Building a SaaS inventory: what's actually running in your business?

The average SMB has 47 active SaaS subscriptions. Half of them fly completely under the radar. Without an inventory, access management is impossible — you can't check the doors if you don't know they exist.

Access management without an inventory is a losing battle. You can only review who has access to what once you know what "what" actually exists.

How to put together a working list

\n
1. Start with your credit card and bank statements. Filter for recurring charges from SaaS vendors. This covers your known subscriptions.
\n
2. Ask every department head. "Which tools does your team use that weren't set up through IT?" Brace yourself for the answers.
\n
3. Check your DNS logs (or use Cloudflare). Which domains are visited most often from company devices? *.slack.com, *.notion.so, *.hubspot.com …
\n
4. SSO logs. If you use Microsoft 365 or Google Workspace as your SSO provider, all connected apps are listed in the admin console.
\n
5. Map out your shadow IT. Tools people bought with personal accounts and personal email addresses — you'll want to either formalise or replace these.
\n

What to record for each SaaS tool

\n
• Name + URL
\n
• Business purpose (in 1 sentence)
\n
• Data classification: what sensitive data does it hold?
\n
• Number of users + €/month
\n
• Owner (internal responsible party)
\n
• Admin account: where are the credentials stored?
\n
• MFA: on / off / per-user
\n
• SSO: yes / no / possible-but-not-enabled
\n
• Contract end date
\n

Frequency: update every quarter

Tie this to your access review. One review moment, two goals: check existing access and bring your inventory up to date.

Save money while you tidy up

Every time you run an inventory round, you'll find 2–5 subscriptions you can cancel or scale back. That more than pays for the effort.

See also: cleaning up shadow IT for the human side of the story (colleagues don't love it when you take away their favourite tool).