What is SaaS Management?

SaaS Management is the practice of discovering, governing, and optimising the full portfolio of Software-as-a-Service applications an organisation uses — sanctioned and unsanctioned, paid and free, seat-based and consumption-based. It addresses the reality that SaaS has become the largest software-spend category for most enterprises, the hardest to inventory, and the category where "Shadow IT" and embedded AI features accumulate fastest.

A modern SaaS Management practice answers four questions: What SaaS do we have? Who is actually using it? What are we paying for? What governance, security, and compliance risk does each app carry?

Key takeaways

  • Modern enterprises typically run hundreds of SaaS applications (industry surveys cite averages from ~125 to ~370 apps depending on definition and company size) — often more than double what IT is aware of.

  • The three biggest outcomes: cost reclamation (unused or duplicate seats), security & compliance (unsanctioned apps, data locations, offboarding), and operational efficiency (renewal calendar, adoption insight, tool consolidation).

  • SSO-only discovery misses every app signed up for outside the IdP — a modern SaaS Management tool needs browser-level telemetry, IdP connectors, and deep in-app connectors.

  • Certero's offering is CerteroX SaaS Management, part of the CerteroX product family. It discovers apps across a 35,000-application catalogue using a three-method stack (browser + IdP + 200+ deep connectors) and surfaces embedded-AI features inside apps the organisation already owns.


Why SaaS Management matters

The shift to SaaS happened faster than most governance practices. Individual business units, teams, and even individual employees can subscribe to new tools on a credit card — the product is delivered instantly, the invoice arrives on expenses, and IT, Security, Finance, and Procurement find out later, if at all. The result:

| Challenge | Impact |
|---|---|
| Wasted spend | Unused seats, duplicate tools doing the same job in different departments, auto-renewed licences nobody uses |
| Shadow SaaS / Shadow IT | Unvetted applications that may not meet security, data-residency, or regulatory requirements |
| Shadow AI inside known apps | Established vendors embed generative AI into products the organisation already owns — often on by default |
| Offboarding gaps | Ex-employees still have active accounts in apps IT never knew existed |
| Renewal surprises | Auto-renewals and opaque consumption terms expand spend without a decision point |
| Compliance exposure | Data stored in unapproved regions, GDPR / sector-specific obligations missed |

Industry research from Productiv, Zylo, and others routinely finds that a meaningful share of SaaS seats — commonly cited in the 20–30% range — is inactive, duplicated, or outright unused. The specific number varies by sector and methodology; the direction is consistent.


What SaaS Management covers

A complete SaaS Management practice runs across three stages:

1. Discovery

  • Sanctioned apps — everything provisioned through the IdP (Entra ID, Okta, Google Workspace)

  • Shadow SaaS — credit-card subscriptions, free-tier sign-ups, team tools never approved by IT

  • Embedded AI features — generative AI now baked into Microsoft 365 Copilot, Salesforce Einstein, Notion AI, Adobe Firefly, Zoom AI Companion, ServiceNow Now Assist, Atlassian Intelligence, and many more

  • Licence and contract inventory — seats purchased, tier, anniversary, auto-renewal clauses

2. Optimisation

  • Usage analytics — last login, feature adoption, inactive seats

  • Licence reclamation — reassign or cancel unused seats before renewal

  • Tool consolidation — identify apps doing the same job across different teams

  • Tier right-sizing — match Enterprise / Business / Standard tiers to actual usage

  • Renewal calendar — no auto-renewal surprises; every renewal becomes a decision

3. Governance

  • App approval and onboarding — a defensible "request an app" path for end users

  • Acceptable-use policy — what is sanctioned, what is tolerated, what is blocked

  • Security review — SOC 2, ISO 27001, data-handling, authentication posture

  • Offboarding and deprovisioning — SCIM / API-driven account removal when staff leave

  • Data residency and regulation — GDPR, sector-specific, export controls


SaaS Management vs adjacent practices

The SaaS Management / SMP / SSPM / ITAM boundary causes confusion. The short version:

| Practice | Primary focus |
|---|---|
| SaaS Management (SMP — SaaS Management Platform) | Discovery + optimisation + governance of the SaaS portfolio — users, seats, spend, shadow IT |
| SaaS Security Posture Management (SSPM) | Security configuration inside each SaaS app — misconfigurations, risky permissions, MFA gaps |
| IT Asset Management (ITAM) | Full lifecycle management of all IT assets — hardware, installed software, SaaS, cloud |
| Identity and Access Management (IAM / IdP) | Authenticates and provisions users; supplies SSO-based inventory to SaaS Management |
| Cloud Financial Management (FinOps) | Optimisation of IaaS/PaaS cloud spend (AWS, Azure, GCP, OCI) — overlaps SaaS cost at the edges |

A mature enterprise typically runs all five with clear integration — the SaaS Management platform owns the app portfolio, the IdP feeds it sanctioned users, SSPM covers in-app configuration, ITAM owns the full asset record, and FinOps covers IaaS/PaaS cloud.


The SSO blind spot

Most SaaS Management tools start with IdP (Okta / Entra ID / Google Workspace) as their discovery source. This is essential — but it only sees apps federated through SSO. It misses:

  • Apps users signed up for with a work email (no SSO)

  • Free-tier tools adopted by teams

  • Personal productivity apps used for work

  • Embedded AI features inside existing SaaS

  • Many "AI-first" apps that do not yet support enterprise SSO

A serious SaaS Management programme needs three discovery methods in parallel:

  1. Browser-extension telemetry — sees every SaaS URL a user actually visits, regardless of SSO

  2. IdP connectors — the sanctioned baseline

  3. Deep SaaS connectors — pull activity, licence, and account data from inside the major apps (Microsoft 365, Google Workspace, Salesforce, Adobe, Zoom, Slack, Atlassian, ServiceNow, etc.)

All three streams are reconciled against a catalogue of known applications — CerteroX SaaS Management reconciles against a 35,000+-application catalogue using 200+ deep connectors.
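
The reconciliation described above, as an added example that is not Certero's code: constructed IdP, browser and connector records are merged against a small constructed catalogue, and any app with no IdP source is flagged as shadow. All names, domains and records below are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data (hypothetical): catalogue maps a domain to an app name.
CATALOGUE = {"salesforce.com": "Salesforce", "slack.com": "Slack",
             "notion.so": "Notion", "trello.com": "Trello"}
IDP_APPS = {"Salesforce", "Slack"}  # apps federated through SSO (sanctioned baseline)
BROWSER_EVENTS = [  # (user, visited URL) as reported by browser telemetry
    ("alice@example.com", "https://acme.my.salesforce.com/home"),
    ("alice@example.com", "https://www.notion.so/workspace/roadmap"),
    ("bob@example.com", "https://trello.com/b/abc123"),
    ("bob@example.com", "https://app.slack.com/client/T000"),
    ("bob@example.com", "https://unknown-ai-notes.example/app"),
]
CONNECTOR_ACCOUNTS = {"Slack": {"bob@example.com", "carol@example.com"}}


def catalogue_lookup(url):
    """Match a URL's host against the catalogue by exact domain or subdomain."""
    host = (urlsplit(url).hostname or "").lower()
    for domain, app in CATALOGUE.items():
        if host == domain or host.endswith("." + domain):
            return app
    return None


def reconcile(idp_apps, browser_events, connector_accounts):
    """Merge the three streams into app -> {users, sources, status}."""
    report = defaultdict(lambda: {"users": set(), "sources": set()})
    uncatalogued = set()  # hosts seen in the browser that the catalogue cannot name
    for user, url in browser_events:
        app = catalogue_lookup(url)
        if app is None:
            uncatalogued.add(urlsplit(url).hostname)
            continue
        report[app]["users"].add(user)
        report[app]["sources"].add("browser")
    for app, accounts in connector_accounts.items():
        report[app]["users"] |= accounts  # accounts that exist inside the app
        report[app]["sources"].add("connector")
    for app in idp_apps:
        report[app]["sources"].add("idp")
    for entry in report.values():
        # No IdP source means the app was adopted outside SSO.
        entry["status"] = "sanctioned" if "idp" in entry["sources"] else "shadow"
    return dict(report), uncatalogued


REPORT, UNCATALOGUED = reconcile(IDP_APPS, BROWSER_EVENTS, CONNECTOR_ACCOUNTS)
```

Hosts left in `UNCATALOGUED` are the review queue: they were visited but could not be normalised to a known application.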


How CerteroX SaaS Management helps

CerteroX SaaS Management is part of the CerteroX product family (ITAM, SAM, SaaS Management, Cloud Management, AI Management). It shares an asset catalogue and user record with the other products so organisations can start with SaaS and add adjacent capability without stitching data.

What CerteroX SaaS Management covers

| Capability | Detail |
|---|---|
| Three-method discovery | Browser-extension + IdP connectors + 200+ deep SaaS connectors against a 35,000-application catalogue |
| Shadow SaaS / Shadow AI discovery | Apps signed up for outside SSO, embedded-AI features inside existing apps |
| Usage analytics | Last login, feature usage, inactive seats, licence-tier fit |
| Licence reclamation | Identify dormant seats, reassign or cancel before renewal |
| Renewal management | Central renewal calendar; no auto-renewal surprises |
| Offboarding | Evidence trail for account removal when staff leave |
| Governance | Acceptable-use policy support, sanctioned-app lists, request workflow |
| Integration | Asset data shared with CerteroX ITAM and CerteroX SAM; cost data feeds into CerteroX Cloud Management / FinOps reporting |

Typical results

Organisations running CerteroX SaaS Management commonly reclaim 20–30% of SaaS spend in the first year through reclaimed seats, tier right-sizing, and eliminated duplicates — with the larger quantitative outcomes coming from renewals that are finally made from evidence instead of last-minute negotiation.

Recognition

  • #1 rated on Gartner Peer Insights (SAM Tools)

  • Four-time Gartner Customers' Choice (2019, 2020, 2021, 2024)

  • 97% of customers recommend Certero


Frequently asked questions

What is a SaaS Management Platform (SMP)?

An SMP is the toolset that delivers SaaS Management — discovery, usage analytics, spend optimisation, renewal management, and governance in one place. Analysts have classified SMPs as a category since roughly 2020. Mainstream options include BetterCloud, Zylo, Zluri, Productiv, Torii, Josys, and CerteroX SaaS Management.

How is SaaS Management different from ITAM?

SaaS Management focuses on the SaaS portfolio specifically — apps, users, seats, spend, renewals, governance. ITAM (IT Asset Management) covers the complete asset estate across hardware, installed software, SaaS, and cloud. A mature enterprise runs both; SaaS Management often feeds its data into the broader ITAM record.

How does SaaS Management relate to Software Asset Management (SAM)?

SAM traditionally focused on installed, licence-heavy software from publishers like Microsoft, Oracle, IBM, SAP, and Adobe. SaaS Management covers the cloud-delivered apps replacing or supplementing those. Modern programmes reconcile both in a single effective licence position — Microsoft 365 seats and Windows Server licences appear in the same view.

Does SSO-based discovery give complete SaaS visibility?

No. IdP / SSO discovery only sees apps federated through the identity provider — which is the sanctioned baseline, not the full portfolio. Apps users sign up for with work email outside the IdP, free-tier tools, personal productivity apps, and many new AI apps without enterprise SSO all sit outside IdP visibility. Complete discovery needs browser-level telemetry and deep connectors in addition to the IdP.

How do you discover embedded AI inside apps we already own?

Embedded AI — Microsoft 365 Copilot, Salesforce Einstein, Notion AI, Adobe Firefly, Zoom AI Companion, Atlassian Intelligence, ServiceNow Now Assist — is a separate discovery problem. The app itself is sanctioned; the AI feature may or may not be. Discovery needs feature-level visibility, not just app-level, which requires deep in-app connectors pulling admin configuration and usage. CerteroX SaaS Management surfaces embedded AI features as a distinct inventory alongside the app record.

How do I identify and consolidate redundant SaaS apps?

Consolidation requires two data points per app: category (project management, note-taking, video conferencing, diagramming, etc.) and active usage by team. Once the apps are tagged by category and users are mapped, the overlap is obvious — two project-management tools in Engineering and Operations, three video-conferencing tools across departments. Optimisation then becomes a policy decision: standardise on one, migrate the others.

How long does a SaaS Management implementation take?

The initial discovery — sanctioned baseline, shadow SaaS, embedded AI — typically takes weeks, not months. Tangible financial outcomes usually land in the first renewal cycle for the largest apps in the portfolio. Full governance and policy rollout — acceptable-use, request workflow, offboarding automation — is an ongoing programme rather than a project.

How should I evaluate SaaS Management tools?

Five criteria are usually decisive:

  1. Discovery breadth — does it use browser telemetry, IdP, and deep connectors, or only one?

  2. Catalogue size and accuracy — how many apps are recognised and normalised out of the box?

  3. Embedded-AI visibility — can it see AI features inside existing apps?

  4. Integration with ITAM/SAM/FinOps — or is it a silo?

  5. Customer reference base in your sector and size band

How do I measure SaaS sprawl in my organisation?

Three measures together: app count (total unique SaaS apps in use), tool density (apps per employee — mature enterprises run 10–30 per employee), and category overlap (how many apps perform each of the top 20 functional categories — ideally one, often three or more).

What about data residency and regulatory compliance?

Each SaaS vendor stores data in specific regions with specific controls. Regulation — GDPR, sector-specific rules, export controls — may require data to stay inside a specific jurisdiction or prohibit transfer to others. SaaS Management maintains the inventory of "which app holds what data in which region" so Compliance and Legal can answer that question definitively.

How does SaaS Management support offboarding?

When an employee leaves, every SaaS account they had access to needs to be deprovisioned — not just the IdP-federated ones. Shadow SaaS and embedded AI create the biggest risk because IT does not even know the accounts exist. A SaaS Management tool produces the master list per employee, automates deprovisioning via SCIM / API where available, and creates a ticket for apps that require manual removal.

What is the difference between SaaS Management and SaaS Operations?

SaaS Management is the strategic practice — portfolio, spend, governance. SaaS Operations (SaaS Ops) is the day-to-day execution — provisioning, access management, policy enforcement, automation. Most SaaS Management platforms provide SaaS Ops features; the terms are often used interchangeably.

Where does the ROI from SaaS Management come from?

Four sources, in order: (1) reclaimed unused seats — typically 20–30% of spend is dormant; (2) tier right-sizing — moving power users to higher tiers and occasional users down; (3) tool consolidation — eliminating duplicate apps in the same category; (4) renewal negotiation — entering renewals with evidence instead of the vendor's data. Customers on public review platforms commonly report payback inside the first renewal cycle.

How does CerteroX SaaS Management compare to BetterCloud, Zylo, Productiv, and Zluri?

The three-method discovery stack (browser + IdP + 200+ deep connectors) and the shared asset record across ITAM, SAM, and Cloud Management are the main points of differentiation. Customers whose SaaS estate is large but whose full IT estate also includes significant installed software (Microsoft, Oracle, IBM, SAP, Adobe) typically prefer CerteroX because the same tool covers both. SaaS-only environments have more parity across the category; the deciding factors tend to be catalogue coverage, embedded-AI visibility, and implementation speed.


About Certero

Certero is an independent software vendor specialising in IT Asset Management, Software Asset Management, SaaS Management, Cloud Management, and AI Management. The CerteroX product family shares a single asset record across all products so customers can start with SaaS Management and layer adjacent capability without stitching data. Certero is the only four-time Gartner Customers' Choice for SAM Tools (2019, 2020, 2021, 2024), #1 rated on Gartner Peer Insights, an Oracle Certified Partner, and a FinOps Foundation member with FinOps Certified Platform designation.



Last updated: April 2026