TL;DR: Install counts alone are masking software spend waste, because leadership cannot tell whether users actually open Microsoft 365 or Adobe apps before renewal decisions, according to JumpCloud. App-level discovery and foreground usage tracking shift licence management from guesswork to measurable governance, and that matters wherever SaaS cost control depends on real adoption.
At a glance
What this is: A SaaS management and device-visibility post showing that installation data alone is not enough to govern Microsoft 365 and Adobe licensing.
Why it matters: IAM and IT teams need usage evidence to right-size expensive suites, reclaim unused licences, and separate real adoption from background presence across managed endpoints.
Context
Software spend governance breaks when teams treat installation as proof of value. In practice, a suite can be present on every endpoint while only a subset of apps is ever opened, which makes renewal and allocation decisions unreliable.
This is an identity governance problem as much as a cost problem. For human users, license assignment, entitlement review, and access rationalisation should be based on observed use, not on whether software is merely installed on Windows, macOS, or Linux devices.
Key questions
Q: How should teams decide whether an expensive software licence is still justified?
A: Teams should base licence renewal on actual application use, not on whether the software is installed. The strongest signal is foreground activity over a meaningful review period, because it shows whether the user is interacting with the tool rather than leaving it running. That gives finance and IAM a defensible basis for downgrade, reclaim, or renewal.
Q: Why do installed apps create poor evidence for software spend decisions?
A: Installed apps create poor evidence because many suites are deployed broadly, auto-launch at startup, or remain idle in the background. Presence on a device does not prove value, so licence governance based only on inventory will overstate demand. Organisations need usage telemetry to distinguish real adoption from leftover entitlement.
Q: What breaks when teams treat a software suite as a single entitlement?
A: What breaks is precision. A bundled suite hides which component is actually needed, so administrators cannot tell whether the user requires the full package or only one app. That leads to over-licensing, weak recertification, and slower budget recovery because the right-sizing decision is obscured by the bundle.
Q: Who should own app usage-based licence governance in an organisation?
A: Ownership should be shared across IAM, endpoint management, and finance, with one team accountable for the policy and another for the usage data. The programme works best when entitlement reviews, cost controls, and device telemetry are aligned instead of managed as separate processes.
Technical breakdown
Why installation data fails as a licensing signal
Installed software is a weak proxy for actual work because many enterprise suites are bundled, preloaded, or left idle after rollout. A user may have Microsoft 365 or Adobe Creative Cloud present on a device while relying on a subset of apps, web versions, or external tools. That makes raw inventory data useful for asset management but poor for licence governance. The technical problem is that install state does not encode engagement, frequency, or business value. Without app-level telemetry, organisations over-assign high-cost suites and under-detect licence drift.
Practical implication: treat installation as an inventory control, then validate renewal decisions with app-level usage evidence.
Foreground tracking versus background execution
Foreground tracking distinguishes active use from a process that merely runs in the background. Many desktop applications auto-launch at startup, remain resident, and generate no meaningful user value during most of their uptime. A foreground-only model counts activity when the app is the primary window in use, which is a better proxy for engagement than uptime or process presence. This approach reduces false positives, because background services, open-but-unused apps, and idle sessions no longer look like productive adoption. It also creates a more defensible dataset for licence decisions.
Practical implication: build licence governance on foreground activity, not process presence or login events.
Breaking suites into individual app entitlements
Suite-level visibility hides the difference between broad entitlement and actual utility. When Microsoft 365 or Adobe Creative Cloud are treated as opaque bundles, security and IT teams cannot tell whether the user needs the full suite or only one or two components. App-level discovery decomposes that bundle into discrete tools such as Word, Excel, Outlook, Photoshop, or Acrobat Pro. That creates a governance signal that is much closer to entitlement right-sizing. It also helps troubleshoot software ownership questions, because the administrator can see which component is in use rather than guessing at suite behaviour.
Practical implication: recertify suite entitlements at the app level before renewing premium bundle licences.
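The two ideas above, foreground-only counting and app-level decomposition of a suite, can be combined into one right-sizing pass. The following is an added example, not code from JumpCloud or from this post; the event format, the 30-minute threshold and the decision labels are assumptions, and all sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data: (user, app, state, minutes) over one review cycle.
EVENTS = [
    ("alice", "Word", "foreground", 340),
    ("alice", "Excel", "foreground", 610),
    ("alice", "Outlook", "background", 9000),
    ("bob", "Outlook", "foreground", 1200),
    ("bob", "Word", "background", 4000),       # auto-launched, never focused
    ("bob", "Photoshop", "background", 30),
    ("carol", "Acrobat Pro", "foreground", 95),
    ("carol", "Photoshop", "foreground", 4),   # opened once, below threshold
    ("dave", "Excel", "background", 7000),
]
SUITE_OF = {"Word": "Microsoft 365", "Excel": "Microsoft 365", "Outlook": "Microsoft 365",
            "Photoshop": "Adobe Creative Cloud", "Acrobat Pro": "Adobe Creative Cloud"}
# Constructed inventory: suites installed per user.
INSTALLED = {"alice": {"Microsoft 365"}, "bob": {"Microsoft 365", "Adobe Creative Cloud"},
             "carol": {"Adobe Creative Cloud"}, "dave": {"Microsoft 365"}}

def active_apps(events, states, min_minutes):
    """Apps per (user, suite) whose summed minutes in `states` reach min_minutes."""
    minutes = defaultdict(int)
    for user, app, state, mins in events:
        if state in states:
            minutes[(user, app)] += mins
    apps = defaultdict(set)
    for (user, app), total in minutes.items():
        if total >= min_minutes:
            apps[(user, SUITE_OF[app])].add(app)
    return apps

def recommend(installed, events, min_minutes=30):
    """Right-sizing decision per installed suite, using foreground time only."""
    used = active_apps(events, {"foreground"}, min_minutes)
    out = {}
    for user, suites in installed.items():
        for suite in suites:
            apps = sorted(used.get((user, suite), ()))
            if not apps:
                out[(user, suite)] = "reclaim"
            elif len(apps) == 1:
                out[(user, suite)] = f"single-app: {apps[0]}"
            else:
                out[(user, suite)] = "keep suite"
    return out

def presence_view(installed, events):
    """Suites that look 'in use' if any runtime, background included, counts."""
    seen = active_apps(events, {"foreground", "background"}, 1)
    return {(u, s) for u, suites in installed.items() for s in suites if (u, s) in seen}
```

On this data, process presence marks all five installed suites as in use, while the foreground view keeps one suite, narrows two to a single app and flags two for reclaim.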
NHI Mgmt Group analysis
Software spend governance fails when installation is mistaken for entitlement value. The article exposes a familiar control weakness: organisations renew expensive suites because they can see the software, not because they can prove the software is used. That is not a tooling gap alone, it is a governance gap in how value is measured. Practitioners should treat app usage evidence as part of entitlement validation, not as a nice-to-have telemetry feed.
Foreground activity is a better licensing control than uptime or presence. Desktop apps often stay running long after the user has stopped interacting with them, which makes process presence a poor indicator of business use. A foreground model gives IT and finance a more defensible basis for downgrade or reclaim decisions. For identity programmes, the lesson is that governance should follow observed use, not just assigned access.
App-level decomposition creates a more accurate lifecycle model for expensive suites. When a bundle is split into its component apps, renewal, recertification, and tiering decisions become far more precise. This is especially relevant where a user only needs one premium tool but has been funded for an entire suite. The practitioner conclusion is simple: recertify the app, not the bundle.
Cross-functional budget control is becoming part of identity governance. Licence waste is now a policy issue that sits between IAM, endpoint management, and finance. If identity teams cannot evidence which sanctioned apps are actually used, they will be forced to defend spend with incomplete data. The programme implication is that access governance and software cost governance are converging.
From our research:
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
What this signals
App usage telemetry is becoming a governance input, not just an IT optimisation metric. When teams can separate foreground use from passive installation, they can stop renewing licences on assumption and start reallocating spend on evidence. That pattern matters beyond Microsoft 365 and Adobe, because the same logic applies whenever entitlement value and observed use diverge.
The broader signal is that identity programmes are moving closer to financial governance. If a user does not actively use a paid app, the entitlement is no longer an abstract access decision, it is a budget liability that should be reviewed like any other standing privilege.
Software spend leak: this is the practical name for the gap between assigned suites and actual app use. Once that gap is visible, teams can align recertification, procurement, and endpoint telemetry around the same operational truth.
For practitioners
- Build renewal decisions on observed app use: Require app-level usage evidence before renewing Microsoft 365 or Adobe top-tier licences. Compare installed apps with foreground activity over a defined review cycle, then downgrade users who only rely on web access or a single desktop app.
- Separate inventory from engagement reporting: Report installed software and active software as different governance metrics. Installation tells you what is present on the endpoint, while foreground activity shows what is actually contributing to work.
- Use component-level recertification for bundled suites: Review Microsoft 365 and Adobe at the individual application level instead of treating each suite as one entitlement. That allows you to reclaim users who only need Outlook, Acrobat Pro, or another narrow toolset.
- Reclaim budget from idle premium licences: Move users with no meaningful desktop activity to web-only or single-app plans, then redirect the reclaimed budget to security controls or deferred infrastructure work.
Key takeaways
- Installation data alone cannot prove that expensive software licences are delivering value.
- Foreground app use gives IT and finance a stronger signal for recertifying, downgrading, or reclaiming premium entitlements.
- Licence governance works best when IAM, endpoint telemetry, and budget ownership are tied to the same usage evidence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access rights should reflect actual use, not just installed software presence. |
| NIST Zero Trust (SP 800-207) | | Zero trust governance depends on continuous verification of need and use. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Visibility over identities and their usage is foundational for machine and human entitlement governance. |
Map entitlement reviews to PR.AC-4 and reclaim licences when usage evidence no longer supports access.
Key terms
- Foreground tracking: A usage measurement method that records whether an application is actively in focus while the user is working. It is more useful for governance than process presence because it separates real interaction from software that launches and then sits idle in the background.
- Licence right-sizing: The process of matching a software entitlement to the level of access and functionality a user actually needs. In practice, it means downgrading, reallocating, or reclaiming expensive subscriptions when observed use does not justify the assigned tier.
- Application-level discovery: A visibility capability that identifies individual applications inside a broader software suite rather than treating the suite as one opaque block. It gives governance teams the detail needed to understand which components are used, unused, or over-assigned.
This post draws on content published by JumpCloud: Microsoft 365 and Adobe desktop discovery with app usage tracking.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org