SaaS Management | Shadow IT | Access Management | March 24, 2026

From 8 to 130: How Your SaaS Stack Got Out of Control

The average company used 8 SaaS apps in 2015. By 2022 that number was 130. This didn't happen by accident — it happened one reasonable decision at a time.

Nobody decided to have 130 SaaS applications. It happened one Slack integration at a time.

Year one: you have a CRM, email, a project management tool, and maybe a design platform. Eight apps feels manageable. You know who has access. You could list every tool from memory.

Year five: your head of sales signed up for three prospecting tools. Engineering adopted four different monitoring services. Marketing is running campaigns across platforms you’ve never heard of. HR has its own stack. Finance has its own stack. Each department optimized for itself, and nobody optimized for the whole.

Welcome to SaaS sprawl.

Why It Keeps Happening Even When You Know It’s Happening

SaaS sprawl is not a failure of awareness. Most companies know they have too many tools. The problem persists because the forces that create it are stronger than the forces that contain it.

Buying is easier than reviewing. A department head with a company card can sign up for a new SaaS tool in the time it takes IT to schedule a procurement review. The asymmetry between the speed of adoption and the speed of governance is structural.

Apps don’t go away on their own. A tool adopted for a project that ended lives on after the project does. Subscriptions auto-renew. Nobody cancels the account because nobody remembers it exists. The application accumulates users until someone runs an audit and finds accounts for people who left the company two years ago.

Ownership diffuses over time. The person who signed up for the tool gets promoted, leaves, or moves to a different team. The “owner” of the application in practice becomes whoever still remembers the login credentials — and eventually nobody does. Service accounts get created to keep automated integrations running. The application becomes infrastructure that nobody manages.

Procurement and security don’t move at product speed. Enterprise procurement processes were designed for large software contracts, not $29/month subscriptions. Security review timelines that make sense for a core data platform don’t make sense for a productivity tool. When the review process is slower than the problem it’s meant to solve, people route around it.

The Real Cost Isn’t the Licenses

License waste is the most visible cost of SaaS sprawl and the easiest to quantify. Inactive seats, duplicate tools across departments, subscriptions on auto-renew for tools nobody uses — these add up to real money. For a company with 100 employees, $50,000 in wasted annual SaaS spend is common.

But the more important cost is the access risk.

Every application in your environment is a credential surface. Every user account is a potential entry point. When you don’t know all the applications in use, you can’t audit the accounts, can’t enforce access policies consistently, and can’t decommission access when employees leave.

The offboarding gap is where this becomes most acute. An employee departs. IT revokes their access to the core systems — the identity provider, the primary email, the internal tools. But the seventeen SaaS apps that the employee signed up for using their work email? The apps that never got connected to SSO because they didn’t support it, or because nobody got around to it? Those accounts stay active.

The average company takes four to six weeks to fully revoke access after an employee departure — and that’s when someone is actively tracking it. When nobody is tracking it, those accounts can sit open for months.

What Regaining Control Actually Looks Like

There is no shortcut back to 30 applications from 130. Attempts to force consolidation through policy alone tend to generate resentment and push adoption underground rather than reduce it.

What actually works is a combination of visibility, selective governance, and making the managed path easier than the unmanaged one.

Step one is discovery. You cannot govern what you cannot see. This means combining multiple discovery methods: OAuth app audits in Google Workspace and Microsoft 365, expense data analysis to find subscription SaaS spend, DNS traffic monitoring, and direct outreach to department heads. Any single method will miss a significant portion of the actual environment.

Step two is triage, not elimination. Trying to eliminate all unauthorized applications at once is a political and operational project that rarely completes. Triage instead: high-risk apps (those that handle sensitive data, have no security review, and lack SSO) versus low-risk apps (productivity tools with no data exposure). Address the high-risk category first and be practical about the rest.

Step three is governance by default for new applications. The sprawl you already have is a legacy problem. The sprawl you’re creating this quarter is a process problem. A lightweight approval workflow for new SaaS adoptions — fast enough that people don’t route around it — is more valuable than an aggressive cleanup of the existing environment.

Step four is continuous access review. The access state you document today will be wrong in ninety days. People join, people leave, roles change, integrations get set up and forgotten. Access reviews need to be a recurring operational process, not an annual checkbox.
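The reconciliation behind steps one, two and four can be made concrete. The following is an added example, not code from the post or from AutoCISO: it takes accounts pulled from two discovery sources (an OAuth app audit and expense data), compares each one against an HR roster, applies the step-two triage rule (sensitive data without SSO is high-risk), and reports the accounts that belong to departed or unknown people, longest-open first. All names, records and the risk rule's thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the post): an HR roster and accounts seen
# in two discovery sources (OAuth app audit, expense-report analysis).
HR_ROSTER = {
    "ana@example.com": {"status": "active", "left": None},
    "bo@example.com": {"status": "terminated", "left": date(2025, 11, 3)},
    "cy@example.com": {"status": "active", "left": None},
}
DISCOVERED = [
    {"app": "prospecting-tool", "user": "bo@example.com", "sso": False, "sensitive": True},
    {"app": "prospecting-tool", "user": "ana@example.com", "sso": False, "sensitive": True},
    {"app": "design-platform", "user": "cy@example.com", "sso": True, "sensitive": False},
    {"app": "monitoring-svc", "user": "dee@example.com", "sso": False, "sensitive": False},
]

@dataclass
class Finding:
    app: str
    user: str
    reason: str       # why the account needs attention
    days_open: int    # days since the person left (0 if unknown to HR)
    risk: str         # "high" or "low", per the step-two triage rule

def triage(app_rec: dict) -> str:
    # Step two: an app that handles sensitive data and is not behind SSO
    # goes in the high-risk bucket; everything else is low-risk for now.
    return "high" if app_rec["sensitive"] and not app_rec["sso"] else "low"

def reconcile(discovered, roster, today: date) -> list:
    """Step four: check every discovered account against HR data and return
    the ones that belong to departed employees or to nobody HR knows about."""
    findings = []
    for rec in discovered:
        person = roster.get(rec["user"])
        if person is None:
            findings.append(Finding(rec["app"], rec["user"], "not in HR roster", 0, triage(rec)))
        elif person["status"] == "terminated":
            days = (today - person["left"]).days
            findings.append(Finding(rec["app"], rec["user"], "user has left", days, triage(rec)))
    # High-risk and longest-open first: that is the offboarding gap to close now.
    findings.sort(key=lambda f: (f.risk != "high", -f.days_open))
    return findings

if __name__ == "__main__":
    for f in reconcile(DISCOVERED, HR_ROSTER, date(2026, 3, 24)):
        print(f"{f.risk:4} {f.app:17} {f.user:17} {f.reason} ({f.days_open} days open)")
```

Rerunning this on each discovery pass (rather than once a year) is what turns the access review into the recurring process the post describes.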

What 130 Applications Tells Your Auditor

When a SOC2 or ISO 27001 auditor asks about your application inventory and you hand them a list of 30 apps, one of two things is true: either you have unusually good procurement discipline, or your list is incomplete.

Auditors know this. The access review requirements in SOC2 CC6.2 and ISO 27001 A.9 require that you can demonstrate systematic review of who has access to which systems. “We audited the apps we knew about” is not a sufficient answer.

The companies that do this well have accepted that the inventory is never perfect and built a process for continuously improving it — automated discovery, regular reconciliation against HR data, and documented exceptions for the edge cases that inevitably exist.

The ones that struggle tend to be waiting for the perfect inventory before starting the governance process. The perfect inventory never arrives. The governance process never starts. The auditor arrives.

Start with what you can see. Expand from there.

AutoCISO Team
