What breaks is both spend accuracy and access governance. Former employees left in renewal counts inflate license totals, hide unused capacity, and signal that offboarding is not fully closing access paths. The right response is to reconcile leaver records with active subscriptions before contracts roll over, so stale access does not become another year of avoidable cost.
Why This Matters for Security Teams
Former employees left inside SaaS renewal counts create two problems at once: procurement overpays for seats that no longer support the business, and identity teams lose a clean signal that offboarding is complete. That is not just a finance issue. Renewal data often becomes the de facto inventory for access entitlement reviews, vendor true-ups, and audit evidence, so stale counts can mask dormant access paths for months.
This is especially important in environments that already struggle with identity sprawl. NHI Management Group notes that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs, which is a useful reminder that incomplete inventory is a recurring governance problem. The same pattern shows up in SaaS renewals when HR, IT, and procurement each maintain partial records and no single team owns reconciliation. In practice, many security teams encounter stale users in renewals only after a vendor true-up, audit, or breach review has already exposed the gap.
How It Works in Practice
The operational fix is to treat leaver reconciliation as a renewal control, not a one-time HR cleanup. Before a SaaS contract rolls over, teams should compare HR termination records, SSO directories, app admin consoles, and seat utilization exports. The goal is to identify users who are inactive in the business but still counted in the commercial contract, then verify whether they also retain access through direct login, shared accounts, or secondary roles.
A practical workflow usually includes:
- Pull the current renewal baseline from procurement and the vendor admin console.
- Reconcile against HR leaver feeds and identity provider status.
- Validate whether the account is truly inactive or still tied to a delegated function.
- Remove, downgrade, or repurpose licenses before the renewal date.
- Confirm offboarding actions include session revocation, token revocation, and MFA reset where applicable.
This is where broader identity hygiene matters. The NHI Lifecycle Management Guide and the Top 10 NHI Issues both reinforce the same pattern: lifecycle control fails when ownership is fragmented and revocation is not tied to a closure event. OWASP also frames identity sprawl and weak lifecycle enforcement as a security issue in the OWASP Non-Human Identity Top 10, which maps cleanly to the way stale SaaS seats often persist after employee exit.
For teams managing this at scale, the best practice is to add a renewal checkpoint to offboarding governance: no contract renewal should proceed until leaver counts, active access, and assigned licenses are reconciled. These controls tend to break down in decentralised SaaS estates where business units buy apps directly and no central system owns account closure.
Common Variations and Edge Cases
Tighter renewal controls often increase administrative overhead, requiring organisations to balance cost recovery against the effort of reconciling multiple systems. That tradeoff becomes sharper when apps do not integrate cleanly with the identity provider or when vendors allow pooled licenses, guest access, or perpetual admin seats that do not map neatly to named employees.
There is no universal standard for this yet, but current guidance suggests treating the following cases separately:
- Contracted seats versus active logins, because one user may hold multiple licensed roles.
- Guest users and contractors, because they are often omitted from HR leaver feeds.
- Shared admin accounts, because removing one person does not necessarily remove access.
- Auto-renew clauses, because finance may approve the contract before identity review completes.
Another common gap is that offboarding may close the primary SaaS account but leave connected tokens, API keys, or delegated mailbox access in place. That is why renewal review should be paired with access review, not run as a separate procurement exercise. The Guide to the Secret Sprawl Challenge is relevant here because stale SaaS entitlements often coexist with undocumented secrets and unused access paths. The right exception handling is to document why a former employee is still counted, time-box any residual access, and remove the license unless there is a clearly approved business dependency.
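The workflow above (pull the renewal baseline, reconcile against HR and IdP, validate, remove, and confirm revocation) and the edge cases just listed (guests missing from HR feeds, shared admin accounts, multiple licensed roles, leftover API keys) can be exercised together in one reconciliation pass. The script below is an added illustration written for this page, not NHI Management Group tooling and not any vendor's export format. The three inputs (HR leaver feed, IdP status map, vendor seat export), their field names, the 90-day inactivity threshold, and every user and date in it are constructed assumptions; a real run would replace them with the organisation's own exports.

```python
"""Renewal-checkpoint reconciliation: an added worked example, not NHIMG tooling.

It joins three constructed exports (HR leaver feed, IdP directory status, and the
vendor seat export) and classifies every licensed seat before the contract rolls
over. All users, dates and field names below are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

AS_OF = date(2026, 6, 10)            # assumed renewal-review date
INACTIVE_DAYS = 90                   # assumed inactivity threshold for guests/named seats

# --- Constructed sample exports (hypothetical users and dates) -------------
HR_LEAVERS = {                       # email -> termination date
    "alice@example.com": date(2026, 3, 1),
    "bob@example.com": date(2026, 4, 15),
}
IDP_STATUS = {                       # email -> SSO account status
    "alice@example.com": "disabled",
    "bob@example.com": "active",     # offboarding never reached the IdP
    "carol@example.com": "active",
    "dana@partner.example": "active",  # guest: absent from the HR feed
}
VENDOR_SEATS = [                     # one row per licensed seat in the admin console
    {"user": "alice@example.com", "seat": "named", "last_login": date(2026, 2, 20),
     "roles": ["editor"], "api_keys": 1},
    {"user": "bob@example.com", "seat": "named", "last_login": date(2026, 5, 30),
     "roles": ["editor", "billing"], "api_keys": 0},
    {"user": "carol@example.com", "seat": "named", "last_login": date(2026, 6, 1),
     "roles": ["viewer"], "api_keys": 0},
    {"user": "dana@partner.example", "seat": "guest", "last_login": date(2025, 11, 2),
     "roles": ["viewer"], "api_keys": 0},
    {"user": "ops-admin@example.com", "seat": "shared_admin", "last_login": date(2026, 6, 5),
     "roles": ["admin"], "api_keys": 2, "members": ["alice@example.com", "carol@example.com"]},
]

# Categories whose seats can be removed or downgraded before the renewal date.
RECLAIMABLE = {"leaver_counted", "leaver_still_active", "guest_inactive"}


@dataclass
class Finding:
    user: str
    seat: str
    category: str
    actions: list = field(default_factory=list)


def reconcile(hr_leavers, idp_status, seats, as_of=AS_OF, inactive_days=INACTIVE_DAYS):
    """Classify each seat; returns one Finding per row of the vendor export."""
    findings = []
    for s in seats:
        user, actions = s["user"], []
        stale = (as_of - s["last_login"]).days > inactive_days

        if s["seat"] == "shared_admin":
            # A shared account is not a person: a leaver in HR does not remove its access.
            leavers = [m for m in s.get("members", []) if m in hr_leavers]
            if leavers:
                category = "shared_admin_has_leaver"
                actions += [f"remove {m} from membership" for m in leavers]
                actions += ["rotate shared credential", "revoke sessions"]
            else:
                category = "ok"
        elif user in hr_leavers:
            # Leaver still counted in the commercial contract.
            if idp_status.get(user) == "active":
                category = "leaver_still_active"
                actions += ["disable IdP account", "revoke sessions and tokens", "reset MFA"]
            else:
                category = "leaver_counted"
            actions.append("remove license before renewal")
            if len(s["roles"]) > 1:  # one user may hold several licensed roles
                actions.append("check each licensed role: " + ", ".join(s["roles"]))
        elif s["seat"] == "guest":
            # Guests/contractors never appear in the HR feed; fall back to inactivity.
            category = "guest_inactive" if stale else "ok"
            if stale:
                actions += ["confirm sponsor", "time-box or remove access"]
        else:
            category = "inactive_named" if stale else "ok"
            if stale:
                actions.append("confirm owner; downgrade or reclaim")

        if s.get("api_keys", 0) and category != "ok":
            # Closing the login alone leaves connected keys/tokens in place.
            actions.append(f"revoke {s['api_keys']} API key(s)")
        findings.append(Finding(user, s["seat"], category, actions))
    return findings


def summarize(findings):
    """Category counts for the renewal checkpoint report."""
    return dict(Counter(f.category for f in findings))


def renewal_baseline(seats, findings):
    """(contracted seats, seats reclaimable before renewal, adjusted renewal count)."""
    reclaim = sum(1 for f in findings if f.category in RECLAIMABLE)
    return len(seats), reclaim, len(seats) - reclaim


if __name__ == "__main__":
    fs = reconcile(HR_LEAVERS, IDP_STATUS, VENDOR_SEATS)
    for f in fs:
        print(f"{f.user:<24} {f.seat:<13} {f.category:<24} {'; '.join(f.actions)}")
    print(summarize(fs))
    print("contracted/reclaimable/adjusted:", renewal_baseline(VENDOR_SEATS, fs))
```

On the constructed data the pass yields five seats contracted, three reclaimable, and an adjusted renewal count of two; it also surfaces a leaver whose SSO account is still active and a shared admin account whose membership still includes a leaver, neither of which a licence-count-only review would flag. The same structure extends to any vendor whose console exports seat type, last login, roles and attached keys.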
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Stale SaaS seats often reflect poor NHI inventory and lifecycle control. |
| NIST CSF 2.0 | PR.AC-4 | Access review and entitlement cleanup are core identity governance activities. |
| NIST AI RMF | GOVERN | Ownership and accountability are needed to prevent renewal data drift. |
Reconcile SaaS seats against live identities before renewal and remove inactive access.
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org