Your SaaS management dashboard is beautiful. Every app in your stack. Renewal dates. Usage percentages. A neat red flag next to the tools nobody opened last quarter.

And none of it tells you why Sarah from engineering still has admin access to your production Figma files three months after she moved to a different team.

That's the gap. And it's costing organizations more than most IT leaders realize.

According to Zylo's 2026 SaaS Management Index, the average enterprise still wastes nearly $19.8 million annually on unused SaaS licenses - even after years of investment in spend visibility tools. The insight is there. The action isn't.

This post draws a clear, honest line between what SaaS management tools do well, where they stop, and why identity governance is the enforcement layer that makes the rest of it actually work.


What SaaS Management Tools Are Actually Built For

Let's be direct: tools like Zylo, Productiv, and Zluri's SaaS management side are genuinely useful. They solve a real problem - and they solve it well.

Their core value is visibility:

  • App discovery: Finding every SaaS tool in your environment, including shadow IT that Finance never approved and IT never heard of
  • Spend tracking: Centralizing contract metadata, renewal dates, and cost-per-seat data so procurement and IT work from the same numbers
  • License utilization reporting: Flagging which users haven't logged in, which tools are underused, and where you're paying for seats nobody needs
  • Vendor and renewal management: Helping procurement teams negotiate renewals with actual usage data instead of gut feel

Zylo, for example, positions itself as a finance-first platform that brings IT, Finance, and Procurement together around a single SaaS system of record. Productiv goes deeper on feature-level usage analytics - so you know not just whether someone logged in to Slack, but whether they're using workflows and automations or just basic chat. These are useful signals for right-sizing contracts.

Discovery is genuinely hard. A modern mid-market company can run hundreds of SaaS applications, many purchased by individual teams without IT's involvement. Knowing what's out there is a legitimate prerequisite for governing it.

What they don't do

Here's where it gets uncomfortable.

SaaS management tools are observability tools, not enforcement tools. They show you the problem. They don't fix it.

  • They can flag that a license is unused. They can't automatically revoke it from the application.
  • They can show you an offboarded employee still appears in a usage report. They can't deprovision that account.
  • They can identify that Notion is in your stack but outside SSO. They can't enforce access policy inside Notion.
  • They can surface spend data. They can't answer "who approved this access, and should it still exist?"

As one analysis of Productiv put it, the platform can handle "some of the basics, like provisioning new apps or cleaning up unused licenses" - but don't expect it to "run a complete employee offboarding process." It's strong on the "what are we paying for" side, but weaker on IT actionability.

The gap between knowing and doing is exactly where SaaS waste compounds and security risk accumulates.


The Enforcement Problem: Why Visibility Isn't Enough

Here's a scenario that plays out in hundreds of mid-market IT teams every quarter.

A SaaS management tool flags 47 unused licenses across six tools. The IT manager exports the report. Sends it to the team leads for each tool. Three respond. Two say they'll look into it. One ignores it.

Industry research suggests that companies typically reclaim just 5 to 15 percent of identified SaaS waste. Not because they lack visibility. Because action requires ownership, clear processes, and someone with the authority and tooling to actually revoke those accounts - in every application, not just the ones connected via SCIM.

That's the structural problem: most SaaS management tools rely on vendor APIs and SCIM to take action. Apps like Figma, Adobe, and Notion often lock SCIM provisioning behind expensive enterprise plan upgrades - what's commonly called the "SCIM tax." So even when a SaaS management tool wants to automate deprovisioning, it hits a wall on 60-80% of your actual app stack.

The result? You know about the waste. You just can't systematically eliminate it.


What Identity Governance Is Actually Built For

Identity governance starts from a different question. Not "what licenses do we have?" but "who should have access to what, and is that actually the case right now?"

This distinction matters more than it sounds. License visibility is a financial question. Access governance is a security and compliance question - with direct financial consequences when it goes wrong.

A purpose-built IGA platform like Iden is designed to:

  • Automate the full identity lifecycle - onboarding, role changes, and offboarding - across every app in your stack, not just the SCIM-enabled ones
  • Enforce access policy continuously - not just during a quarterly review, but as a live, real-time control that tracks every entitlement change
  • Provide fine-grained control - not just "has access to GitHub" but which repos, which environments, which permission levels
  • Produce immutable audit trails - structured evidence that answers "who had access to what, from when to when, and who approved it" without a week of manual reconstruction
  • Govern non-human identities - service accounts, API keys, bots, and AI agents that SaaS management tools don't touch at all

And critically: IGA is the layer that makes license reclamation automatic, not aspirational. When an employee is offboarded, Iden doesn't just remove them from Okta. It deprovisions their account in every connected application - including the ones that don't support SCIM - and reclaims the license. No ticket. No checklist. No zombie account billing quietly in the background.


Side-by-Side: Where Each Tool Wins, Where It Stops

| Capability | SaaS Management Tools (Zylo, Productiv, Zluri) | Identity Governance (Iden) |
|---|---|---|
| App discovery & inventory | ✅ Core strength - finds every app in your stack | ✅ Full stack coverage, including non-SCIM & legacy apps |
| Spend visibility & contract tracking | ✅ Renewal alerts, contract metadata, spend benchmarks | ⚠️ Focused on access cost, not contract management |
| License usage reporting | ✅ Usage metrics, underutilization flags | ✅ Continuous access monitoring + automated reclamation |
| Shadow IT detection | ✅ Discovery via SSO, finance, browser agents | ✅ Surfaces ungoverned accounts & orphaned identities |
| Automated provisioning (SCIM apps) | ⚠️ Limited - varies by platform | ✅ Full automated provisioning across all apps |
| Automated provisioning (non-SCIM apps) | ❌ Not supported - relies on vendor APIs | ✅ Universal connectors - SCIM, API, or neither |
| Automated deprovisioning (full stack) | ❌ Partial at best - SSO-dependent offboarding only | ✅ Complete, policy-driven offboarding across every app |
| Access policy enforcement | ❌ Reports gaps, doesn't enforce access rules | ✅ Policy-driven, continuous enforcement |
| Fine-grained entitlements (channel/repo/project) | ❌ Group-level visibility only | ✅ Channel-, repo-, and project-level permissions |
| Access reviews & certifications | ⚠️ Basic, often manual | ✅ Automated, continuous access reviews |
| Audit trail for who had access when | ❌ Limited - usage data, not governance evidence | ✅ Immutable audit logs, audit-ready at all times |
| SOC 2 / ISO 27001 compliance evidence | ❌ Not purpose-built for compliance evidence | ✅ Built-in, structured compliance evidence |
| Joiner-Mover-Leaver automation | ⚠️ Basic triggers, not full lifecycle | ✅ Complete hire-to-retire lifecycle automation |
| Non-human identity governance (bots, AI agents) | ❌ Not covered | ✅ Full NHI coverage |
| SCIM tax avoidance | ❌ Still requires enterprise plans for SCIM apps | ✅ No SCIM tax - automates standard plan apps |

The table above makes one thing clear: these tools aren't competitors in the way you might think. They operate at different layers of the problem. SaaS management tools operate at the inventory and spend layer. Identity governance operates at the access and enforcement layer.

The challenge is that most teams treat them as interchangeable - or assume one covers what the other doesn't.

Important

The enforcement gap in one sentence: SaaS management tools tell you that someone has an unused license. Identity governance tells you who shouldn't have it, automatically removes it, and produces an audit trail proving it was removed - across every app in your stack, not just the SCIM-enabled ones.


The Zombie License Problem: Who's Really Responsible?

Let's talk about the specific failure mode that costs the most.

An employee leaves. IT removes their Okta account. Done - right?

Not even close. When employees are removed from an SSO provider like Okta or Microsoft Entra, they may still retain direct login access to individual applications via email and password combinations that were never tied to SSO. Apps set up outside of SSO, apps only partially integrated with your IdP, apps that support SCIM but only on an enterprise tier you didn't purchase - all of these become orphaned account factories.

A SaaS management tool will eventually flag these accounts as inactive. But flagging is not revoking. The license keeps billing. The account keeps accumulating stale permissions. The security risk persists.

According to data from Zylo's SaaS Management Index, between 30 and 40 percent of enterprise SaaS licenses typically remain unused at any given time. A significant share of that waste traces back to incomplete offboarding - accounts nobody cleaned up because the SaaS management tool alerted a shared inbox and nobody acted.

Identity governance closes this loop automatically, at the point of the HR event that triggered the offboarding - not weeks later when the quarterly usage report runs.
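The orphaned-account check described in this section can be run by hand against admin exports. The following is an added example, not code from any vendor named in this post: it reconciles an HR roster and an IdP export against per-app user lists and separates leavers who can still authenticate from leavers whose seat is merely still billing. All records, field names and the `auth` flag are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the original post).
HR = {  # email -> (status, last working day)
    "sarah@example.com": ("active", None),
    "raj@example.com": ("terminated", date(2026, 1, 15)),
    "lee@example.com": ("terminated", date(2026, 2, 2)),
}
IDP_ENABLED = {"sarah@example.com"}  # accounts still enabled in the SSO provider
APP_EXPORTS = {  # per-app admin exports; "auth" is how the account signs in
    "figma": [
        {"email": "sarah@example.com", "active": True, "auth": "sso"},
        {"email": "raj@example.com", "active": True, "auth": "password"},
    ],
    "notion": [
        {"email": "Lee@Example.com", "active": True, "auth": "sso"},
        {"email": "raj@example.com", "active": False, "auth": "password"},
        {"email": "build-bot@example.com", "active": True, "auth": "password"},
    ],
}


def find_orphans(hr, idp_enabled, app_exports, today):
    """Return active app accounts that no longer map to an active employee."""
    findings = []
    for app, accounts in app_exports.items():
        for acct in accounts:
            if not acct["active"]:
                continue  # already deprovisioned inside the app
            email = acct["email"].strip().lower()  # exports differ in casing
            status, last_day = hr.get(email, (None, None))
            if status == "active":
                continue
            if status is None:
                reason = "no_hr_record"  # contractor, bot or shadow account: needs an owner
            elif acct["auth"] == "password" or email in idp_enabled:
                reason = "leaver_can_still_log_in"  # direct login survives IdP removal
            else:
                reason = "leaver_license_still_billing"  # SSO blocks login, seat remains
            days = (today - last_day).days if last_day else None
            findings.append({"app": app, "email": email,
                             "reason": reason, "days_since_exit": days})
    # Accounts that can still authenticate are listed first.
    order = {"leaver_can_still_log_in": 0, "no_hr_record": 1,
             "leaver_license_still_billing": 2}
    return sorted(findings, key=lambda f: (order[f["reason"]], f["app"], f["email"]))


if __name__ == "__main__":
    for finding in find_orphans(HR, IDP_ENABLED, APP_EXPORTS, date(2026, 3, 1)):
        print(finding)
```
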


The SCIM Wall: Why Most Tools Can't Actually Automate Your Full Stack

This is the piece of the conversation SaaS management vendors tend to gloss over.

Most automation in both SaaS management tools and "modern IGA" platforms depends on SCIM - the protocol that lets apps sync user accounts automatically with your identity provider. SCIM is powerful when it's available. The problem is that it usually isn't - or it's locked behind a pricing wall.

Many popular SaaS tools only offer SCIM support on their highest-tier enterprise plans. So if you're running Notion, Figma, Linear, or dozens of other tools on standard plans, you have two options: pay significantly more for the enterprise tier just to get SCIM (the SCIM tax), or manage those apps manually.

Automation typically covers only 20-40% of apps in the average organization; the remaining 60-80% - including legacy systems, niche SaaS, and tools without APIs - are still managed manually via spreadsheets and tickets.

This means even the best SaaS management tool in the world is working with an incomplete picture when it comes to enforcement. It can see that a user has an account in Notion. It cannot deprovision that account unless the app cooperates via API or SCIM - which, on a standard plan, it won't.
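To make the coverage gap concrete, here is an added example (not from the original post or any vendor's product) that builds an offboarding plan for one leaver: apps that expose a SCIM endpoint get the standard SCIM 2.0 deactivation request from RFC 7644, and every other app lands in a manual queue. App names, URLs and user ids are hypothetical, requests are built but not sent, and individual vendors may deviate from the standard PATCH shape.

```python
import json
from urllib.parse import quote

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed inventory for one leaver. scim_base is None where the app's
# current plan exposes no SCIM endpoint.
LEAVER_ACCOUNTS = [
    {"app": "app-a", "scim_base": "https://app-a.example/scim/v2/", "user_id": "2819c223"},
    {"app": "app-b", "scim_base": "https://app-b.example/scim/v2", "user_id": "a/b 7"},
    {"app": "app-c", "scim_base": None, "user_id": "u-104"},
    {"app": "app-d", "scim_base": None, "user_id": "u-311"},
    {"app": "app-e", "scim_base": None, "user_id": "u-512"},
]


def scim_deactivate(base_url, user_id):
    """Build the SCIM 2.0 PATCH that sets active=false for one user."""
    body = {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return {
        "method": "PATCH",
        # The id is percent-encoded so it cannot alter the request path.
        "url": f"{base_url.rstrip('/')}/Users/{quote(user_id, safe='')}",
        "headers": {"Content-Type": "application/scim+json"},
        "body": json.dumps(body),
    }


def offboarding_plan(accounts):
    """Split a leaver's accounts into SCIM requests and a manual work queue."""
    automated, manual = [], []
    for acct in accounts:
        if acct["scim_base"]:
            automated.append({"app": acct["app"],
                              "request": scim_deactivate(acct["scim_base"], acct["user_id"])})
        else:
            manual.append({"app": acct["app"], "user_id": acct["user_id"],
                           "action": "disable in admin console and record evidence"})
    coverage = len(automated) / len(accounts) if accounts else 0.0
    return {"automated": automated, "manual": manual, "scim_coverage": coverage}


if __name__ == "__main__":
    print(json.dumps(offboarding_plan(LEAVER_ACCOUNTS), indent=2))
```

Every entry in `manual` is an account that stays live until someone works the queue, so its length is the number to track per offboarding.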

Iden's universal connector architecture is built specifically for this problem. It connects to apps with SCIM, apps with APIs but no SCIM, and apps with neither - without requiring enterprise plan upgrades. That's the difference between governance that covers 30% of your stack and governance that covers all of it.

If this resonates, it's worth reading how SSO tools face the same fundamental limitation - the coverage wall isn't unique to SaaS management tools.


When to Use Each Tool (and When to Use Both)

Being honest means giving you a decision framework, not a sales pitch.

A SaaS management tool makes sense if:

  • You're a large enterprise with dedicated procurement and finance stakeholders who need contract-level visibility
  • Vendor negotiations and renewal management are a primary pain point
  • You want spend benchmarking and app rationalization analytics across a complex portfolio
  • You already have strong IGA in place and want a separate, procurement-focused system of record

Identity governance is the right primary layer if:

  • Your core problem is access control, lifecycle automation, or compliance (SOC 2, ISO 27001, DORA, HIPAA)
  • You run a lean IT team that needs to automate provisioning and deprovisioning without manual intervention
  • You have apps outside of SCIM or SSO that need to be governed
  • You're trying to eliminate zombie licenses, orphaned accounts, and access sprawl - not just flag them
  • You need an audit trail for who had access to what, not just a usage report

For most fast-growing, SaaS-heavy companies in the 50-2,000 employee range: a complete IGA platform does the heavy lifting on license reclamation, lifecycle automation, and compliance - making a separate SaaS management tool largely redundant for the governance use case. You don't need two tools to solve one problem.

And if your concern is the audit evidence burden for frameworks like ISO 27001:2022, identity governance is the layer that produces the structured, immutable evidence you need - SaaS management tools won't get you there.


What "Complete" Actually Looks Like in Practice

A 300-person company runs 15-20 apps per employee on average. On a standard day, four people are onboarded and two are offboarded. Three more change roles. A contractor's project ends.

In a SaaS management-only world: the tool detects the license changes over the next few weeks. The IT team gets a report. Someone manually works through the deprovisioning list - for the apps that have admin consoles they can access, on the plan tiers that allow it.

In an IGA-governed world: the HR system triggers the lifecycle event. Iden's agentic workflows (AI-driven, autonomous workflows) execute provisioning or deprovisioning across every connected app - SCIM or not, API or not - in seconds. Licenses are reclaimed automatically. An immutable audit log is written. No ticket. No checklist. No zombie accounts.

That's the enforcement layer. It's what makes the visibility from SaaS management tools actionable at scale.

For teams ready to take access governance further - including governing AI agents and non-human identities that neither SaaS management tools nor traditional IGA platforms cover - it's worth reviewing how agentic identity governance frameworks work in practice.


Key Takeaways

  • SaaS management tools (Zylo, Productiv, Zluri) are genuinely strong at spend visibility, app discovery, contract tracking, and renewal management. Use them for what they're built for.
  • They are not enforcement tools. They don't automate full-stack provisioning and deprovisioning, don't produce compliance-grade audit trails, and can't govern apps without SCIM or API support.
  • Identity governance is the enforcement layer that makes SaaS spend data actionable - automatically revoking access, reclaiming licenses, and running continuous policy across your entire app stack.
  • The SCIM tax is the hidden bottleneck that prevents most tools from governing more than 20-40% of your stack. Universal connector architecture eliminates this.
  • Zombie licenses aren't a visibility problem - they're an enforcement problem. You know they exist. The question is whether you have the tooling to eliminate them automatically, at scale, across every app.
  • For lean IT teams, a complete IGA platform with automated license reclamation handles enough of the spend optimization problem that a separate SaaS management layer often isn't needed.

Can a SaaS management tool replace identity governance?

No. SaaS management tools excel at spend visibility, contract tracking, and app discovery - but they don't enforce access policy, automate full lifecycle provisioning/deprovisioning, or produce the governance evidence required for audits. They surface the problem; IGA fixes it automatically.

Do I need both a SaaS management tool and an IGA platform?

Many fast-growing teams find that a complete IGA platform - particularly one with automated license reclamation - covers enough of the visibility-to-action gap that a separate SaaS management tool becomes redundant or optional. If contract management and procurement-side renewal tracking are priorities, running both in parallel makes sense. But if you're choosing one tool to actually act on license waste and access risk, IGA is the enforcement layer you need.

What is the SCIM tax and how does it drive SaaS waste?

The SCIM tax is the premium organizations pay to unlock automated provisioning in SaaS apps - typically by upgrading to an enterprise plan 5-10x more expensive than the standard tier. Most SaaS management tools can't automate provisioning for apps without SCIM support, so teams either pay the upgrade or continue managing those apps manually. Iden eliminates this by connecting to any app regardless of whether it supports SCIM, APIs, or neither.

How does identity governance automate license reclamation?

An IGA platform like Iden continuously monitors access across all apps. When an employee is inactive, changes roles, or leaves, automated workflows immediately deprovision their access and reclaim the license - across every connected app, not just SSO-linked ones. This means no zombie licenses sitting idle for months, no manual offboarding checklists, and no accounts forgotten behind a paywall.

What's the difference between 'identifying' unused licenses and 'reclaiming' them?

SaaS management platforms are strong at identification - flagging licenses that show low or no usage. But reclaiming requires action: revoking access in the actual application, updating the user's entitlement record, and logging the change for audit purposes. Without automated deprovisioning connected to your full app stack (including non-SCIM apps), identified waste stays waste. Identity governance closes that loop automatically.

Can SaaS management tools handle non-human identities?

Generally no. Tools like Zylo, Productiv, and Zluri focus on human user licenses and spend data. Non-human identities - service accounts, bots, API keys, AI agents - are typically invisible to SaaS management tools. These are exactly the identities that accumulate unchecked access and become serious security risks. A purpose-built IGA platform governs all identity types, human and non-human, in a single view.