"We have danielle@acmefintech.com and danielle.johnson@acquisicorp.net. They're the same person, but they're showing up as two different users across multiple tools. We've got domains from two acquisitions, a few personal logins, and zero centralized visibility into it."
This isn't rare. It's the new reality of modern IT environments.
Companies rebrand, merge, scale across geos, or bring on contractors fast. And every time, identity gets split. What should be one clean user record becomes five fragmented ones—living in disconnected apps, under different domains, and often bypassing your IDP altogether.
In this guide, we'll unpack:
- Why domain and identity sprawl is inevitable
- What it quietly costs your team in risk, waste, and time
- Why SCIM, SSO, and IDPs don't catch the whole picture
- How to resolve identity across every tool using a cross-app identity graph
- A step-by-step playbook for auditing and cleaning it up
The modern IT truth: disconnected apps and domain sprawl are normal
IT teams don't choose complexity. But it shows up anyway:
- One team still uses legacy email addresses after an acquisition
- Sales operates out of HubSpot with Gmail logins, while the rest of the org is in Entra ID
- Finance uses tools that only support local login, not SSO
- External contractors get invited manually using personal domains
Here's what it looks like:
| App | User Login | Method |
|---|---|---|
| Slack | danielle@acmefintech.com | SSO (Okta) |
| Notion | danielle.j@personalmail.com | Manual Invite |
| Asana | danielle.johnson@acquisicorp.net | SSO (Google) |
| Metabase | danielle@acmefintech.com | Local Account |
Same person. Four identities. Four provisioning flows. No single source of truth.
The hidden costs of fragmented identity
IT teams often feel these problems—but don't always see the cost until it adds up. These IT visibility gaps compound quickly in complex environments.
1. License Waste
Duplicate accounts are billed multiple times. If a user shows up under three different emails, you're paying for all three. This is especially common in multi-domain SaaS environments where users have identities across different business units.
Real Impact: One mid-market org removed 300 licenses after discovering 170 duplicate users across three domains.
2. Audit Gaps and Noncompliance
SOX, ISO 27001, HIPAA—they all require user-level access reviews. But if your IDP only "sees" half of someone's access, your audit trails are incomplete.
One team told us: "We thought offboarding was complete until legal flagged an active CRM account three months later."
3. Operational Friction
Even basic offboarding becomes a game of whack-a-mole. IT teams have to chase down every app admin, dig through spreadsheets, and pray the invite history is accurate.
Why your existing stack can't solve this alone
Many teams assume SCIM or SSO solves identity sprawl. But those tools only work when everything is perfectly integrated—which isn't reality for most modern IT environments. These tools only work when:
✅ The app supports deep integration
✅ Users actually use the IDP to log in
✅ Emails match across systems
✅ No one bypasses with a personal or alternate domain
Most tools today don't check all those boxes.
Common myths:
❌ "Everything's federated, so we're fine."
❌ "We only use approved apps."
❌ "The HRIS triggers offboarding automatically."
Reality: Tools like Miro, Notion, Calendly, and newer AI SaaS tools often get connected without SCIM. Many don't expose APIs at all. Identity data is locked in visual UIs or email invites.
The missing piece: building a cross-app identity graph
Instead of hoping for perfect sync, you need a system that can look across every app and say:
"These four accounts all belong to the same person."
That's what a cross-app identity graph does.
How it works:
It analyzes users across tools, regardless of how they were provisioned, and finds overlaps using:
- Email similarity
- Name pattern recognition
- Login and activity metadata
- Known IDP relationships
- Fuzzy matching with admin override
This graph becomes your unified lens into "who has access to what," even when domains, IDPs, or login methods don't align. This approach to SaaS user management resolves the fundamental problem of fragmented identity.
How Stitchflow maps identities across your stack
With Stitchflow, IT teams don't have to wrangle exports or reconcile rows by hand.
The process:
- Connect apps: via SSO, CSV upload, or browser extension
- Identity resolution kicks in: Stitchflow runs matches across usernames, emails, logins, aliases, and SCIM profiles
- The graph is built: Each unique person is assigned a stitched profile, with confidence levels and app-level matches
- Gaps are flagged:
- Orphaned accounts (no known identity)
- Duplicate licenses (same person, multiple logins)
- Untracked logins (personal or external domains)
- Bulk actions:
- Clean up duplicates
- Export for audit
- Trigger revokes or license adjustments via native workflows
Because this happens continuously, you're not chasing issues reactively every quarter.
