Enterprise SaaS waste is not a line item anyone chose to pay. It is the structural cost of infrastructure that cannot distinguish a user who will return from one who never will. The invoices arrive monthly. The ghosts accumulate annually. The architecture has no mechanism to stop billing for absence - so it doesn't.

Companies are paying for software tools that nobody is using - and the billing system was never designed to stop charging for empty seats.

Open the license management dashboard of any enterprise with more than a thousand employees. Scroll past the active users, past the ones flagged for low engagement, past the ones whose last login was six weeks ago. Keep scrolling. You will find seats purchased for people who changed departments eighteen months ago. Seats belonging to contractors whose projects ended before the fiscal year turned. Seats assigned to employees who left the company quietly, whose exit triggered an HR workflow that deactivated their email, revoked their badge access, and did absolutely nothing about the forty-seven SaaS subscriptions still tethered to their name. Those seats are not errors. They are not oversights anyone failed to catch. They are the sedimentary deposit of an infrastructure that was never built to ask whether someone is still there.

Big companies have huge lists of software accounts still being paid for - belonging to people who quit, switched jobs, or left long ago - and nothing in the system ever automatically cleaned them up.

The scale of this deposit is no longer debatable. Zylo's 2026 SaaS Management Index, built on analysis of more than forty million licenses and seventy-five billion dollars in spend under management, reports that organizations use just 54% of their provisioned licenses on average, producing $19.8 million in annual waste per enterprise. The 2025 edition of the same index placed the figure higher still - $21 million per organization, a 14.2% year-over-year increase. A separate analysis from Ramp estimates that 53% of SaaS applications go underutilized or entirely unused, with only 34% of subscriptions actively generating value. The waste rate has not improved with awareness. It has worsened with scale.

Studies show companies only actually use about half the software seats they pay for, wasting roughly $20 million a year each - and the problem is getting worse, not better.

Trace the arithmetic to its stratigraphic layer. The average enterprise now manages 305 SaaS applications and adds nine new ones per month. Total enterprise SaaS spending has climbed to $55.8 million annually, with per-employee costs reaching $4,830. The global SaaS market itself grew from approximately $157 billion in 2020 to over $400 billion by 2025. If the waste rate holds - and there is no structural reason to expect it will not, absent an architectural intervention that does not yet exist - the industry is billing itself for hundreds of billions of dollars in absent users every year. Not as a bug. As a feature of how the billing layer was designed.

The average large company runs over 300 software tools and spends $56 million a year on them. With half going unused, the industry is collectively burning hundreds of billions on software nobody is using.

The Stratum Nobody Audits

The layer nobody looks at.

The standard enterprise response to license waste is governance: periodic audits, renewal reviews, automated reclamation workflows. These are reasonable practices. They are also, structurally, janitorial. They operate after the fact, cleaning up what the system has already generated, because the system itself contains no primitive for understanding that someone has gone.

Companies try to fix the wasted licenses by doing occasional check-ups and cleanups - but that only fixes the mess after it's already been made. The system itself keeps making the mess because it was never built to notice when someone leaves.

The distinction matters. A janitor sweeping an empty room does not alter the building's decision to keep the lights on. The lights are on because the wiring diagram assumes occupancy. SaaS infrastructure operates on an identical assumption: every provisioned identity is potentially active until a human being, somewhere in the organization, manually intervenes to declare otherwise. The median enterprise processes 247 SaaS renewals per year - approximately one per business day. Most proceed without usage analysis. Most auto-renew with contractual price escalations of 5-15% built into the terms. The system is not failing to catch the waste. The system is producing the waste, reliably, as an emergent property of its own design.

Every software account stays active until a real person manually shuts it off. Nobody does that consistently - so renewals keep rolling through, prices keep rising, and the waste keeps building automatically.

This is not a problem that better dashboards solve. It is a problem that lives in the protocol layer, in the place where identity is provisioned and presence is assumed.

Better reporting tools won't fix this. The problem is baked into how the software identity system was built in the first place.

The Fossil Record of a Breach

The security problem hiding in the same place.

