The SaaS Sprawl Problem: The Real Cost of Shadow IT

Ben Tibi
April 2, 2026

A PM signs up for a free trial. The trial converts. The team grows. Finance never finds out. This is shadow IT at scale - and it's quietly costing your organization more than you think.

A product manager signs up for a tool on a free trial. The trial converts. They invite the team. Six months later, three other teams have adopted it independently. Finance has no record of it. IT has no visibility. And when that PM leaves, the subscription keeps billing, quietly, indefinitely.

That’s not an edge case. That’s shadow IT in 2026. And at scale, it’s one of the most expensive problems CIOs are systematically underestimating.

The numbers are worse than you think

Gartner estimates that the average organization uses over 100 SaaS applications, and that number keeps climbing as teams adopt tools faster than IT can track them.

The waste is just as striking. Flexera’s 2026 State of the Cloud Report found that organizations waste an average of 28% of their cloud and SaaS spend: licenses that are paid for but unused, duplicated across teams, or still billing after the employee who bought them left the company. The mechanism is always the same: decentralized purchasing, no offboarding automation, and no one with a complete picture of what’s running.

Four costs hiding in plain sight

  • Redundant spending: When procurement is fragmented, the same tool category gets purchased three times at retail price instead of once at an enterprise rate.
  • Zombie licenses: IT can’t deprovision what it doesn’t know exists. When employees leave, their shadow subscriptions keep billing. In a company with 15–20% annual turnover, this is a predictable, recurring cost, not an exception.
  • Compliance exposure: Every unreviewed SaaS tool is a potential unvetted data processor. Customer records, financials, and personnel data all flow to vendors that have never signed a DPA or been reviewed for SOC 2. The Verizon 2025 DBIR notes that third-party and supply chain vectors continue to grow as an initial access path. Shadow SaaS is, by definition, an unreviewed third party.
  • Lost negotiating leverage: Fragmented buying makes you look like a small customer to every vendor, even when your aggregate spend would qualify for significant enterprise discounts.

Visibility first, then automation

The organizations that get ahead of shadow IT aren’t the ones with the strictest controls. They’re the ones with the best visibility: continuous SaaS discovery through SSO logs and expense data, license attribution mapped to actual usage, and offboarding workflows connected directly to license revocation so deprovisioning is automatic, not manual.

The goal isn’t a bigger wall. It’s closing the gap between what your organization is actually spending and what it knows it’s spending.

How to automate it: finding Okta apps with no users assigned

Continuous visibility isn't a manual process - it's an automated one. A practical starting point is identifying Okta apps that have been configured but have zero users assigned. These are often legacy tools, abandoned trials, or apps whose last users were offboarded without anyone cleaning up the integration.

Left unchecked, they represent real exposure: active app integrations, potential SSO access paths, and (if the app is still licensed) ongoing spend for no active users.

What the workflow does

This n8n workflow queries the Okta API for all configured applications, cross-references each one against its assigned users, and surfaces any app where the assigned user count is zero. The output can be routed to a Slack alert, a ticket in your ITSM, or a Google Sheet for review - whatever fits your existing triage process.

Key steps

  1. Authenticate against the Okta API using an API token scoped to read application and user assignment data.
  2. List all active Okta applications via the /api/v1/apps endpoint.
  3. For each app, query assigned users via /api/v1/apps/{appId}/users and check whether the result set is empty.
  4. Filter for zero-user apps and pass them to your preferred output node - Slack, Jira, ServiceNow, or a spreadsheet.
  5. Schedule the workflow to run weekly (or trigger it as part of your offboarding sequence) to keep the list current without manual audits.
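
The key steps above as a standalone Python sketch (an added example, not the n8n workflow from the GitHub repository). It assumes Okta's `SSWS` token header, the `status eq "ACTIVE"` filter and `Link`-header pagination; the org URL, app IDs and responses in `fake_okta` are constructed so the script runs offline.

```python
import json
import re
import urllib.request

def http_get(url, token):
    """Live transport (step 1): returns (JSON body, combined Link header)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), ", ".join(resp.headers.get_all("Link") or [])

def paginate(url, get):
    """Follow rel="next" links so apps beyond the first page are not missed."""
    while url:
        items, link = get(url)
        yield from items
        nxt = re.search(r'<([^>]+)>;\s*rel="next"', link or "")
        url = nxt.group(1) if nxt else None

def zero_user_apps(base_url, get):
    """Steps 2-4: list ACTIVE apps, keep those with an empty assigned-user list."""
    apps_url = f"{base_url}/api/v1/apps?limit=200&filter=status+eq+%22ACTIVE%22"
    orphans = []
    for app in paginate(apps_url, get):
        # limit=1 is enough: we only need to know whether any assignment exists.
        users, _ = get(f"{base_url}/api/v1/apps/{app['id']}/users?limit=1")
        if not users:
            orphans.append((app["id"], app["label"]))
    return orphans

def fake_okta():
    """Constructed responses (placeholder org, made-up IDs) for an offline run."""
    base = "https://example.okta.com"
    p1 = f"{base}/api/v1/apps?limit=200&filter=status+eq+%22ACTIVE%22"
    p2 = f"{base}/api/v1/apps?after=0oa2&limit=200"
    pages = {
        p1: ([{"id": "0oa1", "label": "Wiki"}, {"id": "0oa2", "label": "Old Trial"}],
             f'<{p1}>; rel="self", <{p2}>; rel="next"'),
        p2: ([{"id": "0oa3", "label": "Legacy CRM"}], f'<{p2}>; rel="self"'),
        f"{base}/api/v1/apps/0oa1/users?limit=1": ([{"id": "00u1"}], ""),
        f"{base}/api/v1/apps/0oa2/users?limit=1": ([], ""),
        f"{base}/api/v1/apps/0oa3/users?limit=1": ([], ""),
    }
    return base, pages.__getitem__

if __name__ == "__main__":
    base, get = fake_okta()  # live run: get = lambda u: http_get(u, token)
    print(zero_user_apps(base, get))
```

For a live run, an Okta API token carries the permissions of the admin who created it, so issue it from a read-only administrator account and keep it out of the script itself.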

The workflow is open-source and available on GitHub - you can adapt the output step to fit your environment without changing the core logic.

Okta Apps With No Users Assigned - n8n workflow on GitHub

This kind of targeted automation - focused on a single, high-signal data point - is more durable than broad SaaS discovery efforts that require ongoing tuning. Start with what Okta already knows about your environment, and build from there.

Until then, you’re not managing your SaaS stack. You’re just hoping the parts you can’t see aren’t too expensive.
