Contributing authors: Kristine Briggs, Vinay Patel and Jocel Siglos
The OIC SaaS Governance Maturity Model (SGMM) defines four distinct stages of maturity:
Level 1: Chaotic – No oversight, resulting in shadow IT and unmanaged costs
Level 2: Emerging – Initial awareness, with inconsistent controls and visibility
Level 3: Managed – Structured policies and tools are in place, but governance is still largely manual
Level 4: Optimized – Governance is automated, strategic, and aligned with business objectives
This article focuses on the critical transition between Levels 2 and 3, helping organizations move into a state of Managed SaaS governance.
Once an organization reaches the "Emerging" level in SaaS governance, it has already acknowledged the risks and inefficiencies of uncontrolled SaaS usage. There may be a basic application inventory, early-stage cost controls, and some initial security practices in place. However, governance is still reactive and inconsistent. To truly realize the benefits of SaaS across the business (such as reduced waste, increased visibility, and lower risk), teams must advance to the "Managed" stage. This transition involves institutionalizing SaaS governance through formalized policies, automation, ownership, and cross-functional collaboration.
In this article, we explore the critical steps to take your SaaS program from Emerging to Managed, turning loosely governed efforts into structured, repeatable, and scalable practices.
At the Managed level, SaaS governance is no longer dependent on individual discretion or informal conversations. Organizations should create standardized workflows for evaluating, approving, and procuring new SaaS tools. This includes:
Centralizing intake via a formal request process
Establishing evaluation criteria for security, compliance, and business fit
Routing approvals through IT, Procurement, Finance, and Legal, as appropriate
Workflows should be documented, visible, consistent, and well-communicated. This step helps reduce redundant purchases, enforces accountability, and prevents non-compliant software from entering the environment.
Policies at this stage must be formalized and communicated across the organization. These policies might include:
Acceptable use standards
Application evaluation and renewal cycles
License assignment and optimization protocols
Minimum requirements for data security and compliance
Layered on top of these policies should be role-based access controls (RBAC), ensuring users are only granted access to tools and features appropriate for their function. RBAC not only strengthens the organization's security posture, it also enables automation of onboarding and offboarding workflows.
To scale effectively, manual governance needs to evolve into automated workflows and integrated tools. This includes implementing solutions that:
Continuously discover and inventory SaaS applications
Track license utilization and spend
Automate user provisioning and deprovisioning
Monitor compliance and flag policy violations
Investing in a SaaS Management Platform (SMP) or ITAM/SAM tools at this stage helps operationalize governance. These platforms create a single source of truth and allow governance practices to be embedded in daily workflows.
SaaS is not just an IT issue. In the Managed stage, governance becomes a shared responsibility across IT, Finance, Legal, Procurement, and Business Units. A governance committee or working group should meet regularly to:
Review application usage and renewals
Approve or deny incoming requests
Evaluate compliance posture
Refine governance policies and tooling
This approach ensures decisions are not made in silos and that governance aligns with broader business priorities.
Governance should not be static. Organizations need processes in place for regular reporting and continuous optimization. KPIs at this stage may include:
Percentage of applications with assigned owners
Percentage of licenses actively in use
Percentage of renewals reviewed before auto-renewal
Percentage of security and compliance issues flagged
These insights should drive quarterly reviews that refine policies, rationalize spend, and promote a culture of accountability.
Moving from Emerging to Managed is about moving from informal to intentional. It’s where SaaS governance transforms from a series of reactive actions to a reliable, structured function that supports scale, security, savings, and business needs.
By implementing formal workflows, policies, automation, and cross-functional accountability, organizations create the operational discipline needed to manage SaaS efficiently at scale.