We built a visibility tool to find IT gaps. Customers forced us to close them, here’s how:
When we started Stitchflow nearly three years ago, our thesis was simple: IT teams can’t fix what they can’t see.
We built the "Stitchflow IT Graph," a sophisticated visibility engine that stitched together data across every tool in a company’s stack. It worked. Customers used it daily to eliminate spreadsheet work and uncover problems they didn’t know existed. But we quickly realized something crucial was missing.
We were handing them a bucket to bail out the water, but we weren't helping them plug the holes in their boat.
This is the same pattern that ultimately exposes the consequences of the SCIM Tax, a commercial barrier that prevents true, end-to-end automation.
The pattern: The gaps keep coming back, and the SCIM Tax makes them worse
Every time we flagged a critical security or spending gap (offboarded users still active, contractors with lingering access, or "zombie" licenses) it traced back to the same root cause.
To understand why your identity stack fails here, the Identity Automation Gap explains how 30% of your apps break your automated workflows.
Customers couldn't automate provisioning for a significant portion of their critical apps, and had to default to manual user management.
- This wasn't because the apps lacked APIs.
- This wasn't because IT didn't know how to script.
- It was because the vendor had locked the necessary SCIM automation behind a prohibitive paywall.
We saw this with high-value applications like Figma, Adobe, Slack, and Monday.com. The security and automation capabilities existed, but they were held hostage on the "Enterprise Tier" – bundled with features our customers didn't need.
We named it: The SCIM Tax.
Ransom economics: Why the SCIM Tax exists in the first place
The SCIM tax isn’t a technical constraint; it’s a deliberate revenue strategy by app vendors we call Ransom Economics. Vendors bet on your fear of security incidents and compliance gaps to force you into a huge price hike.
- Because companies couldn’t justify paying $80,000+ extra just to automate offboarding, they stayed on "Pro" plans.
- This left IT teams stuck manually logging into browser admins to delete users – bailing water every single day just to stay afloat.
- Manual mistakes lead to compliance gaps and wasted licenses.
- Security holes widen – not because of IT negligence, but because of bad vendor pricing.
The pivot: Visibility without action wasn’t enough
Our turning point came during a call with a customer who looked at our data and said the quiet part out loud:
"Visibility is great, but the gaps keep coming back. How can you help me automate it so it doesn’t happen again?"
That single question reframed our roadmap.
They weren’t asking for better visibility. They were asking us to close the loop.
This is the same realization behind our thinking in: Stop buying RPA tools, buy an outcome and secure provisioning automation that never breaks.
IT teams don’t need another dashboard. They need a machine that fixes the problems.
Solving the SCIM tax with Resilient Browser Automation
So, we pivoted. We stopped building solely for "visibility" and started building for "action".
We built secure headless browsers that execute the same provisioning and deprovisioning actions that a human admin would. But with the resilience of an API, and the safety and guardrails of a SCIM integration.
The automation follows a deterministic, pre-validated flow. If anything looks off – a UI change, wrong modal, unexpected state – it stops immediately.
And to solve the hardest part of browser automation – resilience – we added a 24/7 human-in-the-loop team. Whenever there’s an MFA prompt, CAPTCHA, or unpredictable UI change, the automation pauses, and a human steps in inside a secure, recorded environment. That’s how we give you the flexibility of browser automation with the reliability of an API.
As one customer put it: "That’s crazy... but also pretty elegant".
The first time it automatically created and removed accounts in a non-SCIM app with SCIM-level consistency, we knew we’d unlocked Enterprise automation for a Pro-plan price.
Where we are now: Defeating the SCIM tax
Today, Stitchflow isn't just reporting on the mess. We are cleaning it up.
We function as a managed SCIM bridge. Whether an app has an API, no API, or hides SCIM behind a paywall, we treat it the same. Your Identity Provider (Okta, Entra, OneLogin) sends a signal, and Stitchflow executes the change.
As long as vendors use security as a leverage point for upsells, Stitchflow will be the infrastructure that lets you say "No".
We set out to defeat the SCIM Tax – and that’s exactly what the market desperately needed.
Ready to eliminate the SCIM Tax?
The SCIM Tax doesn’t have to dictate your automation strategy. Stitchflow gives you full-stack provisioning for every app, without enterprise-plan pricing.
Book a demo to see how Stitchflow eliminates the SCIM Tax in your environment.
Jay has been serving modern IT teams for more than a decade. Prior to Stitchflow, he was the product lead for Okta IGA after Okta acquired his previous ITSM company, atSpoke.
