TL;DR
Not all apps fail the same way.
Some hemorrhage licenses. Some devour IT hours. Some generate compliance findings every quarter. We analyzed 500 app deployments across 150+ unique apps.
Three apps appear on every "worst offender" list:
- Freshservice - ITSM touches every employee, complex licensing
- Salesforce - $150+ seats, sales turnover, every mistake is expensive
- Miro - "Give everyone access" culture, rarely cleaned up
If these are in your unautomated stack, they should be first in line. Not automating costs $12K per app per year in IT labor, orphaned licenses, and compliance gaps.
How we measured the cost of apps without SCIM
For each app, we calculated three metrics normalized to 500 employees per year:
- Total financial impact: License waste + IT labor + compliance remediation
- Wasted licenses: Seats assigned to departed or inactive users
- Compliance cleanup: Hours spent investigating and fixing access gaps
The top 10 in each category represent the apps most likely to hurt you in that specific way.
Top 10 by total financial impact
These apps hurt you from every angle: licenses, labor, and compliance cleanup.
| Rank | App | Why it's here |
|---|---|---|
| 1 | Freshservice | ITSM touches every employee; complex agent/requester/admin licensing creates provisioning chaos |
| 2 | Salesforce | $150+ seats, sales team turnover, territory changes - every mistake is expensive |
| 3 | ClickUp | Viral adoption, easy to invite users, no clear owner for offboarding |
| 4 | Gainsight | Complex customer success role structures, sensitive data slows manual changes |
| 5 | Miro | "Give everyone access" culture; project-based collaboration rarely gets cleaned up |
| 6 | Zendesk | Support agent churn, expensive seats, 24/7 roster changes |
| 7 | Shopify | Contractor and agency access lingers after projects and seasons end |
| 8 | Adobe | Creative Cloud seats are expensive and invisible - easy to forget during offboarding |
| 9 | Gong | Revenue intelligence = pricey seats + sales turnover |
| 10 | Monday.com | Company-wide adoption means constant adds and removes with no automation |
Freshservice topping the list surprises people. ITSM tools touch every employee, involve multiple permission levels, and have complex licensing tiers. IT teams assume they're managing this correctly. They often aren't.
Salesforce at #2 is predictable. When a single seat costs hundreds per month, even a short delay in offboarding burns real money. Sales churn and territory changes make this worse.
Top 10 by wasted licenses
These apps are "silent spend." The bill keeps coming long after the user is gone.
| Rank | App | Why it's here |
|---|---|---|
| 1 | Freshservice | Agent licenses are over-provisioned "just in case," and rarely cleaned up |
| 2 | Salesforce | Managers hoard licenses to avoid procurement requests; departed reps stay assigned |
| 3 | ClickUp | Easy to add users, no one tracks actual usage |
| 4 | Miro | Collaboration seats provisioned for one workshop, never reclaimed |
| 5 | Shopify | Store staff and contractor accounts persist after seasonal work ends |
| 6 | Atlassian JSM | Service desk seats outlive the agents who used them |
| 7 | Zendesk | Support agent churn + expensive seats = compounding waste |
| 8 | Adobe | Creative Cloud for "occasional use" becomes no use |
| 9 | Figma | Designer seats stay assigned through role changes; Editor seats are assigned when viewer seats are enough |
| 10 | Gong | Expensive seats + sales turnover; even a few orphaned licenses add up fast |
The pattern is consistent: expensive seats plus poor offboarding hygiene.
At $300 per seat per month, even a 30-day delay costs $300. Multiply that by the twelve orphaned licenses the average app carries.
This list is dominated by product-led growth tools and service desks - high-churn environments where spreadsheets can't keep up.
Top 10 by compliance cleanup
These are the apps that generate the most after-the-fact investigation and remediation work.
| Rank | App | Why it's here |
|---|---|---|
| 1 | Freshservice | IT system access = audit scrutiny; terminated agents with access is a critical finding |
| 2 | DocuSign | Legal signatures and contract access - always in SOC 2 scope |
| 3 | Salesforce | Customer PII and revenue data; every auditor asks about it |
| 4 | Atlassian | Code repos and infrastructure access; permission sprawl across products |
| 5 | Gainsight | Customer health data and revenue intelligence exposed |
| 6 | ChatGPT | Newest tool, least governed; auditors are now asking questions about AI access |
| 7 | Miro | Boards contain strategy docs, product roadmaps, and screenshots of everything sensitive |
| 8 | Zoom | Recording access and external meeting permissions linger |
| 9 | Microsoft 365 | Email, documents, SharePoint - broadest data access footprint |
| 10 | Slack | DMs, private channels, retention, and export questions |
Compliance gaps cluster around sensitive data and audit visibility.
ChatGPT appearing here is the signal to watch. It's the tool auditors didn't ask about last year, but are asking about now. Most companies provisioned it ad hoc, without governance.
Apps that appear on multiple lists
| App | Appears on |
|---|---|
| Freshservice | All three lists |
| Salesforce | All three lists |
| Miro | All three lists |
| Gainsight | Financial impact + Compliance |
| Zendesk | Financial impact + Licenses |
| ClickUp | Financial impact + Licenses |
| Adobe | Financial impact + Licenses |
| Atlassian / JSM | Licenses + Compliance |
Freshservice, Salesforce, and Miro are triple threats - they drain budget, waste licenses, and generate compliance findings. If these are in your unautomated stack, they should be prioritized for remediation.
Why these apps are expensive to manage
It's not because the software is bad. It's because almost all of them gate automated provisioning behind enterprise pricing.
Salesforce has SCIM. Adobe has SCIM. Figma, Miro, Monday.com, Slack, and Zoom all support SCIM in their enterprise plans.
If you're not on the enterprise tier, you get a browser admin console. Log in, click buttons, hope you don't miss anything.
This is the SCIM Tax. Vendors have the automation. They just paywall it. And the cost of not having it in wasted licenses, burned IT hours, and compliance gaps often exceeds what you'd save by staying on a lower tier.
How pervasive is it? We analyzed 721 SaaS apps. 42% lock SCIM behind enterprise pricing - that's the SCIM Tax. Another 57% have no SCIM at any price - not a ransom, just a gap they never built. Only 9 apps (1.2%) include SCIM on their base tier. Either way, you're stuck with manual work.
The apps aren't broken. The way automation is priced is.
What this means for your stack
Count how many apps from these lists you're managing without automated provisioning.
If Freshservice and Salesforce are both manual, you're likely burning $50K+/year between them. Add Miro, Adobe, and Monday.com, and you're approaching six figures.
And remember: this is the top 10 in each category. We analyzed 150+ apps. The average cost to manage manually is $12K/year. The apps that didn't make these lists still cost you, just not as dramatically.
How to get off the list
Stitchflow automates provisioning and deprovisioning for apps that don't offer SCIM or hide it behind enterprise pricing. Less than $5K per app. Works with your existing IdP - no enterprise upgrades required.
The apps on these lists cost tens of thousands each to manage manually. Stitchflow costs less than $5K.
That's not a software decision. It's arithmetic.
Frequently asked questions
Apps without SCIM either don't support automated provisioning or limit it to expensive enterprise plans, forcing IT teams to manage access manually. This includes both apps that never built SCIM (57%) and apps that paywall it (42%).
Jay has been serving modern IT teams for more than a decade. Prior to Stitchflow, he was the product lead for Okta IGA after Okta acquired his previous ITSM company, atSpoke.
