How should teams stop renewing software based on stale user counts?

Why This Matters for Security Teams

Procurement renewals fail when finance and security rely on stale headcounts instead of live identity and device telemetry. That creates two problems at once: overspending on software that is no longer needed, and blind spots where dormant or misclassified accounts still justify renewal volume. NHI Management Group’s Ultimate Guide to NHIs shows that only 5.7% of organisations have full visibility into their service accounts, which is a useful warning sign for any team trying to reconcile entitlement data with purchasing decisions. The same visibility gap that affects NHIs often shows up in user licensing, especially where SaaS, device enrollment, and offboarding are tracked in different systems. The result is renewal approval based on the last spreadsheet, not the current operating reality. Industry guidance from the OWASP Non-Human Identity Top 10 reinforces that identity data must be treated as a live control surface, not an administrative record. In practice, many security teams encounter unnecessary renewals only after audit season or a vendor true-up has already forced the issue, rather than through intentional lifecycle review.

How It Works in Practice

The control is straightforward in concept but demanding in execution: replace static user lists with decision-time evidence. Procurement should not approve renewals until the identity team, endpoint team, and application owner can each confirm current usage from authoritative sources. That usually means tying renewal review to HR status, directory activity, device telemetry, and application access logs, then reconciling those records before the contract date. A workable process often includes:

• flagging all accounts that have not authenticated, synced, or checked in within a defined window;
• separating named users from shared, service, contractor, and guest accounts;
• requiring owners to attest to active use, not just assigned seats;
• cross-checking deployed software against purchased licenses and current device inventory;
• escalating exceptions when the data sources disagree, rather than defaulting to renewal.

This is where lifecycle governance matters. NHIMG’s NHI Lifecycle Management Guide and the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs both point to the same operational lesson: visibility, ownership, and offboarding must be continuous, not periodic. For teams that want a broader inventory discipline, the Guide to the Secret Sprawl Challenge is a useful reminder that stale records and hidden usage often coexist. Current best practice is to treat renewal review as a control gate with evidence attached, not as a procurement courtesy. These controls tend to break down in federated SaaS environments where each department owns its own tenant and no single source of truth exists.

Common Variations and Edge Cases

Tighter renewal controls often increase process overhead, requiring organisations to balance savings and risk reduction against administrative friction. That tradeoff becomes more visible in environments with contractors, seasonal workers, M&A integration, or shared devices, where “active use” is not the same as “active employment.” Current guidance suggests the policy should distinguish between named-user licensing, concurrent-use licensing, and machine-bound licenses, because each has different telemetry requirements and different renewal logic. There is no universal standard for this yet, but several patterns are emerging. Some teams use a 30, 60, or 90-day inactivity threshold, while others require a second factor such as recent device check-in or application transaction history before a seat counts as active. For privileged tools, the renewal decision should be even stricter, because a dormant account can still justify both cost and exposure. The same discipline is consistent with the visibility and lifecycle themes in Top 10 NHI Issues and with the credential hygiene concerns highlighted by the Ultimate Guide to NHIs — Static vs Dynamic Secrets. The practical exception is regulated or air-gapped environments, where telemetry may be delayed or incomplete; in those cases, renewal decisions need an explicit evidence standard and a documented exception path, because missing data should never default to automatic spend.

Related resources from NHI Mgmt Group

• How should teams operationalize policy-based authorization at scale?
• What should IAM teams get right before adopting policy-based authorization?
• How should security teams structure a user access management policy?
• How do teams decide whether browser-based app integration is good enough?