How to regain visibility and control with SaaS and AI governance

SSO and card data are useful but incomplete because many tools enter through free tiers, personal signups or alternate access paths. The webinar’s outcome is a visibility approach that combines multiple signals so you can identify what is in use and who is using it, then decide what requires governance.

Treat AI like SaaS: define guardrails, keep the process practical and focus first on visibility and measurement. The outcome is an AI governance baseline that covers approved tools, data handling expectations and reporting requirements so teams can adopt AI with less risk.

If you cannot see what apps exist, how they connect or whether access is removed when users leave, you increase exposure to data loss and incidents. The outcome is reduced cyber risk by prioritizing control for sensitive apps and closing offboarding and integration gaps.

Start with renewal discipline: track notice periods, identify what you already pay for and prevent silent renewals that lock spend for another term. The outcome is faster savings because you regain negotiation leverage before cancellation windows close.

AI tools can be consumption-based, credit-based or bundled into higher tiers that become hard to downgrade once adopted. The outcome is fewer surprises by tracking usage, educating users on efficient prompting and requiring measurable reporting from vendors.

[00:04] Introduction: Managing SaaS and AI complexity

[00:04] Leigh Martin:

Welcome to this session on navigating the SaaS and AI landscape. This discussion focuses on understanding SaaS sprawl, governing AI adoption, and managing risk in increasingly complex technology environments.

[00:20] Rich Gibbons:

This is a critical moment for organizations as SaaS and AI adoption accelerates, creating both opportunities and new challenges for ITAM, FinOps, and security teams.

[00:54] Key themes: SaaS sprawl, governance and AI risk

[00:54] Leigh Martin:

This session covers:

• Understanding SaaS and AI sprawl
• Establishing governance frameworks
• Managing risks in AI and SaaS ecosystems
• Navigating vendor complexity and competition

[01:26] Why SaaS sprawl happens

[01:26] Leigh Martin:

SaaS sprawl happens because software is easy to adopt. Users can access tools quickly with minimal friction, often requiring only a login or payment method.

The main challenge is lack of visibility, especially when:

• Tools are purchased outside centralized procurement
• Free or freemium tools are widely used
• Data sources such as credit card usage or SSO provide incomplete insight

[03:02] Rich Gibbons:

SaaS naturally spreads across organizations because:

• Individuals, teams, and departments adopt tools independently
• Approval processes are bypassed
• Agility is prioritized over governance
• The same characteristics that make SaaS attractive also drive sprawl.

[04:58] How shadow IT and user behavior drive SaaS growth

[04:58] Leigh Martin:

SaaS adoption often happens through:

• User preference (e.g., switching collaboration tools)
• External collaboration with partners
• New hires introducing familiar tools

[07:20] Rich Gibbons:

Strict restrictions rarely work. Users will find ways around them.

Effective governance should act as a guardrail, allowing flexibility while maintaining control and avoiding uncontrolled proliferation.

[09:00] Vendor strategy and the growth of SaaS ecosystems

[09:00] Rich Gibbons:

SaaS growth is also driven by vendor strategy. Publishers are actively pushing subscription models, leading to:

• Duplicate tools with similar functionality
• Increased operational overhead
• Complex licensing structures and pricing tiers

Organizations often manage hundreds of SaaS tools, each with its own:

• Portal
• Licensing model
• Renewal cycle

[12:43] The reality of SaaS application usage

[12:43] Leigh Martin:

Most organizations underestimate their SaaS footprint.

While many believe they manage around 100–150 applications, the actual number is often closer to 1,000 applications per organization when all usage is considered.

This includes:

• Paid subscriptions
• Free tools
• Bundled applications within suites such as Microsoft 365 or Adobe

Understanding both subscriptions and actual usage is critical for effective cost and risk management.

[15:26] AI adoption and evolving pricing models

[15:26] Rich Gibbons:

AI is following similar patterns to SaaS, with:

• Freemium models
• Tiered pricing
• Consumption-based billing

[16:53] Leigh Martin:

AI introduces new complexity, including:

• Usage-based pricing (e.g., tokens or credits)
• User behavior affecting cost
• Prompt quality influencing consumption

Without governance, organizations risk:

• Uncontrolled spending
• Inefficient usage
• Poor cost predictability

[19:26] AI sprawl, vendor lockin, and rapid adoption

[19:26] Leigh Martin:

AI adoption is accelerating, often bundled into enterprise software.

