Industry research shows companies with 250 employees waste ~$26K/yr on unused SaaS licenses. Here's what causes it, how to audit it, and how to reclaim it.
TL;DR
- Industry research estimates mid-market companies with ~250 employees waste approximately $26,000 per year on unused SaaS licenses. This is an industry benchmark, not a KINT-measured outcome.
- Waste accumulates from three sources: ghost accounts (seats left active after someone leaves), over-provisioning, and shadow IT the team never tracked.
- You can reclaim licenses without disrupting anyone who is actively working — the key is cross-referencing your HR system against your app roster.
- KINT automates this continuously: it flags dormant accounts, routes them for human approval, then runs the deprovisioning in ~47 seconds across multiple apps simultaneously.
- No card. 14-day free trial. Book a 15-minute walkthrough to see it against your actual stack.
Introduction
You are probably paying for software that nobody is using.
That is not a guess. Industry research tracking SaaS spend across mid-market companies estimates that a company with around 250 employees wastes approximately $26,000 per year on unused or underused SaaS licenses. (Industry research figure — not a KINT customer outcome.)
That number is not dramatic rounding. It compounds from a handful of boring, structural problems: the employee who left eight months ago whose Salesforce seat is still active. The Zoom Pro plan that got bought for a project that shipped in Q1. The 80-person design team where 60 people have a Figma seat they open twice a year. None of it feels urgent in the moment. All of it adds up.
This article is about where that waste actually comes from, how to find it in your own environment, and how to reclaim it — without accidentally revoking access to something someone still needs.
KINT (by Kingsley Integrators) is an HR-driven identity lifecycle platform for companies with 100–500 employees. License reclaim is one of the three things it does. This article is honest about what it can and cannot automate today.
What is SaaS license waste?
SaaS license waste is the money you pay for software seats that are not being actively used.
It is not about buying the wrong tools. It is about what happens to the right tools over time. Every quarter, people leave. Roles change. Projects end. Apps get superseded. And if the process for updating access is manual — or if it simply doesn't exist — those seats stay paid and stay idle.
There are three categories:
Ghost accounts. A former employee's seat in Slack, GitHub, HubSpot, Zendesk, or Dropbox. Still active, still billing, because nobody ran a complete offboarding when they left. In companies without automated offboarding, industry data puts the median time-to-deprovisioning at 11 days — and some apps simply never get touched at all.
Over-provisioned tiers. The whole team got an Enterprise seat for an app where only three people needed it. Or a department bought a team plan that includes 20 seats, and eight people actually use it.
Shadow IT. Apps that individual contributors or teams bought with a company card — sometimes expensed, sometimes through a central budget — that IT never tracked. If you don't know it exists, you can't audit it. If you can't audit it, you can't reclaim it.
All three accumulate quietly. There is no alert for "this seat has been idle for 90 days." Most SaaS vendors have no incentive to tell you.
How much does SaaS license waste cost a mid-market company?
The $26,000-per-year figure for a 250-employee company (industry research) is a useful benchmark. But the actual number at any given company depends on three variables: how many apps are in the stack, what the average per-seat price is, and how rigorous the offboarding process is.
Here is how it scales by company size, using industry research estimates:
| Company size | Typical SaaS apps in stack | Estimated annual license waste | Monthly waste |
|---|---|---|---|
| 100 employees | 40–60 apps | ~$10,000–$14,000 | ~$850–$1,200 |
| 250 employees | 80–120 apps | ~$24,000–$28,000 | ~$2,000–$2,300 |
| 500 employees | 150–200 apps | ~$50,000–$60,000 | ~$4,200–$5,000 |
Figures are industry research estimates based on published SaaS spend analysis. They are benchmarks, not guaranteed outcomes. Actual waste at any individual company will vary.
Two things make mid-market companies especially exposed:
-
The SaaS stack grows faster than the team. When a company scales from 50 to 250 people, the number of apps often triples. The IT function doesn't. One or two IT operators are managing a stack that, at a larger company, would have a dedicated SaaS ops team.
-
Manual offboarding skips apps. When someone leaves, the priority is revoking email and the IdP. Everything downstream — Salesforce, Dropbox, 1Password, Notion — depends on the IT operator having a comprehensive checklist and time to work through it. At 4pm on a Friday, that checklist gets short.
The waste is not a budgeting failure. It is a workflow failure.
