How much does manual SaaS provisioning cost?

Based on data from 500 app deployments across 27 organizations, manual SaaS provisioning costs an average of $12,000 per app per year per 500 employees. This includes $3,925 in license waste, $6,088 in IT labor, and $1,741 in compliance remediation.

Why do organizations still have access gaps with Okta?

Okta only governs apps connected to it. 98.8% of SaaS apps either don't support SCIM or paywall it behind enterprise plans. The average Okta customer still has 422 identity gaps from apps outside their IdP's reach.

How was the $12K per app cost calculated?

We measured actual costs across 500 app deployments: $3,925 in license waste (orphaned users and unused seats), $6,088 in IT labor (101 hours at $60/hour for provisioning, deprovisioning, audits), and $1,741 in compliance remediation (7 access gaps requiring 4 hours each to investigate). All figures are normalized to 500 employees for consistent comparison.

Which apps cost the most to manage manually?

Based on our data, the most expensive apps to manage without automation are Freshservice, Salesforce, ClickUp, Gainsight, and Miro - each generating significant costs across license waste, IT labor, and compliance cleanup.

2026 SCIM Gap Report: The $12K Hidden Cost of Manual Provisioning

TL;DR

The worst case: $1.34M in hidden costs for a 970-employee company with 43 unautomated apps.

This isn't carelessness. It's vendors treating automation as a premium feature.

We analyzed 500 app deployments across 150+ unique SaaS apps:

$12K per app per year in license waste, IT labor, and compliance costs
101 hours of IT labor per app per year
422 identity gaps per organization, even with Okta deployed
98.8% of apps either don't have SCIM or paywall it

We call this the SCIM Tax - and this report quantifies what it actually costs.

It wasn't the headcount. It was the 43 apps nobody could automate.

Executive summary

Each SaaS application managed without automation costs mid-market organizations an average of $12,000 per year per 500 employees - excluding license fees. These costs come entirely from cleanup work required because automated provisioning wasn't available.

For a typical 1,000-employee organization, that translates to $24,000 per app per year in hidden operational overhead.

We analyzed 500 app deployments across 150+ unique SaaS applications to understand where these costs originate, how they compound, and which apps create the most damage when automation is missing.

Key findings

$12,000 per app per year (normalized to 500 employees) in combined license waste, IT labor, and compliance remediation
101 hours of IT labor per app per year spent on manual provisioning, deprovisioning, access reviews, and audits
422 identity and access gaps per organization, on average, even with Okta fully deployed
16 apps outside automation for the average mid-market organization, creating $192K-$341K in annual hidden costs
$1.34M in total annual impact for the worst-case organization in our dataset

These costs aren't the result of careless IT teams. They are the outcome of a structural decision made across the SaaS industry: treating automation as a premium feature gated behind enterprise plans.

We call this the SCIM Tax: the hidden price organizations pay just to achieve basic security hygiene.

Methodology

This report is based on operational data, not theoretical models. We measured what actually happened across real organizations managing SaaS applications without automated provisioning.

Data sources

500 app deployments across Stitchflow's customer base
150+ unique SaaS applications analyzed
27 organizations ranging from 100 to 8,000 employees
Average organization: ~1,000 employees with 16 apps lacking SCIM automation

What we measured

Licenses that remained assigned after employees departed or became inactive
Hours logged by IT teams for provisioning, deprovisioning, audits, and reactive cleanup
Compliance gaps discovered during audits and the work required to remediate them

Normalization approach

All figures in this report are normalized to 500 employees for apples-to-apples comparison. For a 1,000-employee organization, costs approximately double.

Conservative cost assumptions

IT labor: $60/hour fully loaded
Compliance remediation: 4 hours per access gap for investigation and evidence collection
License costs: Actual contract pricing from customer data

The three-cost framework

Manual SaaS management creates the same three cost categories almost everywhere. These costs don't appear on invoices, but they compound across licenses, IT labor, and compliance work.

Cost Category	What It Includes	Annual Cost*
License Waste	Orphaned users, unused seats, licenses forgotten during offboarding	$3,925
IT Labor	Provisioning, deprovisioning, access reviews, audits, and firefighting	$6,088
Compliance Gaps	Audit findings, investigations, remediation, and evidence gathering	$1,741
TOTAL	Per app, per 500 employees, per year	$11,754

*Rounded to ~$12,000 per app per year

Benchmark data points

On average, per 500 employees, each manually managed app generated:

12 unused licenses at an average cost of $327 per license
101 hours of IT labor over the course of the year
7 access gaps per audit requiring investigation and cleanup

The 101 hours of manual IT time is the most damaging cost. It doesn't improve security posture or business velocity. It simply compensates for missing automation - turning skilled IT teams into manual bridges between HR systems and SaaS tools that were never designed to integrate.

