
A fairly realistic approach to estimate the real cost of deprovisioning

Jun 24, 2025
5 min read

Spoiler: it’s 6 figures /year for a business with 500 to 5000 employees. You can stop reading 😂

Let’s be serious. Here is our reasoning so that you can evaluate it for your organisation.

First, we consider that managing the identity lifecycle of each employee within an organization significantly increases the workload of the IT team, because it includes drafting and updating security guidelines, implementing dedicated access management tools, and conducting regular access reviews to ensure compliance.

As the number of applications in use gradually grows, the complexity and disorganization can go unnoticed until they become a substantial issue.

In this context, the true cost of deprovisioning is often underestimated (it sits at around six figures per year).

Joiner-Mover-Leaver (JML) processes under scrutiny: insights from advanced analysis

Cost of deprovisioning-related tasks: 50-100k per year.

To find out, we have built this simple yet meaningful table to directly tackle the numbers. It’s straightforward: 

Consider an organization with 1,000 employees, each using an average of 30 applications. 

With a standard turnover and hiring rate of 15%, and internal mobility at 10%, the organization faces over 10,000 tasks related to identity provisioning, reassignment, or deprovisioning annually.

Even if each access control action takes only a few minutes, the cumulative effort equates to the workload of two full-time employees dedicated solely to this critical yet tedious task.

Curious about the details behind these advanced calculations? (sarcastic tone)

Delve into our comprehensive analysis below and see how it applies to your organization (Serious tone now)

Overcoming technical barriers in deprovisioning: A dream within reach?

The cost of the SSO tax: 10-30k per year per app

There shouldn’t be any technical limitations to deprovisioning... 

You wish! 

Too bad: it’s not the case yet. But at Zygon, we are actively working on it.

SCIM compatibility is just an option (unfortunately)

SCIM is an API-based integration standard designed for cloud applications. It offers a consistent method for identity providers such as Okta, Google, and Entra to interact with applications, facilitating the automatic deprovisioning of users.

Unfortunately, most apps don’t support SCIM, and those that do offer provisioning APIs rarely support deprovisioning. Hard truth.

Good news is: Zygon tackles this issue with its SCIM-less approach. 

Screenshot of Zygon IGA platform showing a filter to point accounts to close

Familiar with the SSO Tax?

Additionally, vendors frequently charge for these SCIM options, which can deter organisations from enabling them for more than a handful of 30 to 50 critical applications.

For example, a company with 200 employees might face a cost of US$22,700 just to implement SSO via SAML and enable automatic user provisioning for the Slack application (Cybermagazine). Multiply this figure by the number of applications you aim to automate deprovisioning for, and you'll begin to grasp the scale of the SSO tax!

There's a fantastic open-source project that has compiled the availability of SCIM and SSO for a vast array of applications. This resource can help you quickly determine if your company's tech stack is covered. You're also welcome to contribute to it!

Be sure to explore the (de)provisioning atlas.

The costs of failing to deprovision users: wasted spend on software licenses

Unmanaged licences: 3k per employee per year.

For seven years, Zylo has been releasing its SaaS management index report. There is one number that says it all: organizations spend on average $4,830 per employee per year for software licenses.

This very same report indicates that only half (49%) of provisioned licences are effectively being used. 

Quick math for a 1,000-employee organization:

49% x $4,830 x 1,000 = $2,367,000 per year

Of course some licences aren’t used but still necessary like… <insert your excuse here>.

But even if 10% of this budget can be saved, it still accounts for around $200k /year. 

How to save this 10%?

Spot and flush orphan accounts

In short, just because a user's identity is deactivated in your Identity Provider (IdP), it doesn't mean their associated licenses are automatically removed from all the applications they were using.

How to proceed? As they say, a picture is worth a thousand words. Discover how straightforward it is with Zygon's advanced filter:

Question Un(der)utilized apps automatically

App usage tracking is a swear word for many of us. It can be perceived as spying on end-users and is generally unwelcome for this reason. 

You can work around this by limiting the recorded information to just the act of logging into an app, for example. Most SSO solutions' APIs provide an endpoint for this record. This information can be complemented with a dedicated browser extension.

Here is another filter highlighting users who haven't logged into an app for six weeks. The next step involves triggering an automated workflow to prompt these users to review this information, whether through email, the helpdesk, or directly via platforms like Slack, Teams, or Google Chat. As a next step, users can notify the app manager whether their license should be revoked.

Improve deprovisioning velocity

For all SCIM-compatible applications managed by an identity provider, accounts can be automatically deleted. This process is typically initiated through direct integration with the HR Information System (HRIS). A useful tip is to monitor SCIM-compatible applications that are not connected to the identity provider and evaluate the feasibility of integration, while being mindful of the potential SSO tax.

The next step is to review each account associated with non-SCIM applications for recently departed employees, and to confirm with the application owner that these accounts have been properly deleted.

Once again, Zygon's versatile workflow can help automate this straightforward process, ensuring that budget isn't wasted on unnecessary license costs for offboarded employees. See an example in the following screenshot:
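The two filters described above (orphan accounts whose IdP identity is gone, and accounts with no login for six weeks) can be reproduced with a few lines over exported data. This is an added illustration, not Zygon's code; it assumes a constructed IdP user list, per-app account lists and SSO login events rather than any real API.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real exports): an IdP user list with status,
# per-app account lists, and SSO login events as (app, email, timestamp).
IDP_USERS = {
    "alice@example.com": "ACTIVE",
    "bob@example.com": "DEPROVISIONED",  # left the company; IdP identity disabled
    "carol@example.com": "ACTIVE",
}
APP_ACCOUNTS = {
    "slack": ["alice@example.com", "bob@example.com", "carol@example.com"],
    "figma": ["bob@example.com", "dave@example.com"],  # dave has no IdP identity
}
NOW = datetime(2025, 6, 24)
LOGIN_EVENTS = [
    ("slack", "alice@example.com", NOW - timedelta(days=2)),
    ("slack", "carol@example.com", NOW - timedelta(days=60)),
    ("figma", "dave@example.com", NOW - timedelta(days=1)),
]

def find_orphan_accounts(idp_users, app_accounts):
    """(app, email) pairs whose IdP identity is missing or not ACTIVE: the
    accounts that an IdP deactivation did not clean up (typically non-SCIM apps)."""
    orphans = []
    for app, emails in app_accounts.items():
        for email in emails:
            if idp_users.get(email) != "ACTIVE":
                orphans.append((app, email))
    return sorted(orphans)

def find_stale_accounts(app_accounts, login_events, now, max_idle_days=42):
    """(app, email, idle_days) for accounts with no login in max_idle_days
    (six weeks by default); accounts with no recorded login get idle_days=None."""
    last_login = {}
    for app, email, ts in login_events:
        key = (app, email)
        if key not in last_login or ts > last_login[key]:
            last_login[key] = ts
    stale = []
    for app, emails in app_accounts.items():
        for email in emails:
            ts = last_login.get((app, email))
            if ts is None:
                stale.append((app, email, None))
            elif (now - ts).days > max_idle_days:
                stale.append((app, email, (now - ts).days))
    return sorted(stale, key=lambda r: (r[0], r[1]))
```

Each returned row is a candidate for the review workflow described above (email, helpdesk or chat prompt to the user or app owner), not an automatic deletion.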

Continuous Shadow IT check

Not all apps are in check; that's a fact. Instead of resisting this reality, let's explore ways to manage it effectively. 

Continuous monitoring of new identities can assist IT and security teams in preventing payments for redundant accounts, especially when an application is already in use within your company. 

It also helps in identifying free trials that convert into paid licenses without proper approval. 

Ultimately, conducting regular and thorough shadow IT checks with new screening sources can uncover hidden identities, such as non-human identities (NHIs) or agentic AI.

Zygon offers comprehensive identity screening through multiple sources, including:

  • Native Identity Provider (IdP) integrations
  • In-depth email screening
  • Command Line Interface (CLI) for on-premises applications

This provides the most comprehensive overview of all identities in use within a company, accessible from a single pane of glass. It enables swift action to be taken within minutes instead of months. 

Potential savings are combined with improved security. Isn’t that the best of both worlds?

Conclusion

Cost of deprovisioning-related tasks: 50-100k per year.

The cost of the SSO tax: 10-30k per year per app

Unmanaged licences: 3k per employee per year.

We told you in the first sentence that the potential savings could amount to a minimum of six figures. It’s up to you to apply this approach based on the size of your company and its software budget to determine which number leads the rest (!)

There's an additional factor that can make these amounts even more daunting: we haven't yet discussed or assessed the risk of identity compromise. It's reasonable to suggest that this risk could add a seventh figure.

Let's explore this further in a dedicated post!

Kevin Smouts
CPO and cofounder of Zygon

FAQ

All the questions you can have

What are joiner-mover-leaver (JML) related tasks?

In the context of Identity and Access Management (IAM), joiner-mover-leaver tasks refer to the processes and workflows associated with managing user identities and their access rights as they transition through different stages within an organization.

Joiner Tasks:

  • User Provisioning: Creating a new user identity in the system when a new employee, contractor, or vendor joins the organization.
  • Access Assignment: Granting appropriate access rights and permissions based on the user's role, department, and job requirements.
  • Onboarding: Ensuring the user has access to necessary resources, applications, and data to perform their job functions effectively.

Mover Tasks:

  • Access Reviews and Updates: Regularly reviewing and updating user access rights when they change roles, departments, or responsibilities within the organization.
  • Role Changes: Modifying access permissions to reflect the user's new role or responsibilities.
  • Transfer of Access: Ensuring that access to relevant resources is transferred or updated as the user moves to a different position or team.

Leaver Tasks:

  • User Deprovisioning: Disabling or removing a user's access to all systems, applications, and data when they leave the organization.
  • Access Revocation: Ensuring that all access rights and permissions are revoked promptly to prevent unauthorized access.
  • Final Access Review: Performing a final review to confirm that all access has been revoked and that no residual access remains.

These tasks are crucial for maintaining the security and integrity of an organization's information systems. Effective management of joiner-mover-leaver processes helps prevent unauthorized access, reduces the risk of data breaches, and ensures compliance with regulatory requirements.