What causes SaaS license waste in companies with 100–500 employees?
The root cause is almost always the same: there is no continuous, automated link between your HR system (who works here, in what role) and your SaaS estate (who has access to what).
Here is what that looks like in practice:
| Cause | How it shows up | Typical apps affected |
|---|---|---|
| Incomplete offboarding | Departed employee's seat stays active | Slack, GitHub, Salesforce, Zoom, HubSpot, Zendesk |
| Role change not reflected | Employee moved to a different team; old app access not removed | Jira, Salesforce, internal admin tools |
| Project-based provisioning | App bought for a project; license not cancelled after go-live | Figma, Notion, specialist SaaS |
| Over-provisioned plan | Team plan with more seats than active users | Most per-seat SaaS |
| Shadow IT | App bought outside IT's visibility | Varies — typically productivity and design tools |
| Contractor expiry | Contractor access not revoked at contract end | GitHub, Google Workspace, Dropbox |
The pattern across all six: access gets added deliberately, and removed accidentally — if at all.
What makes this structural rather than a one-time audit problem: people join, leave, and change roles continuously. A one-time cleanup reduces waste this month. Without an ongoing process tied to the HR source of truth, the waste rebuilds within a quarter.
How do you find unused SaaS licenses?
The most reliable method: cross-reference your HR system against each app's user list.
Your HR system — whether that's BambooHR, Workday, Rippling, Gusto, Darwinbox, or a spreadsheet — knows exactly who is employed today, in what role, and when they joined or left. That is the ground truth. Every app that has a user who is no longer in your HR system is a candidate for reclaim.
Here is a practical three-step process:
Step 1: Export your HR roster. Get a clean list of every active employee — name, email, role, start date, department. If you have contractors, include them with their end dates.
Step 2: Pull the user list from each SaaS app. For apps with good admin consoles (Google Workspace, Microsoft 365, Slack, GitHub, Salesforce), this is a CSV export. For apps without APIs, it's a manual login to the admin panel. Note the last-login date where available — an account that hasn't logged in for 60+ days is a signal, not a certainty.
Step 3: Cross-reference. Any user in an app who doesn't appear in your active HR roster is a ghost account. Any user with no login in 90+ days is a dormant account — worth flagging for a quick "is this still needed?" check before revoking.
The bottleneck in this process is step 2 at scale. If you have 80 apps in your stack, pulling user lists manually is a full-day project. And because people leave continuously, doing it quarterly still leaves a 90-day gap where you're paying for ghost accounts.
The automated version of this workflow is what KINT handles. It connects to your HR system as the source of truth, and when someone's status changes — offboarded, role change, contract end — it identifies which apps they have access to and revokes what should be revoked. The SaaS Access Intelligence surface also runs continuously to flag dormant accounts between lifecycle events.
A standalone waste calculator is also coming — it will let you estimate your exposure before connecting anything. It's not live yet, but it's on the roadmap.
What's the real cost of unused SaaS licenses — beyond the dollar amount?
The $26,000 figure is real, and it matters. But the license spend is the part that's easy to see. There are two harder-to-quantify costs that often matter more.
Security exposure from ghost accounts.
An inactive account is not just wasted spend. It is an attack surface. A former employee's GitHub access — still active six months after they left — is a credential that can be phished, reused, or exploited. The account isn't being monitored, because nobody thinks about it. It doesn't show up in your identity provider's active-user dashboard if the app doesn't sync with your IdP.
This is the cost that a CFO doesn't see until a security incident puts it in a board deck.
Audit and compliance liability.
SOC 2 CC6.1 requires evidence that access is provisioned based on need and removed when no longer needed. Ghost accounts are a direct failure of that control. When an auditor pulls your app user lists and matches them against your HR offboarding dates, every active account belonging to a departed employee is a finding. In a mid-market company running manual offboarding, those findings are common.
The dollar value of a SOC 2 finding is not a license cost — it is a deal-blocker when an enterprise prospect asks for your report.
Operational drag on the IT team.
Every quarter, the IT operator or the IT manager has to make a call: do we do the cleanup audit now, or do we handle the five tickets that came in this morning? License waste is a known problem that competes with everything else for attention. The result is that it never gets fully fixed — it gets partially fixed, and the gap rebuilds.
How do you reclaim unused SaaS licenses without risking access?
