
SaaS Sprawl: Unmanaged Apps Drain Budgets and Open Security Gaps

· Infonaligy

Most SMBs run twice the SaaS apps their IT team knows about. That creates redundant costs, ungoverned access, and blind spots attackers exploit.


The average company with 200 employees now runs over 100 SaaS applications, according to BetterCloud’s 2023 State of SaaSOps report. IT departments typically manage fewer than half of them. The rest were purchased on department credit cards, signed up for with free trials that converted to paid plans, or adopted by individual employees who needed a quick fix for a real problem. Those unmanaged applications create two compounding issues: they waste money through redundant subscriptions and unused licenses, and they open security gaps that your existing tools can’t see.

For a 50 to 200 person company, SaaS sprawl is rarely the result of carelessness. It’s the natural outcome of distributed purchasing, rapid team growth, and the sheer number of tools available for every business function. Marketing buys one project management tool, engineering buys another, and operations picks a third. Nobody intended to run three overlapping platforms, but nobody had visibility to prevent it either.

What SaaS Sprawl Actually Looks Like

At a 100-person company, SaaS sprawl follows a predictable pattern. Each department selects tools that solve their immediate needs. Sales adopts a CRM. Marketing signs up for a design tool, an email platform, and a social media scheduler. HR brings in an applicant tracking system and a benefits portal. Finance runs an expense tool and an AP automation platform. Every one of those decisions made sense individually.

The problem becomes visible when you audit the full stack. Zylo’s 2024 SaaS Management Index found that organizations underestimate their SaaS portfolio by 2 to 3x. A company that thinks it uses 40 applications typically uses 80 to 120. The gap comes from free-tier tools, browser extensions, and subscriptions purchased outside of IT procurement.

That gap means your IT provider or internal IT team is securing and managing only a fraction of the tools your employees actually use to do their work. Policies around data protection, access controls, and acceptable use don’t apply to tools nobody knows about.

The Security Risks You Cannot See

Unmanaged SaaS applications bypass every security control your organization has in place. They sit outside your single sign-on (SSO) environment, which means employees log in with standalone passwords that may be reused from personal accounts. They lack multi-factor authentication enforcement, which means a single compromised password gives an attacker full access to whatever data lives in that tool. And they operate without the logging and monitoring your managed applications provide, so you have no way to detect suspicious activity.

Three specific risks stand out for SMBs:

Ungoverned data sharing. Employees upload customer lists, financial reports, and proprietary documents into applications your IT team doesn’t monitor. Those tools have their own data retention policies, their own sharing permissions, and their own breach notification obligations. If an unmanaged SaaS vendor gets breached and your customer data was stored there, you may not find out until the vendor’s public disclosure, weeks or months after the exposure.

Orphaned accounts after employee departures. When someone leaves your company, your IT team disables their Active Directory or Microsoft 365 account and revokes access to managed systems. But accounts in unmanaged SaaS tools remain active indefinitely. A 2023 Productiv study found that 56% of SaaS licenses assigned to departed employees were still active 90 days after their last day. Those orphaned accounts are an open door, especially if the former employee used a personal email address to register. The risk of stolen credentials being used for unauthorized access multiplies when the accounts they unlock are invisible to your security team.

Compliance exposure. Regulated industries face specific requirements about where and how data is stored. HIPAA requires healthcare organizations to track every system that handles protected health information. PCI DSS mandates controls on systems that process cardholder data. The Texas Data Privacy and Security Act (TDPSA) requires businesses to maintain data inventories. Unmanaged SaaS applications make compliance with any of these frameworks unreliable because your data inventory is incomplete by definition.

The Cost Problem Is Bigger Than Most CFOs Realize

Security gets the headlines, but the financial waste from SaaS sprawl compounds quietly. Gartner estimates that 25% of SaaS spend is wasted on unused, underused, or duplicate licenses. For a company spending $200,000 annually on software subscriptions, that’s $50,000 in waste per year.

The waste takes three forms:

  • Redundant tools. Three project management platforms, two video conferencing tools, and multiple file-sharing services serving the same function across different departments. Each carries its own per-seat licensing cost.
  • Unused licenses. Subscriptions purchased for employees who left months ago, or enterprise plans where only 30% of the paid features are used.
  • Tier creep. Free tools that auto-converted to paid plans after trial periods ended, billed to a department credit card and never reviewed.

Most SMBs discover these costs only when someone runs a company-wide software audit for the first time. The total is almost always higher than leadership expected, because the spending is distributed across dozens of cost centers and card statements rather than consolidated in one IT budget line.

Five Steps to Get Your SaaS Stack Under Control

You don’t need a dedicated SaaS management platform to start. The initial steps are operational, and your managed IT provider can handle most of them.

1. Run a discovery audit. Start with a full inventory of every SaaS application in use across the company. Pull data from SSO logs, browser extension reports, expense reports, credit card statements, and DNS queries. The goal is a complete list, not a perfect one. You’ll refine it over time, but you need a baseline.

2. Consolidate redundant tools. Once you have visibility, identify applications that serve the same function. Pick one, migrate the data, and decommission the rest. This is where the immediate cost savings come from. Consolidation around your Microsoft 365 environment is often the fastest win, since most SMBs already pay for collaboration, file storage, and communication tools they aren’t fully using.

3. Enforce SSO and MFA on every business application. Any SaaS tool that handles company data should be behind your SSO provider with MFA enabled. Applications that don’t support SSO should be evaluated for replacement. This single step eliminates standalone passwords, gives you centralized access logging, and makes offboarding reliable because disabling an SSO account revokes access to every application federated through it.

4. Build offboarding into your termination process. Your employee departure checklist needs a step that revokes access to every SaaS application, not just Active Directory and email. This requires the inventory from step one. Without it, your IT team is guessing which accounts to disable, and they will miss the ones they don’t know about.

5. Review quarterly. SaaS sprawl isn’t a one-time problem. New tools get adopted every month. Set a quarterly review cycle where IT and finance jointly audit the software inventory, verify license utilization, and confirm that access controls are current. A regular cybersecurity risk assessment should include SaaS governance as a line item, not treat it as a separate exercise.

Why This Matters for Your Next Insurance Renewal

Cyber insurance carriers have tightened their underwriting requirements significantly. As we covered in our post on 2026 cyber insurance renewal requirements, carriers now ask for documentation of access controls, MFA deployment, and data inventories. Unmanaged SaaS applications make it difficult to answer those questions honestly. If your application states that MFA is enforced on all company systems but half your SaaS stack sits outside your SSO, that’s a gap that could lead to a claim denial.

Getting SaaS sprawl under control isn’t just an IT efficiency project. It directly affects your security posture, your compliance obligations, and your ability to get fair terms on your cyber insurance policy.

Need Help With SaaS Management?

Our team can help you audit your application stack, eliminate redundant costs, and close the access control gaps that sprawl creates.


Where to Start This Week

Pull your company credit card statements from the last six months and search for recurring software charges. That single exercise will surface tools your IT team doesn’t know about. Share the list with your IT provider and ask them to map each tool against your SSO inventory. The delta between those two lists is your SaaS sprawl, and closing that gap is the first step toward both cost savings and better security.
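As an added example (not tooling from the original post), the following Python script performs the card-statement-versus-SSO delta described in step 1 and in the section above: it parses constructed statement lines, keeps only merchants billed at the same amount in two or more months, and reports those whose vendor key is absent from a hypothetical SSO application inventory.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample statement lines: "YYYY-MM-DD,merchant,amount,cardholder" (hypothetical data)
STATEMENT_CSV = """\
2024-01-03,NOTION LABS,96.00,marketing
2024-02-03,NOTION LABS,96.00,marketing
2024-03-03,NOTION LABS,96.00,marketing
2024-01-15,FIGMA INC,45.00,marketing
2024-02-15,FIGMA INC,45.00,marketing
2024-03-15,FIGMA INC,45.00,marketing
2024-02-20,OFFICE DEPOT,212.48,operations
2024-01-10,ZOOM.US,149.90,sales
2024-02-10,ZOOM.US,149.90,sales
2024-03-10,ZOOM.US,149.90,sales
2024-03-22,TRELLO ATLASSIAN,60.00,operations
"""

# Constructed list of vendor keys for applications federated through the SSO provider (hypothetical)
SSO_APPS = {"zoom", "microsoft", "salesforce"}

def parse_statement(csv_text):
    """Turn the CSV text into (date, merchant, amount, cardholder) tuples."""
    rows = []
    for line in csv_text.strip().splitlines():
        d, merchant, amount, holder = line.split(",")
        rows.append((date.fromisoformat(d), merchant, float(amount), holder))
    return rows

def recurring_charges(rows, min_months=2):
    """Merchants billed to the same card at the same amount in at least min_months distinct months."""
    seen = defaultdict(set)
    for d, merchant, amount, holder in rows:
        seen[(merchant, amount, holder)].add((d.year, d.month))
    return {k: months for k, months in seen.items() if len(months) >= min_months}

def normalize(merchant):
    """Crude vendor key: first token of the merchant string, lowercased, with a trailing TLD removed."""
    token = merchant.lower().split()[0]
    return re.sub(r"\.(com|us|io)$", "", token)

def saas_delta(rows, sso_apps):
    """Recurring software vendors on the statements that are not in the SSO inventory (the sprawl)."""
    delta = {}
    for (merchant, amount, holder), months in recurring_charges(rows).items():
        vendor = normalize(merchant)
        if vendor not in sso_apps:
            delta[vendor] = {"holder": holder, "monthly": amount, "months_seen": len(months)}
    return delta

if __name__ == "__main__":
    for vendor, info in saas_delta(parse_statement(STATEMENT_CSV), SSO_APPS).items():
        print(f"{vendor}: {info['holder']} card, ${info['monthly']:.2f}/month, seen {info['months_seen']} months")
```

One-off charges (the office supply line, the single Trello payment) are dropped so the list only contains subscriptions worth mapping against the SSO inventory.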

Tags: saas-management, shadow-it, cost-optimization, access-control