TL;DR: Adding IT headcount quickly hits diminishing returns, with productivity gains falling from 16.59% in early growth to 3.19% at larger admin teams, while mixed operating-system fleets can drive the Productivity Factor negative, according to JumpCloud’s analysis of product usage data from over 5,000 organisations. The finding reinforces that identity and device complexity now outpace linear staffing, forcing more secure automation and tighter governance.
At a glance
What this is: JumpCloud’s research says IT productivity drops sharply as organisations add complexity, especially across mixed device fleets and split identity providers.
Why it matters: For IAM practitioners, the message is that scale now breaks identity operations first, so human, NHI, and autonomous access governance must be designed for fragmentation rather than assuming linear growth.
By the numbers:
- JumpCloud analyzed global product usage data from over 5,000 organizations.
- Productivity gains fall from 16.59% in early growth to 3.19% at larger admin teams.
- In the 100 to 200 user tier, the device management Productivity Factor plummets to an astounding -19.96%.
- Running Microsoft Entra and Google Workspace simultaneously spikes from just 8.81% in small companies to 58.97% at the upper commercial scale.
👉 Read JumpCloud's research on how scaling breaks IT first and security next
Context
Tool sprawl is the accumulation of too many overlapping systems, admin paths, and policy surfaces for the same operational outcome. In identity programmes, that usually shows up as split directories, duplicated controls, and device fleets that no longer behave consistently enough for clean governance. This is a primary IAM scaling problem, not just an IT staffing issue.
JumpCloud’s report frames a familiar pattern for many security teams: as environments grow, the operational burden of identity and device administration rises faster than headcount can absorb. That affects human users first, but the same fragmentation also complicates NHI governance and any future autonomous access model that depends on reliable policy enforcement across multiple systems.
Key questions
Q: What happens when identity and device management scale faster than IT headcount?
A: Productivity usually flattens because each new admin spends more time reconciling tools, exceptions, and fragmented policy surfaces. At that point, adding people increases coordination overhead faster than it adds control. The practical response is to simplify the operating model first, then automate the repeatable work that remains. A good starting point is the identity blast radius across directories and device stacks.
Q: Why do mixed device fleets make IAM governance harder?
A: Mixed fleets create different enforcement paths for policy, posture, patching, and remediation. That means access decisions are no longer evaluated against one consistent device baseline, which weakens trust in the outcome. Security teams should standardise the minimum control set across platforms and define where exceptions are allowed, rather than letting each OS become its own governance model.
Q: How do organisations know their IAM operating model is no longer scaling?
A: The warning signs are duplicate policy work, rising exception handling, slow access reviews, and admin teams spending more time reconciling systems than improving controls. If productivity gains fall as headcount rises, the model is saturating. Teams should treat that as a signal to reduce fragmentation, not as proof that more hiring will fix the issue.
Q: How should security teams respond when identity sprawl starts driving negative productivity?
A: They should stop treating sprawl as a staffing problem and start treating it as an architecture problem. First, identify which directories, device tools, and policy engines duplicate each other. Then collapse the highest-value overlaps, because negative productivity means the environment is consuming governance capacity faster than the team can replenish it.
Technical breakdown
Why mixed device fleets create a negative productivity curve
A mixed fleet is not just a support problem. Windows, macOS, and Linux usually require different endpoint controls, policy exceptions, update cadences, and admin workflows, so each added platform creates more branching decisions for the same team. Once those paths diverge, the cost is not only time spent troubleshooting. It is also weaker assurance that identity, device posture, and access policy still line up across the estate. That is why the report’s productivity factor can turn negative in mid-sized environments: complexity begins consuming the capacity that headcount was meant to add.
Practical implication: standardise device governance controls before adding more admins or endpoint tooling.
How split identity providers multiply IAM overhead
Running Microsoft Entra and Google Workspace side by side creates parallel identity planes. That means duplicated joiner, mover, and leaver handling, separate access models, duplicate policy logic, and more places where exceptions accumulate. The operational issue is not merely that two directories exist. It is that every identity decision now has to be reconciled twice, which raises both administrative load and the chance of inconsistent enforcement. In practice, duplicated identity sources make it harder to prove who has access, why they have it, and whether that access still matches policy.
Practical implication: consolidate identity policy control points before you attempt to scale access reviews across multiple directories.
What productivity factor really measures in identity operations
The Productivity Factor described in the report is an operational signal, not a vanity metric. It reflects how much useful work an additional administrator actually adds after tool duplication, environment variance, and exception handling are accounted for. When the factor falls, the team is spending more time maintaining the system than enabling the business. That is the point at which scale stops behaving like capacity expansion and starts behaving like friction amplification. For security leaders, this is the clearest sign that governance has become structurally harder to execute than it appears on paper.
Practical implication: use productivity decline as a trigger to redesign identity operating models, not just to hire more staff.
Breaches seen in the wild
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Tool sprawl creates an identity governance ceiling, not just an operations burden. When every extra platform adds another policy surface, teams stop scaling control and start scaling exception handling. The result is a governance model that looks larger but becomes less consistent, especially when device, directory, and access decisions are split across multiple systems. Practitioners should treat sprawl as a structural identity risk, not a tooling preference.
Mixed fleets expose a control mismatch between device administration and access assurance. The negative productivity curve matters because endpoint heterogeneity weakens the assumption that one admin model can govern all devices uniformly. Different operating systems require different enforcement paths, so policy drift becomes more likely exactly when the organisation believes it is gaining scale. The practical conclusion is that device diversity must be governed as an access-risk variable, not only as a support variable.
Split IdPs widen the identity blast radius. A dual-provider environment such as Microsoft Entra and Google Workspace forces organisations to duplicate controls and reconcile identity state in more than one place. That increases the chance of stale access, inconsistent recertification, and policy exceptions that no one fully owns. The named concept here is identity blast radius: the way each additional identity plane expands the number of systems that must agree before access can be trusted. Teams should measure that blast radius before adding yet another identity boundary.
This scaling problem also matters for NHI and autonomous access governance. If human identity operations cannot remain consistent under fragmentation, the same environment will struggle even more with service accounts, tokens, and AI-driven actors that depend on deterministic policy enforcement. The field implication is that identity architecture must stop assuming linear administrative capacity. Practitioners should design for non-linear governance load across all identity types.
Agentic-era claims about automation do not erase operational complexity. The report’s framing is a reminder that automation only helps when the underlying control plane is coherent. If identity, device, and access data are fragmented, automation simply accelerates the same inconsistency. The implication for the market is clear: unified governance is becoming a prerequisite for secure scaling, not an optional optimisation.
From our research:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- Read our Ultimate Guide to NHIs, Key Research and Survey Results for the broader identity scale and governance context.
What this signals
Identity governance is becoming a capacity model, not just a control model. When productivity drops as complexity rises, the programme has crossed from administration into architecture. That means leaders should measure how much governance work each additional system creates, not just how many users or endpoints they add. The next scaling constraint is likely to be policy coherence, not headcount.
With 69% of security leaders saying identity management must fundamentally shift for agentic AI, the operating model question is already on the table. A fragmented IAM stack will struggle even more once AI systems, service accounts, and human users all compete for the same control plane. The practical signal is to tighten identity source-of-truth discipline now, before autonomous access starts inheriting today’s inconsistencies.
Mixed fleets and split IdPs should be treated as governance debt. The longer an organisation runs duplicate policy paths, the more reconciliation work accumulates in the background. Teams that pair endpoint standardisation with clear directory ownership will be better positioned to absorb NHI and agentic workloads later, because they will already have a cleaner trust foundation.
For practitioners
- Map your identity blast radius before adding staff: Count how many directories, device managers, and access policy engines must agree before a user or workload is fully governed. If the answer is more than one, document where policy duplication and stale state can occur, then remove the highest-friction boundary first.
- Standardise the device policy baseline across operating systems: Define a minimum set of controls that must be enforced identically across Windows, macOS, and Linux. Focus on enrolment, posture checks, access gating, and remediation ownership so mixed fleets do not create separate governance tracks.
- Consolidate recertification around a single source of access truth: Avoid running parallel access review processes across multiple identity providers. Choose one authoritative record for entitlement ownership, then reconcile exceptions and orphaned accounts back into that record before the next review cycle.
- Treat automation as capacity protection, not complexity compensation: Use automation to absorb repetitive identity and device tasks only after the control model is coherent. If the workflow depends on duplicate policies or manual reconciliation, automation will preserve the problem instead of reducing it.
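The blast-radius mapping and single-source reconciliation steps above, as an added example that is not JumpCloud's or NHIMG's code: two constructed identity-plane exports (stand-ins for Microsoft Entra and Google Workspace) are compared against one authoritative record, and every orphaned, stale, missing or drifted entitlement is reported per boundary so the highest-friction plane can be collapsed first.

```python
# Constructed sample exports (not real tenant data). Each identity plane is a
# dict of user -> {"enabled": bool, "groups": set}; "entra" is the chosen
# authoritative record for entitlement ownership.
ENTRA = {
    "alice": {"enabled": True,  "groups": {"finance", "vpn"}},
    "bob":   {"enabled": False, "groups": {"vpn"}},    # leaver, disabled here only
    "carol": {"enabled": True,  "groups": {"eng"}},
}
GOOGLE = {
    "alice": {"enabled": True,  "groups": {"finance"}},  # vpn entitlement missing
    "bob":   {"enabled": True,  "groups": {"vpn"}},      # still enabled: stale access
    "dave":  {"enabled": True,  "groups": {"eng"}},      # only here: orphaned account
}
PLANES = {"entra": ENTRA, "google": GOOGLE}


def blast_radius(planes):
    """Count of identity planes that must agree before an access decision is trusted."""
    return len(planes)


def reconcile(planes, authoritative):
    """Compare every non-authoritative plane with the authoritative record.

    Returns (user, plane, finding) tuples; each finding is one place where
    identity state has drifted and must be reconciled before the next review.
    """
    auth = planes[authoritative]
    findings = []
    for name, plane in planes.items():
        if name == authoritative:
            continue
        for user in sorted(set(auth) | set(plane)):
            a, p = auth.get(user), plane.get(user)
            if a is None:
                findings.append((user, name, "orphan: absent from authoritative source"))
            elif p is None:
                findings.append((user, name, "missing: not provisioned in this plane"))
            elif a["enabled"] != p["enabled"]:
                findings.append((user, name, "stale: enabled state disagrees"))
            elif a["groups"] != p["groups"]:
                findings.append((user, name, "drift: entitlement groups disagree"))
    return findings


def friction_by_plane(findings):
    """Findings per boundary: the plane with the most is the one to collapse first."""
    counts = {}
    for _, plane, _ in findings:
        counts[plane] = counts.get(plane, 0) + 1
    return counts
```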
Key takeaways
- The report shows that scaling IT by adding people can flatten productivity once tool sprawl and mixed fleets expand the coordination burden.
- The most severe operational drag appears where mixed operating systems and split identity providers force duplicate policy enforcement and reconciliation.
- Practitioners should reduce identity and device fragmentation before they rely on more headcount or automation to absorb it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity sprawl weakens consistent access control across systems. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Mixed fleets and split IdPs undermine continuous trust decisions. |
| NIST CSF 2.0 | GV.SC-1 | Operational complexity and supplier/tool overlap affect governance outcomes. |
Establish ownership for each identity and device control boundary to prevent duplicated accountability.
Key terms
- Tool Sprawl: Tool sprawl is the accumulation of overlapping systems that each solve part of the same identity or operations problem. In practice, it creates duplicate workflows, inconsistent policy enforcement, and more manual reconciliation, which weakens confidence in access decisions and slows down secure scaling.
- Identity Blast Radius: Identity blast radius is the amount of governance surface that must stay aligned for an access decision to remain trustworthy. As directories, device tools, and policy engines multiply, the number of places where state can drift increases, making stale or inconsistent access more likely.
- Productivity Factor: Productivity Factor describes the net useful work an additional administrator actually contributes after tool duplication, exceptions, and coordination overhead are counted. A falling factor means the operating model is absorbing capacity instead of creating it, which is a sign that architecture, not headcount, is the bottleneck.
- Mixed Device Fleet: A mixed device fleet includes multiple operating systems managed under one programme, such as Windows, macOS, and Linux. The governance challenge is that each platform can require different controls, exception paths, and remediation steps, which makes consistent identity and posture enforcement harder to maintain.
Deepen your knowledge
Tool sprawl, mixed device fleets, and identity fragmentation are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your environment is reaching the point where governance work is scaling faster than headcount, it is worth exploring.
This post draws on content published by JumpCloud: How Scaling Breaks IT First, Then Security. Read the original.
Published by the NHIMG editorial team on 2026-06-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org