETTING A HANDLE ON SAAS SPRAWL & SECURITY

SaaS sprawl is now an identity security problem

Nobody sets out to build a sprawling, half-documented SaaS estate. It just happens. A team needs a workflow tool. Sales adds an automation platform. Marketing connects something to the CRM “just for this campaign.” Finance signs off because the monthly cost looks harmless. Someone creates an admin account. Someone grants OAuth access. Someone leaves the company. Nobody remembers who owns the app.

And then, one day, the business has a hundred-plus SaaS applications, three versions of the same tool, a handful of dormant admins, several mystery integrations, and enough “temporary” access to give our auditor a lot of paperwork.

That’s the real problem with SaaS sprawl. It’s not only software sprawl. It’s identity sprawl.

It’s reported that companies use an average of 106 SaaS applications, down slightly from 112 in 2025, but the consolidation rate slowed from 14% to 5% year over year. Organizations may be trimming a few tools, but our notoriously unwieldy business SaaS estate isn’t going to magically tidy itself.  

Why SaaS sprawl happens

SaaS sprawl happens because SaaS works.

Modern teams can buy, trial, integrate, and deploy software without waiting six months for central IT to emerge from a procurement bottleneck. That speed is useful to stay competitive. It lets departments solve problems quickly, support remote teams, automate manual work, and experiment with AI-enabled tools (and their inevitable web of invisible AI trust chains) where AI access controls are an afterthought.

That same convenience creates blind spots. Apps are adopted outside normal review. Users are often added without clear ownership. Contractors keep access after projects end. OAuth grants and API tokens sit quietly in the background. AI assistants like OpenClaw connect to data sources because they make productivity easier, until they start rummaging through sensitive systems with the passion of a 40-lb raccoon at an open buffet. All this adds to cybersecurity risk.

The Cloud Security Alliance’s 2025 SaaS security research found that 86% of organizations now treat SaaS security as a high priority, while 63% report external data oversharing and 56% say employees upload sensitive data to unauthorized SaaS apps. That is when SaaS sprawl stops being an operational nuisance and becomes a serious data exposure problem.  

The security risk hiding in plain sight

The central question is not “How many apps do we have?” It is:

Who can access what, through which app, with what level of privilege, and does anyone still know why?

SaaS environments are full of human and non-human identities: employees, admins, contractors, service accounts, API keys, OAuth tokens, bots, integrations, and now AI agents. Each identity can become an access path. Each access path can become a risk. Each unowned app can become a compliance gap.

Verizon’s 2025 Data Breach Investigations Report found that credential abuse remained the leading initial access vector at 22%, with vulnerability exploitation close behind at 20%. For SaaS-heavy organizations, every unmanaged app expands the credential attack surface.  

A 2025 Google Threat Intelligence report showed this in the real world. Attackers abused compromised OAuth tokens from a third-party Salesforce integration to access customer environments and search stolen data for secrets, including AWS keys, cybersecurity passwords, and Snowflake tokens. That’s SaaS sprawl’s ugly cousin: integration sprawl.  

Discovery comes before control

We cannot secure what we do not know exists.

Effective SaaS sprawl management starts with discovery across multiple signals: SSO logs, identity provider groups, finance and expense data, browser usage, OAuth grants, HR records of movers, leavers, and joiners, cloud permissions, SaaS admin consoles, and ticketing systems. The goal is to build a living map of applications, users, owners, permissions, integrations, and risky access patterns.

That map needs to answer practical questions. Which apps are business-critical? Which ones contain regulated data? Which users have admin rights? Which third-party apps can read or export data? Which accounts are dormant? Which access was granted for a project that ended during the reign of someone’s previous laptop?

Once discovery is in place, the work becomes more valuable: remove unused access, assign app owners, enforce least privilege, expire temporary permissions, automate access reviews, and require approval for sensitive roles.

Secure SaaS sprawl by governing access

The mistake is treating SaaS security as a one-time cleanup. SaaS sprawl is not a weekend decluttering project. It is a living access governance problem.

The practical approach is to make access visible, time-bound with just-in-time access, owned, and reviewable. High-risk privileges should not be permanently assigned because “someone might need them one day.” Admin access should be justified, approved, logged, and removed when no longer needed. Contractor access should follow the project. Non-human identities should have owners, scoped permissions, and rotation policies.

This is where identity-first governance becomes the control layer. Instead of trying to manually police every SaaS app in isolation, organizations need a consistent way to understand entitlements, detect excessive access, automate access requests, and generate evidence.

Compliance needs evidence, not optimism

Regulators are not asking whether SaaS feels broadly under control. They want proof.

NIS2 establishes a cybersecurity framework across 18 critical sectors in the EU, while DORA focuses specifically on ICT risk, resilience, and third-party technology providers.  

SaaS sprawl lives exactly where compliance gets messy: third-party systems, sensitive data, unclear ownership, weak offboarding, excessive privilege, and poor audit trails.

A useful SaaS security program should automatically produce evidence: who requested access, who approved it, what changed, when it expired, whether privileged access was reviewed, and which stale entitlements were removed.

Don’t kill SaaS. Govern it.

The answer to SaaS sprawl isn’t to say no to every tool. That way lies shadow access, angry teams, and someone buying software on a corporate card under the title of “miscellaneous productivity.”

The better answer is disciplined visibility and access/identity governance.

Know what exists. Know who owns it. Know who can access it. Know what it connects to. Know whether access is still justified. Remove what is unnecessary. Time limit what’s risky. Review what remains. Keep evidence as we go. 

Another advantage is that when we fix access visibility, we can save on SaaS costs as any license waste becomes apparent. Once organizations gain proper visibility into SaaS identities, entitlements, and usage patterns, security and cost optimization stop being separate conversations. The same visibility that exposes risky access invariably exposes wasted spend.

SaaS sprawl has become identity and access sprawl. And identity sprawl is where attackers, auditors, and wasted budget all meet.

If your organization wants to take control of your SaaS sprawl and wants to know who can access what, when, and for how long, start our free trial or ask us for a demo, and in around 30 minutes, you’ll see every application, identity, entitlement, and access path—then get plain-English one-click recommendations to do something proactive about it.

Nik Hewitt

Technology

July 16, 2026

Don't fall behind the curve

Discover powerful features designed to simplify access management, track progress, and achieve frictionless JIT.

Free trial