Stop SaaS Sprawl: A CFO & CIO Guide to Spend Control
SaaS sprawl is the uncontrolled growth of software-as-a-service tools across an organisation, where teams sign up independently, creating duplicate apps, wasted spend and unmanaged security risk. In 2025, enterprises in the US, UK and EU are reducing SaaS sprawl by building a full SaaS inventory, tightening renewals and access governance, and using dedicated SaaS management platforms for visibility, spend optimisation and compliance.
Introduction
If you’re a CIO or CFO in a Fortune 1000-style organisation, you’re probably feeling the effects of SaaS sprawl every budgeting cycle. Marketing in New York buys one CRM, sales in London another, product teams in Berlin quietly adopt three different AI tools and nobody has a single view of what’s actually in use.
By 2025, global SaaS spending is expected to reach roughly $300 billion, with enterprises often running hundreds of cloud apps each. Without a plan, that scale quickly turns into software as a service sprawl: uncontrolled growth, rising costs and mounting compliance exposure.
What Is SaaS Sprawl in the Enterprise?
SaaS sprawl in the enterprise is the uncontrolled proliferation of SaaS applications across business units, regions and teams, beyond what IT and procurement can see or govern. It’s different from healthy cloud adoption because spend, access and data flows are no longer centrally managed, which increases cost, security and compliance risk.
SaaS sprawl vs “normal” SaaS growth
In “normal” SaaS growth, you still have:
A central system of record for apps and vendors
Standard onboarding/offboarding and access controls
Clear ownership for each application
Software as a service sprawl appears when:
Any team can swipe a credit card and buy tools without review
You have overlapping apps (3–4 project tools, multiple CRMs, duplicate BI platforms)
Nobody can answer “which apps does this user have?” with confidence
Recent research suggests enterprises now manage an average of 200–300 SaaS apps, yet IT directly oversees only a minority of that spend.
How SaaS sprawl shows up in US, UK and DACH enterprises
You’ll see SaaS sprawl slightly differently by region and regulator.
US-based enterprises (New York, Austin, Seattle) often wrestle with growth-at-all-costs cultures: every product squad adopts its own stack, while HIPAA, SOC 2 and PCI DSS obligations still apply for healthcare and financial data.
UK organisations (London scale-ups, FCA-regulated firms) face UK-GDPR and Open Banking obligations, but still have teams quietly adopting SaaS for analytics, customer engagement and shadow AI.
DACH & wider EU (Berlin, Munich, Frankfurt) juggle GDPR/DSGVO, BaFin expectations and works council (Betriebsrat) concerns about employee monitoring when they deploy SaaS usage analytics.
In all three regions, shadow IT and shadow AI tools (unapproved gen-AI SaaS) are now major drivers of cloud app sprawl in enterprises. Mak It Solutions’ own work on shadow IT suggests that roughly 30–40% of enterprise SaaS may sit outside formal IT governance.
SaaS sprawl statistics and trends for 2025
A few 2024–2025 trends explain why this is now a board-level topic:
Global SaaS spend is projected at around $300B in 2025, up strongly from 2024.
Enterprises commonly run 200+ SaaS apps, and IT directly manages only a fraction of the contracts and spend.
Studies show SaaS adoption has risen more than 700% since 2016, with a growing share of that usage classed as shadow IT.
Cloud app sprawl in enterprises isn’t slowing. The real question for CIOs and CFOs in 2025 is how to regain control without crushing innovation.

Why SaaS Sprawl Happens So Fast Even with Policies in Place
SaaS sprawl accelerates because sign-up is low friction, budgets are decentralised and most enterprises still lack a real-time inventory of browser-based SaaS. Traditional software asset management (SAM) tools were designed for on-prem licences, not hundreds of web apps tied to SSO and expense systems.
Self-service SaaS, credit cards and shadow IT inside teams
Modern SaaS is intentionally easy to adopt.
Free trials, team-based pricing and in-app upgrades
Monthly billing on credit cards with minimal procurement friction
Integration marketplaces that encourage “just try it” behaviour
In San Francisco or London product teams, it’s normal for a lead engineer or PM to spin up a new analytics, feature flag or collaboration tool in minutes. Multiply that across dozens of squads and you get shadow IT SaaS in marketing, sales, HR and finance long before IT even sees the first invoice.
Mak It Solutions covers this dynamic in depth in Shadow IT Management in 2025: From Risk to Strategic Asset, which shows how unsanctioned SaaS and AI tools spread across New York, London and Berlin teams. (Mak it Solutions)
Distributed work, multi-region teams and multi-currency subscription chaos
Remote and hybrid work across the US, UK, Germany and wider EU add more complexity:
A designer in Manchester buys a tool in GBP, while a data team in Berlin pays in EUR and a US growth team in Austin pays in USD.
Multi-currency FX fees, VAT handling and tax treatments differ by country.
Local subsidiaries often sign their own contracts with vendors like Atlassian, Salesforce or smaller SaaS startups.
Without a consolidated SaaS inventory and spend view, finance teams discover duplicate subscriptions and region-specific pricing gaps late in the year, just as budgets are closing.
Why traditional SAM tools can’t keep up with SaaS sprawl
Classic SAM platforms were built for:
Per-device or per-user licence keys
On-prem or VDI software tracked through agents
Annual true-up cycles with a small number of mega-vendors
They don’t see browser-only SaaS very well, especially when:
Apps are authenticated via SSO (Okta, Entra ID) and just-in-time provisioning
Teams sign up with work emails but pay via expense tools
Shadow AI tools never go through procurement at all
That’s why we now see a dedicated SaaS management market projected to reach several billion dollars by 2030, driven by the need for discovery, spend management and automated governance.
Spend, Licences and Renewals
Financially, SaaS sprawl shows up as wasted licences, duplicate tools, unmanaged renewals and FX/VAT leakage. SaaS spend management differs from general IT cost cutting because it focuses on per-app usage, licence tiers and contract optimisation, not blunt budget freezes.
Top financial impacts for CIOs, CFOs and FinOps teams include:
Wasted or inactive licences
Duplicate or overlapping SaaS applications
Renewals on autopilot with no usage review
FX markups and unmanaged VAT in Europe
Poor negotiation leverage with fragmented contracts
Direct SaaS spend, unused licences and overlapping tools
Global benchmarks suggest many enterprises spend $1,000–$3,500 per employee per year on SaaS tools, with 20–30% of that easily reclaimable through optimisation.
Typical findings in a SaaS spend optimisation exercise:
20–40% of licences unused in the last 90 days
Multiple tools solving the same problem (project management, surveys, BI)
Premium tiers purchased where basic plans are enough
Mak It Solutions often sees SaaS waste surface during broader IT cost optimisation work, where cloud and SaaS are among the biggest quick-win categories. (Mak it Solutions)
Note
All figures are indicative benchmarks, not guarantees. This is not financial advice; always review your own data and constraints.
FX fees, VAT, shadow contracts and renewals on autopilot
Beyond headline licence spend, sprawl hides extra cost:
FX fees and poor exchange rates on USD-billed tools used by UK and EU teams
VAT not reclaimed because invoices sit outside AP workflows
Auto-renewals on corporate cards or PayPal with no central approval
“Shadow contracts” signed locally in Dublin, Amsterdam or Paris that contradict group-wide standards
Connecting SaaS data from AP, corporate cards, expense tools and SSO logs is usually the fastest way to surface this hidden spend.
How finance and FinOps teams reduce SaaS subscription costs
Finance and FinOps teams can materially reduce SaaS costs in the first year by:
Running a SaaS subscription audit combining SSO, AP and card data
Tagging apps by owner, department, region and business criticality
Building a renewal calendar at least 90–120 days ahead of term dates
Negotiating consolidations (one global contract) and right-sizing licences
Setting policy so new SaaS is routed through IT/FinOps for review
This aligns naturally with wider FinOps governance on cloud spend that Mak It Solutions implements in data platforms and multi-cloud architectures. (Mak it Solutions)
Governance, Security and Compliance Risks of SaaS Sprawl
SaaS sprawl doesn’t just waste money: it fragments identity, increases data exposure and makes it harder to prove compliance with GDPR/DSGVO, UK-GDPR, HIPAA, PCI DSS and SOC 2. Regulators like BaFin, the FCA and NHS bodies increasingly expect documented SaaS governance for critical services, not just infrastructure security.
Shadow IT, shadow AI and SaaS access risks
When anyone can adopt SaaS, you quickly get:
Orphaned accounts for employees who left months ago
Over-privileged roles in CRM, ERP and marketing systems
Sensitive data copied into unvetted tools (files, PHI, card data)
Shadow AI tools trained on internal or regulated datasets
A modern enterprise SaaS governance framework needs tight integration with identity platforms (SSO, HRIS) so that joiners, movers and leavers are automatically synced across all apps, not just a core set.
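One way to make the joiner/mover/leaver point concrete is to reconcile an HRIS export against each app’s own account export and surface accounts that should no longer exist. The script below is an added example, not code from the article or from Mak It Solutions; all records are constructed, and the column layouts (email, status, termination date on the HR side; app, email, enabled flag, role on the app side) are assumptions rather than any vendor’s schema.

```python
"""Leaver reconciliation: HRIS export vs per-app account exports.

Added example, not from the original article. The records are constructed
and the export layouts are assumptions, not a specific HRIS or SaaS schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrisRecord:
    email: str
    status: str                     # "active" or "terminated"
    terminated_on: Optional[date]


@dataclass(frozen=True)
class AppAccount:
    app: str
    email: str
    active: bool                    # account still enabled in the app
    role: str                       # constructed role names: admin / editor / viewer


AS_OF = date(2025, 6, 30)           # date the audit is run

HRIS = [  # constructed HR export
    HrisRecord("alice@example.com", "active", None),
    HrisRecord("bob@example.com", "terminated", date(2025, 3, 31)),
    HrisRecord("carol@example.com", "terminated", date(2025, 6, 28)),  # inside grace period
    HrisRecord("dave@example.com", "active", None),
]
ACCOUNTS = [  # constructed exports from two apps
    AppAccount("crm", "alice@example.com", True, "admin"),
    AppAccount("crm", "Bob@example.com", True, "editor"),   # left 91 days ago, still enabled
    AppAccount("crm", "carol@example.com", True, "viewer"),
    AppAccount("crm", "eve@example.com", True, "admin"),    # nobody in HR knows this account
    AppAccount("bi", "bob@example.com", False, "viewer"),   # already disabled, ignore
    AppAccount("bi", "dave@example.com", True, "admin"),
]


def find_orphaned_accounts(hris, accounts, as_of, grace_days=7):
    """Enabled app accounts whose owner left (past the grace period) or is unknown to HRIS.

    Returns sorted (app, email, reason) tuples so the output is stable for ticketing.
    Email comparison is case-insensitive because app exports are rarely normalised.
    """
    by_email = {h.email.lower(): h for h in hris}
    findings = []
    for acct in accounts:
        if not acct.active:
            continue
        rec = by_email.get(acct.email.lower())
        if rec is None:
            findings.append((acct.app, acct.email.lower(), "not in HRIS"))
        elif rec.status == "terminated" and rec.terminated_on is not None:
            gone = (as_of - rec.terminated_on).days
            if gone > grace_days:
                findings.append((acct.app, acct.email.lower(), f"left {gone} days ago"))
    return sorted(findings)


def admin_share(accounts):
    """Fraction of enabled accounts per app holding the admin role.

    A high share is a prompt for an access review, not a verdict on its own.
    """
    total = defaultdict(int)
    admins = defaultdict(int)
    for acct in accounts:
        if not acct.active:
            continue
        total[acct.app] += 1
        if acct.role == "admin":
            admins[acct.app] += 1
    return {app: admins[app] / total[app] for app in total}


if __name__ == "__main__":
    for app, email, reason in find_orphaned_accounts(HRIS, ACCOUNTS, AS_OF):
        print(f"{app}: {email} -> {reason}")
    print(admin_share(ACCOUNTS))
```

Run against real exports, the orphan list becomes the deprovisioning queue and the admin-share table tells you which apps to put first in the periodic access review. The grace period exists because HR termination dates and SSO deprovisioning jobs rarely land on the same day; tune it to your own offboarding SLA.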
Mak It Solutions’ work on shadow IT shows that unmanaged SaaS and AI tools are now one of the highest-risk categories for both cyber and compliance teams. (Mak it Solutions)
Compliance lens: GDPR/DSGVO, UK-GDPR, HIPAA, PCI DSS and SOC 2
Key compliance angles for US, UK and EU enterprises:
GDPR/DSGVO & UK-GDPR
Controllers must know where personal data lives, on what legal basis it’s processed and how to fulfil access/erasure rights, which is difficult if you don’t know half your SaaS apps.
HIPAA
US healthcare organisations must protect PHI across all electronic systems; proposed updates to the Security Rule emphasise robust asset inventories, risk assessment and vendor oversight, which sprawl undermines.

PCI DSS
Cardholder data flowing into SaaS tools (support platforms, spreadsheets, ticketing) may drag those apps into PCI scope. (PCI Security Standards Council)
SOC 2
Trust Services Criteria expect clear change control, access governance and vendor management, all of which are hard to evidence with unmanaged SaaS.
For BaFin-supervised banks in Frankfurt or FCA-regulated firms in London, regulators already expect robust outsourcing and third-party risk management, which increasingly covers SaaS and AI tools, not just big cloud contracts.
Designing an enterprise SaaS governance framework
A practical governance framework usually includes:
SaaS inventory & classification: critical, important, low-risk
Access governance: role-based access, SSO enforcement, periodic reviews
Data governance: which data types (PII, PHI, card data) can be stored where
Regional controls: data residency (US vs UK vs EU regions), AI usage policies
Monitoring & reporting: dashboards for risk, usage and compliance coverage
Mak It Solutions often integrates SaaS governance with wider data and cloud governance initiatives, such as lakehouse architectures and cloud cost optimisation. (Mak it Solutions)
First 90 Days to Get SaaS Visibility
CIOs should spend the first 90 days building an accurate, shared view of all SaaS subscriptions, then establish a simple operating model across IT, finance and security. That way you tackle risk and cost quickly, without placing a blanket freeze on innovation.
Discover and inventory every SaaS app
Your first 30 days should focus on discovery:
Aggregate data sources: SSO logs, expense reports, AP vendor lists, browser extensions and network logs for both US and EU offices.
Tag and normalise apps: group by vendor (e.g. multiple regional instances of Salesforce or Atlassian), region, department and data criticality.
Identify “unknown” tools: anything not on your official app list goes into a review queue, especially AI and data-heavy tools.
Mak It Solutions often combines this with findings from broader shadow IT assessments, so you don’t treat SaaS in isolation. (Mak it Solutions)
SaaS subscription audit checklist for US, UK and EU CIOs
Over the next 30–45 days, run a structured SaaS subscription audit.
Check usage vs licences per app (logins, seats, feature use).
Map invoices to contracts; capture renewal dates and notice periods.
Flag apps with cross-border data transfers (US ↔ EU, UK ↔ EU).
Highlight tools in regulated domains (healthcare, payments, banking, public sector like NHS trusts).
Prioritise 10–20 highest-value or highest-risk vendors for immediate negotiation or remediation.
This is where many CIOs uncover quick wins: consolidating regional instances, switching off unused tiers and aligning contracts for future competitive bidding.
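The discovery steps above (aggregate SSO, card and AP data; normalise vendor names; queue anything not on the approved list) and the audit steps (usage versus contracted seats; a renewal calendar built from contract end dates and notice periods) can be run as one small reconciliation. The script below is an added example, not code from the article or from Mak It Solutions. Every feed is constructed inline, the merchant-name normalisation is a deliberately simple heuristic, and the column layouts are assumptions rather than any identity provider’s, card issuer’s or ERP’s export format.

```python
"""SaaS discovery and subscription audit over three constructed feeds.

Added example, not from the original article. Feeds and layouts are
assumptions; the normaliser is a heuristic you would replace with a
vendor-alias table in practice.
"""
import re
from collections import defaultdict
from datetime import date, timedelta

AS_OF = date(2025, 7, 1)            # date the audit is run

SSO_LOGS = [  # (login date, user, app name as the IdP reports it); constructed
    (date(2025, 6, 20), "alice", "Salesforce"),
    (date(2025, 6, 25), "bob", "Salesforce"),
    (date(2025, 3, 1), "carol", "Salesforce"),    # no login in the last 90 days
    (date(2025, 6, 28), "dave", "Notion"),
    (date(2025, 6, 29), "erin", "Notion"),
    (date(2025, 6, 30), "frank", "SurveyMonkey"),
]
CARD_FEED = [  # (merchant string, amount, currency, department); constructed
    ("NOTION LABS INC", 96.00, "USD", "marketing"),
    ("SURVEYMONKEY*SUB", 39.00, "GBP", "sales"),
    ("MIRO INC", 480.00, "EUR", "product"),
]
AP_VENDORS = [  # (vendor, contract end, notice period in days, contracted seats); constructed
    ("Salesforce, Inc.", date(2025, 9, 30), 60, 5),
    ("Atlassian Pty Ltd", date(2026, 3, 31), 90, 50),
]
APPROVED = {"salesforce", "atlassian", "notion"}   # the official app list

SUFFIXES = {"inc", "ltd", "pty", "labs", "corp", "llc", "sub", "gmbh"}


def normalise(name):
    """Collapse 'NOTION LABS INC', 'Notion' and 'SURVEYMONKEY*SUB' to one key (heuristic)."""
    head = name.split("*")[0].lower()              # card merchants often carry '*SUB' tails
    tokens = [t for t in re.findall(r"[a-z0-9]+", head) if t not in SUFFIXES]
    return tokens[0] if tokens else head.strip()


def build_inventory(sso_logs, card_feed, ap_vendors):
    """Merge the three feeds into one catalogue keyed by normalised app name."""
    inv = defaultdict(lambda: {"sources": set(), "last_login": {}, "card_spend": [], "seats": None})
    for day, user, app in sso_logs:
        key = normalise(app)
        inv[key]["sources"].add("sso")
        prev = inv[key]["last_login"].get(user)
        if prev is None or day > prev:
            inv[key]["last_login"][user] = day     # keep each user's most recent login
    for merchant, amount, ccy, dept in card_feed:
        key = normalise(merchant)
        inv[key]["sources"].add("card")
        inv[key]["card_spend"].append((amount, ccy, dept))
    for vendor, _end, _notice, seats in ap_vendors:
        key = normalise(vendor)
        inv[key]["sources"].add("ap")
        inv[key]["seats"] = seats
    return dict(inv)


def unknown_apps(inventory, approved):
    """Anything seen in any feed but missing from the official list goes to the review queue."""
    return sorted(k for k in inventory if k not in approved)


def unused_seats(inventory, as_of, inactive_days=90):
    """For contracted apps: seats minus users who logged in inside the window."""
    cutoff = as_of - timedelta(days=inactive_days)
    out = {}
    for key, rec in inventory.items():
        if rec["seats"] is None:
            continue                               # no contract on file, nothing to right-size
        active = sum(1 for d in rec["last_login"].values() if d >= cutoff)
        out[key] = rec["seats"] - active
    return out


def renewal_calendar(ap_vendors, as_of, window_days=120):
    """Decision deadlines (contract end minus notice period) that fall inside the window."""
    rows = []
    for vendor, end, notice, _seats in ap_vendors:
        deadline = end - timedelta(days=notice)
        lead = (deadline - as_of).days
        if 0 <= lead <= window_days:
            rows.append((deadline, normalise(vendor), lead))
    return sorted(rows)


if __name__ == "__main__":
    inv = build_inventory(SSO_LOGS, CARD_FEED, AP_VENDORS)
    print("review queue:", unknown_apps(inv, APPROVED))
    print("unused seats:", unused_seats(inv, AS_OF))
    print("renewals due:", renewal_calendar(AP_VENDORS, AS_OF))
```

On the constructed data, Miro and SurveyMonkey land in the review queue because they appear only on cards, Salesforce shows three of five contracted seats idle, and Atlassian shows fifty idle seats because it has a contract but no SSO logins at all, which in a real run is the cue to check whether the app is actually behind SSO before concluding nobody uses it. Only the Salesforce renewal falls inside the 120-day window once the notice period is subtracted from the contract end date, which is the number that matters for the renewal calendar, not the end date itself.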

How IT, finance and security teams collaborate
The final 15–30 days should lock in a lightweight operating model.
IT owns the SaaS catalogue, standards and integration patterns.
Finance/FinOps own spend analytics, forecasts and renewal playbooks.
Security/compliance define guardrails (e.g. no PHI in unsanctioned tools; only GDPR-compliant vendors for EU personal data).
To avoid slowing innovation:
Define fast lanes for low-risk SaaS with pre-approved patterns.
Create intake forms for new tools, with clear SLAs for review.
Offer curated “preferred tools” lists for common needs (project management, BI, surveys) based on your enterprise SaaS governance framework.
Mak It Solutions frequently helps CIOs set up this 90-day programme alongside wider cloud and data modernisation work in US, UK and European enterprises. (Mak it Solutions)
How SaaS Spend & Subscription Management Platforms Help
Modern SaaS management platforms go beyond spreadsheets and generic finance tools by automatically discovering apps, tracking spend, optimising licences and enforcing governance policies. Vendors like Zylo, BetterCloud, Torii, Productiv, Spendflo, Cledara, Vertice and Zluri sit in this category, often integrating with SSO, HRIS, cards and AP.
What a modern SaaS management platform actually does
At a minimum, a SaaS management platform will:
Discover apps automatically via SSO, CASB, network and finance data
Build a unified SaaS catalogue with ownership, risk and usage metadata
Surface spend analytics across currencies, cost centres and regions
Support access governance and automated deprovisioning
Provide playbooks for renewals and app rationalisation
Compared with a spreadsheet plus your ERP, the key difference is continuous, automated discovery and an operational workflow layer.
SaaS spend management, licence optimisation and workflows
Must-have capabilities include:
SaaS spend management: multi-currency support (USD, GBP, EUR), FX insights, VAT handling and spend by department.
SaaS licence optimisation: usage-based right-sizing, inactive user detection, seat reclamation.
Policy-driven workflows: approvals for new SaaS, automatic routing of requests, joiner/mover/leaver automation across apps.
Security & compliance: risk scoring, evidence collection for audits (GDPR, UK-GDPR, HIPAA, PCI DSS, SOC 2). (EUR-Lex)
US, UK and EU buying checklist
When evaluating vendors in San Francisco, London or Munich, add:
Data residency options: US, UK and EU (e.g. Dublin, Frankfurt, Amsterdam regions on AWS/Azure/GCP). (Mak it Solutions)
Support for multi-currency billing and local tax/VAT requirements.
Compliance posture aligned with your sector (e.g., NHS data, BaFin expectations, Open Banking or PCI DSS scope).
Integration depth with your identity providers, HR, finance stack and ticketing (ServiceNow, Jira, ITSM platforms).
Checklist for Choosing the Right SaaS Management Platform
A structured checklist helps you compare SaaS management platforms objectively and build a business case for a pilot. The goal is not just a new tool, but a durable operating model and a path to embed SaaS governance into BAU.
Evaluation criteria for large enterprises and Fortune-1000-style stacks
For complex, global stacks, look at:
Discovery coverage: how many data sources (SSO, CASB, cards, AP, browser) are supported?
Scale & performance: proven deployments in Fortune 1000 or comparable enterprises.
Security & compliance: certifications (SOC 2), data residency choices, encryption standards.
Workflow & automation: ability to drive real changes (offboarding, approvals), not just dashboards.
Reporting: views for CIO, CFO, security and local business leaders across the US, UK, Germany and wider EU.
Questions to ask vendors on pricing, roadmap, integrations and support
In RFPs or demos, ask:
How is pricing structured (by employee, managed app, spend)?
What’s on the roadmap for shadow AI and data-level risk detection?
Which integrations are native vs custom build, and what’s typical implementation time?
How do you support complex org structures and M&A scenarios?
Can you share before/after savings examples from similar enterprises?
Next steps: pilot, rollout and embedding SaaS governance into BAU
A pragmatic next step is to:
Pilot with 3–5 business units in different regions (e.g., London, Berlin, New York).
Target quick wins in year one (e.g., 10–20% SaaS savings and closure of top 10 risk items).
Roll out standardised SaaS governance policies, steering committees and KPIs.
Mak It Solutions often acts as an implementation and advisory partner here, aligning SaaS management with cloud cost optimisation, data governance and broader IT cost optimisation strategies for 2025 CIOs. (Mak it Solutions)

Key Takeaways
SaaS sprawl is structural, not accidental: it is driven by self-service tools, decentralised budgets and hybrid work across US, UK and EU teams.
Cost impact is real and measurable: many enterprises can reclaim 20–30% of SaaS spend in year one through licence optimisation and contract consolidation.
Governance is now a compliance issue: GDPR/DSGVO, UK-GDPR, HIPAA, PCI DSS and SOC 2 all assume you know where data lives and who can access it.
The first 90 days are about visibility, not blame: build a shared inventory, run a structured SaaS audit and agree an operating model between IT, finance and security.
SaaS management platforms are enablers, not silver bullets: they work best when embedded into your FinOps, cloud and data governance frameworks, not bolted on in isolation.
If SaaS invoices, security questionnaires and renewal emails already feel unmanageable, you’re not alone: most enterprises only discover the true extent of their SaaS sprawl when they finally pull the data together.
Mak It Solutions can help you run a 90-day SaaS visibility and optimisation sprint, align it with your cloud/FinOps roadmap and design an enterprise SaaS governance framework that works across the US, UK and EU.
Ready to see where the waste and risk really sit? Book a working session with Mak It Solutions to review your current SaaS landscape and sketch a practical, board-ready action plan.
FAQs
Q : How much SaaS spend should enterprises expect to save in year one of a SaaS sprawl programme?
A : Most large enterprises see a 10–30% reduction in addressable SaaS spend in the first 12 months of a structured programme, depending on how fragmented things are to begin with. Savings usually come from reclaiming unused licences, consolidating duplicate tools, renegotiating contracts and eliminating “nice-to-have” apps that don’t drive outcomes. In strongly regulated sectors (financial services, healthcare, public sector), the headline savings may be slightly lower but are offset by big risk reductions and fewer audit findings.
Q : What internal data sources give the best view of hidden SaaS apps?
A : The richest view of hidden SaaS typically comes from combining SSO logs, corporate card feeds, expense reports and AP/vendor master data. SSO reveals which browser-based tools employees actually log into; expense systems and card data surface subscriptions that never went through procurement; AP systems show contracts paid via invoices. Some enterprises also use secure browser extensions or CASB tools to spot unusual SaaS usage, but you should discuss this with works councils or HR in countries like Germany to address monitoring and privacy concerns.
Q : How can fast-growing scale-ups control SaaS sprawl without adding heavy procurement bureaucracy?
A : Fast-growing scale-ups in London, Berlin or Amsterdam can keep SaaS sprawl in check by introducing lightweight guardrails instead of heavy gates. That usually means having an approved-tool list for common needs, fast-lane reviews for low-risk tools, simple intake forms routed to IT/FinOps and a central SaaS catalogue everyone can search. Automating account provisioning and offboarding through SSO is crucial, as is a quarterly review of top spend categories. The aim is to preserve speed while avoiding a future where every squad has its own CRM, BI tool and AI assistant.
Q : What’s the difference between a SaaS management platform and an ITSM or ERP tool for managing applications?
A : An ITSM tool (like ServiceNow) focuses on incidents, changes and service requests, while an ERP focuses on finance and procurement workflows. A SaaS management platform is specialised: it discovers browser-based apps automatically, tracks licences and usage, optimises spend, and orchestrates access governance across tools. ITSM and ERP systems remain important sources of truth, but they don’t usually provide continuous discovery of shadow SaaS, detailed licence analytics or automated deprovisioning workflows across hundreds of cloud apps.
Q : How should US, UK and EU companies structure SaaS ownership to keep sprawl under control?
A : A simple but effective pattern is to define three roles per SaaS app: an app owner (usually in the business), a data owner (responsible for what data goes in and out) and a budget owner (accountable for cost and ROI). For critical tools, security and compliance representatives also sign off. In US organisations this often sits under a central technology governance board; in the UK and EU, especially in Germany, you should also consider input from data protection officers and works councils. Clear ownership makes it easier to decide which tools to keep, consolidate or retire during periodic SaaS reviews.