TL;DR
AI coding tools exploded. Every single one paywalls SCIM.
Anthropic hit $1B run-rate in six months. Cursor became the fastest-growing SaaS app ever. Over the holidays, engineers discovered what these tools could do and got hooked.
Now IT is catching up - and discovering:
- 100% of AI coding tools require Enterprise for SCIM
- These tools see your source code, architecture, API keys
- Manual provisioning across a typical AI stack exceeds $63K/year
When engineers leave, you can't automatically revoke access without paying enterprise prices. Stitchflow provides automation without the upgrade, for <$5K/app.

The adoption happened. The governance didn't.
If you run IT at an engineering-heavy company, you already know what happened in 2025. AI coding assistants went from "interesting experiment" to "can't live without it" seemingly overnight.
The numbers are staggering. Anthropic hit $1 billion in run-rate revenue just six months after its public launch. Cursor became the fastest-growing SaaS product in history. GitHub Copilot is embedded in virtually every IDE. Over the Christmas holidays, Claude Code went viral - developers discovered what it could actually do and got hooked. The adoption wasn't driven by marketing. It was word of mouth, tweets, engineers showing colleagues.
This adoption happened bottom-up. Engineers found tools that made them dramatically faster, expensed them on corporate cards or got manager approval, and started using them. By the time IT noticed, these tools were embedded in daily workflows.
Now you're trying to govern them. And you're discovering that the tools powering your engineering org have the worst identity management story in your entire stack.
The SCIM status of every major AI coding tool
We analyzed the identity management capabilities of the major AI coding assistants. The pattern is consistent: every single one paywalls SCIM behind Enterprise.
| Tool | SCIM Support | What It Takes | Annual Cost of Manual Mgmt |
|---|---|---|---|
| Claude Code | Enterprise only | Custom pricing, requires sales | Over $12K/app/500 employees |
| Cursor | Enterprise only | Custom pricing, requires sales + SSO first | Over $12K/app/500 employees |
| GitHub Copilot | Enterprise only | $39/user/month + requires EMU | ~$5.4K (tighter GitHub integration) |
| Windsurf | Enterprise only | Custom pricing, Standard is $30-40/user | Over $12K/app/500 employees |
| Replit | Enterprise only | Custom pricing, sales-gated | Over $12K/app/500 employees |
| Sourcegraph | Enterprise only | Custom pricing, known Okta/Entra issues | Over $12K/app/500 employees |
| JetBrains AI | Enterprise only | Separate SCIM config per product | Over $12K/app/500 employees |
The pattern: Every AI coding tool requires an Enterprise upgrade for automated provisioning. No exceptions.
This is consistent with what we see across the SaaS ecosystem. We analyzed 721 apps: 42% lock SCIM behind enterprise pricing, 57% have no SCIM at any price. Only 9 apps (1.2%) include SCIM on their base tier. AI coding tools landed squarely in the "paywall it" camp.
For a company using three or four of these tools, the annual cost of manual provisioning exceeds $63,000 - before you even consider the Enterprise upgrade costs.
Why this matters more than other apps
AI coding tools aren't like your average SaaS app. They have access to something far more sensitive than customer data or financial records.
They see your source code.
What AI coding assistants can access
- Every file in your repositories
- Your architecture patterns and system design
- API keys and secrets that end up in comments or config files
- Proprietary algorithms and business logic
- Security implementations and authentication flows
- Infrastructure configurations
When an engineer uses Cursor or Copilot, the tool needs context to provide useful suggestions. That context is your codebase. Your intellectual property. The thing that differentiates your product from competitors.
The offboarding problem
When an engineer leaves, you revoke their GitHub access, their AWS credentials, their Slack. But if you can't automatically deprovision their AI coding tools, they may retain access to tools that have cached context about your systems. At minimum, you're paying for unused licenses. At worst, you have a security exposure you can't easily audit.
Why "just upgrade to Enterprise" doesn't work
The obvious answer is to upgrade every AI coding tool to Enterprise tier for SCIM support. Here's why that math doesn't work:
Claude Code: Enterprise tier required for SCIM. Custom pricing means negotiating contracts for a tool your team just discovered over the holidays.
GitHub Copilot: Enterprise is $39/user/month vs $19 for Business. For 100 engineers, that's an extra $24,000/year just to get SCIM. And you only get SCIM if you're also on GitHub Enterprise Cloud with Enterprise Managed Users (EMU) - which means you can't retrofit existing GitHub organizations.
Cursor: Enterprise tier with custom pricing required. SSO must be configured before SCIM can be enabled, adding implementation complexity.
Windsurf, Replit, Sourcegraph: Enterprise pricing isn't published. You need to talk to sales, negotiate contracts, and commit to annual agreements. For tools that engineers adopted last month, that's a lot of procurement overhead.
JetBrains: Even with Enterprise, you need separate SCIM configurations for each product (Hub, YouTrack, etc.). There's a known Okta URL loop issue requiring workarounds, plus risk of unwanted license allocation when provisioning users.
The total cost of upgrading your entire AI coding stack to Enterprise tiers can easily exceed $100,000/year for a mid-sized engineering org. For tools that might get replaced next quarter when something better comes along.
What IT teams are actually doing (and why it's not working)
Without automated provisioning, IT teams fall back to manual processes:
Onboarding: Engineer joins → IT creates account in each AI tool manually → assigns correct seat type → adds to correct team/workspace → engineer waits for access
Offboarding: Engineer leaves → IT remembers to revoke each AI tool manually → hopefully doesn't miss one → no audit trail of when access was actually removed
License management: Monthly review of who's using what → cross-reference against HR data → manually remove inactive users → hope the spreadsheet is accurate
This worked when you had one or two AI tools with a handful of users. It doesn't work when you have five tools, 200 engineers, and 10% monthly churn in your contractor pool.
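The monthly cross-reference described above, written out as an added example (not Stitchflow's code and not any vendor's API): it compares seat exports against an HR roster and flags seats held by departed staff, seats with no HR record, and idle licenses. The tool names come from this page; the export layout, field names, e-mail addresses and the 60-day idle threshold are assumptions, and all sample data is constructed.

```python
from datetime import date

# Constructed HR roster: work e-mail -> termination date (None = still employed).
HR_ROSTER = {
    "ana@example.com": None,
    "ben@example.com": date(2025, 11, 14),
    "chen@example.com": None,
}

# Constructed per-tool seat exports, as an admin might download them as CSV.
# The (email, last_active) layout is an assumption, not a vendor format.
SEAT_EXPORTS = {
    "Cursor": [("Ana@Example.com", date(2025, 12, 30)),
               ("ben@example.com", date(2025, 12, 2))],
    "GitHub Copilot": [("chen@example.com", date(2025, 9, 1)),
                       ("dev-contractor@example.com", date(2025, 12, 28))],
}

SEVERITY = {"active-after-exit": 0, "orphaned-seat": 1,
            "no-hr-record": 2, "idle-license": 3}

def reconcile(roster, exports, today, idle_days=60):
    """Return findings as (tool, email, reason), most serious first."""
    findings = []
    for tool, seats in exports.items():
        for raw_email, last_active in seats:
            email = raw_email.strip().lower()  # exports differ in casing
            if email not in roster:
                # Seat on a work domain that HR has never heard of.
                findings.append((tool, email, "no-hr-record"))
                continue
            left = roster[email]
            if left is not None and left <= today:
                # Activity after the termination date is the case to escalate.
                reason = ("active-after-exit" if last_active > left
                          else "orphaned-seat")
                findings.append((tool, email, reason))
            elif (today - last_active).days > idle_days:
                findings.append((tool, email, "idle-license"))
    return sorted(findings, key=lambda f: (SEVERITY[f[2]], f[0], f[1]))

if __name__ == "__main__":
    for tool, email, reason in reconcile(HR_ROSTER, SEAT_EXPORTS, date(2026, 1, 5)):
        print(f"{reason:18} {tool:15} {email}")
```

A report like this only covers tools whose seat lists IT can export; free-tier accounts created outside the admin console never appear in it.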
The real risk
The tools that are hardest to govern are the ones with the most sensitive access. An orphaned Cursor account is more dangerous than an orphaned Calendly account. But Calendly probably has better SCIM support at lower tiers.
The shadow AI problem in engineering
Here's what makes this worse: you probably don't even know all the AI coding tools in use.
Developers are experimenters. When a new AI assistant launches, engineers try it. They sign up with work email. They connect it to their local codebase. If it's useful, they keep using it. If not, they move on - but the account remains.
Tools that might be in your environment
- Claude Code (Anthropic's CLI)
- Cursor (standalone editor)
- GitHub Copilot (IDE extension)
- Windsurf (Codeium's editor)
- Replit (browser-based + Ghostwriter AI)
- Sourcegraph Cody (code intelligence)
- Amazon Q Developer (AWS-integrated)
- Tabnine (IDE extension)
- Codeium (free tier = no visibility)
- JetBrains AI Assistant (bundled with IDE)
Some of these have free tiers that don't require IT involvement at all. Engineers can use them indefinitely without ever appearing in your SaaS inventory. Your IdP can't see them. Your SaaS management platform can't see them. They're shadow IT, and they have access to source code.
What we actually do
Stitchflow provides automated provisioning for AI coding tools without requiring Enterprise upgrades.
For tools with paywalled SCIM (all of them): We deliver provisioning automation on your current plan. No Enterprise upgrade required. Users and groups sync from Okta automatically. Offboarding happens when it should, not when someone remembers.
How it works: You configure it in Okta just like any other SCIM app. Assign users and groups. We handle the rest - including the 2am problems when something breaks, the UI changes when vendors update their admin consoles, and the CAPTCHAs that block automation.
Less than $5K/year per app. For the entire AI coding stack, you're looking at a fraction of what the Enterprise upgrades would cost - and you get consistent provisioning across tools that have wildly inconsistent native support.
The bottom line
Your engineers adopted AI coding tools because they're productive. That adoption isn't reversing. The question isn't whether to govern these tools - it's how.
You can upgrade every tool to Enterprise tier, negotiate seven separate contracts, and manage seven different SCIM configurations with seven different quirks and workarounds.
Or you can let us handle it.
Frequently asked questions
Only on the Enterprise tier, which requires custom pricing and a sales conversation. The Team plan includes SSO but deliberately excludes SCIM. For teams that just adopted Claude Code during the viral holiday moment, that's a significant procurement hurdle. Stitchflow provides automated provisioning for Claude Code without requiring the Enterprise upgrade.
Jay has been serving modern IT teams for more than a decade. Prior to Stitchflow, he was the product lead for Okta IGA after Okta acquired his previous ITSM company, atSpoke.



