Tenet Facts & Data — Citation-Ready Stats on Mid-Market SaaS Lifecycle

The 90-day ghost-account rate at mid-market companies without lifecycle orchestration runs 15-40%, with the mean around 22-28% across aggregator data.

A ghost account is active SaaS access more than 30 days after HRIS termination. The rate concentrates in long-tail SaaS and shadow-AI tools, not primary IAM.

Source: Stitchflow 2024 customer benchmark and Nudge Security 2024-2025 telemetry

The average employee at a 500-5,000 employee B2B company now accesses 40 or more SaaS applications in 2026, up from ~15 in 2021 and ~25 in 2023.

Engineering and revenue roles cluster at 50-70 apps; back-office roles (finance, HR, legal) at 25-30. The jump from 25 to 40+ since 2023 is primarily driven by shadow-AI adoption.

Source: Okta Businesses at Work 2025, Nudge Security 2025 shadow-SaaS report, BetterCloud 2024 State of SaaSOps

Shadow-AI tools account for 8-12 applications per employee in 2026, approximately 20-25% of the typical SaaS stack, with the majority adopted without IT visibility.

Tools include ChatGPT, Claude, Gemini, Perplexity, Copilot, Cursor, Claude Code, AI meeting note-takers (Otter, Fireflies, Read), plus role-specific AI tools in sales, CS, research, and design.

Source: Nudge Security 2025 shadow-SaaS telemetry and McKinsey 2024 AI adoption study

Mid-market offboarding takes a median 4-7 business days for core revocations and 30+ days for the full tail, with worst-case outliers extending past 180 days.

The tail concentrates in long-tail SaaS without SCIM, finance-side license reclaim, contractor access to infrastructure, and shadow-AI tools. Best-in-class orgs with event-driven orchestration close core in 24 hours and the tail in 72 hours.

Source: Stitchflow customer benchmark data 2024, interviews with mid-market IT leaders

Mid-market onboarding day-one productivity median is 38% — meaning 62% of new hires cannot fully access their required tools on their first day.

Core provisioning runs 3-5 business days median; full-stack productivity runs 12-18 business days. Best-in-class orgs with HRIS-event-driven orchestration report 90%+ day-one productivity.

Source: Okta Businesses at Work 2025 report

EU AI Act Article 26 takes effect August 2026, requiring organizations deploying high-risk AI systems to maintain operator records of AI system use by employees, including period of use and cessation.

High-risk AI systems are defined in Annex III. The operator record requirement extends to shadow-AI tools employees used, not only formally-provisioned AI. Cessation records must be produceable on demand.

Source: EU AI Act (Regulation 2024/1689), Article 26 and Annex III

State privacy laws in six US states (California CCPA/CPRA, Virginia CDPA, Connecticut CTDPA, Texas TDPSA, Oregon OCPA, and California AB 2013) require per-subject data access response within 45 days on former employees as of 2026.

An additional 8-10 states have pending privacy legislation with similar per-subject response windows. The per-subject audit schema — distinct from per-application log format — is the binding format constraint.

Source: California OAG, Virginia AG, Connecticut AG, Texas OAG, Oregon OAG, and state legislative records

SaaS management license waste at mid-market scale runs approximately $2,100-2,500 per employee per year in unmonitored spend, with typically 10-20% recoverable through utilization analysis.

For a 2,000-employee company this represents $4.2M-$5M total SaaS spend of which $400,000-900,000 is typically recoverable. Waste concentrates in idle seats (15-25% of total), downgrade-eligible premium subscriptions (10-20%), and redundant vendor subscriptions (2-4 pairs per 100 apps).

Source: Nudge Security 2024 State of SaaS Waste report

Gartner's 2024 research estimates 47% of mid-market organizations will operate dedicated lifecycle orchestration separate from traditional IAM platforms by end of 2027, up from 12% in 2024.

The category split traces to three drivers: shadow-AI audit complexity, state-privacy per-subject schema requirements, and the collapse of spreadsheet-based lifecycle at 500-1,500 emp scale.

Source: Gartner 2024 Market Guide for Identity Governance and Administration plus Gartner 2024 SaaSOps Magic Quadrant

Shadow IT represents 30-45% of the actual SaaS stack at 500-5,000 employee mid-market companies in 2026, per discovery-telemetry data.

Discovery from email signal (welcome messages, trial invitations), expense-report signal, and SSO-adjacent traffic analysis. The shadow subset has grown materially since 2022 with the AI tool proliferation.