License waste is the financial symptom. The security consequence is worse, and it follows the same structural logic: if the infrastructure cannot distinguish between a user who stepped away and a user who left permanently, it also cannot distinguish between a dormant account and a compromised one.

The money wasted on unused accounts is bad enough - but the security risk is worse. If the system can't tell who's gone, it also can't tell when a dead account has been taken over by an attacker.

The pattern has been demonstrated at the highest possible scale. In late November 2023, the Russian state-affiliated threat group known as Midnight Blizzard initiated a password spray attack against Microsoft's own infrastructure. Their target was not a production system. It was a legacy, non-production test tenant account - dormant, unmonitored, and lacking multi-factor authentication. That single abandoned identity provided sufficient leverage for lateral movement into Microsoft's corporate environment, ultimately compromising email accounts belonging to senior leadership, cybersecurity personnel, and legal staff. The test account had been granted elevated OAuth application permissions in Microsoft's production tenant at some earlier point. The permissions persisted. The account persisted. Nobody was watching because the infrastructure had no reason to watch. Absence is not an event that triggers attention. It is the ambient state of most digital identities on any sufficiently large network.

In 2023, Russian hackers broke into Microsoft by finding one old, forgotten test account with no password protection. That one abandoned account let them reach executive emails and sensitive legal files - because nobody was watching it and the system had no reason to.

Follow that ratio to its operational conclusion. If 51% of enterprise SaaS licenses are dormant at any given time, and dormant accounts are exponentially less likely to carry modern security controls, then the majority of provisioned identities on most enterprise networks are simultaneously unmonitored, unprotected, and fully credentialed. Each one is a door the building forgot it installed. The Drizly breach in 2020 followed the same tectonic fault line: an executive was granted GitHub repository access for a one-day hackathon, the access was never revoked, the executive's seven-character reused password was compromised in an unrelated breach two years later, and the resulting intrusion exposed 2.5 million consumer records. The FTC's enforcement action - which personally followed the CEO to future companies for a decade - concluded that the breach was not a failure of detection. It was a failure of architecture. There was no system capable of recognizing that the access had outlived its purpose.

With over half of all software accounts sitting dormant and mostly unprotected, most large companies have more unlocked side doors than they realize. Two real breaches - at Microsoft and at Drizly - show exactly how attackers walk through them, and regulators now hold executives personally responsible.

The Ghost Workforce

The forgotten accounts that aren't even human.

The human licenses are only the visible stratum. Beneath them lies a deeper and faster-growing formation: non-human identities. Service accounts, API keys, OAuth tokens, automation credentials, and - increasingly - AI agents operating with their own authentication profiles. These machine identities now outnumber human users in enterprise environments by ratios that would have been considered implausible five years ago. Entro Security's H1 2025 report documented a 44% year-over-year growth rate in non-human identities, with the machine-to-human ratio reaching 144 to 1. ManageEngine's 2026 Identity Security Outlook found organizations reporting ratios of 100:1, with some environments reaching 500:1. CSO Online's analysis of the 2026 landscape noted that only 12% of organizations have automated lifecycle management for these identities, and while 80% of leadership believes dormant machine accounts are being tracked, only half of practitioners confirm it.

It's not just unused human accounts. There are far more machine accounts - bots, automated tools, and AI systems - and they're growing fast. For every one human, there are now 144 machine accounts, and most companies have no system to manage them.

The word "tephrochronology" describes the dating of geological events by the layers of volcanic ash they leave behind. Each eruption deposits a stratum that persists, identifiable, long after the event itself has ended. Non-human identities accumulate in enterprise environments by the same mechanism. A developer creates a service account for a proof-of-concept. The proof-of-concept is abandoned. The service account remains, carrying the permissions it was granted at creation, invisible to the governance workflows designed for human employees who eventually resign or retire. Ninety-seven percent of non-human identities carry excessive privileges. One in every thousand machine identities is over a decade old. These are not accounts anyone chose to keep. They are the tephra of prior workflows, still settling.

Machine accounts are like layers of ash from old eruptions - they build up over time and stick around long after the project that created them is gone. Almost all of them have more access than they should, and some are over a decade old.