Real impact: what IT teams gain
- 30–50% faster offboarding: because every access point is tied to a true user entity
- Thousands saved in reclaimed licenses: even before full app cleanup
- Better audit prep: now you can confidently say "This user is accounted for across every system"
For organizations looking to implement best practices for software license management, this unified approach provides the foundation for sustainable governance.
Success Story: "We used to have three people spend a week reconciling app access. Stitchflow made it a 2-hour review." — IT Manager
How to fix identity sprawl in your environment
Want to take control of fragmented identities across your stack? Follow this step-by-step playbook, grounded in real-world IT workflows and proven results.
Step 1: Inventory your domains
Start with a comprehensive list of all email domains in use:
- Your primary corporate domains
- Domains from past mergers or acquisitions
- Known contractor or personal domains (e.g., gmail.com, outlook.com)
This list forms the baseline for cross-domain identity matching.
Step 2: Map your IDPs and login methods
Audit how users authenticate across tools:
- Which apps use Okta, Entra ID, or Google Workspace
- Which rely on local login, email invites, or CSV uploads
- Where lifecycle automation via SCIM or SSO is missing
This highlights the areas where identity management is weakest.
Step 3: Identify apps that allow non-SSO access
Non-SSO tools are often unmanaged—and high risk. Focus on:
- Productivity and collaboration tools adopted outside IT
- SaaS platforms where SSO is a paid add-on (the "SSO tax")
- Apps that allow manual invites or personal email logins
These are typically the root of duplicate and orphaned accounts.
Step 4: Export user lists across key tools
Pull full user rosters from your highest-risk or highest-cost tools:
- Finance platforms like NetSuite or Expensify
- Sales systems like Salesforce or HubSpot
- AI or Shadow IT tools like Notion, ChatGPT, or Canva
Capture emails, usernames, roles, and last activity for each user.
Step 5: Use a graph-based tool (like Stitchflow) to resolve identities
Manual reconciliation isn't scalable. Let automation do the work:
- Stitchflow maps identities using email similarity, login behavior, aliases, and admin overrides
- Flags duplicates, orphans, and cross-domain mismatches
- Builds a unified identity graph to answer: "Who really has access to what?"
No more guesswork. Just clean, consolidated user visibility.
Step 6: Build a deduplication policy
Establish rules to govern cleanup and remediation:
- Which domain wins in a match (e.g., corporate over personal)
- How to handle shared logins or departmental accounts
- When to revoke access or notify app owners for review
This prevents ad-hoc decisions and ensures consistency.
Step 7: Review quarterly
Sprawl doesn't stop—it creeps in with every new hire, reorg, or tool adoption. Understanding how to reduce IT tool sprawl is crucial for maintaining long-term control.
Set a cadence to:
- Run identity audits every quarter
- Re-check for new domains or unsanctioned tools
- Reclaim licenses and close gaps proactively
With continuous auditing from Stitchflow, you don't have to wait for audits or renewals to catch issues.
Final thought: visibility doesn't mean control—until it's unified
Modern IT teams have visibility scattered across systems:
- Your IDP shows who authenticates
- Your apps reveal who's active
- Your HRIS tracks who's employed
But none of them give you the full picture of a user's access—especially across domains, provisioning methods, or shadow tools.
And that's where the gaps form:
- Orphaned accounts with no offboarding path
- Duplicate identities consuming extra licenses
- Personal logins quietly flying under the radar
- Audit failures from missing access evidence
You can't govern what you can't connect.
You don't need to rebuild your stack or wait for every app to support SCIM.
You need a system that stitches your ecosystem into a unified, continuously updated identity view.
That's what Stitchflow was built to do. Unlike traditional software license management tools that only provide visibility, Stitchflow automates the cleanup and governance your team needs.
See how it works—book a quick demo and get your identity graph in motion.
Frequently asked questions
Orphaned accounts are user accounts that remain active after an employee, contractor, or vendor has left the organization. They often go unnoticed—especially in disconnected or non-SSO apps—and can be exploited for unauthorized access, causing serious security and compliance risks.
Aishwarya is a product builder who enjoys the intersection of product thinking, design, and creative storytelling. She’s currently building tools for IT teams to simplify SaaS user management, formerly having built and scaled SaaS products from ground-up.
