
Every CISO has had this conversation: “We need to reduce cloud costs by 20% next quarter.” The CFO points to the eye-watering monthly AWS or Azure bill, and suddenly everyone’s scrambling to find orphaned instances and resize compute resources. But there’s a massive cost driver hiding in plain sight that most organizations miss entirely: over-provisioned identity access.
According to Gartner, companies are projected to waste $135 billion on unused cloud resources in 2024 alone—about 30% of global public cloud spend.[1] Combined with SaaS license waste, identity sprawl isn’t just a security risk—it’s a massive financial drain that demands immediate attention. Here’s how to turn identity security into a cost optimization engine and make the CFO your biggest advocate.
The True Cost of Identity Sprawl
Here’s what typically happens: A developer needs access to an S3 bucket for a project. Instead of granting specific, limited permissions, someone assigns them PowerUser or even AdministratorAccess “just to get things working.” The project ends, the developer moves to a different team, but those permissions remain. Multiply this by hundreds of users and thousands of resources, and you’ve created a perfect storm of unnecessary costs.
The financial impact manifests in several ways:
1. Unnecessary Resource Provisioning
When users have broad permissions, they spin up resources without constraints. Organizations routinely discover that developers with admin access have created high-cost GPU instances for testing, then forgotten about them. It’s not uncommon for organizations to discover $50,000 per month in unused resources—all provisioned by users who shouldn’t have had that level of access in the first place.
2. SaaS License Waste
Research from Zylo shows that companies wasted an average of $18 million on unused SaaS licenses in 2023—a 7% increase from the prior year.[2] For large enterprises, this figure can reach as high as $127 million annually.[2] Users accumulate premium licenses they don’t need: Salesforce Enterprise editions for users who only run reports, GitHub Enterprise seats for contractors who left months ago, or Snowflake Enterprise accounts for analysts who only need reader access.
- 78% of service accounts have no assigned owner
- 61% of organizations can’t see who has access to sensitive data in cloud platforms like AWS or Snowflake
- 72% of privileged identities have unused permissions
3. Shadow IT Proliferation
When users have unchecked purchasing power or admin rights, they bypass procurement to buy duplicate tools. Marketing has three different analytics platforms, engineering has redundant monitoring solutions, and sales has multiple CRM add-ons—all because over-privileged users could provision their own solutions. This shadow IT sprawl typically adds 20-30% to software spending.
4. Data Transfer and Storage Explosion
Over-privileged users often create redundant data copies across regions, accounts, and SaaS platforms. Without access boundaries, there’s no incentive to clean up. Consider a financial services firm discovering they’re paying $30,000 monthly for cross-region data transfers that serve no business purpose—all because users had unconstrained access to replicate data.
5. Premium Service Enablement
Users with excessive permissions inadvertently enable expensive services. AWS GuardDuty, advanced monitoring tiers, premium support levels, or enterprise SaaS features get activated across the entire environment when they’re only needed for specific use cases. These “accidental” activations can add thousands to monthly bills.
The Least Privilege Dividend
Here’s where identity security becomes a cost optimization strategy. By implementing least privilege access, organizations create natural spending boundaries that align with business needs.
Immediate Savings Through Access Boundaries
When permissions align with actual job requirements, cost savings follow automatically:
- Developers can only provision resources within defined parameters
- SaaS licenses automatically downgrade when premium features aren’t used
- Temporary access means that temporary resources actually get cleaned up
- Service activation requires deliberate approval, not accidental clicks
A typical retail company could reduce cloud and SaaS costs by 20% simply by implementing role-based access boundaries. They don’t have to change their architecture or reduce functionality—they just need to ensure people only get what they need for their actual job functions.
The SaaS Optimization Opportunity
Least privilege principles applied to SaaS create immediate wins:
- Automatically deprovision licenses when users change roles
- Right-size license tiers based on actual feature usage
- Eliminate duplicate accounts across business units
- Convert permanent licenses to just-in-time access for occasional users
Most companies struggle to even see who has access to SaaS applications, let alone right-size them. Veza’s State of Access Report found that only 12% of organizations can accurately report effective permissions across their top 5 SaaS systems. Without visibility, SaaS sprawl grows unchecked, resulting in wasted E5 licenses, abandoned Salesforce accounts, and zombie collaboration tools draining budget.
The urgency is growing. Latest data shows 52.7% of purchased licenses now go unused, costing organizations an average of $21 million each year.[3] Even mid-sized companies with around 600 employees waste approximately $1 million annually on idle licenses.[3] These aren’t just statistics—they represent budget that could fund critical security initiatives or innovation projects.
A large life sciences organization can potentially save over $1 million annually by implementing dynamic SaaS license management based on access intelligence. Premium Salesforce licenses can drop by half, Tableau Creator seats can convert to Viewer roles, and Microsoft E5 licenses can be right-sized where appropriate.
The Multiplier Effect
Least privilege creates a virtuous cycle:
- Reduced attack surface means lower security tool costs
- Fewer resources to monitor means lower observability expenses
- Cleaner environments reduce operational overhead
- Compliance becomes easier (and cheaper) to demonstrate
- Vendor negotiations improve with accurate usage data
Automation Opportunities
With proper identity governance, organizations can automate cost controls:
- Auto-terminate resources when access expires
- Dynamically adjust SaaS license tiers based on usage patterns
- Set spending limits tied to role definitions
- Create approval workflows for high-cost services
- Generate alerts when users approach permission boundaries
- Implement charge-back models based on actual access patterns
Making the CFO Your Identity Security Champion
It’s now feasible to transform your CFO from a budget adversary into your biggest supporter.
1. Speak Their Language
Don’t just lead with risk reduction—try leading with cost optimization. Present specific scenario data:
“Consider an organization with 50 users holding admin access who’ve collectively provisioned $73,000 in monthly resources outside approved architecture. Add 312 users with premium SaaS licenses unused for 90 days, costing $58,000 monthly. Implementing least privilege could reduce this by approximately $95,000 per month.”
“According to Veza’s access analysis, over 70% of privileged accounts aren’t actively used—yet they contribute to significant cloud resource consumption and license waste. Based on benchmarks from Veza’s customer base, implementing access controls and visibility tools can drive 15–25% in cloud/SaaS savings.”
2. Provide Quick Wins
Start with the lowest-hanging fruit:
- Identify and remove unused service accounts (instant savings)
- Revoke admin access from users who haven’t used it in 90 days
- Downgrade SaaS licenses based on feature usage
- Implement time-bound access for expensive resources
- Consolidate duplicate SaaS subscriptions under a single contract
A typical technology company might save $100,000 in its first month just by removing access from departed employees’ service accounts that are still running workloads and consuming licenses.
3. Create Visibility Dashboards
Build dashboards that show:
- Cost per identity/role across cloud and SaaS
- License utilization rates by platform
- Resources provisioned by permission level
- Spending trends correlated with access grants
- ROI from access restrictions
- Shadow IT discovery and consolidation opportunities
When the CFO can see the direct correlation between identity controls and cost savings, they become your advocate.
4. Propose a Shared Savings Model
Suggest that a portion of the cost savings from identity optimization be reinvested in security initiatives. This creates a self-funding model for your security program while demonstrating fiscal responsibility.
The Path Forward
With $135 billion in cloud waste[1] and average SaaS license waste reaching $21 million per organization,[3] the financial imperative is clear. Start by answering these questions:
- What percentage of users have admin or power user access?
- How many premium SaaS licenses are assigned to users who don’t use premium features?
- How many service accounts are actively provisioning resources?
- What’s the monthly spend on resources created by over-privileged users?
- How many duplicate SaaS subscriptions exist across departments?
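One way to answer these five questions, and at the same time produce the candidate lists for the quick wins above (unused service accounts, admin access idle for 90 days, license downgrades, duplicate subscriptions), is a stale-access review run over an access inventory export. The script below is an added example, not Veza's code or the post's own: the `Identity` fields, the inventory rows, the seat prices in `TIER_COST` and the category labels are all constructed, and the 90-day window is the one the post uses.

```python
"""Stale-access review over a constructed access inventory (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

STALE_DAYS = 90                                    # the 90-day window the post uses
PRIVILEGED = {"admin", "poweruser"}
TIER_COST = {"enterprise": 150.0, "viewer": 15.0}  # constructed per-seat monthly prices
DOWNGRADE_TO = "viewer"


@dataclass(frozen=True)
class Identity:
    """One row of a (constructed) access inventory export."""
    name: str
    kind: str                                   # "user" or "service"
    privilege: str                              # "admin", "poweruser" or "standard"
    department: str
    last_activity: Optional[date] = None        # last authenticated use; None = never
    owner: Optional[str] = None                 # service-account owner; None = orphaned
    active_workloads: int = 0                   # workloads currently running under this identity
    license_tier: Optional[str] = None          # SaaS seat tier, if any
    last_premium_feature_use: Optional[date] = None
    saas_app: Optional[str] = None
    saas_category: Optional[str] = None         # e.g. "crm", "analytics"
    monthly_resource_spend: float = 0.0         # cloud spend on resources this identity created


def is_stale(last: Optional[date], today: date, days: int = STALE_DAYS) -> bool:
    """True when the identity never did this, or last did it more than `days` ago."""
    return last is None or (today - last).days > days


def stale_privileged_users(inv: List[Identity], today: date) -> List[str]:
    """Quick win: users holding admin/power-user access they have not used in the window."""
    return [i.name for i in inv if i.kind == "user" and i.privilege in PRIVILEGED
            and is_stale(i.last_activity, today)]


def unused_service_accounts(inv: List[Identity], today: date) -> List[str]:
    """Quick win: service accounts with no activity in the window and nothing running."""
    return [i.name for i in inv if i.kind == "service" and i.active_workloads == 0
            and is_stale(i.last_activity, today)]


def license_downgrades(inv: List[Identity], today: date) -> Dict[str, float]:
    """Quick win: premium seats whose holders have not touched premium features.
    Maps identity name to the monthly saving from dropping the seat to DOWNGRADE_TO."""
    out = {}
    for i in inv:
        if i.license_tier and i.license_tier != DOWNGRADE_TO \
                and is_stale(i.last_premium_feature_use, today):
            out[i.name] = TIER_COST[i.license_tier] - TIER_COST[DOWNGRADE_TO]
    return out


def duplicate_subscriptions(inv: List[Identity]) -> Dict[str, List[str]]:
    """Quick win: product categories in which more than one product is subscribed."""
    apps = defaultdict(set)
    for i in inv:
        if i.saas_app and i.saas_category:
            apps[i.saas_category].add(i.saas_app)
    return {cat: sorted(a) for cat, a in apps.items() if len(a) > 1}


def metrics(inv: List[Identity], today: date) -> Dict[str, float]:
    """The five questions from the post, answered from the inventory."""
    users = [i for i in inv if i.kind == "user"]
    services = [i for i in inv if i.kind == "service"]
    stale = set(stale_privileged_users(inv, today))
    privileged_users = sum(i.privilege in PRIVILEGED for i in users)
    return {
        "pct_users_privileged": round(100.0 * privileged_users / (len(users) or 1), 1),
        "premium_licenses_unused": len(license_downgrades(inv, today)),
        "service_accounts_provisioning": sum(s.active_workloads > 0 for s in services),
        "spend_by_stale_privileged": sum(i.monthly_resource_spend for i in inv if i.name in stale),
        "duplicate_categories": len(duplicate_subscriptions(inv)),
        "unowned_service_accounts": sum(s.owner is None for s in services),
    }


TODAY = date(2024, 6, 30)
INVENTORY = [  # constructed sample rows
    Identity("alice", "user", "admin", "eng", last_activity=date(2024, 6, 20),
             license_tier="enterprise", last_premium_feature_use=date(2024, 6, 25),
             saas_app="salesforce", saas_category="crm", monthly_resource_spend=4200.0),
    Identity("bob", "user", "admin", "eng", last_activity=date(2024, 1, 5),
             license_tier="enterprise", saas_app="salesforce", saas_category="crm",
             monthly_resource_spend=9800.0),
    Identity("carol", "user", "standard", "marketing", last_activity=date(2024, 6, 29),
             license_tier="viewer", saas_app="analytics-a", saas_category="analytics"),
    Identity("dave", "user", "poweruser", "marketing",
             license_tier="enterprise", last_premium_feature_use=date(2024, 2, 1),
             saas_app="analytics-b", saas_category="analytics", monthly_resource_spend=3100.0),
    Identity("erin", "user", "standard", "sales", last_activity=date(2024, 6, 1),
             license_tier="enterprise", last_premium_feature_use=date(2024, 6, 2),
             saas_app="salesforce", saas_category="crm"),
    Identity("ci-deploy", "service", "admin", "eng", last_activity=date(2024, 6, 30),
             owner="eng-platform", active_workloads=3, monthly_resource_spend=12000.0),
    Identity("legacy-etl", "service", "poweruser", "finance", last_activity=date(2023, 12, 1)),
]

if __name__ == "__main__":
    print("stale privileged users:", stale_privileged_users(INVENTORY, TODAY))
    print("unused service accounts:", unused_service_accounts(INVENTORY, TODAY))
    print("license downgrades (monthly saving):", license_downgrades(INVENTORY, TODAY))
    print("duplicate subscriptions:", duplicate_subscriptions(INVENTORY))
    for key, value in metrics(INVENTORY, TODAY).items():
        print(f"{key}: {value}")
```

Two design points matter for a real run. A `None` last-use date is treated as stale, so a privilege or seat that was granted and never exercised is flagged rather than silently kept, which is the common case the post describes. And the spend attributed to stale privileged users is reported for review, not counted as a saving: revoking the grant stops new resources from being created under it, but the existing ones still have to be found and terminated.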
Organizations that don’t know these answers are likely leaving significant money on the table.
The beauty of connecting identity security to cost optimization is that it transforms security from a cost center to a value creator. When security leaders can walk into the CFO’s office and say, “Our identity security initiative will save millions this year across cloud and SaaS spending while reducing our risk,” they’ve changed the entire conversation.
In today’s economic climate, this approach isn’t just smart—it’s essential. The organizations that thrive will be those that recognize identity security can do more than minimize the impact of breaches; it’s about enabling efficient, cost-effective operations at scale.
Over-provisioned access isn’t just a security risk waiting to happen—it’s money bleeding from the organization every single day through inflated cloud bills and wasted software licenses. The question isn’t whether you can afford to implement least privilege. It’s whether you can afford not to.