Not all apps fail the same way.
Some hemorrhage unused licenses and expensive seats, leaving them idle for months. Some devour IT hours through endless provisioning tickets. Some generate compliance findings that auditors flag every quarter.
We analyzed 500 app deployments across 150+ unique apps in our customer base. Beyond license costs, the average app costs $12K per year to manage manually. But averages hide the outliers.
To surface the real problem apps, we filtered for tools with at least three real-world instances and ranked them across three failure modes.
How many of these are in your stack?
How we measured the cost of apps without SCIM
For each app, we calculated three metrics normalized to 500 employees per year:
- Total financial impact: License waste + IT labor + compliance remediation
- Wasted licenses: Seats assigned to departed or inactive users
- Compliance cleanup: Hours spent investigating and fixing access gaps
The top 10 in each category represent the apps most likely to hurt you in that specific way.
Top 10 apps to manage without SCIM by total financial impact
These apps hurt you from every angle: licenses, labor, and compliance cleanup.
| Rank | App | Why it's here |
|---|---|---|
| 1 | Freshservice | ITSM touches every employee; complex agent/requester/admin licensing creates provisioning chaos |
| 2 | Salesforce | $150+ seats, sales team turnover, territory changes - every mistake is expensive |
| 3 | ClickUp | Viral adoption, easy to invite users, no clear owner for offboarding |
| 4 | Gainsight | Complex customer success role structures and sensitive data slow manual changes |
| 5 | Miro | "Give everyone access" culture; project-based collaboration rarely gets cleaned up |
| 6 | Zendesk | Support agent churn, expensive seats, 24/7 roster changes |
| 7 | Shopify | Contractor and agency access lingers after projects and seasons end |
| 8 | Adobe | Creative Cloud seats are expensive and invisible - easy to forget during offboarding |
| 9 | Gong | Revenue intelligence = pricey seats + sales turnover |
| 10 | Monday.com | Company-wide adoption means constant adds and removes with no automation |
Freshservice topping the list surprises people. ITSM tools touch every employee, involve multiple permission levels, and have complex licensing tiers. IT teams assume they’re managing this correctly. They often aren’t.
Salesforce at #2 is predictable. When a single seat costs hundreds per month, even a short delay in offboarding burns real money. Sales churn and territory changes make this worse.
Top 10 apps without SCIM driving wasted licenses
These apps are “silent spend.” The bill keeps coming long after the user is gone.
| Rank | App | Why it's here |
|---|---|---|
| 1 | Freshservice | Agent licenses are over-provisioned "just in case," and rarely cleaned up |
| 2 | Salesforce | Managers hoard licenses to avoid procurement requests; departed reps stay assigned |
| 3 | ClickUp | Easy to add users, no one tracks actual usage |
| 4 | Miro | Collaboration seats provisioned for one workshop, never reclaimed |
| 5 | Shopify | Store staff and contractor accounts persist after seasonal work ends |
| 6 | Atlassian JSM | Service desk seats outlive the agents who used them |
| 7 | Zendesk | Support agent churn + expensive seats = compounding waste |
| 8 | Adobe | Creative Cloud for "occasional use" becomes no use |
| 9 | Figma | Designer seats stay assigned through role changes; Editor seats are assigned when viewer seats are enough |
| 10 | Gong | Expensive seats + sales turnover; even a few orphaned licenses add up fast |
The pattern is consistent: expensive seats plus poor offboarding hygiene. At $300 per seat per month, even a 30-day delay costs $300. Multiply that by the twelve orphaned licenses the average app carries.
This list is dominated by product-led growth tools and service desks—high-churn environments where spreadsheets can’t keep up.
Top 10 apps without SCIM creating compliance cleanup
These are the apps that generate the most after-the-fact investigation and remediation work.
| Rank | App | Why it's here |
|---|---|---|
| 1 | Freshservice | IT system access = audit scrutiny; terminated agents with access is a critical finding |
| 2 | DocuSign | Legal signatures and contract access—always in SOC 2 scope |
| 3 | Salesforce | Customer PII and revenue data; every auditor asks about it |
| 4 | Atlassian | Code repos and infrastructure access; permission sprawl across products |
| 5 | Gainsight | Customer health data and revenue intelligence exposed |
| 6 | ChatGPT | Newest tool, least governed; auditors are now asking questions about AI access |
| 7 | Miro | Boards contain strategy docs, product roadmaps, and screenshots of everything sensitive |
| 8 | Zoom | Recording access and external meeting permissions linger |
| 9 | Microsoft 365 | Email, documents, SharePoint—broadest data access footprint |
| 10 | Slack | DMs, private channels, retention, and export questions |
Compliance gaps cluster around sensitive data and audit visibility.
DocuSign holds legal documents and signatures, always in scope. Salesforce holds customer PII. Atlassian touches code and infrastructure.
ChatGPT appearing here is the signal to watch. It’s the tool auditors didn’t ask about last year, but are asking about now. Most companies provisioned it ad hoc, without governance.
Apps that appear on multiple “most expensive” lists
| App | Appears on |
|---|---|
| Freshservice | All three lists |
| Salesforce | All three lists |
| Miro | All three lists |
| Gainsight | Financial impact + Compliance |
| Zendesk | Financial impact + Licenses |
| ClickUp | Financial impact + Licenses |
| Adobe | Financial impact + Licenses |
| Atlassian / JSM | Licenses + Compliance |
Freshservice, Salesforce, and Miro are triple threats - they drain budget, waste licenses, and generate compliance findings. If these are in your unautomated stack, they should be prioritized for remediation.
Why are these apps expensive to manage without SCIM
Why these specific apps? The common thread: no automated deprovisioning
It's not because the software is bad. It's because almost all of them gate automated provisioning behind enterprise pricing.
Salesforce has SCIM. Adobe has SCIM. Figma, Miro, Monday.com, Slack, and Zoom all support SCIM in their enterprise plans.
If you're not on the enterprise tier, you get a browser admin console. Log in, click buttons, hope you don't miss anything.
This is the SCIM Tax. Vendors have the automation. They just paywall it. And the cost of not having it, in wasted licenses, burned IT hours, and compliance gaps, often exceeds what you'd save by staying on a lower tier.
The apps aren't broken. The way automation is priced is.
What this means for your stack
Count how many apps from these lists you're managing without automated provisioning.
If Freshservice and Salesforce are both manual, you're likely burning $50K+/year between them. Add Miro, Adobe, and Monday.com, and you're approaching six figures.
And remember: this is the top 10 in each category. We analyzed 150+ apps. The average cost to manage manually is $12K/year. The apps that didn't make these lists still cost you, just not as dramatically.
How to get off the list
Stitchflow automates provisioning and deprovisioning for apps that don't offer SCIM or hide it behind enterprise pricing. Less than $5K per app. Works with your existing IdP—no enterprise upgrades required.
The apps on these lists cost tens of thousands each to manage manually. Stitchflow costs less than $5K.
That's not a software decision. It's arithmetic.
How many apps in your stack are on this list?
Each one costs an average of $12K per year to manage manually. Talk to us, and we’ll help you see which apps should be automated first.
Frequently asked questions
Apps without SCIM either don’t support automated provisioning or limit it to expensive enterprise plans, forcing IT teams to manage access manually.
Jay has been serving modern IT teams for more than a decade. Prior to Stitchflow, he was the product lead for Okta IGA after Okta acquired his previous ITSM company, atSpoke.


