Five things successful IT teams get right about SaaS management

It’s easy to see how SaaS sprawl happens if you picture the moment it starts. A team is blocked, someone needs a tool ASAP, and the answer to their problems lies just behind a free trial, so they sign up for a new tool. No one is being careless. They’re being efficient. The problem is that follow-up rarely keeps pace with new sign-ups, especially when the card on file belongs to "the company" and the requester has already moved on to the next priority.

Months later, you realize you are paying for services you don’t use and can’t remember how to log in to, let alone cancel. Every invitation to “try this new tool” adds another subscription, another license, and another place where company IP is stored. Over time, this SaaS sprawl creates an environment overrun with shadow IT and unmanaged apps that IT, security, and finance teams can’t fully see or control.

To get ahead of this, IT teams turn to SaaS management, a process for discovering in-use apps, managing access, and optimizing software spend. At its core, SaaS management ensures the right people have access to the right tools while removing unnecessary access to reduce security risks and overspending.

Without this process, unmanaged SaaS causes serious problems. Cost control suffers because companies waste an average of $18 million annually on unused SaaS licenses. Risk grows because 52% of employees use apps not approved by IT, and 38% of employees retain access to data after leaving a company. When app usage is spread across too many places, it becomes nearly impossible to show auditors who has access or what has changed over time.

While SSO is an undeniably valuable tool for managing access, 70% of professionals agree it isn't a complete solution for securing identity. Between apps that lack SCIM support and the "long tail" of unknown shadow IT, successful IT teams have to move beyond manual audits and spreadsheets.

Let’s look at the five things successful IT teams do differently to manage and secure SaaS.

Five tips to improve SaaS management

#1: SaaS discovery does not equal SaaS management

Employees and business units are signing up for new SaaS and AI apps faster than IT can keep track of them. IT teams can get a list of some new apps, but what happens next?

The common pattern: IT discovers apps through a mix of SSO logs, audits, and expense reports, but the process stops at the spreadsheet. Knowing an app exists doesn't tell you who is using it, why they need it, or if a redundant tool already exists in your ecosystem. When teams operate in silos, you don't just get redundant apps, you get redundant bills. Conducting a SaaS audit once a year is not enough.

What successful IT teams do instead: They treat discovery as the start of a workflow, not a final report. They leverage automation to continuously pull shadow IT and shadow AI into a unified list, then immediately add context: who is using it, when it was last used, and how access is granted. Every newly discovered app moves through a deliberate "in review" process where stakeholders are surveyed for business context before IT decides to manage, consolidate, or sunset the tool.

How 1Password SaaS Manager helps:

• Discover SaaS usage: Capture a list of every newly discovered app and each user to immediately understand who is using what.

• Turn discovery into management: Use automated "new app discovered" workflows to move items off the IT backlog and into an active review process.

• Automate user surveys: Automatically reach out to users via Slack, Microsoft Teams, or email to gather essential business context the moment an app is found.

• Continuous Shadow IT/AI monitoring: Maintain a real-time, unified list of all unmanaged tools so nothing, including tools outside of SSO, slips through the cracks.

• Streamline license reclamation: Use automated workflows to communicate with users about license removal or plans to consolidate redundant tools.

#2: Offboarding is more than removing access to SSO

The easiest offboarding mistake is disabling SSO and relying on manual app clean-up to finish the job.

The common pattern: IT teams know deactivating SSO access is not a complete offboarding plan, but the rest of the work is manual across dozens of apps. Removing a user in SSO or IdP blocks access to applications behind SSO, but it doesn’t necessarily delete licenses in each app, revoke OAuth tokens, or transfer ownership of files, calendars, or shared resources. That is where the long tail of unmanaged apps can leave accounts and data lingering after an employee departs.

What successful IT teams do instead: They treat SaaS offboarding as an end-to-end workflow. It begins with the discovery list to identify every app a user touched, even those outside of SSO. They trigger automated deprovisioning and license reclamation for each app, keeping the process consistent so the long tail doesn’t become a hiding place for lingering access. Crucially, they build business continuity into the motion: ownership of shared resources is transferred, and managers are notified for review, ensuring work doesn't get stranded when an employee leaves.

How 1Password SaaS Manager helps: 

• Complete end-to-end workflows: Build automated workflows that cover every critical offboarding step, from recovering licenses to transferring ownership of email inboxes, calendars, and shared files to managers.

• Automated license reclamation: Instantly revoke access and reclaim paid seats to prevent unused licenses from impacting your budget.

• Automated manager notifications: Trigger messages via Slack, Microsoft Teams, or email to prompt managers for any necessary manual actions regarding a departure.

#3: Mitigate compliance and security risks with automated access reviews

Once you centralize and automate access reviews, you will never do them in spreadsheets manually again.

The common pattern: Access reviews are a manual frenzy of spreadsheets and "static" exports compiled in a frenzy before a deadline. Because the process is error-prone and slow, permissions inevitably drift as people change roles, teams reorganize, and former employees retain access, leaving the door open for security risks.