And now, agentic AI is accelerating the deposition rate beyond anything human governance processes were built to absorb. These are not chatbots answering questions. They are systems authorized to execute commands, move production data, modify configurations, and trigger downstream workflows autonomously. Microsoft Copilot reaches into SharePoint. GitHub Copilot commits to repositories. Marketing agents pull customer records from Salesforce. Each one operates with an identity. Each identity carries permissions. Each set of permissions persists until someone - a human, always a human - decides to revoke them. The machine creates identities at machine speed. The governance operates at human speed. The gap between those two velocities is where the ghost workforce grows.

AI tools are making this explode. These aren't just chatbots - they're systems that can take actions, move data, and change settings on their own. Every AI agent creates a new account with permissions, and those permissions stay forever unless a human manually removes them. Machines create accounts at machine speed; humans clean them up at human speed.

Pause. One hundred and forty-four machine identities for every single human.

To put it plainly - 144 machine accounts exist for every single person in the company.

Twelve percent with automated lifecycle management. The rest governed by spreadsheets, manual rotation schedules, and institutional memory that degrades with every departure. The ghosts are not just former employees. They are former workflows, former integrations, former experiments - all still credentialed, all still billable, all still exploitable.

Only 1 in 8 companies automatically manages these machine accounts. Everyone else is relying on manual lists and human memory - both of which fall apart every time someone leaves. These aren't just ex-employee accounts. They're the leftovers of every old project, every past tool, every test that was never cleaned up - and they're all still active, still costing money, and still vulnerable.

The Invoice That Compounds in Silence

The Cost That Keeps Growing Quietly.

License waste does not hold still. It accretes. Auto-renewal clauses carry price escalations. AI feature surcharges add 20-40% to base subscription costs. Usage-based pricing models - now applied to 42% of SaaS products, up from 27% in 2023 - introduce cost variability that compounds on top of seats nobody occupies. Seventy-eight percent of IT leaders reported unexpected SaaS charges in the past year tied to consumption-based or AI pricing models; 61% were forced to cut projects or initiatives as a direct result.

This waste doesn't stay the same size - it grows on its own. Contracts auto-renew with price increases built in. AI features are adding 20-40% on top of what you already pay. New pricing models mean costs can spike even on seats nobody uses. Nearly 8 in 10 IT leaders got hit with unexpected bills last year - and more than 6 in 10 had to cancel other projects to cover them.

The compounding is not incidental. It is the financial expression of an architectural vacuum. When the system cannot distinguish between a seat that is occupied and a seat that is abandoned, every pricing innovation applied to occupied seats is automatically applied to abandoned ones. AI surcharges bill the ghost at the same rate as the living. Price escalations compound on top of usage that has already reached zero. The waste does not grow linearly. It grows in the shape of whatever the vendor's pricing model dictates, applied uniformly to an audience that is partially fictional.

When a system can't tell the difference between someone actively using software and someone who's gone, every price increase gets charged to both. AI fees, price hikes - they all pile up on accounts nobody is using. The waste doesn't grow slowly and steadily. It grows as fast as the vendor raises prices, and it's being charged to users who don't exist anymore.

Enterprise procurement teams negotiate renewal terms 90 to 120 days in advance of contract expiration. In that window, the standard playbook involves reconciling usage data, benchmarking pricing, and rightsizing license counts. But reconciliation requires visibility, and visibility requires that someone - a human being, with a calendar reminder and a mandate - perform the analysis for each of the 305 applications in the portfolio. The structural reality is that most renewals proceed on autopilot. The ghost rent renews alongside the living rent. The invoice treats them identically because it has no mechanism not to.

Companies usually renegotiate software contracts 3 to 4 months before they expire. Ideally, they'd check who's actually using what before signing again. But with hundreds of apps, nobody has time to check each one. So abandoned accounts just get renewed automatically, billed the same as real users, because the system has no way to tell them apart.

The Fault Between Two Disciplines

This section is about a gap between two teams that both deal with the same problem but don't talk to each other.

