The SaaS graveyard: Are you paying for ghost users?

Every modern business knows the sweet convenience of SaaS. Need a new marketing tool? Click, subscribe, done. Need to onboard a new employee? Click, license provisioned, done. We’ve built organizational foundations on software tools like Slack, Salesforce, and Figma, and it feels like sweet, sweet efficiency.

But what if I told you your company is being haunted?

Your budget spreadsheet is currently the site of a slow, silent, and incredibly expensive haunting. We’re not talking about flickering office lights or mysterious noises; we’re talking about ‘ghost users’ – digital ghosts lurking in the corners of your SaaS stack, patiently waiting for their monthly payroll deposit. 

What is a ‘ghost user’?

Foolish mortal Allow us to introduce the ghost user: the most costly phantom in your digital environment. 

A ghost user is an account that was assigned (set up and paid for) but is no longer actively being used or accessed. It’s the empty chair at the digital table, still ordering lunch every single day. Most often, this ghoul belongs to an employee who has since departed, but whose access license was never properly revoked.

Why does this happen? Typically it’s because of a lack of proper user lifecycle management. It means you are actively subsidizing the SaaS graveyard, resulting in serious financial waste and introducing unnecessary security risks into your environment.

It’s time to grab your proton pack and perform an exorcism.

Anatomy of the ghost user problem

Understanding where these unused licenses originate is the first step toward prevention. Ghosts typically materialize from four main sources:

1. The departed: This is the most common and urgent source. An employee leaves, HR completes their offboarding, but the IT or Finance team forgets to formally deprovision or remove their licenses across the 20+ applications they used.
2. The dormant project: Licenses are often purchased in bulk for temporary needs, such as a six-month external contractor engagement or a short-term development sprint. Once the project wraps, the licenses sit unused, sometimes for years, until the renewal date prompts an awkward question.
3. The forgotten trial/migration: During tool evaluations or migrations, administrators create test accounts or temporary licenses that never get cleaned up after the new system is stable.
4. The over-provisioned (the “Zombie”): While not a true ghost, the “zombie” user is someone who still works at the company, but holds an expensive, high-tier license (e.g., “Enterprise Admin”) when they only need basic features (e.g., “Viewer”).

The hidden costs of inactive accounts

The impact of the SaaS graveyard goes far beyond simple wasted dollars.

Financial waste

This is the most tangible cost. Imagine a typical scenario:

• Cost per license: $15 per user per month (for a mid-tier tool like Asana or Zoom)
• Number of inactive users: 10 forgotten accounts
• Annual cost: ($15 x 10 users x 12 months) = $1,800 wasted

Scale this across dozens of tools, and a mid-sized company can easily waste tens of thousands annually.

Security risk

An unmonitored, active account is a prime target for misuse. 

If a departed employee’s credentials are ever compromised (say for example through a data breach on another site), the attacker gains a “back door” into your corporate environment, often with the high-level permissions the employee once held.

Audit headache

During compliance reviews (like SOC 2) or annual license true-ups, tracking down every single active license and justifying its existence increases friction, costs, and time spent, often resulting in expensive, unexpected renewal fees.

Exorcising the ghosts: A 3-Step audit strategy

You can’t manage what you can’t see—you need a 360 degree view. Exorcising the SaaS graveyard requires a dedicated process and the right tool.

Step 1: Discover and map your tools

The first hurdle is shadow IT—the tools purchased outside of IT’s visibility. 

To combat shadow IT, you need a single, centralized inventory. While a dedicated SaaS Management Platform (SMP) is ideal, a robust collaboration between IT, Procurement, and Finance to track all monthly expenses is a strong starting point. Inventory every subscription, its cost, and its administrator.

Step 2: Define “active” and “inactive”

Once you have your inventory, you need data to classify your users. 

Start by establishing a clear metric of inactivity, such as “no login activity for 90 days”. Then pull usage data for every user in your most expensive tools. The “last login” date is typically the most accessible and reliable metric to start with. Any user exceeding the 90-day threshold is flagged for review. 

But pulling this data can be a time suck—which is why spend management tools like BetterCloud exists to easily integrate with all of your software and highlight inactive users in one dashboard. 

Step 3: Integrate HR data with automated provisioning and de-provisioning 

Manual user management is tricky and prone to user error because it relies on human input, which can lead to mistakes in data entry, missing information, or inconsistencies across different systems. The most sustainable solution is automation.

By integrating with your organization’s HRIS, SaaS management platforms enable automated user lifecycle management, often done using protocols like SCIM (System for Cross-domain Identity Management) via your identity provider (e.g., Okta, Azure AD). This automatically triggers the deactivation and, eventually, the deletion of accounts when an employee’s status changes to “terminated” in the HR system.

Long-term strategies: Preventing re-infestation

Getting rid of the ghosts is great, but keeping them away requires systemic changes.

Implement a standard offboarding checklist

Offboarding must be treated with the same meticulous attention as hiring.

Make SaaS deprovisioning mandatory and documented. The process should include a checklist requiring the manager of the departing employee to formally sign off, confirming that all access has been revoked across the core applications.

We created the ultimate offboarding employees workflow checklist here!

Adopt least privilege access

Preventing over-provisioning saves money even when users are active.

A common foundational security principle is called least privileged access. It ensures users have the minimal permissions needed to perform their tasks. This approach reduces exposure to security breaches.

IT teams utilizing least privileged access annually review user roles for excessive permissioning. 

If your usage data confirms a user is only utilizing 10% of their expensive “Pro” license features, downgrade them to a “Basic” or “Viewer” tier. Ensure your company policy dictates that new employees are always provisioned with the lowest necessary tier by default.

PoLP or RBAC, which is right for your organization? Read more here.

Schedule quarterly or bi-annual audits

Deprovisioning shouldn’t be a panic measure taken right before a renewal deadline.

A helpful tip: Set a recurring calendar reminder for IT and Finance teams to run the “Last Login Date” report across the top five most expensive subscriptions. This transforms deprovisioning from a reactive chore into a preventative habit.

Your IT budget deserves better

Ghost users are a real, persistent drag on company efficiency and security. They represent immediate financial waste and introduce unnecessary cyber risk.

It’s time to take control. Luckily, BetterCloud is here to help!

With BetterCloud, the need to tirelessly monitor spending is over. BetterCloud offers a single pane of glass for your entire tech stack to easily uncover shadow IT and continuously monitor your SaaS stack for new applications and changes in expenses.

Your CFO and budget will thank you.

Stop paying for an empty graveyard and start putting those dollars back to work.