Challenges include:

• Bundle-based pricing models (e.g., Copilot, enterprise tiers)
• Difficulty downgrading once adoption increases
• Rapid user uptake across multiple AI tools

[21:13] Rich Gibbons:

AI sprawl now mirrors SaaS sprawl, but with greater urgency due to:

• Increased attention and investment
• Rapid market expansion
• Emerging governance gaps

[22:23] End-user AI vs back-end AI services

[22:23] Leigh Martin:

AI exists at multiple layers:

• End-user tools (e.g., ChatGPT, Copilot)
• Back-end services (e.g., data platforms, automation workflows)

Back-end AI introduces hidden risks, such as:

• Unexpected consumption costs
• Automated processes scaling usage
• Limited visibility into billing and usage patterns

This creates overlap between SaaS management, FinOps and cloud cost management.

[24:45] Governance, visibility and cyber risk

[24:45] Leigh Martin:

The biggest governance challenge is visibility.

Without visibility, organizations cannot manage:

• Usage
• Risk
• Compliance

[25:48] Leigh Martin:

Risks include:

• Data leakage through unapproved tools
• Uncontrolled file sharing platforms
• SaaS integrations exposing sensitive data

[27:37] Rich Gibbons:

SaaS applications are potential attack surfaces. Strong ITAM practices support cybersecurity by ensuring visibility and control over all applications in use.

[29:47] Managing SaaS lifecycle, access, and risk posture

[29:47] Leigh Martin:

Organizations must manage:

• Application onboarding and approval
• Security posture
• Access and offboarding
• Integration risks

No single tool solves all these challenges.

Instead, organizations must combine:

• SaaS management platforms
• Security posture tools
• Identity and access management
• Governance processes

[32:41] Vendor pressure and enterprise licensing risk

[32:41] Rich Gibbons:

Vendors often identify widespread internal usage and push organizations toward enterprise agreements.

Without visibility, organizations risk:

• Overcommitting to large contracts
• Paying for unnecessary licenses

Understanding real usage is critical before entering negotiations.

[34:27] Generative AI adoption and enterprise impact

[34:27] Leigh Martin:

Since the launch of ChatGPT, generative AI adoption has increased rapidly across enterprises.

AI is being used for:

• Content creation
• Automation
• Productivity improvements

However, governance challenges include:

• Pricing uncertainty
• Data security risks
• Rapid, uncontrolled adoption

[37:33] AI bias, accuracy, and trust considerations

[37:33] Leigh Martin:

AI outputs are not always reliable. Risks include:

• Inconsistent results
• Bias in training data
• Incorrect or fabricated answers

AI should be treated as a support tool, not a source of verified truth.

[40:33] Rich Gibbons:

Real-world cases show that incorrect AI outputs can create legal and operational risk.

Organizations must maintain human oversight and validation.

[41:38] Private AI models and internal use cases

[41:38] Leigh Martin:

Private AI models trained on internal data can improve reliability, but they still require:

• Governance
• Validation
• Clear use cases

AI should enhance decision-making, not replace critical processes.

[42:18] Pricing pressure, vendor dynamics, and regulation

[42:18] Leigh Martin:

AI is driving pricing changes across enterprise software.

Organizations must account for:

• Vendor-driven price increases
• New AI charges and bundles
• Competitive market pressure

[47:59] Rich Gibbons:

Regulation, such as the EU AI Act, is introducing new governance requirements, reinforcing the need for structured AI management.

[52:18] Why there is no single tool for SaaS and AI management

[52:18] Leigh Martin:

There is no single platform that solves SaaS and AI management completely.

Organizations need:

• Multiple tools
• Integrated processes
• Clear governance frameworks

[53:12] Rich Gibbons:

People and processes are as important as technology.

Success depends on how tools integrate and how teams collaborate.

[54:02] First steps: visibility and prioritization

[54:02] Leigh Martin:

The first step is always visibility:

• Identify all applications in use
• Understand usage patterns
• Connect data across systems

Next, prioritize based on organizational goals:

• Cost optimization
• Risk management
• Automation
• Vendor management

[56:22] Quick wins: renewal and spend management

[56:22] Rich Gibbons:

One immediate opportunity is renewal management.

Organizations often:

• Miss renewal windows
• Overpay for unused tools
• Lack insight into contract terms

Improving renewal visibility can deliver rapid cost savings.

[58:21] Final takeaways

[58:21] Rich Gibbons:

SaaS and AI challenges are significant, but organizations can take practical steps to:

• Improve visibility
• Control costs
• Reduce risk

[59:20] Leigh Martin:

AI cannot be avoided. The focus must be on governance, visibility, and responsible adoption.