SaaS Management FAQ
A comprehensive guide to SaaS Management, Shadow IT discovery, license optimization, and governance.
Basic SaaS Management
What is SaaS Management?
SaaS Management is the practice of discovering, monitoring, and optimizing the Software-as-a-Service applications used across an organization. It provides visibility into what SaaS tools employees are using, how much they cost, who has access, and whether subscriptions are being fully utilized. SaaS Management helps organizations reduce costs, eliminate security risks from unauthorized applications, ensure compliance, and make informed decisions about technology investments.
Why is SaaS Management important?
SaaS spending has grown exponentially as organizations adopt cloud-based applications for every business function. The average enterprise now has 3-5 times more SaaS applications than IT departments realize, with employees independently adopting tools without approval. This creates significant problems: wasted spending on unused licenses, duplicate applications with overlapping functionality, security vulnerabilities from unvetted software, and compliance risks from data stored in unknown locations. SaaS Management addresses these challenges by providing visibility and control.
What is the difference between SaaS Management and Software Asset Management?
Software Asset Management (SAM) traditionally focuses on installed software, perpetual licenses, and compliance with vendor agreements. SaaS Management specifically addresses cloud-based subscription applications that users access through web browsers and identity providers. While SAM tracks what's installed on devices, SaaS Management tracks what users are accessing online, often without anything installed locally. Modern IT Asset Management platforms like CerteroX combine both capabilities to provide complete visibility across installed software and SaaS subscriptions.
How much can organizations save with SaaS Management?
Organizations implementing comprehensive SaaS Management report up to 40% reduction in SaaS spend through license optimization. Common savings opportunities include reclaiming licenses from inactive users, eliminating duplicate applications that serve the same function, consolidating overlapping subscriptions, and negotiating better terms with vendors based on actual usage data. The savings come from visibility that most organizations lack without dedicated SaaS Management practices.
Who should be responsible for SaaS Management?
SaaS Management responsibility typically falls to IT Asset Management teams, IT Operations, or dedicated SaaS Management roles. Effective SaaS Management requires collaboration between IT (for discovery and technical governance), procurement (for contract management and vendor negotiations), finance (for budget tracking and cost allocation), and security (for risk assessment and compliance). Business units that own specific applications should also participate in usage reviews and optimization decisions.
Shadow IT
What is Shadow IT?
Shadow IT refers to technology used within an organization without official IT approval or oversight. In the SaaS context, this includes cloud applications that employees adopt independently, often using personal accounts or departmental credit cards without IT involvement. Shadow IT creates risks because IT cannot secure, manage, or optimize what it doesn't know exists. Common examples include project management tools, file sharing services, design applications, and AI tools that employees start using to improve productivity.
How big is the Shadow IT problem?
Organizations typically discover they have 3-5 times more SaaS applications than they thought once they implement proper discovery. A company that believes it has 50 SaaS applications often discovers 150-250 after comprehensive discovery. This gap represents Shadow IT that has accumulated over years of employees adopting tools without central oversight. The problem has accelerated with remote work, where employees have more freedom to adopt tools outside IT's visibility.
Why do employees use Shadow IT?
Employees adopt Shadow IT primarily because they need tools to do their jobs and the official procurement process is too slow, too restrictive, or doesn't provide alternatives. When IT says "no" or takes months to approve software, employees find their own solutions. Often Shadow IT represents genuine business needs that IT hasn't addressed. Effective SaaS Management doesn't just block Shadow IT but also provides faster paths to approved alternatives so employees don't need to work around IT.
What are the risks of Shadow IT?
Shadow IT creates multiple organizational risks. Security risks arise when IT cannot assess whether applications meet security standards, implement proper access controls, or respond to breaches in unknown systems. Compliance risks occur when data is stored in applications that don't meet regulatory requirements or data residency policies. Financial risks include wasted spending on duplicate subscriptions, lack of negotiating leverage with vendors, and inability to forecast IT costs accurately. Operational risks emerge when critical business processes depend on applications that IT doesn't support or even know about.
How do you discover Shadow IT?
Modern SaaS Management platforms discover Shadow IT through multiple methods. Browser extensions deployed to managed devices detect web application usage across Chrome, Edge, and Firefox. Identity provider integrations with systems like Microsoft Entra ID (formerly Azure AD) and Okta reveal applications accessed through single sign-on. Native messaging components for Windows capture authentication events. By combining these discovery methods, platforms like CerteroX for SaaS build a comprehensive inventory of all SaaS applications in use, not just those IT has sanctioned.
SaaS Discovery and Visibility
How does SaaS discovery work?
SaaS discovery uses multiple techniques to identify cloud applications across the organization. Browser extension discovery deploys lightweight extensions to managed devices that detect when users access web applications, capturing the application name, URL, and usage frequency. Identity provider discovery connects to authentication systems (Entra ID, Okta) to identify applications users access through single sign-on. Native messenger components capture Windows authentication events for additional visibility. Combining these methods provides comprehensive coverage of both sanctioned and Shadow IT applications.
What browser extensions are used for SaaS discovery?
CerteroX for SaaS uses browser extensions for Chrome, Edge, and Firefox that can be deployed silently through GPO (Group Policy Objects) or Intune for managed devices, or installed manually by users. These extensions detect when users access web applications and report usage data back to the SaaS Management platform. The extensions are lightweight and designed to minimize impact on browser performance while providing comprehensive visibility into SaaS usage patterns.
How does identity provider integration work?
Identity provider integration connects SaaS Management platforms to authentication systems like Microsoft Entra ID and Okta. When users access applications through single sign-on (SSO), the identity provider logs these authentication events. SaaS Management platforms use API connectors to retrieve this data, revealing which applications users access through SSO. This method is particularly effective for discovering sanctioned applications that IT has integrated with SSO, but it provides less visibility into applications that users access with separate credentials.
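The reconciliation this answer implies, as an added example (not CerteroX code and not part of the original FAQ): hosts seen by browser discovery are compared with the identity provider's application list and sign-in log, surfacing hosts with no SSO integration and users who reach an SSO-integrated application without a matching sign-in. All records, field names and hosts are constructed assumptions, not the schema of any product.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data. Field names and hosts are illustrative assumptions,
# not the schema of CerteroX, Entra ID or Okta.
IDP_APPS = {"crm": {"crm.example"},
            "tickets": {"tickets.example", "help.tickets.example"}}
SSO_SIGNINS = [
    {"user": "alice@corp.example", "app": "crm"},
    {"user": "bob@corp.example", "app": "tickets"},
]
BROWSER_EVENTS = [
    {"user": "alice@corp.example", "url": "https://CRM.example/accounts"},
    {"user": "bob@corp.example", "url": "https://www.crm.example:443/login"},
    {"user": "bob@corp.example", "url": "https://help.tickets.example/q/1"},
    {"user": "carol@corp.example", "url": "https://genai-notes.example/chat"},
    {"user": "alice@corp.example", "url": "https://genai-notes.example/upload"},
    {"user": "carol@corp.example", "url": "not a url"},
]


def normalize_host(url):
    """Return the lowercase host without port or leading 'www.', or None."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".")
    return host[4:] if host.startswith("www.") else host


def reconcile(idp_apps, sso_signins, browser_events):
    """Split browser-observed usage into the two gaps IdP logs cannot show."""
    host_to_app = {h: app for app, hosts in idp_apps.items() for h in hosts}
    sso_pairs = {(e["user"].lower(), e["app"]) for e in sso_signins}
    unknown_hosts = defaultdict(set)  # host -> users; Shadow IT candidates
    outside_sso = defaultdict(set)    # app -> users with no SSO sign-in on record
    skipped = 0                       # malformed events, counted rather than dropped silently
    for event in browser_events:
        host = normalize_host(event["url"])
        if host is None:
            skipped += 1
            continue
        user = event["user"].lower()
        app = host_to_app.get(host)
        if app is None:
            unknown_hosts[host].add(user)
        elif (user, app) not in sso_pairs:
            # Review item, not proof: the sign-in may predate the log window.
            outside_sso[app].add(user)
    return dict(unknown_hosts), dict(outside_sso), skipped


if __name__ == "__main__":
    unknown, outside, skipped = reconcile(IDP_APPS, SSO_SIGNINS, BROWSER_EVENTS)
    print("No SSO integration:", unknown)
    print("Used without SSO sign-in:", outside)
    print("Skipped events:", skipped)
```

Exact host matching is used here; grouping subdomains under one application would need a public-suffix list or a maintained application catalogue.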
What SaaS categories are typically discovered?
SaaS Management platforms discover applications across all business categories including productivity tools (Microsoft 365, Google Workspace), collaboration platforms (Slack, Microsoft Teams, Zoom), customer relationship management (Salesforce, HubSpot), project management (Asana, Monday, Jira), design tools (Figma, Canva, Adobe Creative Cloud), development platforms (GitHub, GitLab, Atlassian products), and increasingly, AI and generative AI tools. The diversity of categories reflects how SaaS has permeated every business function.
What is Shadow AI and why does it matter?
Shadow AI refers to generative AI tools and services that employees use without official approval, including ChatGPT, Claude, Midjourney, DALL-E, and hundreds of other AI applications. Shadow AI has emerged as a significant subcategory of Shadow IT as employees rapidly adopt AI tools to improve productivity. Organizations need visibility into Shadow AI for security reasons (sensitive data may be shared with AI services), compliance reasons (some AI tools may not meet data handling requirements), and cost reasons (AI spending can escalate quickly). CerteroX for SaaS includes Shadow AI detection as part of comprehensive SaaS discovery.
License Optimization
What is SaaS license optimization?
SaaS license optimization is the process of matching subscription quantities to actual usage, eliminating waste from unused or underutilized licenses. Most organizations over-license SaaS applications because they lack visibility into actual usage. Optimization involves identifying inactive users who have licenses they don't use, reclaiming those licenses, right-sizing subscription tiers based on feature usage, and consolidating overlapping applications. The goal is ensuring every license delivers value without paying for unused capacity.
How do you identify unused SaaS licenses?
SaaS Management platforms identify unused licenses by tracking user activity over time. Users who haven't accessed an application in 30, 60, or 90 days may have licenses that can be reclaimed. Platforms track last login dates, frequency of access, and depth of usage to identify candidates for license reclamation. CerteroX for SaaS provides license utilization analysis that highlights underused subscriptions and calculates cost per user to help prioritize optimization efforts.
What is license reclamation?
License reclamation is the process of removing licenses from inactive users and either reducing subscription quantities (reducing cost) or redeploying those licenses to users who need them (avoiding new purchases). Effective reclamation requires accurate usage data, defined policies for what constitutes "inactive," and workflows for removing access. Organizations that implement regular license reclamation cycles typically reduce SaaS spending significantly without impacting productivity.
How do you handle overlapping applications?
Many organizations have multiple applications that serve the same purpose, such as three project management tools or five file sharing services, because different departments adopted different solutions independently. SaaS Management platforms help identify these overlaps by categorizing applications by function. Organizations can then consolidate to preferred applications, reducing both subscription costs and complexity. Consolidation requires change management to migrate users from retiring applications to the chosen standard.
What is vendor rationalization?
Vendor rationalization is the strategic reduction of SaaS vendors to simplify management, increase negotiating leverage, and reduce costs. Instead of having subscriptions with dozens of vendors, organizations identify preferred vendors for each category and consolidate. This reduces administrative overhead, enables volume discounts, simplifies security reviews, and makes contract management easier. SaaS Management platforms support rationalization by providing visibility into the full vendor landscape.
Renewal Management
Why is SaaS renewal management important?
SaaS subscriptions typically renew automatically, often with price increases, unless organizations actively manage renewals. Without renewal management, organizations continue paying for applications they no longer need, miss opportunities to negotiate better terms, and face unexpected cost increases. Effective renewal management requires knowing when subscriptions renew, reviewing usage before renewals to right-size quantities, and negotiating with vendors while you still have leverage (before the renewal date passes).
How do you track SaaS renewal dates?
SaaS Management platforms maintain a calendar of renewal dates for all tracked subscriptions, providing alerts 90, 60, and 30 days before renewals so organizations have time to review and act. CerteroX for SaaS includes SaaS contract renewal tracking as a core capability. Without centralized tracking, renewal dates are scattered across emails, contracts, and vendor portals, making it easy to miss optimization opportunities.
What should you review before SaaS renewals?
Before each SaaS renewal, organizations should review current license quantities versus actual usage to identify optimization opportunities, feature tier usage to determine if a lower tier would suffice, user satisfaction and business value to confirm the application is still needed, alternative applications that might better serve the need, and contract terms to identify negotiation opportunities. This review process, enabled by usage data from SaaS Management platforms, can significantly reduce renewal costs.
How do you negotiate SaaS renewals?
Effective SaaS negotiation requires accurate usage data that demonstrates your actual needs versus contracted quantities. When you can show a vendor that only 60% of your licenses are actively used, you have leverage to reduce quantities or negotiate price reductions to justify maintaining current quantities. Timing matters as well: vendors are more flexible before renewal dates than after. Multi-year commitments, consolidated purchases, and competitive alternatives also provide negotiation leverage.
Security and Compliance
What security risks does Shadow SaaS create?
Shadow SaaS creates security risks because IT cannot assess, monitor, or protect applications it doesn't know exist. Unvetted applications may have inadequate security controls, exposing organizational data to breaches. Employees may share sensitive data with SaaS applications that don't meet security standards. When employees leave, their access to Shadow SaaS applications may not be revoked because IT doesn't know the accounts exist. Shadow SaaS also bypasses security reviews that would identify applications with poor security track records or concerning data handling practices.
How do you identify risky SaaS applications?
SaaS Management platforms help identify risky applications by maintaining databases of application security characteristics, flagging applications that may not meet organizational standards. Risk indicators include lack of SOC 2 compliance, inadequate encryption, data residency in unapproved locations, poor privacy practices, or security incidents in the application's history. CerteroX for SaaS enables risky app identification and supports policies for approved and denied application lists to guide users toward secure alternatives.
How does SaaS Management support access governance?
SaaS access governance ensures the right people have access to the right applications with appropriate permissions. SaaS Management platforms provide user access visibility showing who can access each application, support access reviews to validate that access is still appropriate, enable ownership assignment so someone is accountable for each application, and track user origins (where access was granted, such as Entra ID, Okta, or direct signup). This governance reduces risk from inappropriate access and supports compliance requirements.
How does SaaS Management help with compliance?
SaaS Management supports compliance by providing visibility into where organizational data resides (which applications store what data), demonstrating control over application access and usage, documenting security reviews and approval processes, tracking policy compliance (are users following approved application lists), and enabling audit reporting on SaaS usage and governance. For organizations subject to regulations like GDPR, HIPAA, or SOC 2, this visibility and documentation are essential for demonstrating compliance.
CerteroX for SaaS
What is CerteroX for SaaS?
CerteroX for SaaS is Certero's SaaS Management solution providing Shadow IT discovery, SaaS application visibility, license optimization, and governance capabilities. It uses multiple discovery methods, including browser extensions for Chrome, Edge, and Firefox, plus identity provider integrations with Entra ID and Okta, to build a comprehensive inventory of SaaS applications across the organization. CerteroX for SaaS enables organizations to discover Shadow IT, optimize SaaS spending, and establish governance over their SaaS landscape.
What discovery methods does CerteroX for SaaS use?
CerteroX for SaaS uses four primary discovery methods. Browser extension discovery deploys extensions to Chrome, Edge, and Firefox that detect web application usage. Native Messenger captures Windows SSO authentication events. Entra ID connector integrates with Microsoft's identity platform to discover Azure AD-integrated applications. Okta connector integrates with Okta to discover SSO-connected applications. These methods combine to provide comprehensive visibility into both sanctioned applications and Shadow IT.
What can CerteroX for SaaS discover and manage?
CerteroX for SaaS provides visibility into all SaaS applications in use, identifies Shadow IT and Shadow AI, tracks user access to each application, monitors usage patterns and adoption rates, calculates cost per user and department, tracks subscription renewal dates, analyzes license utilization, supports application classification as managed or unmanaged, enables ownership assignment for accountability, and provides governance through approved and denied application lists.
How is CerteroX for SaaS deployed?
Browser extensions for CerteroX for SaaS can be deployed through GPO (Group Policy Objects), Microsoft Intune, or manual installation. The Native Messenger component installs via MSI and supports silent deployment through GPO, Intune, or SCCM. Identity provider connectors are configured through API integration. The platform itself is cloud-based, requiring no on-premises infrastructure. This deployment flexibility allows organizations to implement discovery quickly across their managed device fleet.
How does CerteroX for SaaS relate to the CerteroX platform?
CerteroX for SaaS is one module of the CerteroX unified platform, which also includes capabilities for IT Asset Management, Software Asset Management, and Cloud FinOps. This unified approach means SaaS visibility integrates with broader IT asset visibility, providing a single source of truth across installed software, SaaS subscriptions, and cloud resources. Organizations using CerteroX get comprehensive hybrid IT visibility rather than siloed point solutions.
What results do customers achieve with CerteroX for SaaS?
Customers implementing CerteroX for SaaS report up to 40% reduction in SaaS spend through discovery of Shadow IT, license optimization, and vendor consolidation. 97% of Certero customers recommend the platform, and Certero is the number one rated solution on Gartner Peer Insights for IT Asset Management. The combination of comprehensive discovery, actionable insights, and integration with broader IT asset management enables organizations to take control of SaaS spending and governance quickly.
About Certero
Certero delivers next-generation AI-powered Hybrid IT Asset Management through CerteroX, the unified platform for ITAM, SAM, SaaS, Cloud, and AI management. As the number one rated solution on Gartner Peer Insights and four-time Customers' Choice winner, Certero helps organizations reverse the trend of IT cost, risk, and governance spiraling out of control.
Founded in 2007 and trusted by organizations in 30+ countries, Certero provides comprehensive visibility and control across the entire hybrid IT landscape.
Learn more: https://www.certero.com
Last updated: February 2026