What successful IT teams do instead: They stop treating access reviews as a one-off project and start treating them as a repeatable process. Reviews are scheduled, not improvised. Access is reviewed with context, including role, department, risk level, and external identities. And when access needs to be updated, teams can act directly from the review dashboard to revoke or adjust access immediately, producing clean documentation for faster audits. The work becomes less about chasing confirmations and more about maintaining visible control.

How 1Password SaaS Manager helps:

• Centralize access reviews: Bring all applications, including those that aren’t behind SSO, into a single, unified access review process.

• Replace spreadsheets with standardized workflows: Eliminate manual data entry and "static" exports by reviewers for faster, automated review cycles.

• Enable in-line remediation: Adjust permissions or revoke access directly from the access review dashboard the moment a discrepancy is identified.

• Gain context for every user: View access levels alongside critical data points like role, department, and risk level to make informed security decisions.

#4: Connect SaaS usage to license spend data

If you can’t tie license entitlements to actual SaaS usage, you can’t control SaaS spend.

The common pattern: IT grants access quickly to keep employees productive, but visibility stops at "has access." Without usage data, you end up paying for inactive licenses for people who haven't logged in for months or entire teams on premium tiers they don't actually need. This results in wasted spend hidden in plain sight, ongoing operational costs of manual audits, and removals that divert IT from higher-value work.

What successful IT teams do instead: They connect license usage directly with spend data to make optimization a daily operation, not a pre-renewal fire drill. They set clear inactivity thresholds of 30, 60, or 90 days to identify waste. Then, they automate the "reclamation" by prompting users via Slack, Microsoft Teams, or email to confirm they still need access before a seat is downgraded or removed. They keep waste from compounding quietly, one seat at a time.

How 1Password SaaS Manager helps: 

• Correlate usage with spend: Utilize 350+ direct API integrations with the most commonly used business apps to automatically track login data with license expenditures.

• Continuous optimization: Move away from last-minute budget scrambles by reclaiming unused licenses and optimizing seats continuously.

• Identify tier-level waste: Downgrade users on expensive premium tiers who only require basic functionality.

#5 Manage contract renewals proactively with shared visibility across IT and procurement

Tie usage and contract data together to give IT and procurement teams the information they need to avoid surprise true-ups and negative impacts on your budget.

The common pattern: When a renewal looms, IT and Finance find themselves in a manual "chase." Finance asks the questions, “Do we need this? Is it being used?” but the answers are isolated in fragmented systems. IT has to sift through contract details that live in procurement tools, while usage data is buried in IdP reports, app-admin consoles, and ad hoc exports.

Without a unified view, decisions are made on incomplete data. This leads to a reactive cycle: auto-renewals lock in bloated seat counts, surprise true-ups occur when teams add licenses unnecessarily, and redundant tools persist because no one can see the overlap. Ultimately, IT and Finance end up looking at different numbers, which means lost negotiation leverage and preventable year-over-year spend increases.

What successful IT teams do instead: They bring contract, spend, and usage data together into a single view of the SaaS portfolio, so everyone, including IT, procurement, and finance, plans renewals from the same source of truth. That view shows what you are paying for, who is using it, renewal dates, renewal status, license availability, and overlapping tools by category. When data is shared and up to date, renewals stop being a last-minute scramble and become a normal operational workflow: align early, negotiate with confidence, and consolidate where it makes sense.

How 1Password SaaS Manager helps:

• Centralize contract and vendor data: Integrate directly with finance tools or use 1Password SaaS Manager’s built-in AI tool to upload and extract key details from contracts.

• Establish a shared source of truth: Give IT, Finance, and Procurement a unified view of the entire SaaS portfolio, including spend, usage, and renewal status.

• Surface tool overlap and redundancy: Automatically identify overlapping tools to support informed consolidation and cost-cutting decisions.

• Trigger proactive renewal notifications: Use automated workflows to alert the right stakeholders 30, 60, or 90 days before a contract expires, avoiding overspending.

• Negotiate with data-driven confidence: Approach renewals with real-time utilization data to ensure you only pay for the apps and licenses the company actually needs.

A faster way to see, manage, and optimize your SaaS environment

SaaS sprawl happens because everyone is trying to get work done, using the best tools available to them. The difference with successful IT teams is that they don’t rely on one-time audits or spreadsheets to stay in control. They build repeatable SaaS management processes that maintain visibility, ensure secure onboarding/offboarding, validate access reviews continuously, optimize licenses before waste compounds, and bring contract renewals into a shared view with procurement and finance.

Customers choose 1Password SaaS Manager because it delivers rapid, automated visibility into their SaaS environment, cuts manual work, and centralizes spend optimization.

By turning SaaS management into a repeatable, automated workflow, you can stop worrying about the "free trial" that started it all. You can let your teams move fast and stay efficient, knowing that your SaaS stack and your budget are no longer piling up in the dark.