Finding 30 active accounts from people who left three to six months ago is not a fringe scenario for a 300-person company — it is what happens when offboarding depends on a manager mentioning it in passing or a quarterly review that nobody prioritizes. By the time the account is caught, it has been sitting live long enough to show up as a SOC 2 finding.
The common response to that finding is to evaluate a full IGA platform. The common blocker is the cost and implementation complexity of enterprise tools built for organizations ten times the size. Here is what actually works in the middle ground — how mid-market teams are finding and closing the orphan account gap without a six-figure deployment.
Why the Standard Workarounds Don't Work
The three approaches — monthly HR termination reports, quarterly app owner reviews, and login activity reports from larger SaaS apps — all fail for the same reason: they are reactive, delayed, and have coverage gaps that compound each other.
Monthly termination reports that run 2-3 weeks behind mean every departure creates, at minimum, a two to three week window where access is live and unreviewed, and a departure that just misses one report waits for the next monthly run on top of that lag, so the window stretches to roughly seven weeks at the far end. For a company processing ten terminations a month, that keeps on the order of a dozen departed users in the exposure window at any given time, and because each of them holds accounts in several applications, the number of live orphan accounts is a multiple of that headcount.
Quarterly app owner reviews that nobody responds to until chased produce the right outcome — someone eventually confirms whether access is still appropriate — but with a 30 to 90 day lag depending on when in the cycle the departure occurred. The accounts that show up in those reviews as orphaned have been active for months.
Login activity reports from apps that support good reporting cover roughly 60% of a typical mid-market SaaS stack. The other 40% — smaller tools, legacy on-prem systems, applications without good native reporting — have no visibility at all. Orphan accounts in those applications are effectively invisible until someone looks directly.
The root-cause diagnosis is correct: the HR-to-IT disconnect is where this breaks. If IT learns that someone left only when their manager mentions it, or when a quarterly review happens to surface the account, no downstream process improvement closes the gap. The fix starts upstream.
Step One: Fix the HR-to-IT Signal Before Anything Else
Every practical solution starts here. Whether it is a daily export from the HR system, a webhook integration, or a simple scheduled API call that bounces the HR roster against the directory — some form of timely termination signal is the prerequisite for everything else.
Webhook or real-time API integration is the cleanest option. When HR marks a user as terminated, the event pushes immediately to your identity or provisioning system and triggers deprovisioning. No lag, no batch window. Treat the receiving endpoint as a privileged input: verify the event's signature or shared secret and accept events only from the HR system, since an unauthenticated endpoint would let a forged termination event disable a legitimate account.
Daily scheduled report or file drop works for HR systems that do not support real-time webhooks. A daily HR roster dropped to a file share or S3 bucket, compared against directory accounts, surfaces any mismatch within 24 hours rather than weeks. Simple scripting or a lightweight automation tool handles the comparison and flags accounts that need action. The drop location holds HR data about every employee, so restrict it to the identity the comparison job runs as and nothing else.
Okta with HR integration enabled is an option for organizations already using Okta for SSO. With the lifecycle management add-on and an HR system integration configured, Okta can deactivate the user automatically when the HR system records a departure, which handles the SSO-federated application layer cleanly. The gap that remains is the roughly 40% of applications that do not federate to Okta: those still require either an explicit integration or a separate process.
One framing auditors use is worth noting: if SSO-connected applications deprovision when the Okta account is disabled, those applications are handled at the SSO level, and the orphan risk there is mostly a cleanup issue rather than an active access risk. That holds only where the application cannot be reached any other way. An application that still accepts a local password, a long-lived API token or a session issued before the disable keeps a residual access path even though it sits behind SSO, so check for those paths before treating a federated app as closed. Beyond that, the real exposure is the applications outside SSO coverage. That is where the visibility gap actually lives.
Step Two: Surface the Accounts You Cannot See
Even with a better termination signal going forward, the accounts that have been sitting active for months need to be found. For a 300-person company with 20+ applications and 40% having poor native reporting, that discovery process is not trivial.
Cross-reference HR roster against directory and app user lists. Pull a full list of active users from your HR system. Pull active accounts from every application you have access to administer. Compare them. Any active application account whose owner does not appear in the current HR active roster is a candidate for orphan status. This is tedious to do manually across 20+ applications but scriptable — and if you have never done it, the first run will almost certainly surface accounts you did not expect.
Use SSO audit logs as a proxy for coverage. Your SSO logs show which applications employees are authenticating to. Any application that does not appear in SSO logs at all — meaning users access it directly rather than through SSO — is an application with no automatic deprovisioning when SSO access is removed. Those applications are your highest-risk orphan account candidates and your highest-priority integration targets.
Discovery platforms that aggregate across sources. Tools that pull from SSO logs, financial transaction data, and endpoint agents build a map of actual application usage that extends beyond what SSO covers. When that map is compared against the HR active roster, orphaned accounts surface automatically — including in the applications that lack good native reporting. This is the capability gap that drives organizations toward a dedicated discovery or IGA layer even when they are not ready for full enterprise IGA.
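To make the daily roster comparison from Step One and the cross-referencing above concrete, here is an added example (not code from the original article or from any vendor) that reconciles a constructed HR export against constructed per-application account exports and then checks a constructed SSO log for inventoried applications that never appear as SSO targets. Every input is made up for illustration: the addresses, the application names and the simplified JSON-lines event shape, which is not any particular identity provider's format. A real run would read the HR export, each application's admin export and the identity provider's log export in their own formats. The same `find_orphans` comparison, scheduled daily, is also the continuous monitoring described in Step Three: a new finding for a user marked inactive in HR is the alert.

```python
"""Reconcile an HR roster against per-application account exports and check
which inventoried applications never appear in SSO logs.
Added example; every input below is constructed for illustration."""
import json
from datetime import date

# Constructed HR export: one row per worker. Real exports carry many more
# columns; only these three matter for the comparison.
HR_ROSTER = [
    {"email": "ana.ruiz@example.com", "status": "active",     "terminated_on": None},
    {"email": "bo.lind@example.com",  "status": "terminated", "terminated_on": "2024-01-15"},
    {"email": "cy.osei@example.com",  "status": "terminated", "terminated_on": "2024-03-02"},
    {"email": "dee.park@example.com", "status": "active",     "terminated_on": None},
]

# Constructed per-application account exports. One export has mixed-case
# addresses and one contains a service account that HR knows nothing about.
APP_ACCOUNTS = {
    "Slack":     ["ana.ruiz@example.com", "Bo.Lind@example.com", "dee.park@example.com"],
    "Jira":      ["ana.ruiz@example.com", "cy.osei@example.com", "svc-jira-bot@example.com"],
    "LegacyCRM": ["bo.lind@example.com", "cy.osei@example.com", "dee.park@example.com"],
}

# Constructed application inventory (what finance knows was bought) and a few
# SSO audit events in a simplified JSON-lines shape that is also constructed;
# a real IdP export uses its own field names.
APP_INVENTORY = {"Slack", "Jira", "LegacyCRM"}
SSO_LOG_LINES = [
    '{"ts": "2024-05-01T09:12:03Z", "event": "sso.auth", "user": "ana.ruiz@example.com", "app": "Slack"}',
    '{"ts": "2024-05-01T09:14:41Z", "event": "sso.auth", "user": "dee.park@example.com", "app": "Jira"}',
    '{"ts": "2024-05-01T09:20:00Z", "event": "user.login", "user": "dee.park@example.com", "app": null}',
]


def normalize(email):
    """Exports disagree on case and whitespace; compare on a canonical form."""
    return email.strip().lower()


def find_orphans(hr_roster, app_accounts, as_of):
    """One finding per (application, account) whose owner is terminated in HR or
    absent from HR altogether. Oldest terminations sort first; unmatched accounts
    (contractors, shared mailboxes, service accounts) last, with exposure None."""
    active, terminated = set(), {}
    for row in hr_roster:
        email = normalize(row["email"])
        if row["status"] == "active":
            active.add(email)
        else:
            terminated[email] = date.fromisoformat(row["terminated_on"])
    findings = []
    for app, accounts in app_accounts.items():
        for raw in accounts:
            email = normalize(raw)
            if email in active:
                continue
            if email in terminated:
                findings.append({"app": app, "account": email, "reason": "terminated_in_hr",
                                 "exposure_days": (as_of - terminated[email]).days})
            else:
                findings.append({"app": app, "account": email, "reason": "not_in_hr",
                                 "exposure_days": None})
    findings.sort(key=lambda f: (f["exposure_days"] is None, -(f["exposure_days"] or 0), f["app"]))
    return findings


def apps_outside_sso(inventory, sso_log_lines):
    """Inventoried applications that never appear as an SSO target: users reach
    them by direct login, so disabling the SSO account does nothing for them."""
    seen = set()
    for line in sso_log_lines:
        event = json.loads(line)
        if event["event"] == "sso.auth" and event.get("app"):
            seen.add(event["app"])
    return sorted(inventory - seen)


def orphan_report(as_of_iso="2024-05-01"):
    """Daily job entry point over the constructed data; each finding is an alert."""
    return find_orphans(HR_ROSTER, APP_ACCOUNTS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for finding in orphan_report():
        print(finding)
    print("outside SSO coverage:", apps_outside_sso(APP_INVENTORY, SSO_LOG_LINES))
```

Two design points carry over to a real run. The `not_in_hr` bucket is kept rather than filtered out: an account HR has never heard of is either a service account that belongs on an explicit allowlist or an orphan with no owner at all, and both deserve a look. And the sort puts the oldest terminations first so that, on a first run that turns up dozens of findings, the accounts that have been live longest get the first attention.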
Step Three: Automate Cleanup and Stop the Accumulation
Finding existing orphan accounts is a one-time remediation exercise. The structural fix is stopping the accumulation going forward.
Automated offboarding triggered by HR events. When a termination is recorded in the HR system, an automated workflow revokes access systematically across connected applications. For SSO-federated apps, disabling the SSO account blocks further logins; where the identity provider also provisions the app (SCIM or equivalent), the same disable deactivates the application account itself, and where it does not, the account inside the app still has to be removed separately. For non-SSO apps with APIs, direct deprovisioning calls handle it. For apps without APIs, a manually assigned task, routed to the right person and tracked to completion, ensures the step happens even if it cannot be automated.
Continuous monitoring for undeprovisioned accounts. Rather than relying on quarterly reviews to catch what offboarding missed, continuous comparison of active application accounts against the current HR roster flags mismatches automatically. When an active account is detected for a user who is marked inactive in HR, an alert fires immediately rather than waiting for the next review cycle.
Tightening SSO coverage. Every application that moves from direct login to SSO authentication loses its independent login path the moment the SSO account is disabled, and gains automatic account deactivation as well once provisioning is connected. Enforce SSO when you make the move: an application that keeps local passwords alongside SSO has not actually closed the gap. For a mid-market company, expanding SSO coverage to include more of the application stack is often the highest-leverage security improvement available without purchasing additional tooling.
Producing SOC 2 Audit Evidence for Timely Deprovisioning
The specific audit finding, inability to prove timely deprovisioning, requires evidence that is structured, timestamped, and covers the full application stack. The common failure mode is that the evidence exists in different places across different systems and cannot be assembled into a coherent audit trail in the time an auditor expects. What auditors look for comes down to three properties.
Timely action. Evidence that access was revoked within a defined window after termination — typically within 24 hours for systems with automation, or within the SLA defined in your access management policy for manual steps.
Complete coverage. Evidence that deprovisioning covered all relevant systems, not just the applications that have good native reporting. If 40% of your applications have poor reporting, that 40% is where the audit finding lives.
Documented process. Evidence that the process for detecting and acting on terminations is defined, repeatable, and not dependent on a manager happening to mention it.
The practical approach for organizations building this capability for the first time: document the process first, even if it is partially manual. A defined process with documented execution — IT ticketing system records showing when a termination was received, what actions were taken, and when they were completed — is auditable evidence even if it is not fully automated. It is substantially better than the status quo of no documented process and a spreadsheet.
As automation is added, the evidence trail shifts from manual tickets to system-generated logs. Automated access review campaigns that produce timestamped, structured reports of who was reviewed, what actions were taken, and when — covering the full application stack — give auditors exactly what they are asking for.
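As an added example (not the article's or any vendor's code), here is what the HR-triggered workflow from Step Three looks like when every action writes the evidence record this section asks for: which system, what was done, when, and against which SLA deadline. The application inventory, the per-app integration modes, the SLA hours and the stub functions standing in for the identity provider, application APIs and ticketing system are all constructed; the point is the shape of the evidence and the two checks, coverage and timeliness, that an auditor applies to whatever ticket or log export you hand over.

```python
"""Drive offboarding from an HR termination and emit an auditable evidence trail.
Added example; inventory, SLA hours, timestamps and API stubs are all constructed."""
from datetime import datetime, timedelta, timezone

# Constructed application inventory. `mode` records how each app is reached:
#   sso_scim  federated with SCIM provisioning: the IdP disable deactivates it
#   sso_only  federated for login only: IdP disable blocks logins, app account remains
#   api       not federated, but exposes an admin API we can call directly
#   manual    no federation and no API: a tracked task for a human
APPS = {
    "Slack":     {"mode": "sso_scim"},
    "Zendesk":   {"mode": "sso_only"},
    "LegacyCRM": {"mode": "api"},
    "Payroll":   {"mode": "manual"},
}
SLA_HOURS = {"automated": 24, "manual": 72}  # from the (constructed) access policy


def offboard(user, apps, terminated_at, idp_disable, api_deprovision, open_ticket):
    """Run the workflow for one termination and return one evidence record per
    action. The three callables are injected so this runs offline; in production
    they would call the identity provider, the app APIs and the ticketing system."""
    evidence = []
    auto_due = terminated_at + timedelta(hours=SLA_HOURS["automated"])
    manual_due = terminated_at + timedelta(hours=SLA_HOURS["manual"])

    def record(system, action, outcome, at, due_by):
        evidence.append({"user": user, "system": system, "action": action,
                         "outcome": outcome, "terminated_at": terminated_at.isoformat(),
                         "at": at.isoformat() if at else None, "due_by": due_by.isoformat()})

    # A single IdP disable covers login for every federated application.
    at = idp_disable(user)
    record("IdP", "disable_account", "done", at, auto_due)

    for name, app in apps.items():
        mode = app["mode"]
        if mode == "sso_scim":
            record(name, "deactivated_via_scim", "done", at, auto_due)
        elif mode == "sso_only":
            # Login is blocked, but the app-local account still exists and must
            # be removed separately, so it is logged as pending cleanup.
            record(name, "login_blocked_by_idp", "done", at, auto_due)
            record(name, "remove_local_account", "pending", None, manual_due)
        elif mode == "api":
            record(name, "api_deprovision", "done", api_deprovision(name, user), auto_due)
        elif mode == "manual":
            record(name, "manual_task_opened", "pending", open_ticket(name, user, manual_due), manual_due)
        else:
            raise ValueError(f"unknown integration mode for {name}: {mode}")
    return evidence


def audit(evidence, apps, now):
    """Apply the two checks an auditor applies: every inventoried system has an
    evidence record (coverage), and every action met its SLA (timeliness)."""
    covered = {e["system"] for e in evidence}
    missing = sorted(set(apps) - covered)
    late, overdue = [], []
    for e in evidence:
        due = datetime.fromisoformat(e["due_by"])
        if e["outcome"] == "done":
            if datetime.fromisoformat(e["at"]) > due:
                late.append((e["system"], e["action"]))
        elif now > due:
            overdue.append((e["system"], e["action"]))
    return {"missing_systems": missing, "late": late, "overdue": overdue,
            "passes": not (missing or late or overdue)}


def demo(hours_elapsed=48):
    """Constructed run: termination at 09:00 UTC, IdP disabled after 5 minutes,
    the LegacyCRM API call lands 30 hours later (past SLA), tickets opened at once."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    idp_disable = lambda user: t0 + timedelta(minutes=5)
    api_deprovision = lambda app, user: t0 + timedelta(hours=30)
    open_ticket = lambda app, user, due: t0 + timedelta(minutes=6)
    evidence = offboard("bo.lind@example.com", APPS, t0, idp_disable, api_deprovision, open_ticket)
    return evidence, audit(evidence, APPS, now=t0 + timedelta(hours=hours_elapsed))


if __name__ == "__main__":
    for rec in demo()[0]:
        print(rec)
    print(demo()[1])
```

The constructed run fails its own audit on purpose: the LegacyCRM call completes at 30 hours against a 24-hour SLA, and the SSO-only Zendesk account is left as a pending local cleanup that becomes overdue once the 72-hour manual SLA passes. Those are the two gaps the sections above describe, a non-SSO system acted on late and a federated app whose local account outlives the SSO disable, and the evidence trail makes both visible without anyone reading through SSO logs.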
The Middle Ground Between Manual and Six-Figure Enterprise IGA
The gap between "manual spreadsheet hell" and "SailPoint at six figures" is not actually empty. Mid-market IGA platforms — tools designed specifically for 100-500 person companies with SaaS-heavy stacks — exist in that middle ground at price points that reflect the scale.
What differentiates a mid-market IGA platform from a spreadsheet-and-script approach: discovery that covers the full application stack, including non-SSO and non-API applications, through multiple data sources rather than relying on each application's own reporting. Automated offboarding triggered by HR events rather than manual handoffs. Continuous monitoring that flags orphan accounts between review cycles rather than surfacing them quarterly. Access review automation that sends reminders, collects responses, and generates audit-ready reports without IT manually chasing every reviewer.
Zluri is built specifically for this — mid-market organizations with SaaS sprawl, limited identity engineering resources, and compliance requirements that demand structured evidence of timely deprovisioning. The implementation timeline is weeks, not months, and the licensing reflects the scale rather than enterprise pricing assumptions. Get a demo to see how it works for your environment.
FAQ
How do you find orphan accounts across SaaS apps without an IGA tool?
The most effective approach combines an HR roster comparison against active application accounts, SSO audit log analysis to identify applications outside SSO coverage, and discovery tools that aggregate usage data from multiple sources. The comparison surfaces accounts whose owners are no longer active in HR — those are your orphan candidates regardless of what the application's native reporting shows.
What is the fastest way to fix the HR-to-IT termination notification gap?
A daily automated HR export compared against your directory and application user lists reduces the notification lag from weeks to 24 hours without requiring complex integration. Real-time webhook integration with your HR system eliminates the lag entirely if your HR system supports it.
What evidence do SOC 2 auditors want for deprovisioning controls?
Auditors want timestamped evidence that access was revoked within a defined window after termination, covering all relevant systems, through a documented and repeatable process. This can come from IT ticketing system records for manual processes or system-generated audit logs for automated ones. The coverage gap — applications that are not included in the evidence — is typically where audit findings originate.
Is there an IGA solution for mid-market companies that is not as expensive as SailPoint?
Yes. Mid-market IGA platforms designed for 100-500 person companies exist at significantly lower price points than enterprise platforms like SailPoint or Saviynt, with faster implementation timelines and feature sets calibrated for SaaS-heavy environments rather than complex on-prem infrastructure.