The worry is real: if you revoke the wrong account, you break someone's workflow. Here is how to do the reclaim without that risk.
Rule 1: Verify before you revoke.
Never revoke based on "no login in 90 days" alone. Some legitimate users log in once a quarter — finance people, legal team members, executives. Cross-reference the login data against the HR roster first. If the account belongs to a current employee, flag it for them to confirm before touching it.
Rule 2: Revoke the departed employees first.
The zero-risk category: anyone who left the company more than 30 days ago and still has an active seat. Their access should have been revoked on their last day. It wasn't. Revoke it now, with no further checking needed.
Rule 3: Downgrade before deleting.
For over-provisioned tiers — a team Figma plan where 10 of 30 seats are unused — downgrade the plan to match actual usage before removing specific users. This recovers the spend without revoking access to anyone who is actively working.
Rule 4: Document every revocation.
For audit purposes, keep a record of who was deprovisioned, from which app, on which date, and why. This is not just compliance hygiene — it is the evidence you need if anyone asks "why did my access get removed?" six months from now.
Here is how the three methods compare for actually running this at scale:
| Method | Speed | Coverage | Audit trail | Ongoing? |
|---|---|---|---|---|
| Manual spreadsheet audit (quarterly) | Slow (full day per audit) | Partial — misses apps without easy exports | None by default | No — snapshot only |
| SaaS management platform (standalone) | Medium — still manual approvals | Good for apps with APIs | Usually yes | Partial — depends on integration depth |
| Identity lifecycle automation (e.g. KINT) | Fast — automated on HR events | Deep — API + SCIM + browser automation | Full — signed, timestamped, SOC 2 mapped | Yes — continuous |
How does KINT handle SaaS license reclaim?
KINT (by Kingsley Integrators) is an HR-driven identity lifecycle automation platform for companies with 100–500 employees. It is relevant to the license reclaim problem in two ways:
Continuous deprovisioning. When someone leaves — detected via BambooHR, Workday, Rippling, Keka, Greythr, or any of the other connected HR sources — KINT triggers a deprovisioning workflow immediately. Not at the next quarterly audit. When the HR event fires. That workflow runs revocations across connected apps in approximately 47 seconds end-to-end, running multiple apps in parallel. Every action is signed with Ed25519 and timestamped for SOC 2 CC6.1/6.2/6.3 audit evidence.
This eliminates the ghost account problem at the root. Licenses get reclaimed at the moment of departure, not three months later.
SaaS Access Intelligence. For accounts that accumulated before KINT was connected — or for apps that aren't tied to the offboarding workflow — KINT's access intelligence surface continuously scans for dormant accounts. It flags them for human review, and with one approval, triggers the deprovisioning. You stay in control; KINT does the execution.
KINT connects to 50+ live API and SCIM connectors, with 200+ mapped in the catalogue — covering the API-connected apps (Google Workspace, Microsoft Entra, Okta, Slack, GitHub, Salesforce, HubSpot, Zendesk, Zoom, Jira, Freshdesk, ServiceNow, Dropbox, 1Password) and browser automation for apps without proper APIs. Setup is OAuth, under five minutes. Self-serve at app.kingsleyint.com — no card, 14-day trial.
What KINT doesn't do (honest version): it does not track SaaS spend dollar amounts or manage vendor contracts. It does not discover shadow IT from credit card statements. It is the identity and access layer — who has access, to what, and whether that access is still warranted. The license cost reclaim is a downstream effect of keeping access current.
What does KINT cost — and does the reclaim pay for it?
Pricing is published at kingsleyint.com/pricing. No demo required.
| Plan | Price | Best for |
|---|---|---|
| Starter | $3/employee/month | 100–250 employees. 1 HR source, 50+ API and SCIM connectors. Full JML workflows, SOC 2 audit trail. |
| Growth | $5/employee/month | 250–500 employees. Unlimited sources, all 200+ connectors, browser automation (up to 5 apps), access intelligence and license reclaim, MCP/AI integration. |
| Custom | Talk to us | 500+ employees. Unlimited browser automation, custom connectors, 99.9% SLA, data residency (US/EU/India). |
The reclaim math for a 250-person company:
- KINT Growth plan: $5 × 250 = $1,250/month → $15,000/year
- Industry research estimate for license waste at 250 employees: ~$26,000/year
- Reclaim potential: the licence waste alone more than covers the platform cost
These are illustrative numbers using the industry benchmark. Your actual savings depend on how much ghost-account waste exists in your stack when you start. KINT doesn't guarantee a specific reclaim amount — it gives you the tooling and the visibility to find and fix it.
