TL;DR
You bought Okta. What didn't disappear was the manual work.
We analyzed 12 companies running Okta. On average: 422 identity gaps per organization. Not because Okta failed - because Okta only governs what's connected.
The surprising finding:
- A 100-person company spent $267K
- An 8,000-person company spent $849K
Headcount doesn't predict cost. Which apps are disconnected does. Stitchflow extends Okta's reach into the 98.8% of apps that don't support SCIM or hide it behind enterprise pricing.
The last-mile problem
You bought Okta.
You centralized identity. You standardized the login. You invested in lifecycle management because you wanted fewer gaps, cleaner offboarding, and audits that didn't turn into emergencies.
That part worked. What didn't disappear was the manual work.
We analyzed data from real companies running Okta. On average, they still had 422 identity and access gaps per organization.
This isn't because Okta failed. Okta only governs what's actually connected to it. Everything else is manual. This is the identity automation gap - and it affects every IdP customer.
What Okta does exceptionally well
Let's be clear: Okta does exactly what it's designed to do. When an app has SCIM enabled and is properly integrated, Okta is excellent at:
- Joins, moves, and leaves: Automated user lifecycle management
- Group management: Clean, consistent access policies
- Audit logs: Reliable, defensible records
- SSO: Seamless authentication across your stack
Where access gaps begin
The problem is that a meaningful portion of the SaaS stack can't receive those lifecycle signals.
If an app doesn't support SCIM - or hides it behind an enterprise plan - Okta can authenticate users but it can't clean up the account. At that point, the work falls back to tickets, spreadsheets, and human follow-through.
Having Okta is necessary. It's just not sufficient on its own.
What we found: Real Okta environments
This analysis focuses specifically on 12 Stitchflow customers using Okta, anonymized.
The dataset
- Company size: 100 to 8,000 employees
- Apps outside SCIM: 3 to 43 per organization
- Okta status: Fully deployed and actively used for authentication and access control
We didn't score "maturity" or model hypothetical risk. We counted real things: accounts that weren't deprovisioned, licenses that stayed assigned, access that had to be explained during audits.
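The same kind of count can be reproduced for a single disconnected app by reconciling its user export against the IdP's user list. This is an added example, not Stitchflow's or Okta's code; the CSV column names, the sample rows, and the 90-day idle threshold are assumptions constructed for illustration.

```python
import csv, io
from datetime import date

# Constructed sample data (not from the report): an IdP user export and the
# user list exported from one app that has no SCIM connection.
IDP_EXPORT = """email,status
ana@example.com,ACTIVE
bo@example.com,DEPROVISIONED
cy@example.com,ACTIVE
di@example.com,SUSPENDED
"""
APP_EXPORT = """email,state,last_login
Ana@Example.com,active,2026-01-10
bo@example.com,active,2025-11-02
cy@example.com,active,2025-06-01
eve@contractor.example,active,2026-01-12
di@example.com,disabled,2025-09-30
"""

def load(text, key="email"):
    # Normalise the join key: apps often store e-mail with different casing.
    return {r[key].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}

def find_gaps(idp_csv, app_csv, today, stale_days=90):
    """Classify every still-enabled app account against the IdP record."""
    idp, app = load(idp_csv), load(app_csv)
    gaps = {"orphaned": [], "unmanaged": [], "unused_license": []}
    for email, acct in sorted(app.items()):
        if acct["state"] != "active":
            continue  # already disabled in the app: nothing to clean up
        user = idp.get(email)
        if user is None:
            gaps["unmanaged"].append(email)      # no IdP identity at all
        elif user["status"] != "ACTIVE":
            gaps["orphaned"].append(email)       # left the IdP, kept the app
        else:
            idle = (today - date.fromisoformat(acct["last_login"])).days
            if idle > stale_days:
                gaps["unused_license"].append(email)  # paid seat, no recent use
    return gaps

if __name__ == "__main__":
    for kind, emails in find_gaps(IDP_EXPORT, APP_EXPORT, date(2026, 1, 15)).items():
        print(f"{kind}: {emails}")
```

Orphaned accounts are the ones to disable first, since they remain usable after the person has been deactivated in the IdP; unmanaged accounts need an owner before they can be judged.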
Key findings
- 422 gaps per organization on average—all in apps outside Okta's automated reach
- Headcount doesn't predict cost. 100-person companies sometimes spent more than 8,000-person companies.
- App portfolio matters more than org size. Which apps are disconnected determines the cost.
- The worst-case environment: $1.34M in total impact with 43 apps outside Okta.
For the full methodology and cost breakdown, see The 2026 SCIM Gap Report.
Variance across Okta customers
| Org Type | Employees | Apps Outside Okta | Total Impact |
|---|---|---|---|
| Smallest | 100 | 8 | $267K |
| Average | 1,000 | 16 | $341K |
| Largest | 8,000 | 12 | $849K |
| Worst | 1,000 | 43 | $1.34M |
A 100-person Okta customer spent almost as much managing access as companies ten times its size. A 1,000-employee Okta customer cost more to operate than one with 8,000 employees.
Case studies: The Okta environments that broke worst
The outliers make this concrete. Different companies, same failure mode.
Company A: Small Team, Big Impact
| Metric | Value |
|---|---|
| Employees | 100 |
| Okta Status | Fully deployed |
| Apps Outside Okta | 8 |
| Total Impact | $267K |
What happened: Nearly every core app lacked automated provisioning. Okta handled authentication. Humans handled everything else.
Company B: Scale Amplifies Everything
| Metric | Value |
|---|---|
| Employees | 8,000 |
| Okta Status | Fully deployed |
| Apps Outside Okta | 12 |
| Total Gaps | 1,806 |
What happened: Even with a relatively small app footprint, scale amplified every missed deprovisioning.
Company C: Strong Foundation, Weak Long Tail
| Metric | Value |
|---|---|
| Employees | 350 |
| Okta Status | Fully deployed |
| Apps Outside Okta | 21 |
| Total Gaps / Unused Licenses | 927 / 1,078 |
What happened: Strong IdP foundation. No automation in the long tail.
Company D: The Worst Case
| Metric | Value |
|---|---|
| Employees | 1,000 |
| Okta Status | Fully deployed |
| Apps Outside Okta | 43 |
| Total Impact | $1.34M |
What happened: Too many disconnected tools. Too much manual work. Okta couldn't compensate.
Why apps fall outside Okta's reach
Okta sends the signal. But most apps can't receive it.
We analyzed 721 SaaS apps: 57% have no SCIM at any price, and 42% lock it behind enterprise pricing. Only 9 apps (1.2%) include SCIM on their base tier. That's 98.8% of the app ecosystem where the signal stops. Here's why:
The SCIM Tax
Many apps support SCIM—they just hide it behind enterprise pricing. Vendors call it an "enterprise feature." We call it Ransom Economics.
| App | Standard Plan | SCIM Plan | Multiplier |
|---|---|---|---|
| Figma | Pro: $16 | Org: $55 | 3.4x |
| Slack | Pro: $8.75 | Business+: $15 | 1.7x |
| Monday.com | Pro: $19 | Enterprise: $52 | 2.7x |
No API at all
Legacy tools, internal dashboards, and niche vertical apps often have no API. They were built before SCIM was a standard, or they're homegrown tools that never needed one.
Integration never happened
Some apps technically support SCIM, but it was never integrated because the effort or cost wasn't justified at the time. Now the app is embedded in workflows and the gap remains.
The common thread: None of this is Okta's fault. It's a gap in the SaaS ecosystem that vendors have little incentive to close.
How to extend Okta's reach
If you're running Okta and still managing access manually in dozens of apps, your identity strategy isn't wrong. It's incomplete.
Your IdP gives you leverage. Disconnected apps take it away. Until every app in your environment can receive lifecycle automation, your "single source of truth" only applies to part of your stack.
For a deeper look at the cost of this gap, see what manual provisioning actually costs.
How Stitchflow closes the gap
Stitchflow exists to close that last mile. We extend Okta's lifecycle signals into apps that don't support SCIM or hide it behind enterprise pricing.
How it works
- Okta remains your source of truth. No migration, no replacement.
- Stitchflow receives lifecycle signals from Okta. When a user is added to a group or terminated, we get the event.
- We execute the action in disconnected apps. Using resilient browser automation, we provision or deprovision users in apps that lack SCIM.
- 24/7 human-in-the-loop reliability. If an app UI changes or MFA triggers, our engineering team intervenes to keep automation running.
The result
- Okta stays your IdP. No change to your identity architecture.
- Every app listens. Even the ones that refused to build SCIM.
- Less than $5K per app. A fraction of the cost of enterprise upgrades.
- 99.5% uptime SLA. Guaranteed automation resilience.
Enterprise-grade automation without the enterprise plan.
What this means for Okta customers
You made the right decision buying Okta. Identity centralization is the foundation of modern security.
But the foundation is only as strong as its reach. Every app outside Okta's automated lifecycle management is a gap waiting to become an audit finding, a security incident, or a budget leak.
The industry treats buying an IdP as the finish line. In reality, it just exposes how many apps still require manual work.
Stitchflow closes that gap.
Frequently asked questions
Okta only automates what's connected to it. 98.8% of SaaS apps either don't support SCIM or paywall it behind enterprise plans. Apps outside Okta's automated reach still require manual provisioning and deprovisioning - creating an average of 422 identity gaps per organization even with Okta fully deployed.
Jay has been serving modern IT teams for more than a decade. Prior to Stitchflow, he was the product lead for Okta IGA after Okta acquired his previous ITSM company, atSpoke.