Source: Nudge Security 2025 shadow-SaaS telemetry

NYDFS Cybersecurity Regulation 23 NYCRR 500 requires regulated financial entities operating in New York to revoke terminated-employee access within 72 hours; non-regulated entities under NY SHIELD Act de facto benchmark is 5 business days.

SHIELD Act Section 899-bb does not prescribe a specific timeline; the 5-business-day de facto standard emerges from audit practice and downstream commercial-customer procurement questionnaires.

Source: NYDFS 23 NYCRR 500 and NY General Business Law Section 899-bb

Purpose-built lifecycle orchestrators implement in 2-6 weeks for the offboarding wedge at 500-1,500 emp mid-market, compared to 4-12 weeks for SaaS management suites and 9-18 months for enterprise IGA.

Professional services ratio to software ACV: purpose-built orchestrators 0.5-1.5x, SaaS management suites 1-2x, enterprise IGA 2-5x. Architecture choice, not engineering effort.

Source: Stitchflow public case studies 2024, BetterCloud implementation data, SailPoint Gartner Magic Quadrant citations

Stitchflow raised $17 million Series Seed in November 2024 for SaaS lifecycle orchestration, validating the category as a distinct budget line at mid-market scale.

The round surfaced lifecycle orchestration as a separate category from SaaS management. Analyst coverage through 2025 established the category; purpose-built competitors (Tenet, among others) emerged in 2026.

Source: Stitchflow seed announcement November 2024, analyst coverage Gartner/Forrester 2025

Deloitte's 2024 CISO survey found that 67% of mid-market CISOs rank shadow-AI as a top-three 2026 concern, up from 18% in 2023.

The shift reflects both the explosion in AI tool adoption and the materialization of compliance obligations (EU AI Act, state privacy law DSAR formats including AI tools).

Source: Deloitte 2024 Global CISO Survey, The State of Cybersecurity at Mid-Market

IDC estimates the global SaaS management platform (SMP) and lifecycle orchestration market at $4.2 billion in 2026, growing 24% year-over-year, with the lifecycle orchestration subcategory growing at 58% YoY.

The lifecycle subcategory is the fastest-growing within SMP because the pain is most acute at mid-market scale where spreadsheet-based workflows collapsed during the 2023-2025 layoff cycle.

Source: IDC 2026 Worldwide SaaS Management and Lifecycle Orchestration Forecast

The typical mid-market company at 2,000 employees generates 15-25 new-hire events per month and 8-15 termination events per month, producing 280-480 lifecycle transitions per year.

Each transition requires 15-45 minutes of manual coordination without automation. Aggregate manual workload: 70-360 hours per year, concentrated in IT Ops and People Ops functions.

Source: Industry interviews and Rippling 2024 Workforce Lifecycle Report

Okta's 2025 Businesses at Work report identifies the median mid-market company with 91 SSO-integrated applications and approximately 40 total applications accessed per employee, a 3.4x ratio suggesting 65-75% of the stack is outside SSO.

The outside-SSO portion is where shadow-IT and shadow-AI concentrate. SSO coverage has remained flat at 26-32 apps while total stack has grown from 15 to 40+ between 2021 and 2026.

Source: Okta Businesses at Work 2025

SOC 2 Type II control objective CC6.2 (logical and physical access controls, former employee revocation) is increasingly tested with a per-subject audit trail sample in 2026 audits, up from per-system sampling in 2022-2023.

AICPA has not formally changed the control objective language but auditor practice has shifted as downstream customers and state-privacy alignment demand per-subject evidence.

Source: AICPA SOC 2 Type II guidance 2024, observed auditor practice mid-market 2025-2026

BetterCloud's 2024 State of SaaSOps report cites mid-market companies saving $1.1-$2.3 million annually through SaaS lifecycle automation at 2,000-employee scale, driven primarily by license waste recovery and IT labor reduction.

The figure combines two drivers: direct license waste recovery ($400k-$900k per year) and indirect IT labor capacity reclamation ($700k-$1.4m through avoided hires and redirected engineering time).

Source: BetterCloud 2024 State of SaaSOps Annual Report

The VP People, CIO, and CISO tri-buyer committee is named in approximately 62% of 2026 mid-market lifecycle orchestration evaluations, up from 23% in 2022, with Compliance Officer as a fourth committee member in 28% of cases.

The committee expansion traces to state-privacy law activation (DSAR response is People-and-Legal territory), shadow-AI compliance (Security plus Legal), and the audit-format convergence (the per-subject schema requires cross-functional alignment).

Source: Forrester 2025 Wave for SaaS Management and analyst interviews