TL;DR: Unused SaaS licenses are framed as both budget waste and access risk in 1Password’s analysis, which argues that decentralised app buying, black-box usage data, and manual renewal checks leave IT unable to validate who still needs access. The real issue is that license governance and deprovisioning are now the same control problem, not separate finance and security tasks.
At a glance
What this is: This is a 1Password analysis of SaaS license waste that links unused seats to security risk, renewal blind spots, and weak deprovisioning visibility.
Why it matters: It matters because SaaS license sprawl sits inside IAM, NHI, and human access governance at the same time, so teams that cannot see usage cannot reliably right-size access or remove dormant exposure.
👉 Read 1Password's analysis of unused SaaS licenses, access risk, and renewal blind spots
Context
SaaS license waste is not only a procurement problem. It is a visibility and access governance problem, because unused accounts, orphaned entitlements, and stale application access can persist long after the business has stopped using the tool. For identity teams, the question is not only how many licenses are paid for, but whether access tied to those licenses is still controlled.
The article focuses on a common operating gap: decentralised app purchasing, fragmented usage data, and manual validation across IT, finance, and security. That pattern is typical in SaaS-heavy environments, which makes it a useful example of how access governance breaks down when ownership and usage evidence live in different systems.
Key questions
Q: How should security teams handle unused SaaS licenses without losing access control?
A: Treat unused SaaS licenses as an identity governance issue, not only a cost line item. Teams should tie license reviews to identity lifecycle events, confirm last-use data against contract entitlements, and reclaim or downgrade access when a user no longer needs the tool. That approach reduces wasted spend and closes dormant access paths at the same time.
Q: Why do unused SaaS accounts create security risk?
A: Unused SaaS accounts are risky because they often remain tied to valid entitlements even after the business has stopped using them. If offboarding, role change, and access review processes are weak, those accounts can persist as dormant access paths that are still reachable if credentials or session tokens are abused.
Q: How can teams know whether a SaaS license is actually needed?
A: Teams should compare current login activity, last-use timestamps, and business ownership against the paid entitlement. If the app is not used, the owner cannot justify the seat, or the entitlement survives a mover or leaver event, the license is not defensible and should be reclaimed or downgraded.
Q: What is the difference between license reclamation and deprovisioning?
A: Deprovisioning removes or reduces a user’s access to an application, while license reclamation removes the paid seat from active use or makes it available for reassignment. Both need to be linked. If they are handled separately, organisations can still pay for access that no longer has a business need.
Technical breakdown
Why SaaS usage becomes a black box
SaaS usage becomes hard to govern when app ownership is decentralised and the system of record is split across identity providers, finance tools, and the apps themselves. In that model, login activity does not automatically prove active business use, and contract data does not prove current entitlement need. Teams are left inferring state from incomplete signals, which is why renewals, true-ups, and offboarding checks become slow and error-prone. The core technical issue is not counting seats, but correlating identity, usage, and entitlement data well enough to make a defensible decision.
Practical implication: build a single entitlement-to-usage mapping before renewal and offboarding decisions are made.
How deprovisioning and license reclamation connect
Deprovisioning removes or reduces access when an employee no longer needs a tool, while license reclamation frees the paid seat for reuse or removal from the contract baseline. Those are related but not identical actions. A user can be deprovisioned from an app and the license can still remain assigned, or a license can be reclaimed without the underlying access process being tied back to identity lifecycle controls. In practice, SaaS governance fails when these steps are treated as separate workstreams instead of one workflow anchored in joiner-mover-leaver logic.
Practical implication: automate license reclamation from offboarding and role-change events, not from quarterly cleanup.
Why finance, IT, and IAM need the same evidence
SaaS governance breaks when finance tracks contracts, IT tracks access, and IAM tracks identities without a shared evidence layer. Each team sees a different truth, so the business cannot confidently answer whether a license is active, necessary, or safe to keep. This is an identity governance problem disguised as spend optimisation. When renewal decisions depend on surveys or manual reports, organisations lose both accuracy and speed, and stale access can survive simply because no one can prove it is unused.
Practical implication: align identity, usage, and contract evidence before renewals and access recertification cycles.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
License waste is an identity governance failure, not a procurement nuisance. Unused SaaS seats often survive because the organisation never built a reliable link between identity, entitlement, and actual application use. That means the same blind spot that wastes budget also leaves dormant accounts in place, which is why spend optimisation and access governance should be treated as one control domain. The practitioner conclusion is simple: if usage cannot be evidenced, access cannot be trusted.
Decentralised app buying creates entitlement sprawl that outpaces manual oversight. When teams procure tools independently, IT inherits a fragmented application estate with no consistent lifecycle ownership. The result is not just duplicate software, but unclear accountability for who should revoke, reclaim, or downgrade access. This is the same pattern that makes identity recertification brittle across SaaS estates. Practitioners should treat decentralised purchasing as an access-risk trigger, not only a cost-management issue.
Orphaned SaaS access is a standing privilege problem in disguise. Former employees, inactive users, and long-unused licenses can all retain residual access if offboarding and reclamation are not linked. That residual access extends the attack surface even when the business believes the seat is “unused.” The named concept here is license-to-access drift: the gap between what finance thinks is paid for and what IAM still allows. The practitioner implication is that unused seats must be governed as latent access, not as harmless waste.
Manual renewal review is too slow to serve as a control. If usage validation depends on ad hoc reports or surveys, the organisation is making access decisions after the fact, not at the point of change. That leaves too much room for stale entitlements to persist through renewals, mergers, and team reshuffles. This is where IAM and finance alignment matters most. Practitioners should assume that every manual seat check is already behind the actual identity state.
Lifecycle governance is the control plane that makes SaaS rational. The article points toward a broader operating model where identity lifecycle events, contract entitlements, and usage signals move together. Without that linkage, teams can neither scale offboarding nor prove least-necessary access. The right conclusion is not more spreadsheets, but a governance model that treats every SaaS seat as an access decision with a business owner. Practitioners should build the process once and enforce it continuously.
From our research:
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to GitGuardian & CyberArk.
- The NHI Lifecycle Management Guide shows how lifecycle controls turn scattered access decisions into a governed process.
What this signals
License-to-access drift: SaaS programmes increasingly fail when finance records, identity records, and usage data do not converge on the same entitlement decision. That drift looks harmless until renewal time, when teams discover they have been paying for access that no one can prove is needed.
With 72% of organisations reporting or suspecting a non-human identity breach in the 2024 ESG Report: Managing Non-Human Identities, dormant access cannot be treated as low-priority housekeeping. The broader governance lesson is that stale credentials and stale subscriptions are different forms of the same control failure: access that outlives justification.
Teams that already use the Top 10 NHI Issues as a baseline should extend the same discipline to SaaS entitlement reviews, because unused access often persists for the same reason unmanaged NHI access does: no owner, no lifecycle trigger, and no enforced removal path.
For practitioners
- Map SaaS entitlements to identity events: Connect joiner, mover, and leaver signals from your identity provider to license assignment, downgrade, and reclaim workflows so unused seats are removed when access changes, not at the next spreadsheet review.
- Correlate usage data with contract records: Pull login activity, last-use timestamps, and contract entitlements into one review surface so finance and IAM teams are deciding from the same evidence rather than separate reports.
- Treat inactive access as latent exposure: Review accounts tied to former employees, dormant apps, and underused business tools as access risk, then remove or downgrade them before renewal and true-up cycles.
- Automate reclamation on offboarding: Trigger license reclamation when an employee leaves or changes role, and verify that both the application access removal and the seat release completed successfully.
- Use recertification for high-cost or high-risk apps: Prioritise SaaS tools with sensitive data, privileged integrations, or expensive per-seat pricing for access recertification so dormant access is challenged before the next renewal.
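The correlation described in the Technical breakdown and the practitioner steps above, carried through as one reconciliation pass. This is an added example, not code from 1Password or NHIMG: it joins three constructed views of a single SaaS app (identity provider lifecycle state, lifecycle events, the app's own last-login data, and the finance seat list) and emits one decision per user. The field names, the 90-day dormancy threshold, and the status and action labels are assumptions for illustration, not any vendor's API.

```python
"""Reconcile identity, usage and seat records for one SaaS app.

Constructed example data only; nothing here comes from a real tenant.
"""
from dataclasses import dataclass
from datetime import date, timedelta

INACTIVE_DAYS = 90  # assumed dormancy threshold; tune per app and contract cycle

# Identity provider view: lifecycle status per user ("active" or "terminated").
IDP_USERS = {
    "alice": "active",
    "bob": "terminated",    # leaver: offboarded, but the app account still exists
    "carol": "active",      # mover: changed team, seat never recertified
    "dave": "active",       # seat assigned, never logged in
    "frank": "terminated",  # leaver: app access removed, seat never reclaimed
    "grace": "active",      # has a seat and an account, but no recent login
}

# Joiner-mover-leaver events from the identity lifecycle process.
LIFECYCLE_EVENTS = [
    ("bob", "leaver", date(2026, 1, 5)),
    ("carol", "mover", date(2025, 12, 1)),
    ("frank", "leaver", date(2025, 11, 15)),
]

# Application view: accounts that exist in the SaaS tenant, with last login.
APP_ACCOUNTS = {
    "alice": date(2026, 1, 14),
    "bob": date(2025, 12, 20),
    "carol": date(2026, 1, 10),
    "erin": date(2025, 11, 3),   # no matching identity in the IdP at all
    "grace": date(2025, 9, 1),   # dormant: no login inside INACTIVE_DAYS
}

# Finance / contract view: user ids with a paid seat assigned.
LICENSE_SEATS = {"alice", "bob", "carol", "dave", "frank", "grace"}


@dataclass(frozen=True)
class Finding:
    user: str
    status: str  # what the correlated evidence shows
    action: str  # what the owning team should do about it


def reconcile(idp=IDP_USERS, events=LIFECYCLE_EVENTS, accounts=APP_ACCOUNTS,
              seats=LICENSE_SEATS, as_of=date(2026, 1, 15),
              inactive_days=INACTIVE_DAYS):
    """Return one Finding per user id seen in any of the three systems."""
    cutoff = as_of - timedelta(days=inactive_days)
    event_kind = {user: kind for user, kind, _ in events}
    findings = {}
    for user in sorted(set(idp) | set(accounts) | seats):
        status = idp.get(user)
        has_account = user in accounts
        has_seat = user in seats
        if status is None:
            # Account or seat with no identity behind it: nobody owns this access.
            findings[user] = Finding(user, "unlinked_account", "investigate_then_deprovision")
        elif status == "terminated":
            if has_account:
                # Leaver with live access: the deprovisioning step itself failed.
                findings[user] = Finding(user, "orphaned_access", "deprovision_and_reclaim_seat")
            elif has_seat:
                # Access removed but the paid seat stayed: license-to-access drift.
                findings[user] = Finding(user, "seat_not_reclaimed", "reclaim_seat")
            else:
                findings[user] = Finding(user, "clean", "none")
        elif has_seat and not has_account:
            # Paying for a seat that was never turned into an account.
            findings[user] = Finding(user, "unused_seat", "reclaim_seat")
        elif has_account and accounts[user] < cutoff:
            # Live access with no usage evidence inside the threshold.
            findings[user] = Finding(user, "dormant_access", "downgrade_or_reclaim_after_owner_review")
        elif event_kind.get(user) == "mover":
            # Entitlement survived a role change without recertification.
            findings[user] = Finding(user, "recertify", "owner_confirms_business_need")
        else:
            findings[user] = Finding(user, "active", "keep")
    return findings


def actions_by_user(findings):
    """Flatten findings to {user: action} for ticketing or a review surface."""
    return {user: f.action for user, f in findings.items()}


if __name__ == "__main__":
    for f in reconcile().values():
        print(f"{f.user:6} {f.status:18} -> {f.action}")
```

The ordering of the checks is the point: a leaver is judged before usage is even considered, a seat with no account is reclaimed regardless of activity, and a mover is only sent for recertification once the evidence shows the access is still in use. Feed the real IdP export, app audit log, and seat list into the same three inputs and the decisions stay defensible because every action traces back to a specific piece of evidence.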
Key takeaways
- Unused SaaS licenses are a governance problem because they often mask dormant access, not just wasted spend.
- The evidence shows that manual usage checks and decentralised ownership are enough to keep entitlement sprawl alive through renewals and offboarding.
- The practical fix is to connect identity lifecycle, usage data, and contract records so reclamation happens as part of access governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Unused SaaS seats and accounts that outlive the leaver event are the same lifecycle weakness this entry describes. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements, and authorizations should be managed, enforced, and reviewed against current business need and identity state. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust | Access is granted per session on dynamically evaluated policy, not assumed to persist once provisioned. |
Tie license reclamation to access lifecycle events and remove stale entitlements quickly.
Key terms
- SaaS License Reclamation: SaaS license reclamation is the process of removing an assigned paid seat when the user no longer needs access. It is an identity governance action, not just a finance task, because the goal is to reduce spend while also eliminating residual access that can persist after offboarding or role change.
- License-to-Access Drift: License-to-access drift is the gap between what an organisation pays for and what its identity systems still allow. It appears when entitlement records, usage data, and offboarding workflows are not aligned, leaving dormant seats or accounts in place long after business need has ended.
- SaaS Usage Visibility: SaaS usage visibility is the ability to see who is actively using which applications, when they last used them, and whether the entitlement still matches the business case. In mature programmes, this evidence feeds access reviews, renewal decisions, and automated reclamation.
Deepen your knowledge
SaaS license lifecycle governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to connect offboarding, entitlement review, and access removal in a SaaS-heavy environment, it is worth exploring.
This post draws on content published by 1Password: unused SaaS licenses are a budget drain and a security risk. Read the original.
Published by the NHIMG editorial team on 2026-01-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org