We Tried Running a Software Audit and It Got Political Immediately

February 10, 2026

We didn't expect it to go sideways this fast. We announced the audit on a Tuesday. By Thursday, two department heads weren't speaking to each other, someone had cc'd the boss on an email without warning anyone, and Tory - who is somehow still the most upbeat person in this building despite his car being repossessed last month - actually said, out loud, that he'd never seen a spreadsheet cause this much suffering. That's coming from a guy whose life is currently on fire.

Here's my position on all of this: software audits go political because the software isn't just software. It's territory. And every company that tries to run one without understanding that first is going to have a very bad week.

Let me back up.

Why We Even Did This

The trigger wasn't some grand efficiency initiative. It was a billing email. Specifically, an auto-renewal charge for a tool that - as far as anyone could tell - hadn't been opened since sometime in 2023. Nobody remembered signing up for it. Nobody could find who authorized the purchase. It just kept charging us like a slow, polite leak in the ceiling.

That's not unusual. The lack of an intentional procurement plan for SaaS products can drive unnecessary spending throughout the tech stack - sometimes the result of suboptimal bargaining at scale, redundancy, or even forgotten active subscriptions. We had all three. So we decided to do what any reasonable company does when it discovers it's been bleeding money quietly: we attempted to look at everything we were paying for.

The numbers in this space are genuinely alarming once you start looking at them. One SaaS study pegs 53% of licenses as unused or under-used, and 2024 data suggests the average enterprise leaves millions on the table annually. We are not an enterprise. We are a mid-sized team that definitely does not have millions to leave on the table. In 2024, average SaaS spending saw a 9.3% year-over-year increase - the first increase in three years - bringing the average company's annual spend to $49 million, or $4,830 per employee. That per-employee number is the one that gets you. You do the math on headcount and suddenly that forgotten subscription doesn't feel so small.

So we started a spreadsheet. Classic opening move. Manual SaaS tracking isn't realistic at scale. It becomes spreadsheet management and hope. Which is exactly what we had.

The First Thing That Went Wrong

The moment we started asking "who's using this and what for," it stopped being a financial exercise and started being something else entirely. It became a question of whose tools mattered more. Whose workflows were considered essential versus redundant. Whose department had "justified" its subscriptions well enough to survive the cut.

This is the part nobody writes about in the software audit guides. The guides talk about license counts and renewal calendars. They do not talk about what happens when you tell a team that the tool they've built their entire process around is being flagged as a duplicate. They do not talk about the look on someone's face when they realize that a tool they championed is now on a list. They definitely don't talk about what happens when two teams find out they've been independently paying for different software that does the same thing.

Without a centralized procurement process, teams are often left to acquire software on their own. This uncoordinated approach can result in different teams using new applications that serve the same function, which can lead to inefficiency both in cost and effect. We had this in at least three categories. And when we surfaced it, nobody wanted to be the team that "lost." Nobody wanted their tool to be the one that got cancelled. The whole thing turned into a proxy war almost immediately.

Stephanie, bless her, suggested we just keep all of them and pay for both. She genuinely could not understand why that wasn't the obvious solution. To be fair, when you grew up the way she did, the idea that you'd have to choose between two software subscriptions probably does seem like a strange thing to argue about. The rest of us stared at her for about four seconds and then kept going.

[Image: two Star Destroyer warships facing each other in a standoff in deep space, representing internal conflict between departments during a software audit]
Showed this to Tory and he said it was the most accurate representation of a Tuesday-to-Thursday spiral he had ever seen - two ships that launched from the same hangar now pointing weapons at each other over a spreadsheet.

The Shadow IT Revelation

Here's where it got really interesting. Once we started actually cataloguing everything, we found tools that IT didn't know about. Tools that specific individuals had signed up for with their company cards and just... kept using. Quietly. For years in some cases.

