How To Identify Seats That Haven’t Logged In For 90 Days
Before diving deeper, here’s what matters immediately. A zombie seat is a paid SaaS license with no login activity for 90 days or more. In most growing companies, 10–25% of licenses fall into this category. You can find them quickly by exporting last-login data from your admin dashboard and sorting by inactivity. The safest way to clean them up is to notify managers, suspend accounts first, and only remove licenses after confirmation. The long-term fix is automation: quarterly access reviews and HR-linked offboarding.
Now, the bigger picture.
What Zombie SaaS Actually Is
Zombie SaaS isn’t unused software, it’s unused access. Licenses that are still active, still billed, but quietly untouched. As teams grow and roles shift, accounts linger. Employees change responsibilities. Contractors finish projects. People leave. Access remains.
Because nothing visibly breaks, no one feels urgency. Renewals pass. Budgets expand. Waste compounds quietly.
Ninety days filters out normal variation. Vacations, project pauses, and seasonal work cycles don’t last that long. When someone hasn’t logged in for three months, either they don’t need the tool, they’ve replaced it with something else, or they shouldn’t have access anymore.
That threshold is long enough to be fair and short enough to catch waste before annual renewals lock it in.
How To Surface Inactive Seats Quickly
Most SaaS platforms track last login timestamps. Export the user list. Sort by inactivity greater than 90 days. Cross-check with HR or team leads. The mechanics are straightforward.
What usually slows this down is unclear ownership. Finance sees invoices. IT sees systems. Managers see headcount. Unless someone is explicitly responsible for reconciling all three, zombie seats persist.
If a vendor doesn’t provide visibility into login activity, that’s not just inconvenient, it’s a governance blind spot.
Why Finance Often Misses The Problem
From a finance perspective, SaaS spend looks predictable. A monthly subscription renews. Headcount justifies growth. But engagement data rarely flows into financial reviews. No one challenges whether paid access equals active usage.
A single unused $40 per month seat costs nearly $500 per year. Multiply that across multiple tools and dozens of inactive accounts, and the waste becomes material.
Inactive accounts are not just budget waste, they expand your attack surface. Dormant users often miss updated policies, new MFA requirements, or role restrictions. They’re less monitored and less visible. If compromised, they may go unnoticed longer.
Cleaning up zombie seats reduces cost and reduces risk at the same time.
How To Remove Access Without Causing Chaos
Immediate deletion creates friction. A better approach is staged cleanup. Send managers a list of inactive users and request confirmation. Suspend access first. If no one objects within a defined window, remove the license.
This method prevents accidental disruption while steadily eliminating waste.
The Long-Term Structural Fix
Annual cleanups help, but they don’t prevent recurrence. Sustainable control requires automation. Connect SaaS provisioning to HR systems so offboarding triggers automatic review. Run quarterly access audits. Flag 90-day inactivity automatically and route it to managers for approval.
When zombie detection becomes routine, it stops being reactive.
If an account hasn’t been used in 90 days, treat it as unnecessary until confirmed otherwise. Review before renewal cycles, suspend before deletion, and automate wherever possible. Zombie SaaS rarely causes headlines, but over time, it quietly erodes budget discipline and security posture.