SaaS Sprawl — IT definition

SaaS sprawl refers to the uncontrolled growth of SaaS applications in use across an organization, typically well beyond what the CIO officially knows. It is one of the most structuring — and most problematic — phenomena of 2020s IT.

Per Productiv, an average company uses 285 SaaS apps in 2024, up from 130 in 2019. Large enterprises often top 500 to 1,000 applications. And per BetterCloud, the CIO officially knows only 30 to 50 % of these applications — the rest is Shadow IT or undocumented IT.

Causes of SaaS sprawl

Several converging factors feed the sprawl:

• •Near-zero purchase friction: anyone can subscribe to a SaaS with a personal credit card or a free trial in minutes.
• •Multiple decision makers: marketing, HR, sales, finance, engineering buy their own tools without central coordination.
• •Freemium models: viral adoption inside teams before contracts come in.
• •M&A: each acquisition adds the SaaS portfolio of the acquired entity.
• •Turnover and silos: tools bought by a team outlive its departure or breakup.
• •Tech innovation: new SaaS launched weekly, adopted fast, forgotten slowly.

Symptoms

SaaS sprawl shows in several measurable symptoms:

• •Functional duplicates: 3 videoconferencing tools, 5 project management tools, 7 note-taking apps.
• •Ghost licenses: users gone for months still keeping their access.
• •Spend scattered: spend across hundreds of corporate cards, invisible to financial control.
• •Security surface: SaaS apps outside SSO, without MFA, holding sensitive data.
• •Data scattered: customer data in 15 unsynchronized tools.
• •Fragile compliance: impossible to produce an exhaustive GDPR or NIS2 inventory.

Hidden costs

SaaS sprawl generates several cost layers:

• •Direct costs: unused licenses (30 to 40 % of the estate per Zylo), functional duplicates.
• •Integration costs: maintenance of integrations between redundant tools.
• •Operational costs: user support multiplied by 10 tools rather than 2.
• •Security costs: incident remediation tied to forgotten SaaS.
• •Compliance costs: longer audits, potential fines.
• •Opportunity costs: time lost between tools, data not consolidated.

Estimated total: 20 to 40 % of SaaS spend of an average enterprise, hundreds of thousands of euros per year for a 200-employee SMB.

Cyber risks

Every ungoverned SaaS is:

• •One more user account to compromise.
• •A potential data leak (a sales rep copying their CRM into a non-approved tool).
• •An unaudited integration with other systems.
• •A target for credential stuffing (password reuse).
• •A risk to suppliers and customers (supply chain attacks).

NIS2, DORA, and GDPR now require an exhaustive map of SaaS handling sensitive data.

How to control SaaS sprawl

Three action pillars:

### 1. Continuous discovery

Identify every SaaS application in use, including the undeclared:

• •SSO logs: applications connected to the identity provider.
• •Browser extensions: passive detection of professional URLs visited.
• •Financial data: expense reports and corporate card analysis.
• •Network discovery: outbound flows toward SaaS domains.
• •API providers: OAuth calls and webhooks.

This is exactly what SaaS Management Platforms (Kabeen, Zylo, BetterCloud, Productiv, Torii) automate.

### 2. Rationalization

Once the picture is taken:

• •Identify duplicates: by functional capability.
• •Negotiate consolidations: move from 3 video tools to 1 enterprise standard.
• •De-assign unused licenses: .
• •Connect validated apps to [SSO](/en/glossary/sso): .
• •Decommission forgotten apps: after a grace period.

See application rationalization.

### 3. Preventive governance

To stop the sprawl from rebuilding:

• •SaaS purchasing policy: any new SaaS must go through a committee.
• •Reference catalogue: validated applications and their alternatives.
• •Onboarding workflow: integrate each new SaaS into SSO and ITAM.
• •Quarterly review: usage, costs, compliance.
• •Awareness: train buyers (managers, business teams) on the stakes.

SaaS sprawl and AI

The sprawl now extends to AI: personal ChatGPT, Claude for developers, Midjourney for marketing, various AI agents — all adopted without approval. This is Shadow AI, the natural evolution of SaaS sprawl into the generative era. Governance must extend accordingly (cf. ISO 42001).