This is everywhere right now. Shadow SaaS accounts for 26% of all SaaS usage within organizations, with an average of 129 shadow SaaS apps per company - which significantly expands an organization's attack surface, as well as the risk of data breaches and non-compliance. That number hit me hard. Not because it's surprising, but because it's so clearly the product of people trying to get their jobs done and not wanting to wait three weeks for IT approval on something that costs $29 a month.

"SaaS sprawl usually isn't the result of bad intentions - it's often the result of good people trying to solve real problems quickly," and I think that's actually the most honest thing anyone has said about this whole space. Nobody signs up for a rogue tool because they're trying to undermine the company. They do it because the approved tool doesn't work for them and the approval process takes too long.

But when an audit surfaces those tools, suddenly the person who was just trying to do their job looks like they were hiding something. And that's when it gets personal. That's when people get defensive. That's when someone CC's the boss.

"Citizen SaaS buyers" - employees outside the IT department who buy software for their teams - now influence 40% of all company SaaS spending. This shift decentralizes purchasing decisions, speeding up software adoption but also increasing the need for coordinated governance to avoid redundancy and security risks. Forty percent. Nearly half of what companies are paying for software was decided by someone who is not in IT. Running an audit without accounting for how that feels to the people who made those calls is a recipe for exactly what happened to us.

I kept thinking about the Resistance in The Last Jedi - specifically the moment when Poe Dameron is absolutely convinced he knows what needs to happen, starts a mutiny, and nearly destroys everything because nobody stopped to explain the actual plan to him first. That's what a software audit without communication looks like from inside a team. You're Poe. You made a decision that made complete sense with the information you had. And now someone with a spreadsheet is treating it like a crime.

The Numbers That Should Be Scaring You

I want to be clear that this isn't just an us problem. The auditing environment right now is genuinely intense. A late-2024 survey found that 62% of respondents were audited by a major software vendor in the past year, a sharp increase from 40% in 2023 - meaning the majority of businesses experienced at least one vendor audit in 2024. That's not just internal audits like what we ran. That's vendors coming after their own customers to make sure they're paying correctly.

Nearly 32% of organizations incurred financial liabilities exceeding $1 million from audits in 2024, more than tripling from just 10% two years ago. The software companies are doing their own audits on you whether you do yours or not. Oracle, IBM, SAP - vendors known for aggressive audits have continued or even stepped up their efforts, while even cloud-era vendors still find ways to enforce compliance.

And even if you avoid the vendor audit nightmare, the internal waste is real. Organizations typically overspend 25-30% annually on unused or underutilized IT assets. For a company spending $500K a year on software, that's potentially $125,000 to $150,000 sitting in tools that aren't pulling their weight. That's not rounding error. That's a hire.

We've written about some of this adjacently - the problem of AI agents creeping into your stack without anyone noticing is a version of this same issue. And honestly, the AI layer is making the sprawl worse. More AI tools mean more scattered software and unapproved departmental IT solutions, and AI adoption can inflate SaaS costs and introduce new security vulnerabilities. Everyone's signing up for AI features right now without thinking about where they fit in the broader picture. We've got at least four tools that added AI functionality to their dashboards in the last eighteen months. Three of them overlap. Nobody knew.

What Actually Happens When You Find the Redundancy

Let's say you find two tools doing the same thing. Two different teams using competing project management platforms, or two separate cold outreach tools, or whatever. You'd think the obvious next step is: pick one, cancel the other, save the money. Clean. Easy.

It is not clean. It is not easy.

What actually happens is that each team has years of workflow baked into their tool. Their automations, their templates, their way of doing things. Telling them to switch isn't just a software change - it's a process change. Audits create significant operational disruption, with six-month cycles typical of complex audits causing project delays, security update postponements, and innovation paralysis. Even a small internal audit that identifies a duplicate tool can turn into a months-long migration project when you try to actually collapse them.

