TL;DR: Unused SaaS licenses are framed as both budget waste and access risk in 1Password’s analysis, which argues that decentralised app buying, black-box usage data, and manual renewal checks leave IT unable to validate who still needs access. The real issue is that license governance and deprovisioning are now the same control problem, not separate finance and security tasks.
NHIMG editorial — based on content published by 1Password: unused SaaS licenses are a budget drain and a security risk
Questions worth separating out
Q: How should security teams handle unused SaaS licenses without losing access control?
A: Treat unused SaaS licenses as an identity governance issue, not only a cost line item.
Q: Why do unused SaaS accounts create security risk?
A: Unused SaaS accounts are risky because they often remain tied to valid entitlements even after the business has stopped using them.
Q: How can teams know whether a SaaS license is actually needed?
A: Teams should compare current login activity, last-use timestamps, and business ownership against the paid entitlement.
Practitioner guidance
- Map SaaS entitlements to identity events: Connect joiner, mover, and leaver signals from your identity provider to license assignment, downgrade, and reclaim workflows so unused seats are removed when access changes, not at the next spreadsheet review.
- Correlate usage data with contract records: Pull login activity, last-use timestamps, and contract entitlements into one review surface so finance and IAM teams are deciding from the same evidence rather than separate reports.
- Treat inactive access as latent exposure: Review accounts tied to former employees, dormant apps, and underused business tools as access risk, then remove or downgrade them before renewal and true-up cycles.
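The three guidance points above as a single review pass, in an added Python example that is not code from 1Password or its SaaS Manager product. The field names, identity status values, sample records and the 90-day idle threshold are all assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the article): IdP lifecycle state per user.
IDP_STATUS = {"alice": "active", "bob": "deprovisioned", "carol": "active", "erin": "active"}

# Constructed paid-seat records: user, app, last login (None = never), business owner.
SEATS = [
    {"user": "alice", "app": "design-tool", "last_login": date(2024, 5, 28), "owner": "design"},
    {"user": "bob",   "app": "crm",         "last_login": date(2024, 1, 10), "owner": "sales"},
    {"user": "carol", "app": "crm",         "last_login": date(2023, 11, 2), "owner": "sales"},
    {"user": "dave",  "app": "wiki",        "last_login": None,              "owner": "it"},
    {"user": "erin",  "app": "survey-app",  "last_login": date(2024, 5, 30), "owner": None},
]

def review_seats(seats, idp_status, today, idle_days=90):
    """Return one finding per paid seat: (user, app, action, reason)."""
    findings = []
    for s in seats:
        state = idp_status.get(s["user"])  # None means no matching identity in the IdP
        idle = None if s["last_login"] is None else (today - s["last_login"]).days
        if state != "active":
            # Leaver or orphaned account: access removal and seat reclaim go together.
            action, reason = "deprovision_and_reclaim", f"identity state: {state or 'not in IdP'}"
        elif idle is None or idle > idle_days:
            action = "reclaim_or_downgrade"
            reason = "never used" if idle is None else f"idle {idle} days"
        elif not s["owner"]:
            action, reason = "assign_owner", "in use but no business owner on record"
        else:
            action, reason = "keep", f"used {idle} days ago"
        findings.append((s["user"], s["app"], action, reason))
    return findings

if __name__ == "__main__":
    for row in review_seats(SEATS, IDP_STATUS, today=date(2024, 6, 1)):
        print(*row, sep=" | ")
```

Identity state is checked before usage so that a seat held by a former employee is flagged for access removal even if it shows a recent login.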
What's in the full article
1Password's full article covers the operational detail this post intentionally leaves for the source:
- How 1Password SaaS Manager connects to identity providers, finance tools, and 350+ apps for license visibility
- The specific workflows used to identify unused licenses, reclaim seats, and remove or downgrade access
- How renewal and true-up preparation changes when usage evidence is available in one system
- The article's guidance on reducing duplicate tools across teams without adding manual admin work
SaaS license waste and access risk: what IAM teams miss?
Explore further
License waste is an identity governance failure, not a procurement nuisance. Unused SaaS seats often survive because the organisation never built a reliable link between identity, entitlement, and actual application use. That means the same blind spot that wastes budget also leaves dormant accounts in place, which is why spend optimisation and access governance should be treated as one control domain. The practitioner conclusion is simple: if usage cannot be evidenced, access cannot be trusted.
A few things that frame the scale:
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to GitGuardian & CyberArk.
A question worth separating out:
Q: What is the difference between license reclamation and deprovisioning?
A: Deprovisioning removes or reduces a user’s access to an application, while license reclamation removes the paid seat from active use or makes it available for reassignment. Both need to be linked. If they are handled separately, organisations can still pay for access that no longer has a business need.