There is a particular kind of organizational fracture that forms when two teams are solving the same problem without a shared language. In most enterprises, SaaS cost governance belongs to procurement, FinOps, or IT asset management. Identity governance belongs to security, IAM, or a compliance function. These teams rarely share a reporting line. They almost never share a platform. The ghost seat - the license still billing for a user who no longer exists - sits precisely on the fault between their jurisdictions.

In most companies, one team manages software costs and a different team manages who has access to what. These teams rarely share tools or report to the same leader. An abandoned account that's still being billed falls right between their responsibilities - so neither team fully owns it.

The cost team sees an unused license. The security team sees a dormant credential. Neither team has the mandate or the tooling to connect those two observations into a single architectural insight: this entity has stopped, and both the financial and security posture of the organization should change in response. The 2026 Zylo data confirms that business units now control 81% of SaaS spend, while IT directly manages just 15%. The purchasing authority is distributed. The identity authority is centralized. The ghost sits in the gap between them, belonging fully to neither, governed effectively by no one.

The cost team spots a license nobody's using. The security team spots an old login sitting idle. But neither team connects the dots to realize it's the same problem. On top of that, business units now control most software spending while IT only manages a small slice, so purchasing power and access control are handled by completely different groups. Nobody fully owns the ghost.

This jurisdictional void is not a management failure. It is a structural consequence of building organizational governance on top of infrastructure that treats presence and billing as a single, undifferentiated state. When the protocol layer cannot distinguish between active and absent, every governance layer built above it inherits that blindness. The cost team optimizes spend. The security team manages access. The ghost persists because no single discipline owns the concept of sustained non-presence as a category requiring action.

This isn't a people problem - it's a design problem. The software infrastructure these teams are built on top of can't tell the difference between someone who's present and someone who's gone. So every team built on top of that infrastructure inherits the same blind spot. Nobody owns "this person stopped showing up" as a category that requires a response.

The Architectural Vacancy

None of this is a failure of the people operating within the system. IT leaders, procurement teams, FinOps practitioners - they are aware of the waste. They build programs to contain it. Zylo's 2026 data shows that organizations with mature SaaS management practices improved license utilization from 47% to 54% in a single year, reducing waste from $20.9 million to $19.8 million. That improvement is real. It is also, candidly, the difference between wasting $20.9 million and wasting $19.8 million. The system improved its janitorial efficiency by 5.3% while the underlying architecture continued producing waste at industrial scale.

The people running these systems aren't failing. They know about the waste and they work to reduce it. One study shows that mature organizations cut wasted spending by about $1 million in a year. That's real progress. But they went from wasting $20.9 million to wasting $19.8 million. The system got slightly better at cleaning up a mess it keeps making.

The problem is not that governance is insufficient. The problem is that governance is doing the work that architecture should be doing. Every dollar spent on SaaS management platforms, license reclamation workflows, and renewal optimization consultants is a dollar spent compensating for the absence of a single protocol-level capability: the ability for infrastructure to recognize that an entity has stopped.

The real problem isn't that companies are bad at managing software - it's that they have to manage it at all. Every dollar spent on tools and consultants to track down wasted licenses is money spent fixing something that the underlying technology should have prevented automatically. The infrastructure never learned how to recognize when a user stops existing.

No such protocol exists. HTTP waits for requests. TCP maintains connections through keepalive packets. OAuth tokens expire on a timer, indifferent to whether the expiration represents a deliberate logout or a permanent departure. SCIM (System for Cross-domain Identity Management) handles provisioning and deprovisioning as discrete events, but it requires an upstream system - an HR platform, a directory service, a human administrator - to issue the deprovisioning command. If no command arrives, the identity persists. The infrastructure does not ask questions. It does not notice. The seat stays warm and the meter keeps running.

None of the core internet technologies can recognize that a user has permanently left. They wait for requests, maintain connections, expire on timers - but no protocol asks "is this person actually still here?" Even the system designed to remove user accounts only works if someone tells it to. If nobody sends the removal command, the account just stays, forever.

