
How Many Unmanaged Identities Does the Average Company Have?


Short answer: more than you think—and no, there isn’t a single, trustworthy “industry number.” The only number that matters is yours. Waldo Security gives you that truth fast: we discover every SaaS app, tenant, account, and OAuth connection in minutes, flag SSO/MFA gaps and risky tokens, and export audit-ready evidence so you can track unmanaged identities down to the last guest user or PAT. Start with Instant SaaS Discovery and keep the receipts in our SaaS Compliance Overview.


Why there’s no single “average” (and why that’s dangerous)

  • Portfolios vary wildly. Depending on who you sample, companies run ~101 apps (Okta) or ~106 apps (BetterCloud). Some SaaS-heavy enterprises see ~275 apps (Zylo). That spread alone makes any single “unmanaged identity average” unreliable. (Okta, BetterCloud, Zylo)

  • Attackers love the gap. In Verizon’s 2025 DBIR, stolen credentials dominate basic web-app breaches—so every account outside SSO/MFA is low-hanging fruit. (Verizon)

  • Shadow AI adds new identities. The average org now uses ~9.6 genAI apps (and the top quartile uses 24+), often via personal accounts or browser add-ons. (Netskope)

Takeaway: your unmanaged-identity count is an output of your actual app footprint, guest usage, OAuth consents, and token hygiene—not a global benchmark.


What counts as an “unmanaged identity” (use this checklist)

  • Local/SaaS-native accounts that aren’t tied to your IdP (password logins to apps you think are SSO-only).

  • External guests with lasting access (contractors, partners) and no current owner.

  • Personal accounts used for work (e.g., Zoom/Dropbox/GitHub with consumer emails).

  • Orphaned users left behind by incomplete offboarding.

  • Service accounts / PATs / API keys that bypass SSO entirely.

  • OAuth grants with offline_access (refresh tokens) that keep access alive after password changes—Microsoft explicitly documents how user consent and token persistence work, and why you should restrict end-user consent. (Microsoft Learn)


A defensible way to measure your unmanaged identities (in one afternoon)

  1. Build a ground-truth inventory: correlate IdP sign-ins, email/collab logs, DNS/proxy, browser extensions, and expense data into one list of apps/tenants/accounts. (Yes, multi-signal discovery is table stakes before posture.) (BetterCloud)

  2. Classify identities per app

    • Managed: authenticated via SSO/MFA, in your IdP groups.

    • Unmanaged: local logins, consumer domains, external guests without owners, or users present in the app but not in the IdP.

    • Token-only: PATs, app tokens, or OAuth grants (especially with offline_access).

  3. Confirm persistence: for Microsoft 365/Google Workspace and top suites, export OAuth grants and highlight scopes like *.ReadWrite.All plus offline_access. Microsoft provides playbooks for investigating consent attacks and restricting user consent. (Microsoft Learn)

  4. Count what matters: report three numbers:

    • Unmanaged users (per app and total)

    • External guests with elevated roles

    • Persistent grants/tokens tied to users who changed roles or left

With Waldo, this roll-up is automatic; you’ll see unmanaged users, guest sprawl, and persistent OAuth in one view—across Okta/Entra, Google, Slack, GitHub, Atlassian, and more.
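Here is what steps 1 through 4 look like as a script, added as an example for this post; it is not Waldo Security's code and not any vendor's export format. The IdP list, per-app account exports, OAuth grants and PAT are constructed inline, and the field names ("auth", "guest", "owner", "scopes", "kind") and the set of "elevated" roles are assumptions. Each app account is classified as managed or unmanaged with a reason, each grant is checked for offline_access (persistence) and *.ReadWrite.All (tenant-wide write), and the roll-up returns the three numbers step 4 asks for.

```python
"""Identity roll-up for steps 1-4 above (added example; not Waldo Security's code).
All records are constructed stand-ins for the inventory exports; the field names
are assumptions, not a vendor schema."""
from collections import Counter
from fnmatch import fnmatchcase

COMPANY_DOMAINS = {"example.com"}               # constructed
ELEVATED_ROLES = {"admin", "owner", "export"}   # assumed elevated app roles
PERSISTENT_SCOPE = "offline_access"             # grants that outlive a password change
WRITE_ALL_PATTERN = "*.ReadWrite.All"           # tenant-wide write scopes to highlight

# Constructed IdP export: lifecycle status plus a flag for a recent role change.
IDP_USERS = {
    "ana@example.com": {"status": "active", "role_changed": False},
    "bo@example.com": {"status": "active", "role_changed": True},
    "cy@example.com": {"status": "deprovisioned", "role_changed": False},
}

# Constructed per-app account exports: who is in each app and how they sign in.
APP_ACCOUNTS = [
    {"app": "github", "email": "ana@example.com", "auth": "sso", "role": "member"},
    {"app": "github", "email": "cy@example.com", "auth": "password", "role": "member"},  # left the company
    {"app": "github", "email": "dee@gmail.com", "auth": "password", "role": "admin"},    # consumer email
    {"app": "slack", "email": "ana@example.com", "auth": "password", "role": "member"},  # SSO bypass
    {"app": "slack", "email": "pat@partner.io", "auth": "password", "role": "admin",
     "guest": True, "owner": None},                                                      # ownerless guest
    {"app": "slack", "email": "bo@example.com", "auth": "sso", "role": "member"},
    {"app": "zoom", "email": "eve@example.com", "auth": "sso", "role": "member"},        # not in IdP at all
]

# Constructed OAuth grants and one PAT ("kind": "pat").
GRANTS = [
    {"app": "m365", "email": "ana@example.com", "scopes": ["Mail.Read"]},
    {"app": "m365", "email": "bo@example.com", "scopes": ["Files.ReadWrite.All", "offline_access"]},
    {"app": "m365", "email": "cy@example.com", "scopes": ["User.Read", "offline_access"]},
    {"app": "github", "email": "ana@example.com", "scopes": ["repo"], "kind": "pat"},
]


def classify_account(acct):
    """Step 2: return ('managed' | 'unmanaged', reason) for one app account."""
    email = acct["email"].lower()
    domain = email.rsplit("@", 1)[-1]
    if acct.get("guest"):
        if acct.get("owner"):
            return "managed", "external guest with an internal owner"
        return "unmanaged", "external guest without an owner"
    if domain not in COMPANY_DOMAINS:
        return "unmanaged", "personal or external email domain"
    idp = IDP_USERS.get(email)
    if idp is None:
        return "unmanaged", "present in app but absent from IdP"
    if idp["status"] != "active":
        return "unmanaged", "orphaned: deprovisioned in IdP"
    if acct["auth"] != "sso":
        return "unmanaged", "local password login bypassing SSO"
    return "managed", "SSO via IdP"


def is_persistent(grant):
    """Step 3: PATs and grants carrying offline_access keep working after a password reset."""
    return grant.get("kind") == "pat" or PERSISTENT_SCOPE in grant["scopes"]


def has_write_all(grant):
    """Highlight tenant-wide write scopes such as Files.ReadWrite.All."""
    return any(fnmatchcase(s, WRITE_ALL_PATTERN) for s in grant["scopes"])


def owner_changed_or_left(email):
    """True when the grant's user is gone, deprovisioned, or recently changed role."""
    idp = IDP_USERS.get(email.lower())
    return idp is None or idp["status"] != "active" or idp["role_changed"]


def roll_up(accounts=APP_ACCOUNTS, grants=GRANTS):
    """Step 4: the three numbers to report, plus per-account reasons for the evidence file."""
    unmanaged_by_app = Counter()
    findings = []
    for acct in accounts:
        verdict, why = classify_account(acct)
        if verdict == "unmanaged":
            unmanaged_by_app[acct["app"]] += 1
            findings.append((acct["app"], acct["email"], why))
    elevated_guests = [a for a in accounts if a.get("guest") and a["role"] in ELEVATED_ROLES]
    stale_persistent = [g for g in grants if is_persistent(g) and owner_changed_or_left(g["email"])]
    return {
        "unmanaged_by_app": dict(unmanaged_by_app),
        "unmanaged_total": sum(unmanaged_by_app.values()),
        "elevated_guests": len(elevated_guests),
        "stale_persistent_grants": len(stale_persistent),
        "write_all_grants": sum(1 for g in grants if has_write_all(g)),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in roll_up().items():
        print(f"{key}: {value}")
```

On the constructed data the roll-up reports five unmanaged accounts (two in GitHub, two in Slack, one in Zoom), one external guest holding an elevated role, and two persistent grants tied to people who left or changed roles; the ownerless guest is flagged before the auth-method check runs, so a guest who happens to sign in via SSO is still counted until someone owns them.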

“But give me a ballpark…”

You’ll see wide ranges, but two realities anchor the discussion:

  • With ~100–275 apps in play, even a small % of non-SSO logins per app multiplies quickly. Ten apps with just 20 non-SSO users each = 200 unmanaged accounts—and that’s before guests, PATs, or OAuth persistence. (Okta, BetterCloud, Zylo)

  • Orphaned access is common wherever offboarding isn’t automated; industry guidance and incident playbooks keep calling it out because credential abuse remains the #1 web-app problem. (Verizon)

So, while there’s no universal “average,” most mid-sized estates discover triple-digit unmanaged identities on the first full pass—then drive it down with SSO enforcement, consent guardrails, and token cleanup.


How to drive the number down (fast)

  1. Make SSO real: enforce SSO/MFA for high-risk apps first (customer data, HR/finance, code). Alert on password logins to “SSO-only” apps. DBIR shows this closes the most abused path. (Verizon)

  2. Lock down consent: in Microsoft Entra, limit end-user consent to verified publishers and low-risk scopes; require admin approval for tenant-wide/write scopes. (This removes a huge SSO bypass and kills many unmanaged identities at the root.) (Microsoft Learn)

  3. Clean up persistence: find and remove unused refresh tokens and delete risky OAuth grants; rotate PATs and app keys on schedule.

  4. Tame guests: time-box guest roles; expire external access by default; assign an internal owner to each external identity.

  5. See shadow AI as identities: baseline genAI usage, allowlist by verified publisher, and tie usage back to enterprise identities. Netskope’s numbers explain why—usage is already widespread. (Netskope)
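The alert in step 1 (“password logins to SSO-only apps”) is simple to build once sign-in events are in one place. The script below is an added example, not Waldo Security's code: the events are constructed JSON Lines, and the field names, the SSO_ONLY_APPS policy and the list of federated method names are assumptions rather than any vendor's log schema. It skips malformed lines instead of aborting the sweep, ignores federated sign-ins, and collapses repeat offenders into one alert per app and user so the output is a work list rather than a flood.

```python
"""Alert on password logins to "SSO-only" apps (added example; not Waldo Security's code).
Events are constructed JSON Lines; field names and policy sets are assumptions."""
import json

SSO_ONLY_APPS = {"github", "slack"}          # assumed policy: these apps must federate to the IdP
FEDERATED_METHODS = {"saml", "oidc", "sso"}  # anything else is a local credential

# Constructed sample events, including one malformed line the parser must survive.
SAMPLE_LOG = """\
{"ts": "2025-09-01T08:01:12Z", "app": "github", "user": "ana@example.com", "method": "saml", "ip": "203.0.113.10"}
{"ts": "2025-09-01T08:03:45Z", "app": "github", "user": "cy@example.com", "method": "password", "ip": "198.51.100.7"}
{"ts": "2025-09-01T08:05:00Z", "app": "slack", "user": "pat@partner.io", "method": "password", "ip": "198.51.100.9"}
{"ts": "2025-09-01T08:06:30Z", "app": "zoom", "user": "eve@example.com", "method": "password", "ip": "203.0.113.11"}
{"ts": "2025-09-01T08:07:02Z", "app": "slack", "user": "bo@example.com", "method": "oidc", "ip": "203.0.113.12"}
{"ts": "2025-09-01T08:09:40Z", "app": "github", "user": "cy@example.com", "method": "password", "ip": "198.51.100.7"}
this line is not JSON and should be skipped
"""


def parse_events(text):
    """Yield one dict per well-formed JSON line; malformed lines are skipped, not fatal."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def is_sso_bypass(event, sso_only=SSO_ONLY_APPS):
    """A local-credential sign-in to an app that policy says must go through the IdP."""
    method = str(event.get("method", "")).lower()
    return event.get("app") in sso_only and method not in FEDERATED_METHODS


def find_sso_bypasses(text, sso_only=SSO_ONLY_APPS):
    """One alert per (app, user): offending sign-in count, first/last timestamps, methods seen."""
    seen = {}
    for ev in parse_events(text):
        if not is_sso_bypass(ev, sso_only):
            continue
        user = str(ev.get("user", "")).lower()
        key = (ev["app"], user)
        entry = seen.setdefault(key, {"app": ev["app"], "user": user, "count": 0,
                                      "first_seen": ev["ts"], "last_seen": ev["ts"], "methods": set()})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ev["ts"])  # ISO-8601 Zulu strings sort correctly
        entry["last_seen"] = max(entry["last_seen"], ev["ts"])
        entry["methods"].add(str(ev.get("method")))
    # Most repeated bypass first, then a stable order for the rest.
    return sorted(seen.values(), key=lambda e: (-e["count"], e["app"], e["user"]))


if __name__ == "__main__":
    for alert in find_sso_bypasses(SAMPLE_LOG):
        print(f'{alert["app"]}: {alert["user"]} used {sorted(alert["methods"])} '
              f'{alert["count"]}x between {alert["first_seen"]} and {alert["last_seen"]}')
```

On the sample, GitHub and Slack produce two alerts (the departed user's repeated password login to GitHub ranks first, the partner guest's Slack login second) while the Zoom password login is left alone because Zoom is not in the SSO-only set. Feeding the same function the unmanaged accounts from the earlier roll-up turns a one-off measurement into a recurring control.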


KPIs that prove you’re winning

  • Unknown → Known: % of SaaS users mapped to IdP identities

  • SSO coverage: % of high-risk apps enforcing SSO/MFA

  • Unmanaged user count: total and by app (trend down monthly)

  • Persistent grants/tokens: count with offline_access or long-lived PATs (trend down)

  • Guest hygiene: external accounts with admin/export roles; % time-boxed


Bottom line

Asking “What’s the average?” is the wrong starting point. Your unmanaged identities depend on your app mix, consent settings, guest practices, and token hygiene. Get the truth map, shrink the blast radius, and keep proof up to date. Waldo makes it routine instead of heroic: begin with Instant SaaS Discovery and operationalize clean evidence via the SaaS Compliance Overview.



 
 
 
