Here's a number that should bother every IT leader and finance stakeholder: according to the 2025 SaaS Management Index, organizations waste an average of $21 million annually on unused SaaS licenses - a 14.2% increase year-over-year. That's not large-enterprise theater. For a 500-person company, the math is proportionally just as ugly.
These aren't licenses nobody signed up for. They're seats purchased for real employees - employees who left, changed roles, or simply stopped using the tool. And in most companies, those seats keep billing. Month after month. Quietly.
The reason this keeps happening isn't a spreadsheet problem or a process problem, even though it shows up that way. It's a coverage problem. Your SSO only sees what's connected to it. Most of your SaaS stack isn't.
The Uncomfortable Math of Zombie Licenses
According to Zylo's 2025 SaaS Management Index, 52.7% of purchased SaaS licenses go unused, with overall SaaS utilization rates declining to 47.3%. Read that again: fewer than half the licenses your company pays for are actively used.
SaaS spend now averages $4,830 per employee annually, a 21.9% increase year-over-year - making the unused-license problem more expensive with every renewal cycle. For a company with 500 employees, that's $2.4 million in annual SaaS spend, with over $1.2 million potentially sitting idle.
The causes aren't mysterious:
- Departed employees whose accounts were never closed across every app they touched
- Role changes that triggered new access but didn't remove old access
- Growth seats purchased ahead of headcount that never materialized
- Shadow IT - tools adopted by teams without central IT involvement
More than one-third of a company's applications are shadow IT, according to Zylo's 2024 report, with 67% of IT leaders citing rogue software purchases as a top SaaS challenge.
But here's the part that rarely makes it into vendor demos: most identity management tools can only see - and act on - a fraction of your stack.
Why SSO Can't See the Zombie Licenses That Cost You Most
Single Sign-On is genuinely useful. It centralizes authentication, reduces password sprawl, and creates a single point for access control. But it has a structural blind spot nobody likes to talk about in vendor pitch decks.
SSO controls the front door. It doesn't control anything behind it.
When an employee is deprovisioned in your identity provider (Okta, Microsoft Entra, Google Workspace), that event triggers a signal to revoke access - but only to apps connected via SCIM or a compatible API. Every other app your employee used? The account stays open. If the app stores credentials directly, the user can still log in without touching SSO at all.
The SCIM blind spot in one sentence: When an employee leaves, your SSO/IdP fires a deprovisioning signal - but it only reaches apps that are connected via SCIM or API. Every other app your employee used? Still has an active, billable account. That's where zombie licenses are born.
The scale of this gap is larger than most teams realize. Industry analysis consistently puts 20-40% of enterprise app accounts outside SSO or SCIM coverage, and SCIM typically reaches only 15-25% of a company's full app stack - meaning the majority of your tools are governed manually, or not at all. Manual deprovisioning requests fail 40-60% of the time due to delays or neglect, leaving access open indefinitely.
This creates a two-tier offboarding reality:
- Tier 1 (SCIM-connected apps): Okta fires, access is revoked automatically. Clean.
- Tier 2 (everything else): Someone sends a ticket. Maybe it gets actioned. Maybe the app owner is on vacation. Maybe the tool was bought by a team that's since been reorganized, and nobody knows who owns it anymore.
Tier 2 is where zombie licenses are born.
The SCIM Tax Makes the Problem Worse
Here's where it gets more expensive. Many apps your teams use daily - Notion, Figma, Linear, Slack at certain tiers, and dozens of others - do technically support SCIM. But they bundle it with enterprise-tier pricing that costs 3-10x the base plan.
SCIM provisioning typically requires upgrading to plans that cost 2-4x the base price, pricing that makes SCIM economically viable for only a small subset of your stack.
This is the SCIM tax: paying a premium not for features you need, but for a protocol you need to automate access management. The result is a painful choice - pay the enterprise uplift to automate a handful of critical apps, or stay on a lower tier and keep managing access manually.
Most companies do both: they pay the SCIM tax on five or ten high-priority tools and accept that the rest stays manual. Which means the rest of the stack generates zombie licenses on autopilot.
And even if you pay the SCIM tax across the board, SCIM itself has limits. It handles basic account creation and deletion - but it has no concept of fine-grained permissions, role-level access, or channel- and repository-level controls. A deprovisioned account might be closed while an orphaned service account or API key remains active, with no one the wiser.
What Does the Full Cost Look Like? Run Your Numbers
The real cost of zombie licenses isn't just idle seat fees - it's the combination of unused licenses, SCIM tax spend, manual IT overhead, and security exposure from orphaned accounts that remain active attack surfaces.
Use this calculator to estimate what your current coverage gap is costing you:
The numbers tend to surprise people. A 500-person company paying $4,830 per employee in annual SaaS spend - in line with the Zylo 2025 SaaS Management Index benchmark - is sitting on roughly $1.27M in potentially recoverable license waste, before accounting for the SCIM tax.
The SaaS Management vs. Identity Governance Distinction (It Matters Here)
There's a category confusion that lets this problem persist. SaaS management tools discover what apps you have and track spend. Identity governance controls who has access to what - and automates the lifecycle from hire to exit.
Zombie license reclamation lives at the intersection. You need to know the app exists (SaaS discovery), know who has an account in it (identity visibility), and actually revoke or reclaim that access when someone leaves or changes roles (lifecycle automation). Most tools only do part of this.
SaaS management platforms tell you you're spending $12,000/year on Notion licenses. They don't automatically deprovision the 23 accounts belonging to people who left last year. Identity governance - done right - does both.
The gap exists because:
- SaaS management tools have visibility into spend but no mechanism to act on identities
- SSO/SCIM tools can action what's connected but are blind to the 60-80% of apps that aren't
- Legacy IGA vendors (SailPoint, Saviynt) can technically cover more ground, but take 6-18 months to implement and require a dedicated IAM team to run - not practical for a 500-person company with a lean IT team
The result: a little bit of governance for the SCIM-connected apps, and a sprawling identity blind spot everywhere else.
How to Find and Reclaim Zombie Licenses: A Practical Playbook
If you're running a manual audit today, here's the sequence that finds the most waste fastest:
1. Pull a list of every SaaS tool your teams actually use, from your IdP, HRIS, expense reports, and browser extension data. You'll almost certainly find 30-60% of apps your SSO has never touched. These are the blind spots where zombie licenses live.
2. Cross-reference your HR offboarding records against active accounts in each app. In non-SCIM tools, this means manual exports or admin panel checks. Flag every account that exists for a user who left - these are your confirmed zombie licenses, active and billing.
3. For employees still with the company, pull last-login data where available. Licenses unused for 60+ days with no activity are prime candidates for downgrade or reclamation. In apps without usage APIs, you're relying on admin exports or doing this by hand.
4. Multiply zombie and inactive account counts by per-seat license cost. Sort by total waste, not just account count. Start with your most expensive tools: Salesforce, GitHub, Figma, Notion, Jira. That's where reclamation pays fastest.
5. One-time audits go stale immediately. The only way to prevent zombie license accumulation is continuous, automated deprovisioning across your full stack - triggered the moment someone exits your HRIS or changes roles. That requires universal coverage, not just SCIM.
The honest caveat: a manual audit is a point-in-time snapshot. Your first one will surface genuine savings - Deloitte research shows enterprises waste up to 27% of their cloud and SaaS spend on idle resources, and most companies confirm this when they audit for the first time. But within three months of a manual cleanup, zombie licenses start accumulating again. New hires get access. People leave. Roles change. The only sustainable fix is automated, continuous deprovisioning across your full stack.
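Steps 2 through 4 of the playbook, as an added example that is not Iden's code or part of the original post: it cross-references a constructed HRIS departure list against constructed per-app admin exports, flags zombie (departed-user) and 60-day-inactive seats, and ranks apps by annual dollars wasted rather than account count. The app names, seat prices, e-mail addresses and login dates are all made up for illustration.

```python
"""Zombie-license audit over constructed sample data (added example)."""
from datetime import date

AUDIT_DATE = date(2025, 6, 1)   # day the audit is run (constructed)
INACTIVITY_DAYS = 60            # playbook threshold: unused 60+ days

# HRIS offboarding export: e-mail -> termination date. Constructed sample.
DEPARTED = {
    "alice@example.com": date(2025, 1, 15),
    "bob@example.com": date(2025, 4, 2),
}

# Per-app admin exports, as you'd pull them by hand from non-SCIM tools.
# seat_cost is annual per-seat price; accounts are (email, last_login or None).
# All values are constructed, not real pricing or real users.
APP_EXPORTS = {
    "notion": {"seat_cost": 10.0 * 12, "accounts": [
        ("alice@example.com", date(2025, 1, 14)),   # departed -> zombie
        ("carol@example.com", date(2025, 5, 28)),   # active
        ("dave@example.com", date(2025, 2, 1)),     # 120 days idle -> inactive
    ]},
    "figma": {"seat_cost": 15.0 * 12, "accounts": [
        ("bob@example.com", date(2025, 3, 30)),     # departed -> zombie
        ("carol@example.com", None),                # never logged in -> inactive
    ]},
}


def classify(email, last_login):
    """Zombie beats inactive: a departed user's seat is waste regardless of logins."""
    if email in DEPARTED:
        return "zombie"
    if last_login is None or (AUDIT_DATE - last_login).days >= INACTIVITY_DAYS:
        return "inactive"
    return "active"


def audit(exports=APP_EXPORTS):
    """Return per-app waste, sorted by annual dollars (not account count), descending."""
    results = []
    for app, data in exports.items():
        labelled = [(e, classify(e, ll)) for e, ll in data["accounts"]]
        zombies = [e for e, label in labelled if label == "zombie"]
        inactive = [e for e, label in labelled if label == "inactive"]
        waste = (len(zombies) + len(inactive)) * data["seat_cost"]
        results.append({"app": app, "zombies": zombies,
                        "inactive": inactive, "annual_waste": waste})
    return sorted(results, key=lambda r: r["annual_waste"], reverse=True)
```

In this sample Figma has fewer accounts than Notion but ranks first because its seats cost more, which is exactly why step 4 sorts by dollars.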
What Complete Coverage Actually Looks Like
The vendor promise of "complete" identity governance usually means complete for apps with SCIM. That's maybe 20-35% of your stack. Complete coverage means reaching every app - whether it supports SCIM, has an API, or neither.
Here's how that distinction plays out in practice:
| Capability | SSO / SCIM-only tools | Iden (Universal IGA) |
|---|---|---|
| App coverage | 20-40% of your stack (SCIM-enabled only) | 100% - SCIM, API, or neither |
| Zombie license detection | ❌ Invisible in non-SCIM apps | ✅ Detected and reclaimed automatically |
| Offboarding completeness | ⚠️ Partial - manual follow-up required for non-SCIM apps | ✅ Full lifecycle automation across all apps |
| SCIM tax required? | ❌ Yes - enterprise plan upgrades to automate key apps | ✅ No - connects to any app on standard plans |
| License reclamation | ❌ Manual audit required | ✅ Automated, continuous, policy-driven |
| Fine-grained control | ⚠️ Group/role level only | ✅ Channel, repo, and project-level permissions |
| Time to deploy | ⚠️ 6-18 months for legacy IGA | ✅ Live in ~24 hours |
| SaaS spend reduction | ❌ No automated reclamation | ✅ Up to 30% SaaS cost reduction |
Iden's universal connector technology reaches every app in your stack - Notion, Figma, Linear, GitHub, Slack, Jira, and 170+ others - including apps with no SCIM support and no enterprise-tier requirement. When someone exits your HRIS or SSO, Iden fires automated deprovisioning across all connected apps simultaneously. Not just the SCIM ones.
The result isn't just license savings - it's identity hygiene at scale. No orphaned accounts for auditors to find. No ex-employee with an active Notion login six months after their last day. No SCIM tax on apps you could have automated for free.
For teams chasing SOC 2, ISO 27001, or HIPAA, this is also the foundation of audit-ready access governance - the kind where the answer to "who had access to what, and when?" doesn't require three weeks of spreadsheet archaeology.
And unlike legacy IGA deployments that take 6-18 months to stand up, Iden goes live in roughly 24 hours - connected to your existing SSO and HRIS as sources of truth, zero integration engineering required.
The Bottom Line for IT Leaders and Finance Stakeholders
Zombie licenses aren't a budgeting curiosity. They're a predictable, quantifiable outcome of running identity governance on a tool (SSO) that was never designed to govern the full stack.
The math is straightforward:
- 52.7% of purchased SaaS licenses go unused, equating to $21M in wasted spending annually per organization on average
- 60-80% of your app stack sits outside SCIM reach - zombies accumulate automatically whenever anyone leaves or changes roles
- The SCIM tax inflates costs further for every app you try to automate through enterprise-tier upgrades
- Manual audits surface the problem but don't fix it - only continuous, automated deprovisioning across your full stack does
If you're a lean IT team managing identity for a 200-2,000 person company, you don't need a behemoth IGA platform with an 18-month implementation timeline. You need universal coverage, automated lifecycle management, and license reclamation that runs without you thinking about it.
That's what complete identity governance looks like. Not "complete for apps with SCIM." Complete.
Frequently Asked Questions
What exactly is a zombie SaaS license?
A zombie license is a paid SaaS seat that remains active and billable for a user who no longer needs it - most commonly a departed employee whose account was never deprovisioned in a specific app. They're called "zombies" because the person is gone but the license keeps consuming budget.
Why can't my SSO just handle this?
SSO controls the front door - it manages authentication (who can log in). But it only governs apps that are connected to it via SCIM or API. For every other app in your stack, SSO sends no signal when a user is offboarded. The account stays open. If the app has a stored password, the user - or anyone with those credentials - can still log in directly.
What is the SCIM tax?
The SCIM tax is the premium you pay to unlock automated provisioning in apps that bundle SCIM support with their enterprise pricing tier. Tools like Notion, Figma, Linear, and others charge 3-10x the base price for plans that include SCIM. You're not paying for features - you're paying for a protocol. Iden eliminates the SCIM tax by connecting to any app without requiring enterprise-tier upgrades.
How many apps in a typical 500-person company are outside SSO/SCIM reach?
Research consistently puts the figure at 60-80% of the full app stack. A company using 80 SaaS tools may only have 20-30 connected to SSO via SCIM. The rest are governed manually - or not at all. That's where the bulk of zombie licenses accumulate.
What's the difference between SaaS management and identity governance?
SaaS management tools track spend and discover what apps you have. Identity governance controls who has access to what - and automates the full lifecycle from onboarding to offboarding. Zombie license reclamation lives at the intersection of both: you need to know the apps exist (SaaS management) and then actually remove or reclaim access in them (identity governance). Iden does both.
How quickly can Iden start reclaiming licenses?
Iden can be live in approximately 24 hours. Unlike legacy IGA platforms that require months of implementation, Iden connects to your existing SSO and HRIS as sources of truth, then begins discovering accounts and flagging unused licenses across your full stack - including apps without SCIM or APIs.