Chris pulled me aside during all of this and - with that completely guileless sincerity that only he can pull off - said he didn't understand why this was so hard. "Can't you just move everyone to one thing?" I explained that you could, technically, but that every person who uses the "losing" tool is going to spend the next six months telling you the old one was better. He nodded thoughtfully. He's not wrong that it should be simpler. He's also never been in a migration meeting.

This is also why we've previously written about how office teams split when any major tech change gets introduced. The pattern is the same: some people adapt, some people resist, and the resist group will find a way to make their resistance known. An audit just concentrates that dynamic into a very small timeframe.

My Actual Take on Why This Keeps Happening

Software audits go political because companies treat them as accounting exercises instead of organizational ones. They approach it as: what are we paying for, and what can we cut? When the real question is: who decided to buy this, why did they decide that, and what are we disrupting if we take it away?

The second framing requires talking to people. The first one just requires a credit card statement.

The most significant cause of SaaS sprawl is a lack of a clear procedure, hierarchy, and communication. And the audit that tries to fix sprawl without addressing those same three things will just create new sprawl. People will find workarounds. They'll sign up for new tools quietly. The cycle restarts.

There's also a timing problem. If you don't have a SaaS management program in place, SaaS sprawl will take over your environment like ants at a picnic - with an average of 7.6 applications entering the tech environment each month, software portfolios could see growth upwards of 33.2%. You can't do one big annual audit and expect to stay ahead of that. By the time you finish reviewing what you had, you've already added a dozen more things.

Tory asked me, while eating a granola bar that I'm pretty sure was his only meal that day, whether any of this was actually going to save us money or if we were just "redistributing the anxiety." I didn't have a great answer. He seemed fine with that. He seems fine with everything, which is genuinely unsettling.

The tools we use for things like CRM or lead generation are the ones that always survive audits because their ROI is visible - someone can point directly at a pipeline number or a contact list and say "this did that." The tools that get killed are the ones where the value is ambient. Productivity tools. Collaboration stuff. Things that are useful but whose absence wouldn't immediately crash a revenue number. That's not actually a good way to decide what to cut. But it's the way most audits end up working when they go sideways into politics.

What I'd Do Differently

Tell people what you're doing and why before you start. Not after you've already built the spreadsheet. The moment the spreadsheet exists and people find out about it secondhand, you've already lost control of the narrative.

Also: don't frame it as cutting. Frame it as cleaning up. There's a difference, and people respond differently to each. Cutting implies someone loses something. Cleaning up implies you're making things work better for everyone. Both can result in the same cancelled subscriptions. One of them gets you to the finish line without a diplomatic incident.

The most successful organizations are moving beyond reactive audit response to proactive compliance management. This requires continuous visibility into software deployments, usage patterns, and licensing positions - something that's impossible to achieve manually at scale. That's the honest answer. A once-a-year spreadsheet isn't a strategy. It's a way to discover that you've already been messy for twelve months and now you have to clean it up under pressure.

The audit we ran was necessary. I still think we were right to do it. I think the political fallout was the natural result of doing it badly, not evidence that audits themselves are the problem. The AI agent overlap we found was genuinely alarming - nobody had a complete picture of what was running or what it was touching. The duplicate tool situation needed to be resolved. The ghost subscriptions needed to go.

Rey's arc in the sequels is actually a perfect analogy here and I know nobody wants to hear this but - she's essentially doing an audit of her own identity the entire trilogy. She keeps finding things that were there the whole time, that nobody told her about, that change what she thought she understood. The information was always true. The problem was the timing and communication of when it surfaced. Everyone acts like the reveal in The Last Jedi is a failure. I think it's the most honest thing in all three films. Sometimes the answer isn't what you wanted. That doesn't mean the audit was wrong. It means you weren't prepared for what it found.

Tory just asked me if I've made that point about Rey this week already. I told him I've made it eleven times. He said "sounds right" and went back to his desk.

Anyway. Run the audit. Just talk to your people first. And maybe don't do it on a Tuesday.