The average Australian SMB is paying for somewhere between 80 and 200 distinct SaaS subscriptions. Most leadership teams know about 25 of them. The remainder, “shadow SaaS”, are bought on individual credit cards, signed up through free tiers that converted to paid, or inherited from departed staff whose accounts nobody disabled. The total cost is rarely on anyone’s radar until somebody runs the numbers.
When we run SaaS audits for clients, the recurring finding is the same. SaaS spend is running 30 to 80 per cent higher than leadership believes. Up to 40 per cent of that spend is on tools nobody actively uses. The security exposure from forgotten accounts is meaningfully larger than the security team realises. And the path from “we have a SaaS problem” to “we have control of our SaaS” is shorter than most businesses assume, but it requires actually starting.
This is the operational reality most Australian SMBs are living with in 2026, and the cost of inaction has compounded enough that it now justifies real attention.
The growth pattern is consistent across the businesses we work with. Five mechanisms account for most of it.
Department-level purchases that never make it to IT or finance for review. Marketing buys a social scheduling tool. Sales buys a prospecting tool. HR buys an engagement platform. Each individual decision is reasonable. The aggregate creates a portfolio nobody is tracking. By the time leadership notices, there are 40 to 70 active subscriptions paid on company cards across multiple departments.
Free tiers that converted to paid. A team starts using something free, hits the usage limit, upgrades to a paid tier without going through procurement. Slack, Notion, Trello, Miro, Loom, and dozens of others follow this pattern. The conversion is friction-free by design. The result is paid subscriptions that nobody approved.
Departed staff whose accounts remained billable. When somebody leaves, their corporate mailbox is disabled, but the SaaS accounts that were never tied to that identity stay live. Some were registered under a personal email address, so disabling the corporate account touches nothing. Some have a company card stored that nobody removes. The subscriptions keep running and the bills keep arriving for months or years.
Tool migration without decommissioning. The business switches CRM, project management tool, or marketing automation platform. The new tool goes live. The old tool is left running because some data still lives there, or somebody might need to reference it. Two years later, both are still being paid for.
Vendor consolidation that never finished. The business signs up for the integrated suite that was supposed to replace the four point tools. The migration to the suite is incomplete. The four point tools are still in use for the workflows that did not migrate cleanly. Now there are five tools where there used to be four, and the budget reflects it.
For a typical Australian SMB at 50 staff, the SaaS portfolio breakdown looks like this in 2026.
Direct subscription costs run $80,000 to $180,000 per year across 60 to 120 active subscriptions. The variance comes from the type of business. Professional services firms run heavier on collaboration and document tools. Sales-driven businesses run heavier on prospecting and CRM. Engineering-led businesses run heavier on development tooling.
Wasted spend within that total runs 25 to 45 per cent. The categories are predictable. Duplicate tools doing the same job. Subscriptions with more seats than active users. Tools that were active for a project but never decommissioned. Departed staff still on the bills.
Hidden adjacent costs add another 10 to 20 per cent. Integration tools to connect the SaaS portfolio together. Backup tools for the SaaS portfolio. Audit tooling to make sense of the SaaS portfolio. Security tools to protect the SaaS portfolio. The meta-tools that exist because the underlying portfolio is unmanaged.
Total recoverable saving for a 50-person SMB doing a proper SaaS rationalisation typically lands at $40,000 to $80,000 per year. That figure is consistent enough across the engagements we have run that we now offer the work on a contingency basis for clients who would rather not pay for the audit up front.
The cost story is the obvious one. The security story is the bigger one, and it is significantly less visible.
Every active SaaS account is attack surface: a username, a password, and whatever MFA configuration exists, if any. Most SMBs have decent identity governance on the 10 to 15 tools IT explicitly manages, because those sit behind SSO and are provisioned and deprovisioned with the corporate identity. The other 50 to 150 tools sit outside it: local passwords, frequently reused from somewhere else, no SSO, MFA left at whatever the vendor default was, and credentials nobody has reviewed in years.
Departed staff with active accounts are a particular problem. We routinely find ex-employees with valid logins to former employers’ SaaS tools 12 to 24 months after departure. Some have access to customer data. Some have access to financial information. The risk profile depends on which tools, but the pattern is universal and the impact is rarely zero.
Data exposure through OAuth grants and integrations. Every “Connect with Google” or “Connect with Microsoft” button is an OAuth consent grant: the third-party app receives a token scoped to whatever it asked for, that access keeps working until the grant is revoked, and the app is not prompted for the user’s MFA on each use because it holds its own token. Most Australian SMBs have hundreds of these grants accumulated over years, with no record of what was granted to which tool with what permissions.
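One way to run the two checks described above, orphaned leaver accounts and unaudited consent grants, in a single pass. This is an added example, not code from the original article or from the authors’ audit practice. Every name, address, ID and grant record in it is constructed; the grant JSON follows the field names of Microsoft Graph oauth2PermissionGrants (clientId, consentType, principalId, resourceId, scope), as exported by Get-MgOauth2PermissionGrant and trimmed to those fields, with clientId and principalId resolved through lookups you would build from Get-MgServicePrincipal and Get-MgUser. The high-risk scope list is an illustrative assumption for triage, not a standard.

```python
"""Added example (constructed data): orphaned leaver accounts plus OAuth consent triage."""
from __future__ import annotations

import csv
import io
import json
from datetime import date

# Constructed HR leaver export. Not real people.
LEAVERS_CSV = """email,name,left_on
priya.nair@example.com.au,Priya Nair,2024-03-15
tom.walsh@example.com.au,Tom Walsh,2025-11-02
"""

# Constructed per-tool user exports, normalised to one shape. Tom Walsh's
# scheduler account was registered under a personal address, so it will not
# match on corporate email.
SAAS_USERS = {
    "crm": [
        {"email": "priya.nair@example.com.au", "name": "Priya Nair", "status": "active"},
        {"email": "j.lee@example.com.au", "name": "Jordan Lee", "status": "active"},
    ],
    "social-scheduler": [
        {"email": "tomwalsh88@personal.example", "name": "Tom Walsh", "status": "active"},
    ],
}

# Constructed grants using Graph oauth2PermissionGrants field names, trimmed.
GRANTS_JSON = json.dumps([
    {"clientId": "sp-111", "consentType": "Principal", "principalId": "u-priya",
     "resourceId": "graph", "scope": "Mail.Read Files.ReadWrite.All offline_access"},
    {"clientId": "sp-222", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read"},
    {"clientId": "sp-333", "consentType": "Principal", "principalId": "u-jordan",
     "resourceId": "graph", "scope": "Calendars.Read"},
])
# Constructed lookups (in practice built from service principal and user exports).
SP_NAMES = {"sp-111": "Meeting Notes AI", "sp-222": "Whiteboard Tool", "sp-333": "Scheduling Link"}
USER_EMAILS = {"u-priya": "priya.nair@example.com.au", "u-jordan": "j.lee@example.com.au"}

# Illustrative assumption: scopes reaching mail, files, sites, contacts or the
# directory, plus anything ending in .All, are treated as high risk for triage.
HIGH_RISK_PREFIXES = ("Mail.", "Files.", "Sites.", "Contacts.", "Directory.")
AUDIT_DATE = date(2026, 3, 1)  # constructed "today" so results are reproducible


def load_leavers(leavers_csv: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(leavers_csv)))


def find_orphaned_accounts(leavers: list[dict], saas_users: dict, today: date) -> list[dict]:
    """Active SaaS accounts held by leavers. Match on corporate email first, then fall
    back to display name so personal-address accounts surface (flagged as a weak match)."""
    by_email = {l["email"].lower(): l for l in leavers}
    by_name = {l["name"].lower(): l for l in leavers}
    findings = []
    for tool, users in saas_users.items():
        for u in users:
            if u["status"] != "active":
                continue
            leaver, matched_by = by_email.get(u["email"].lower()), "email"
            if leaver is None:
                leaver, matched_by = by_name.get(u["name"].lower()), "name-only"
            if leaver is None:
                continue
            left = date.fromisoformat(leaver["left_on"])
            findings.append({"tool": tool, "account": u["email"], "left_on": leaver["left_on"],
                             "days_since_departure": (today - left).days, "matched_by": matched_by})
    return findings


def triage_grants(grants_json: str, sp_names: dict, user_emails: dict, leaver_emails: set) -> list[dict]:
    """Grants needing a human look: high-risk scopes, tenant-wide consent, or consent given by a leaver."""
    out = []
    for g in json.loads(grants_json):
        scopes = g["scope"].split()
        risky = sorted(s for s in scopes if s.startswith(HIGH_RISK_PREFIXES) or s.endswith(".All"))
        tenant_wide = g["consentType"] == "AllPrincipals"
        granted_by = "all users (admin consent)" if tenant_wide else user_emails.get(g["principalId"], g["principalId"])
        by_leaver = (not tenant_wide) and granted_by in leaver_emails
        if not (risky or tenant_wide or by_leaver):
            continue
        out.append({"app": sp_names.get(g["clientId"], g["clientId"]), "granted_by": granted_by,
                    "risky_scopes": risky, "tenant_wide": tenant_wide, "granted_by_leaver": by_leaver,
                    # offline_access: the app holds a refresh token and keeps access without the user present
                    "persistent": "offline_access" in scopes})
    return out


if __name__ == "__main__":
    leavers = load_leavers(LEAVERS_CSV)
    for f in find_orphaned_accounts(leavers, SAAS_USERS, AUDIT_DATE):
        print("ORPHANED", f)
    for g in triage_grants(GRANTS_JSON, SP_NAMES, USER_EMAILS, {l["email"] for l in leavers}):
        print("REVIEW  ", g)
```

On the constructed data this surfaces Priya Nair’s CRM account 716 days after departure, Tom Walsh’s scheduler account by name match only, a mail-and-files grant with offline_access made by a leaver, and a tenant-wide admin consent that has no named owner. The name-only match is deliberately weak and is there to generate a review list, not to drive automated deprovisioning.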
AI assistants connected to SaaS tools amplify the exposure. Copilot, ChatGPT, Claude, and others now integrate with SaaS portfolios through native connectors. Whatever those assistants can read, they can also summarise, forward or act on in another context, so each connector widens what a single compromised account or a poisoned document can reach. As we covered in our zero-click piece, prompt injection through content stored in SaaS tools is now a meaningful attack vector.
The Notifiable Data Breaches scheme treats an incident in a forgotten SaaS tool the same as any other eligible data breach. When a breach hits, “we did not know we had that tool” is not a defence: the obligation attaches to the personal information you hold, wherever it sits. The 30-day assessment clock starts when you become aware of a suspected breach, not when you find out the tool existed.
The pattern we recommend to clients consistently delivers the savings and tightens the security posture. Four mechanisms in sequence.
The execution timeline for a 50-person business is typically eight to fourteen weeks for the discovery and rationalisation work, with governance and tooling rolling out over six to twelve months. The ongoing benefit is permanent if the governance discipline holds.
The SaaS portfolio rationalisation work has compounding effects that go beyond cost.
Copilot and other AI assistants become safer to deploy when the SaaS surface is mapped and controlled. The current AI governance challenge is largely about controlling what AI can see and do. A rationalised SaaS portfolio makes that controllable. A sprawling SaaS portfolio makes it nearly impossible.
Compliance posture improves materially. ISO 27001 audits, SMB1001 assessments, and Essential Eight maturity reviews all benefit from a documented and governed SaaS portfolio. The work that goes into the rationalisation produces the evidence the auditors are asking for.
Privacy Act exposure decreases significantly. The automated decision-making transparency provisions of the Privacy and Other Legislation Amendment Act 2024, which commence in December 2026, are easier to comply with when you actually know which tools are making automated decisions in your business. Most SMBs cannot answer that question today.
Cyber insurance underwriting tightens around SaaS exposure year on year. Insurers are increasingly asking for SaaS inventory, SSO coverage, and access review evidence. Businesses that can answer cleanly get better premiums and excess terms.
For any Australian SMB that has not done a SaaS audit in the last 18 months, the discovery exercise is the right first step. Most businesses recover 5 to 15 per cent of the SaaS spend immediately from the audit alone, before any rationalisation work happens.
For businesses preparing to deploy Copilot or expand AI integration into SaaS tools, the rationalisation work should be a precondition. AI on top of a sprawling SaaS portfolio is an AI governance disaster waiting to be audited.
For businesses with cyber insurance renewals or compliance audits coming up in the next 12 months, the SaaS work should be on the prep list. The questions are coming whether you are ready or not.
For businesses where leadership genuinely does not believe they have a sprawl problem, the audit is still worth running. Almost every business that thought they were in control discovered they were not. The discovery itself usually pays for the engagement.
We run SaaS portfolio audits for Australian SMBs on a contingency basis where appropriate. Three-week engagement, complete inventory, savings recommendations, and a governance framework you can actually operate.