Founding offer: for the first few customers, there's a $1.50/employee/month price, locked for 12 months, in exchange for case-study collaboration and product feedback. If you are running a company with 100–500 employees and want to be part of building what this becomes, that is the offer. See if a spot is still available.
KINT (by Kingsley Integrators) is an HR-driven identity lifecycle automation platform for companies with 100–500 employees. It automates onboarding, role changes, and offboarding across SaaS apps — including apps without APIs, via browser automation — and produces SOC 2 CC6 audit evidence as a byproduct. Pricing is published per employee per month ($3 Starter, $5 Growth). Self-serve signup at kingsleyint.com.
Ready to see the waste in your own stack?
Book a 15-minute walkthrough — I'll show you how KINT maps your current SaaS access against your HR roster and surfaces what can be reclaimed.
14-day trial · No card · Live in under an hour
Or start free at app.kingsleyint.com and connect your first HR source today.
FAQ
What is SaaS license waste?
SaaS license waste is the money a company pays for software licenses that are not actively used. This includes accounts assigned to employees who have left, seats provisioned for a project that ended, and paid tiers that exceed what the team actually uses. It accumulates silently because no single person owns the full SaaS estate.
How much do mid-market companies waste on unused SaaS licenses?
Industry research estimates that companies with around 250 employees waste approximately $26,000 per year on unused or underused SaaS licenses. This is an industry benchmark, not a KINT-measured outcome. Actual waste varies by industry, stack complexity, and how rigorously access is managed during offboarding. Larger companies tend to waste proportionally more: a 500-person company running manual offboarding often sees double the waste in absolute dollar terms.
What are the most common causes of SaaS license waste?
The three biggest causes are: (1) ghost accounts — seats left active after employees leave or change roles, because offboarding is manual and skips apps; (2) over-provisioning — giving everyone a paid seat when only some people use the tool; (3) shadow IT — apps bought by individual teams that IT never tracked and therefore never audited. Together these account for most of the waste in companies with 100–500 employees.
How do you find unused SaaS licenses?
The most reliable method is to cross-reference your HR system (who is actually employed, in what role) against your SaaS app roster (who has a paid seat). Any seat assigned to a former employee or an inactive user is immediate reclaim territory. For apps connected via SCIM or API, this can be automated. For apps without APIs, browser automation can read the admin console and flag unused seats.
How long does it take to reclaim unused SaaS licenses?
For apps with a live API or SCIM connection, access can be revoked in seconds once the right workflow is in place. The bottleneck is usually the audit step — finding all the seats, confirming which are inactive, and getting a second approval before revoking anything that might still be in use. That review process typically takes one to two business days the first time, then becomes near-instant once it is automated and running continuously.
What is the difference between SaaS license reclaim and SaaS management?
SaaS management is the broader category: tracking what software the company pays for, who uses it, and what it costs. License reclaim is one specific action within that — finding seats that are paid but unused and either downgrading or removing them. Reclaim is the fastest-ROI action inside a SaaS management program because it cuts real spend without touching anything that is actively in use.
Can KINT automatically reclaim unused SaaS licenses?
Yes. KINT's SaaS Access Intelligence surface identifies dormant accounts and license waste across connected apps. It flags them for review, and with one approval, KINT revokes access — the actual deprovisioning runs in approximately 47 seconds end-to-end across multiple apps running in parallel. All actions are signed and timestamped for SOC 2 audit evidence. See the full solution →
How much does KINT cost for a 250-person company?
KINT's Growth plan is $5 per employee per month. For a 250-person company that is $1,250 per month, or $15,000 per year. Industry research estimates that same company is currently wasting approximately $26,000 per year in unused licenses — meaning the reclaim alone more than covers the platform cost. A founding-customer offer is also available at $1.50 per employee per month for early customers who want to collaborate closely on the product. See pricing →
Published: May 30, 2026 · Last updated: May 30, 2026 · Author: Gowtham Palanisamy, Founder, Kingsley Integrators
Gowtham Palanisamy
Founder of Kingsley Integrators, building KINT in public. Writes about identity lifecycle, SaaS access, and audit evidence.