TL;DR
Okta works. What doesn't disappear is the manual work.
We analyzed 12 Stitchflow customers running Okta. On average: 422 identity and access gaps per organization. Not because Okta failed - because Okta only governs what's connected to it.
| Org Size | Apps Outside Okta | Total Impact |
|---|---|---|
| 100 employees | 8 apps | $267K |
| 1,000 employees | 43 apps | $1.34M |
Headcount doesn't predict cost. Which apps are disconnected does.
How we measured Okta access gaps in real environments
This analysis focuses specifically on 12 Stitchflow customers using Okta, anonymized.
They ranged from 100 to 8,000 employees. Each organization had between 3 and 43 SaaS apps without automated SCIM provisioning. All of them had Okta fully deployed and actively used for authentication and access control.
We didn't score "maturity" or model hypothetical risk. We counted real things: accounts that weren't deprovisioned, licenses that stayed assigned, access that had to be explained during audits.
This is what Okta customers are actually carrying. It also exposes why the idea of a single source of truth breaks down once access lives outside automated systems.
What Okta solves and where access gaps begin
Okta does exactly what it's designed to do.
When an app has SCIM enabled and is properly integrated, Okta is excellent at joins, moves, and leaves. Groups stay clean. Logs are reliable. Audits are defensible.
The problem isn't Okta.
The problem is that a meaningful portion of the SaaS stack can't receive those lifecycle signals.
In our Okta dataset, customers averaged 422 gaps per organization, and those gaps overwhelmingly lived in apps outside Okta's automated reach.
If an app doesn't support SCIM or hides it behind an enterprise plan, Okta can authenticate users, but it can't clean up the account. At that point, the work falls back to tickets, spreadsheets, and human follow-through.
Having Okta is necessary. It's just not sufficient on its own.
Why fixing Okta access gaps isn't about headcount
Here's what that variance looks like across Okta customers:
| Org Type | Employees | Apps | Total Impact |
|---|---|---|---|
| Smallest | 100 | 8 | $267K |
| Average | 1,000 | 16 | $341K |
| Largest | 8,000 | 12 | $849K |
| Worst | 1,000 | 43 | $1.34M |
A 100-person Okta customer spent almost as much managing access as companies ten times their size.
A 1,000-employee Okta customer costs more to operate than one with 8,000 employees.
Headcount didn't explain the difference. Okta adoption didn't explain it either. What mattered was which apps were disconnected and how manual the cleanup process was for each one.
The Okta environments that broke worst
The outliers make this concrete.
Company A:
- 100 employees. Okta deployed. 8 apps outside Okta.
- $267K total impact.
- Nearly every core app lacked automated provisioning. Okta handled authentication. Humans handled everything else.
Company B:
- 8,000 employees. Okta deployed. 12 apps outside Okta.
- 1,806 gaps.
- Even with a relatively small app footprint, scale amplified every missed deprovisioning.
Company C:
- 350 employees. Okta deployed. 21 apps outside Okta.
- 927 gaps and 1,078 unused licenses.
- Strong IdP foundation. No automation in the long tail.
Company D:
- 1,000 employees. Okta deployed. 43 apps outside Okta.
- $1.34M total impact.
- Too many disconnected tools. Too much manual work. Okta couldn't compensate.
Different companies. Same failure mode.
This is the last-mile identity problem
Okta sends the signal. But most of your apps can't receive it.
We analyzed 721 SaaS apps: 57% have no SCIM at any price, 42% lock it behind enterprise pricing. Only 9 apps (1.2%) include SCIM on their base tier. That's 98.8% of the app ecosystem where the signal stops.
This isn't a failure of Okta. It's a gap in the SaaS ecosystem.
The industry treats buying an IdP as the finish line. In reality, it just exposes how many apps were designed around ransom economics - SCIM exists, but only if you pay for it.
What this means for Okta customers
If you're running Okta and still managing access manually in dozens of apps, your identity strategy isn't wrong.
It's incomplete. Your IdP gives you leverage. Disconnected apps take it away.
Until every app in your environment can be automated through the lifecycle, your "single source of truth" applies only to part of your stack. And partial control creates full-time cleanup work.
How Stitchflow helps fix Okta access gaps
Stitchflow exists to close that last mile.
We extend Okta's lifecycle signals into apps that don't support SCIM or hide it behind enterprise pricing, using resilient browser automation. All for less than $5K per app. Okta remains the source of truth. We make sure every app actually listens.
No IdP replacement. No app upgrades. Just lifecycle automation, where it otherwise stops.
Enterprise-grade automation, without the enterprise plan.
Frequently asked questions
Okta access gaps occur when apps don't support SCIM, hide access behind enterprise plans, or were never fully integrated. Okta can only automate lifecycle actions for apps that support SCIM on your current pricing tier - the rest require manual cleanup.
Jay has been serving modern IT teams for more than a decade. Prior to Stitchflow, he was the product lead for Okta IGA after Okta acquired his previous ITSM company, atSpoke.
