Procurement Hasn't Been the Source of Truth for SaaS Since 2018
- Martin Snyder

- May 13
- 3 min read
Here's a fun exercise. Ask your procurement team for the list of SaaS applications your company uses. They'll send you a spreadsheet. It will be impressively organized. It will list vendor contacts, renewal dates, contract terms, and annual spend. It will look like exactly what an inventory of your SaaS estate should look like.
Now go ask a sales rep what tools they use. The set of vendors they list will overlap with the procurement spreadsheet by maybe 40%.
Procurement was a choke point. Then it wasn't.
There was a time when procurement worked. It worked because buying software was hard. You had to negotiate. You had to sign a contract. You had to wait for accounts payable to cut a check. The slow, painful process of acquiring software meant that every piece of software in the building had passed through someone in procurement at some point. The system of record matched reality.
Then the cloud happened. Then credit cards. Then free tiers. Then OAuth. By about 2018, the gap between "what procurement knows about" and "what people use" had become structural rather than incidental. A salesperson who wants to try a new tool clicks "Sign up with Google" and is using it in 30 seconds. There's no PO, no contract, no procurement record. The tool processes customer data anyway.
The polite fiction
The reason this matters is that downstream of "what procurement knows about" is basically everything else. Your security risk register starts there. Your audit evidence package starts there. Your vendor management program starts there. Your data privacy impact assessments start there. Your AI governance registry starts there.
If the procurement list is missing 60% of the SaaS you actually use, every downstream artifact inherits the gap. Your SaaS and AI inventory is fiction — that's not a clever way of saying it. It's literally accurate in most organizations.
The corporate card is the new procurement
So why hasn't the gap closed? Because closing it would require a procurement function that operates at the speed of "Sign up with Google." That's not what procurement is for. Procurement exists to negotiate prices, manage risk on big contracts, and ensure regulatory diligence. Asking it to also be a real-time inventory feed is a category error.
The actual source of truth in 2026 is the combination of three things: the corporate identity provider, the OAuth grant tables in your workspaces, and the email metadata that shows new signups. That's where SaaS adoption actually happens. The marketing and sales analysis walks through what this looks like in one specific function.
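The reconciliation this implies, as an added example that is not code from the original post or from Waldo Security: a constructed OAuth grant table and a few constructed signup emails are merged into one identity-anchored inventory and compared with a constructed procurement list; the record field names are assumptions, not any real export schema.

```python
"""Identity-anchored SaaS discovery vs. the procurement spreadsheet (added example,
not Waldo Security's code). All records and field names below are constructed."""
import re

PROCUREMENT = ["Salesforce", "Slack", "Zoom", "DocuSign", "Workday"]
OAUTH_GRANTS = [  # constructed workspace grant table: which user authorized which app
    {"user": "ana@example.com", "app_domain": "salesforce.com"},
    {"user": "ana@example.com", "app_domain": "calendly.com"},
    {"user": "ben@example.com", "app_domain": "calendly.com"},
    {"user": "ben@example.com", "app_domain": "notion.so"},
    {"user": "cy@example.com", "app_domain": "slack.com"},
]
SIGNUP_EMAILS = [  # constructed mailbox metadata: headers only, no bodies
    {"to": "ana@example.com", "from": "hello@loom.com", "subject": "Welcome to Loom!"},
    {"to": "ben@example.com", "from": "noreply@notion.so", "subject": "Verify your email"},
    {"to": "cy@example.com", "from": "deals@vendor-news.com", "subject": "50% off this week"},
]

def _norm(name):
    """Collapse 'Salesforce', 'salesforce.com' and 'Sales Force' to one comparison key."""
    return re.sub(r"[^a-z0-9]", "", re.sub(r"\.[a-z]+$", "", name.strip().lower()))

def _record(inv, domain, source, user):
    app = inv.setdefault(_norm(domain), {"domain": domain, "sources": set(), "users": set()})
    app["sources"].add(source)
    app["users"].add(user)

def build_inventory(oauth_grants, signup_emails):
    """Merge the OAuth grant table and signup-style emails into one app inventory."""
    inv = {}
    for g in oauth_grants:
        _record(inv, g["app_domain"], "oauth", g["user"])
    for m in signup_emails:
        if re.search(r"welcome|verify|confirm", m["subject"], re.I):  # skip marketing mail
            _record(inv, m["from"].split("@", 1)[1], "email", m["to"])
    return inv

def reconcile(inventory, procurement_vendors):
    """How much of the observed estate does the procurement list cover?"""
    known = {_norm(v): v for v in procurement_vendors}
    seen, known_keys = set(inventory), set(known)
    return {
        "coverage": round(len(seen & known_keys) / len(seen), 2) if seen else 1.0,
        "shadow": {inventory[k]["domain"]: len(inventory[k]["users"])
                   for k in sorted(seen - known_keys)},
        "unused": sorted(v for k, v in known.items() if k not in seen),
    }

REPORT = reconcile(build_inventory(OAUTH_GRANTS, SIGNUP_EMAILS), PROCUREMENT)
```

On the constructed data the procurement list covers 40% of what identity and mailbox signals observe, and three of the five procured vendors show no observed usage at all.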
What this means for your security program
Stop building your security program on the procurement list. Start building it on the identity-anchored discovery surface. The Cloud Security Alliance has been making this point in its SaaS governance research for a few years. The NIST Cybersecurity Framework 2.0 asset management functions assume a live inventory, not a quarterly export from accounts payable. The AICPA SOC 2 examination increasingly asks for evidence that the inventory is complete, not just current.
None of that works if procurement is your source of truth. Sprawl eats budgets for the same reason — you can't optimize what you can't see, and procurement was never going to see it.
Discovery is the alternative source of truth. Waldo Security's SaaS Discovery produces an identity-anchored, continuously updated picture of the SaaS estate — including the 60% that procurement was never going to find. The procurement system stays useful for what it was always good at. The inventory stops being a polite fiction.
Want to see your real SaaS footprint, not the procurement-flavored one? Set up a demo. We'll send the side-by-side comparison.