Automating SaaS management: Extend IAM to regain time, trust, and control

by Chris Fowler

November 20, 2025 - 9 min

Security leaders are under pressure to manage an expanding number of SaaS apps and shadow IT. Automation transforms the fight for visibility into a framework of continuous monitoring.

Virtually every company runs on more SaaS than it can see, and spends more on it than it can control.

From analytics tools to HR platforms and AI agents, every new license improved productivity while expanding the surface that IT and security must protect.

For years, Identity and Access Management (IAM) and Identity Governance and Administration (IGA) systems formed the backbone of enterprise security, authenticating users, enforcing policies, and governing access. But the perimeter they were designed to protect no longer exists.

In today’s open SaaS workplace, anyone with an email address can add a new application outside SSO and beyond IT’s visibility. Security’s role is shifting from rigid enforcement to managing visibility and flexibility.

There are now three distinct categories of SaaS that every organization runs: 

  • Managed apps behind SSO and IAM

  • Business-managed apps owned by teams, even if not centrally managed

  • Unmanaged apps and AI, a.k.a. shadow IT, operating invisibly

The amount of work happening on unsanctioned tools and outside of policy is alarming. The 1Password Annual Report 2025: The Access-Trust Gap found that:

  • 52% of employees admit to downloading work apps without IT approval.

  • 37% admit they don’t always follow their company’s AI usage policies.

  • 70% of security leaders say SSO is insufficient for managing employee identities. 

Addressing these gaps between access and trust has spread IT teams thin and created the need for SaaS Management Platforms (SMPs). SMPs are tools that help organizations maximize efficiency from SaaS and AI while reducing risks from third-party services and managing the compounding complexity of SaaS sprawl.

What IAM can’t see and how SaaS management closes the gap

SSO is an essential first line of defense for authenticating users and revoking access, but it stops at the login screen. It doesn’t reclaim unused licenses, delete dormant accounts, or monitor the countless unfederated apps that employees adopt outside its environment.

An SMP extends IAM’s reach across the full SaaS ecosystem. SMPs continuously discover applications, automate onboarding/offboarding, and manage licensing to offer a comprehensive view of every app, every user, and every dollar spent under a single pane of glass.

SMPs like Trelica by 1Password connect IAM, governance, and finance systems by replacing manual oversight with automation that enforces policy, improves compliance, and creates a flexible, dynamic platform to verify and manage access. 

The first step in that process is discovery. SMPs uncover every application in use across the organization. By integrating with IdPs, HR and finance systems, and browsers, they reveal the full scope of SaaS activity that IAM alone can’t see, allowing teams to effectively govern access and control costs.

Risk hides in unmanaged SaaS and AI

The rise of SaaS accelerated innovation, but it also fragmented control. Employees create accounts faster than security can track them. Many apps bypass IAM, creating an invisible layer of shadow IT and quietly expanding the attack surface.

When left unchecked, uncontrolled SaaS creates four broad types of risk: security gaps, compliance gaps, operational inefficiencies, and financial waste.

Closing IAM security gaps

Apps are more than a convenience; they’re an access decision, a compliance liability, and a governance responsibility. In the hands of an IT admin managing a dense workload, the risks are most present at key moments within employee lifecycle management. 

1Password’s 2025 Annual Report, "The Access-Trust Gap," found that 38% of breached organizations linked incidents to unmanaged applications.

Without a solution to track shadow IT and sanctioned apps, or standardization and automation to make workflows consistent, it can often be a guessing game of who had access to what. 

Manual Joiner, Mover, and Leaver (JML) processes can lead to orphaned accounts, lost data, and excess SaaS spending. In fact, 1Password found that 38% of employees have accessed accounts from a previous employer.

Trelica closes these gaps by automating application discovery, license revocation, and offboarding. 

When using Trelica to automate deprovisioning, Flipdish found that the average employee uses 40-50 apps, and it was able to deactivate accounts and reclaim licenses, improving security around unfederated SaaS.

With a clear view of who has access to what, and what has access to what, teams can ensure employee data, emails, files, and licenses are properly handled through consistent, audit-friendly workflows. Leavers can no longer access business apps or data that may result in material risk or a potential breach, which takes a huge amount of pressure off security teams.

Continuous compliance at scale

Sensitive information spreads through managed and unmanaged SaaS and AI tools alike with no audit trail, creating risks that IAM alone can’t govern at scale. This lack of visibility makes it difficult to meet SOC 2 requirements around data security, availability, and integrity, especially for shadow IT operating outside central control.