The labor problem: 101 hours per app

How much time does your IT team spend manually managing one app? Not the strategic work - the clicking. Logging into admin consoles. Adding users. Removing users. Chasing access requests. Explaining gaps to auditors.

We measured it: 101 hours per app, per year. That's the equivalent of 2.5 weeks of full-time work per app, every year.

For organizations with 16 non-SCIM apps - the average in our dataset - that adds up to 1,616 hours annually. Nearly a full FTE spent clicking buttons in browser windows.

Where the hours go

Provisioning new users: Every hire, role change, and contractor onboarding requires manual account creation and permission assignment.
Deprovisioning departures: Every termination, transfer, and contractor roll-off requires someone to remember which apps the user touched - and clean them up one by one.
Access reviews and audits: Quarterly reviews, SOC 2 preparation, and recertifications require pulling reports from each app and reconciling them manually.
Firefighting: Password resets, access emergencies, and last-minute requests interrupt planned work.
Error correction: Fixing mistakes from all of the above - over-provisioning, missed removals, and incorrect permissions.

Labor-intensive outliers

App	Hours/Year	Why So High
Gainsight	242	Complex role structures
Freshservice	233	Broad IT access, complex permissioning
ClickUp	217	Company-wide adoption, constant team changes
Monday.com	190	Organization-wide use, frequent adds/removes

The portfolio math

Per app: 101 hours × $60/hr = $6,088/year
Per portfolio: 1,616 hours ÷ 2,080 = 0.78 FTEs

You're paying nearly a full IT engineer's salary just to keep SaaS access from drifting out of control.

The worst offenders: Apps by failure mode

Not all apps fail the same way. Some hemorrhage unused licenses. Some consume disproportionate IT time. Others generate recurring compliance findings.

Apps appearing on multiple lists

Freshservice, Salesforce, Miro (all three)
Gainsight (financial + compliance)
Zendesk, ClickUp, Adobe (financial + licenses)

If these apps are unmanaged in your stack, they should be first in line for remediation.

The IdP gap: Why even Okta customers still have hundreds of gaps

You bought Okta. You centralized identity. You invested in lifecycle management to eliminate access gaps and simplify audits.

Centralization worked. What didn't disappear was the manual work.

Across real Okta-enabled organizations, we observed an average of 422 identity and access gaps per organization. Not because Okta failed - but because Okta only governs what's connected to it.

Org Type	Employees	Apps	Total Impact
Smallest	100	8	$267K
Average	1,000	16	$341K
Largest	8,000	12	$849K
Worst	1,000	43	$1.34M

Headcount didn't explain the difference. App mix did.

The last-mile problem

Okta sends the signal. But most apps can't receive it.

We analyzed 721 SaaS apps across the market: 57% have no SCIM at any price, 42% lock it behind enterprise pricing. Only 9 apps (1.2%) include SCIM on their base tier. That's 98.8% of the app ecosystem where the signal stops.

This isn't an IdP failure. It's an identity automation gap.

The SCIM Tax explained

There's a persistent myth that SaaS identity is messy because automation isn't mature. That's outdated.

Most modern SaaS platforms support SCIM. They simply restrict it to enterprise tiers.

App	Basic Plan	SCIM Plan	Multiplier
Figma	$16	$55	3.4x
GitHub	$4	$21	5.25x
Slack	$8.75	$15	1.7x
Monday.com	$19	$52	2.7x

Vendors aren't ignoring the problem. They've found a way to monetize it.

Automation has become ransom. This is the industry-wide SCIM Tax - and it's why we built Stitchflow.

Recommendations

Pull up your app portfolio. Count the apps without automated provisioning.

Multiply that number by $12,000 per year per 500 employees. That's your annual cost of manual SaaS management - not your SaaS spend, but your management overhead.

The three paths

Pay the SCIM Tax: Upgrade apps to enterprise tiers. Works for a few critical tools. Doesn't scale.
Stay manual: Absorb the cost. Acceptable only for low-risk, low-usage tools.
Automate at scale: Get SCIM-level automation without enterprise upgrades. This is the only path that scales.

Book a Demo →

The 2026 SCIM Gap Report: The True Cost of Manual SaaS Management