The $19.8 million is not a cost the enterprise chose. It is the structural tax levied by infrastructure that was designed for a world in which every user is presumed present until proven otherwise, and in which proof requires manual intervention that scales linearly against a problem growing exponentially.

That $19.8 million in waste isn't a decision anyone made. It's an automatic byproduct of infrastructure that assumes everyone is present until a human manually proves otherwise. And the number of humans needed to do that checking grows alongside the number of accounts - which keeps growing faster.

What Remains When the Occupant Leaves

Consider what it would mean for that assumption to invert. Not presence as default with absence as exception, but absence as a signal the system is architecturally equipped to detect, interpret, and act upon. In such an infrastructure, the question shifts from "is this identity still active?" to "what does this identity's sustained non-activity mean, and what should happen in response?"

Right now systems assume everyone is present unless told otherwise. Imagine flipping that - what if the system was built to notice when someone stops showing up, and could automatically figure out what that means and what to do about it?

The enterprise would still run 305 SaaS applications. Employees would still leave without notifying every platform they ever touched. Contractors would still finish projects and move on. Service accounts would still be created at 3 a.m. by engineers under deadline pressure who grant administrative privileges because the alternative is a permissions request that takes four days to process. But the infrastructure itself - at the protocol layer, not the governance layer - would observe the silence. Not as an absence of data, but as data. A recognizable pattern, carrying meaning, triggering architectural responses that do not depend on a human being remembering to check a dashboard that was never designed to surface what it cannot see.

Companies would still have hundreds of apps. Employees would still leave without logging out of everything. Contractors would disappear. Engineers would still create powerful system accounts at midnight when they're under pressure. None of that changes. But if the infrastructure itself could notice when an account goes silent - and treat that silence as meaningful information rather than nothing - it could act automatically, without waiting for a person to notice and check.

This is not a product. It is not a feature request for a SaaS management vendor. It is a missing primitive - a concept the protocol stack does not contain and therefore cannot implement, regardless of how many application-layer tools are built on top of it. The invoice arrives every month because the wiring assumes occupancy. The ghosts accumulate because the building has no concept of vacancy.

The internet's plumbing was built assuming everyone is always home. Nobody ever added a way for it to notice when someone leaves. So every tool built on top of that plumbing - no matter how smart - still can't fix the core problem: the pipes don't know the difference between an empty room and a full one. The bills keep coming because the building itself has no idea nobody's there.

The SaaS management industry itself now generates billions in annual revenue - platforms, consultants, analysts, all dedicated to the task of identifying and reclaiming what the architecture should never have provisioned in the first place. There is an irony in this that the market has not yet fully metabolized: the fastest-growing segment of SaaS spending is the segment dedicated to managing the waste produced by SaaS spending. The janitor has become a line item. The janitorial budget grows in proportion to the mess. The mess grows in proportion to the building's refusal to install a light switch.

A whole industry now exists just to clean up the mess that software billing creates. That industry is itself growing fast and costs a lot of money. The more waste the software industry produces, the more the cleanup industry grows. It's a cycle where the solution is funded by the problem it can't fully fix - because the real fix would require changing the foundation, not hiring more cleaners.

Somewhere in a license management dashboard, a seat is still scrollable. It belongs to someone who left the building two years ago. The seat has been billed every month since. It carries the permissions it was granted at provisioning. It has not been audited, because the audit cycle runs annually and the seat does not surface as anomalous. It is not anomalous. It is normal. It is exactly what the architecture was designed to produce. Scroll past it and you will find another, and another, and another - each one a small, perfectly ordinary charge on an invoice that nobody chose to pay, for a presence that ended quietly, in a system that has no way to hear the silence. The question is not what the ghost rent costs. The question is what it means to build an economy on infrastructure that cannot tell whether anyone is home.

Right now, somewhere in a software dashboard, there's an account for someone who quit two years ago. It's been billed every month. It still has the same access it was given on day one. It won't get flagged because it doesn't look unusual - this is just what the system normally produces. Multiply that by hundreds of apps and thousands of former employees, and the real question isn't just how much it costs. It's what it says about us that we built an entire digital economy on infrastructure that has no way of knowing whether anyone is actually there.