Every company is now a software company. The uncomfortable corollary nobody puts on a slide: most of them have lost the inventory. Ask a CIO how many SaaS applications their organization runs and you will get a confident number. Then pull the expense reports, the OAuth grants, and the browser telemetry, and the real figure is routinely two to three times higher. IT departments are typically unaware of roughly three times as many SaaS apps as they know about. You are not running the software estate you think you are. You are running a much larger, mostly invisible one, and you are paying for all of it.
Here is the scale. Zylo's 2025 SaaS Management Index found that large enterprises (10,000-plus employees) now hold an average of 660 applications in their portfolio, with annual SaaS spend averaging $284M and a per-employee SaaS bill of $4,830, up 21.9 percent year over year. Of that, organizations are wasting an average of $21M annually on unused licenses, a 14.2 percent jump from the prior year. Meanwhile, less than half of company SaaS applications, around 45 percent, are regularly used by employees. You bought a fleet. Half of it sits in a parking lot you forgot you rented.
The reframe that matters: your single largest unbudgeted spend leak and your single widest attack surface are the same thing. They are the software you forgot you bought. Fix the inventory problem and you fix both at once. Ignore it and the two compound against you every quarter.
The Market Built This Trap on Purpose
This is not a discipline failure inside your walls. It is the predictable output of how the software market now sells. Gartner forecast worldwide public cloud end-user spending to reach $723 billion in 2025, with SaaS the largest single segment, approaching $300 billion. Broader business software spend is projected to grow 14.7 percent in 2026 to more than $1.4 trillion. That growth does not come from CIOs deliberately doubling their app counts. It comes from product-led growth: free tiers, self-serve credit-card signups, and per-seat pricing engineered to spread sideways across teams before procurement ever sees a contract.
The buying power moved with it. Zylo found that lines of business now account for 70 percent of SaaS spend, with IT responsible for only 26.1 percent. The department chartered to govern software no longer controls three quarters of the budget that buys it. That is the structural definition of shadow IT, and Gartner has long estimated shadow IT at 30 to 40 percent of total IT spending in large enterprises, with the Everest Group putting it north of 50 percent in some organizations. Gartner also projects that the share of employees who acquire, modify, or build technology outside IT's knowledge will rise from 41 percent toward 75 percent by 2027. The trend line is not bending back.
The Hidden SaaS Bill
Sprawl is not evenly distributed. It concentrates in categories where self-serve adoption is easiest and per-seat economics punish you hardest. The table below maps where the leak lives, using utilization and waste patterns drawn from the SaaS-management research cited throughout this piece.
| Category | Typical app footprint | Share underutilized | Why the waste concentrates here |
|---|---|---|---|
| Collaboration / messaging | High (overlapping tools) | ~40-55% | Multiple chat and meeting tools bought by different teams |
| Project / work management | High | ~50% | Per-seat sprawl, abandoned trials become paid plans |
| Design / creative suites | Medium | ~45% | Expensive seats assigned, rarely logged into |
| AI-native tools | Fast-growing | Unknown / unmeasured | Spend up 75.2% YoY, mostly ungoverned |
| Departmental point tools | Very high (long tail) | 50%+ | Bought on cards, never enter the IT inventory |
The pattern is consistent: Productiv's State of SaaS work shows roughly 40 percent of licenses going unused on average, climbing toward 41 percent at enterprise scale. The AI-native row deserves a flag of its own. Zylo recorded AI-native app spending up 75.2 percent year over year, almost all of it arriving through the same self-serve channels that produced the last decade of sprawl, only faster and with data-access scopes nobody is reviewing.
The Same Sprawl Is Your Attack Surface
Here is where the budget story turns into a security story. Every forgotten app is an account, a set of credentials, an OAuth token, and an integration scope that lives outside your monitoring. AppOmni's 2024 State of SaaS Security Report, built on a survey of 644 organizations across six countries, found that 31 percent suffered a SaaS data breach in the prior year, up five percentage points year over year. The same report exposed the visibility gap directly: 49 percent of frequent Microsoft 365 users believed they had fewer than 10 connected applications, while AppOmni's own data showed an average of more than 1,000 connections per environment.
The governance gap is just as stark. AppOmni found that 90 percent of organizations have policies requiring only sanctioned apps, yet 34 percent admit those policies are not strictly enforced, up 12 points since 2023. A policy you do not enforce is a document, not a control. And the blast radius extends beyond your own tenant. Verizon's 2024 Data Breach Investigations Report found third-party involvement in 15 percent of breaches, a 68 percent jump from the prior year, and the 2025 DBIR put that figure at 30 percent. Every unsanctioned SaaS vendor you cannot name is a third party with a key to data you are accountable for.
You cannot patch, monitor, deprovision, or audit an application you do not know exists. Shadow IT is not a budget annoyance with a security side effect. It is a security failure with a budget side effect.
Three Myths That Keep the Estate Invisible
Myth 1: "Our SSO catalog is our inventory."
Single sign-on covers the apps you already sanctioned. It is blind by design to the credit-card signups, personal-account logins, and direct integrations that make up the shadow estate. 70 percent of ChatGPT users at work hide it from their employer, and 67 percent use personal accounts, none of which appear in your SSO logs. Treating the SSO catalog as ground truth is how the inventory drifts to a third of reality.
Myth 2: "Unused licenses are just wasted money, not a risk."
A dormant license is still a live account. It still holds data-access scopes, still has credentials that can be phished, and still sits unmonitored because nobody is using it to trip an alert. The $21M in average annual waste and the 31 percent breach rate are not two problems. They are two readings off the same broken gauge.
Myth 3: "Sprawl is the cost of moving fast."
Speed and sprawl are not the same thing. Zylo's data shows app counts barely consolidating even as spend climbs double digits, which means the sprawl is buying duplication, not velocity. Three overlapping project tools do not make a team faster. They make it slower, more confused, and more expensive, while tripling the surfaces an attacker can probe.
The Auto-Renewal Ratchet
The waste already described does not sit still. It compounds. Every contract you signed has a clock on it, and the clock favors the vendor. According to Vertice's 2026 SaaS Inflation Index, software prices rose 12.2% in a single year, with cost per employee climbing from $7,900 in 2023 to $9,100 by the end of 2025. That is software inflation running close to five times the standard market rate of the G7 economies. Your finance team budgeted for last year's price. The vendor already moved the goalposts.
The mechanism is quiet by design. An analysis of more than 10,000 contracts by Common Paper found that 85% of cloud service agreements carry automatic renewal, 84% require a 30-day non-renewal notice, and 21% bake in an automatic fee increase of 5 to 8% on renewal. Miss the notice window by a day and you have re-upped for another year at a higher rate, on a tool you may have already established is barely used. Tropic notes that renewals account for 70 to 80% of annual SaaS spend, which means the renewal table is where the real money is decided, not the new-purchase table most procurement teams obsess over.
Now stack the two facts together. A price increase on a tool you fully use is a tax. A price increase on a tool 40% of whose licenses sit idle is a tax on waste, multiplied annually, with no one watching. The ratchet only turns one way.
The counter is unglamorous and it works: benchmark, and de-clause. Buyers who bring market data to the table claw the increases back. Tropic reported $56 million in verified savings across $362 million in negotiated spend in the first half of 2025, a 15.5% average savings rate. Vendr pegs the average negotiated discount at roughly 10% and falling, which tells you vendors are pressing harder every cycle. Procurement that renews on autopilot, without a benchmark and without striking the auto-renewal and uplift clauses, is not buying software. It is signing a ratchet and handing the vendor the wrench.
The Offboarding Hole
There is a second leak, and it runs in the opposite direction from spend. People leave. Their accounts do not. Every departed employee who still holds a live login is two problems at once: a seat you are likely still paying for, and a door you forgot to lock.
The numbers are not edge cases. DoControl's 2023 SaaS Security Threat Landscape Report found that 31% of companies had former employees access SaaS application assets after parting ways, with large companies carrying roughly 20 ex-employees holding lingering access and medium companies more than six. These are orphaned accounts, also called ghost or zombie accounts: still active, no longer tied to a living user. Frontier Zero describes the same pattern, where delayed deprovisioning leaves credentials alive long after the badge is returned.
The security cost is not theoretical. Ex-employee credentials are a known breach vector precisely because they retain real permissions and trigger no alarms. CloudFuze documents how incomplete offboarding turns orphaned accounts into data-breach pathways, and the canonical example, the Colonial Pipeline intrusion, started with a single inactive VPN account that still worked and had no multi-factor protection. One forgotten login was enough to take down fuel supply for the eastern United States.
The cost angle is simpler and just as ugly: you are paying full price for seats belonging to people who no longer work for you. A disabled user is still a billed user until someone reclaims the license.
Here is where this section ties back to the entire thesis. You cannot deprovision an account in an app you never knew existed. Every shadow purchase made on a line-of-business card, every tool adopted by a team without IT's knowledge, becomes an offboarding hole the moment that buyer or a teammate leaves. The inventory problem and the offboarding problem are the same problem wearing two coats. Fix the inventory, and the orphaned accounts surface on their own. Skip it, and you are guarding a building without knowing how many doors it has.
The Operator's Playbook: Govern What You Own
This is a solved problem in disciplined organizations. It is not solved by a memo. It is solved by treating your software estate the way a manufacturer treats a parts inventory: every item tracked, owned, and accountable. Run it as a standing program, not a one-time cleanup.
- Build the real inventory first. Reconcile three independent sources: financial data (every card and AP charge), identity data (SSO and OAuth grants), and network or browser telemetry. The overlap is your sanctioned estate. The gap is your shadow estate, and it is usually larger than the part you knew about.
- Assign an owner to every application. No app stays in the catalog without a named business owner accountable for its renewal, utilization, and data scope. Orphaned apps are the ones that breach and bleed.
- Meter utilization, then cut on evidence. Pull 90-day active-usage data per app. With only about 45 percent of apps in regular use, the reclamation list writes itself. Reharvest unused seats before every renewal, not after.
- Consolidate overlapping categories. Pick one tool per job. Migrate, then fully deprovision the losers, including their integrations and tokens. A canceled subscription with live OAuth grants is still an open door.
- Govern AI tools as a first-class category now. With AI-native spend up 75.2 percent, the worst data-access decisions of the next three years are being made today through self-serve signups. Inventory, scope-review, and approve them like any other vendor with a key to your data.
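The playbook above and the offboarding section both come down to joins between data sources you already hold. As an added illustration, not code from the original post or from Strategia-X, here is a Python reconciliation over constructed sample inventories (every app, user, owner and login age is hypothetical): union the three sources to get the real estate, subtract the SSO catalog for the shadow estate, then flag unowned apps, OAuth grants with no charge behind them, accounts whose users are gone from the HR roster, and seats idle beyond 90 days.

```python
# Added example, not from the original post. Every app, user and number here is constructed.
SSO_CATALOG = {"slack.com", "asana.com"}                                   # what IT believes it runs
EXPENSE_VENDORS = {"slack.com", "asana.com", "monday.com", "chatgpt.com"}  # card and AP charges
OAUTH_APPS = {"slack.com", "monday.com", "figma.com"}                      # grants seen in the IdP
BROWSER_HOSTS = {"asana.com", "figma.com", "chatgpt.com", "notion.so"}     # browser telemetry
OWNERS = {"slack.com": "comms-lead", "asana.com": "pmo-lead"}              # named business owners
ROSTER = {"alice", "bob"}                                                  # active employees per HR
LAST_LOGIN_DAYS = {                                                        # (app, user) -> days idle
    ("slack.com", "alice"): 2, ("slack.com", "carol"): 120,
    ("monday.com", "bob"): 95, ("figma.com", "alice"): 30,
}

def real_estate(*sources):
    """The union of every independent source is the estate you actually run."""
    return set().union(*sources)

def shadow_estate(sso, *sources):
    """Everything the sources see that the SSO catalog does not: the shadow estate."""
    return sorted(real_estate(*sources) - sso)

def unowned_apps(apps, owners):
    """Apps with no accountable owner; first candidates for review or deprovisioning."""
    return sorted(a for a in apps if a not in owners)

def grants_without_charge(oauth_apps, expense_vendors):
    """OAuth grants with no matching charge: a free tier, or a cancelled subscription
    whose tokens outlived the contract. Either way the grant needs a scope review."""
    return sorted(oauth_apps - expense_vendors)

def orphaned_accounts(last_login, roster):
    """Live accounts whose user is no longer on the HR roster (the offboarding hole)."""
    return sorted(acct for acct in last_login if acct[1] not in roster)

def idle_seats(last_login, window_days=90):
    """Seats with no login inside the window: reclaim them before the renewal date."""
    return sorted(acct for acct, days in last_login.items() if days > window_days)

def inventory_report():
    """One pass over the constructed data, returning the figures a renewal review needs."""
    real = real_estate(EXPENSE_VENDORS, OAUTH_APPS, BROWSER_HOSTS)
    return {
        "sso_count": len(SSO_CATALOG),
        "real_count": len(real),
        "shadow": shadow_estate(SSO_CATALOG, EXPENSE_VENDORS, OAUTH_APPS, BROWSER_HOSTS),
        "unowned": unowned_apps(real, OWNERS),
        "grants_without_charge": grants_without_charge(OAUTH_APPS, EXPENSE_VENDORS),
        "orphaned": orphaned_accounts(LAST_LOGIN_DAYS, ROSTER),
        "idle": idle_seats(LAST_LOGIN_DAYS),
    }
```

On this sample the SSO catalog lists 2 apps while the reconciled estate holds 6, the three-to-one gap the post describes; the same join surfaces the departed user's live seat without any extra tooling.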
The financial case is immediate. Reclaiming even half of an enterprise's $21M average annual waste funds a serious security program outright. The security case is the same line item read differently: every app you deprovision is an attack surface you retire and a third party you stop trusting blindly.
Close: You Cannot Defend or Budget What You Cannot See
The most dangerous line in any board deck is the SaaS count nobody verified. It anchors a security posture and a budget on a number that is wrong by a factor of two or three. The companies that win the next cycle will not be the ones with the most tools. They will be the ones that know exactly what they own, why they own it, who is accountable for it, and what data it can touch. Everyone else is running a software company that forgot what software it owns, and paying twice for the privilege: once at renewal, once at the breach.
Start with the inventory. Everything else, the savings, the security, the sanity, is downstream of finally knowing what you bought.
Strategia-X helps operators turn invisible software estates into governed, defensible, and dramatically cheaper ones. Talk to us at strategia-x.com.
-Rocky
#SaaSSprawl #ShadowIT #SaaSManagement #ITSpend #FinOps #SoftwareWaste #SaaSSecurity #ITGovernance #EngineeringDreams #StrategiaX