Equally important is data governance. 

Each SaaS vendor manages data differently, and without centralized oversight, control quickly breaks down. Trelica extends IAM and IGA solutions with automated policy enforcement for data storage, access, and sharing, through an approved hub of applications that teams can access. With a clear log, the path to compliance with international standards, like ISO 27001, is much clearer.

For ElectroNeek, centralization with Trelica made the SOC 2 audit process faster, easier, and less stressful for everyone involved.

“Instead of presenting auditors lots of confusing, interrelated spreadsheets, we now use Trelica to quickly show exactly which people and roles have access to which systems and applications,” said Oleg Lekuchev, Vice President of IT.

With an SMP in place, compliance becomes a consistent, continuous process where security and governance operate in sync.

When manual control slows IT down

The Access-Trust Gap found that 73% of employees are encouraged to use AI for some part of their workload, and 30% say they are “encouraged to experiment with generative AI for any task.”

As employees adopt more tools to move faster, the processes that manage those tools have not kept pace. 

In many organizations, a single offboarding can take hours of coordination between IT, HR, and department leads, often managed through tickets and spreadsheets, just to ensure accounts are deactivated and licenses reclaimed. This keeps teams from doing the work that actually drives the business forward and introduces risk when steps are missed or delayed.

SMPs like Trelica eliminate that inefficiency by automating the manual processes that slow IT and security teams down. They replace ticket-based onboarding, offboarding, and license updates with policy-driven workflows that ensure every access change is secure, auditable, and immediate. By removing human bottlenecks and standardizing repetitive tasks, Trelica gives teams time back while reducing the risk of error or oversight.

At Moonpig, SaaS automation replaced up to three hours of manual work per departing employee with just 25 minutes of repeatable, verifiable processes. “Trelica allows us to focus on value-added projects and support our end users in the best way possible,” said Bill Penberthy, Head of IT.

Automation with SMPs offers teams the productivity promised by SaaS and AI tools without slowing anyone down.

The financial costs of incomplete identity governance

Managed or otherwise, SaaS licenses increase in price over time; it’s part of the model. Without oversight, licenses linger, renewals go unchecked, and redundancies arise.

At ElectroNeek, Trelica escalates anomalies and unexpected SaaS expenses to offer granular cost-control to the rapidly growing business.

1Password’s report found that on average, 34% of a company’s apps aren’t protected by SSO. That means even when IT revokes access through SSO via their IdP, accounts can remain active and billable. Automation is the only scalable way to manage SaaS risk because you can’t control the SaaS you can’t see.

Trelica automates every stage of lifecycle management, including provisioning and revoking access, reclaiming unused licenses, and tracking renewals to create a single, auditable system for visibility, compliance, and control.

And when you free IT admins from repetitive, error-prone tasks, you give them more time to focus on the crucial steps of retiring duplicated apps and identifying and removing unused licenses, which bring real, tangible financial gains to the organization.

With Trelica, Zuora was able to:

  • “Right-size” licensing across five of its most widely used applications

  • Downgrade 20% of accounts that weren’t using paid features for immediate and significant cost savings

  • Discover and eliminate redundant tools, cutting renewals for its enterprise file-sharing app by more than 50%.

Automation as a strategic driver

Ask any IT or security leader what they need more of, and they’ll tell you the same thing: time. 

Automating SaaS management reduces risk and gives teams more time, replacing manual tasks with policy-driven workflows that enforce access governance continuously.

As part of 1Password’s Extended Access Management suite, Trelica by 1Password expands visibility across SaaS and AI tools, closing the Access-Trust Gap that IAM leaves behind. 

Trelica continuously discovers SaaS and AI tools across the business, integrating with IdP, HR, and finance systems, as well as browsers, to maintain an up-to-date inventory of every app in use. That ongoing visibility turns SaaS management from a reactive cleanup process into proactive governance.

For scaling organizations, it integrates with Okta, Microsoft 365, and Google Workspace; connects to finance systems, expense tools, and browsers; and offers more than 300 direct integrations and a library of 40,000 applications to uncover what’s happening beyond SSO.

By automating the work that once demanded constant coordination and scrutiny, teams can focus on strategy instead of spreadsheets. The outcomes are controlled spending, reduced oversight, faster operations, lower risk exposure, and a governance model that scales with the pace of SaaS adoption. In the modern enterprise, governance must enable efficiency, not restrict it.

The first step

Watch our webinar, What successful IT teams get right about SaaS management, to learn how IT leaders are transforming SaaS management with automation.