ANOTHER WAY TO SAVE ON SAAS COSTS

Fix access visibility, and license waste starts showing itself

If our IT team is being asked to justify SaaS spend, we already know the ritual. Finance wants a number. Department heads want their tools left alone. Procurement wants renewal dates. Security wants fewer ghosts in the machine. Marketing wants its team to have access to the full Adobe suite. Somewhere in the middle, we’re expected to explain why we’re still paying for software that half the estate barely touches.

Unused licenses are, most often, not primarily a software asset management problem. They are an identity visibility problem.

That’s why “we need to save on SaaS” can be a more technical conversation than it first appears. If we can see who has access, how they got it, whether they still need it, and (possibly most importantly) whether they’ve used it recently, unused licenses begin to surface as a by-product of doing proper identity tracking and cloud-entitlement management.

Imagine saving enough on SaaS expenditure to actually pay for an identity-first access solution that covers cloud risk, zero standing privilege, just-in-time access, and over-privileged identities, securing AI access and human identities and sailing through SOC 2 compliance, all with budget that's currently wasted on unused licenses. This is how to win friends with our CFO.

Waste isn’t trivial, especially in the current economic climate. Zylo’s 2026 SaaS Management Index says the average organization uses only 54% of its provisioned licenses, leaving 46% unused or underused. Its 2025 index puts average annual waste from unused SaaS licenses at $21 million.

So yes, this is about cost. But it is also about stale access, poor deprovisioning, and muddled ownership. In other words, classic IT/security housekeeping.

Licenses usually sit downstream of entitlements. A seat exists because a user was assigned an app directly, inherited it from a group, was provisioned through SCIM, federated through SSO, or never cleaned up after changing roles in the joiner/mover/leaver lifecycle. If we improve visibility at the access layer, we gain a better way to save on SaaS without starting from a procurement spreadsheet and hours of investigation. 

This is where an identity-first access platform becomes interesting. If we can see which IAM groups are assigned to users, along with whether those users have been active in the past 90 days, then anyone who still has access but has not been active is probably a reclaim candidate. Time to take this knowledge forward and renegotiate those license packages.

First, we discover entitlements across SaaS and cloud systems. Then we correlate the assignment with the activity. Microsoft Entra’s sign-in activity data, for example, includes both interactive and non-interactive sign-in timestamps, which matters because many “inactive” accounts are still making quiet background calls through clients or automations. Microsoft itself recommends using the last sign-in time to identify inactive accounts. So now you are not just asking, “Who has a license?” You are asking, “Who has a license, a role, or a group-derived entitlement, but no meaningful signs of life?” 

Instead of broad quarterly reviews where managers click “Approve” like a woodpecker on autopilot, we can surface a narrower set of high-signal candidates: users inactive for 90 days, leavers with residual access, contractors with vendor access whose “temporary” permissions slipped through the gaps, or people who changed teams but kept old app assignments. The power lies in the automated detection of dormant and orphaned accounts, continuous reviews, and revoking unused privileges. 
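The correlation described above (license assignment checked against both interactive and non-interactive sign-in timestamps, with a 90-day window) can be sketched as follows. This is an added example, not code from the article or from any vendor; the records are constructed and shaped like Microsoft Graph user objects, and the `graph_user` helper, the category names and the fixed `NOW` date are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90  # the 90-day window used in the article
NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)  # fixed "today" so the sample is deterministic

def graph_user(upn, enabled, interactive, background, skus=("sku-placeholder",)):
    """Hypothetical helper: a constructed record shaped like a Graph user object."""
    return {"userPrincipalName": upn, "accountEnabled": enabled,
            "assignedLicenses": [{"skuId": s} for s in skus],
            "signInActivity": {"lastSignInDateTime": interactive,
                               "lastNonInteractiveSignInDateTime": background}}

# Constructed sample data: users, SKU ids and timestamps are invented.
USERS = [
    graph_user("active@example.com", True, "2026-05-10T09:00:00Z", "2026-05-18T02:00:00Z"),
    graph_user("sync-only@example.com", True, "2025-10-01T09:00:00Z", "2026-05-17T03:00:00Z"),
    graph_user("dormant@example.com", True, "2025-11-02T09:00:00Z", "2025-12-01T09:00:00Z"),
    graph_user("leaver@example.com", False, "2026-04-30T17:00:00Z", None),
    graph_user("never@example.com", True, None, None),
    graph_user("unlicensed@example.com", True, "2025-01-01T00:00:00Z", None, skus=()),
]

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def classify(user, now):
    """Place one user in a review category based on license state and sign-in activity."""
    if not user.get("assignedLicenses"):
        return "no_license"               # nothing to reclaim
    if not user.get("accountEnabled", True):
        return "disabled_with_license"    # leaver with residual seat
    activity = user.get("signInActivity") or {}
    interactive = parse_ts(activity.get("lastSignInDateTime"))
    background = parse_ts(activity.get("lastNonInteractiveSignInDateTime"))
    cutoff = now - timedelta(days=INACTIVITY_DAYS)
    if interactive and interactive >= cutoff:
        return "active"
    if background and background >= cutoff:
        return "background_only"          # quiet client or automation traffic: review, don't revoke
    if interactive is None and background is None:
        return "no_sign_in_recorded"      # may be a new joiner: review
    return "dormant"

def reclaim_candidates(users, now):
    """UPNs whose seats can be reclaimed; other categories go to human review."""
    return sorted(u["userPrincipalName"] for u in users
                  if classify(u, now) in ("dormant", "disabled_with_license"))

if __name__ == "__main__":
    print(reclaim_candidates(USERS, NOW))
```

Keeping `background_only` and `no_sign_in_recorded` out of the automatic reclaim list is the point of checking both timestamps: an account with no recent interactive sign-in can still be in use by a client or automation.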

This helps our IT team reduce the manual chase across IdP records, admin consoles, renewal docs, and cost-center arguments. It gives us a cleaner story for renewals because we can point to specific entitlements and activity history instead of waving vaguely at “adoption”. It also lets security and IT operations solve two problems at once: reclaim waste and reduce attack surface. A dormant licensed account is not just a cost problem; it’s a control failure with a subscription attached.

That wider governance angle matters more now because SaaS buying has become messy. Business units now control 81% of SaaS spend, while IT directly manages only 15%. CIS Control 2, meanwhile, is passionate about the need to inventory, track, and control software assets so that unmanaged software is found and handled. The organization may have decentralized purchasing, but IT still gets asked to explain the inevitable sprawl. A splendid arrangement, if we enjoy mop duty after other people’s parties. 

Vendors meter differently. Some sell named-user seats, some sell active-user tiers, some bundle features in seemingly random ways designed by committee. But for many mainstream SaaS estates, access state is still one of the best signals we have for where to sensibly save on SaaS.

It’s not that an access platform suddenly becomes a finance tool. It’s that once we gain clean visibility into entitlements, activity, and lifecycle drift, unused software licenses become obvious. And when they stop hiding, IT can prove where the waste is, why it happened, and what can be pruned at a time when every penny counts.

If you want to save on SaaS without running another painful audit, start by fixing visibility. In around 30 minutes, you can map every entitlement across users, agents, and SaaS apps, spot inactive access, and shine a light on those licenses that no longer earn their keep, with our free trial. From there, remove standing privilege, enforce time-bound, policy-driven access, and let lifecycle control quietly clean up the rest. The result: lower SaaS spend as a by-product of tighter identity hygiene, with clear evidence to back every decision.

Nik Hewitt

May 20, 2026
