The accounts you stopped watching are your biggest security hole and your biggest bill
An employee leaves on a Friday. A week later, almost nothing about their account has changed. The mailbox still receives mail. The license is still assigned. The sign-in still works, if anyone bothers to try it. Finance is still paying for the seat. Security is still leaving the door open. Nobody decided either of those things on purpose. They are just what happens to an account once it stops being watched.
Most companies treat the cost of that account and the risk of that account as two separate problems. Cost belongs to finance and procurement. Risk belongs to security and IT. They run on different tools, different reviews, and different calendars. The license true-up happens once a year. The access review happens when an auditor asks for it. In between, the account sits there being both expensive and dangerous, and nobody is looking at it from either angle.
That separation is the mistake. The wasted dollar and the open door are not two problems that happen to share an account. They are one problem, the account nobody is watching, seen from two sides.
One neglect, two bills
Picture the leftover account in concrete terms. It belonged to someone in sales. It still has a Microsoft 365 E5 license, the expensive tier, because that is what the sales team gets by default. The mailbox is live. The OneDrive is full. The person has not signed in for months because they no longer work here, but the account was never disabled, so technically it could sign in tonight.
To finance, that account is a line item. You are paying full price every month for a seat that produces nothing. To security, the same account is an unmonitored credential with real access to real data and no human paying attention to whether it gets used. Both descriptions are true at the same time, about the same object, for the same reason. The account fell out of view.
This is why "we should cut software spend" and "we should tighten access" so often turn out to be the same project once you start. The list of accounts costing you money you cannot justify and the list of accounts representing risk you cannot see overlap almost completely. They are both just the accounts that nobody owns, nobody uses, and nobody reviews.
Keeping tabs is mostly reading the exhaust
When people hear "monitor user accounts," they picture surveillance, or a quarterly spreadsheet somebody dreads building. It is neither. Every system your company runs already records what happened, as a byproduct of normal use. Microsoft 365 knows the last time each account signed in. It knows which licenses were assigned and which features got touched. It knows whether the mailbox is active, whether OneDrive holds anything, whether the person shows up in Teams, whether a desktop app was ever activated against the license. It knows whether multi-factor authentication is registered and whether the identity has been flagged as risky.
None of that requires reading anyone's mail. The signal is who, what, when, and how much, not content. The pattern is the diagnosis. An account that has not signed in for ninety days, holds a premium license, has no MFA registered, and still has access to shared mailboxes is not a privacy question. It is an operational fact, sitting in plain view, that nobody has connected to a decision.
Keeping tabs just means reading that exhaust on purpose, continuously, instead of reconstructing it by hand the one time someone asks. The same activity data answers both the security question and the cost question, because both questions are really asking the same thing: is this account doing anything, and does anyone still need it?
The security case: the quiet doors
Breaches do not usually start with a clever exploit. They start with an account that should not have been there. A former contractor whose access was never removed. An admin account created for a migration two years ago and forgotten. A service account with a shared password nobody has rotated. The mailbox of someone who left, still licensed, still reachable, still trusted by every system that recognizes the address.
These accounts are dangerous precisely because they are quiet. An active employee notices when something is wrong with their account. A dormant account has no one to notice. It can be probed, taken over, and used as a foothold without tripping the one alarm that actually works, which is a human being saying "that is not me."
Watching accounts turns those quiet doors into visible ones. The signals that matter are not exotic. An account that is enabled but has not signed in for a long stretch. A privileged account without MFA. A user the identity provider has marked as at risk or compromised. A guest from a partner who finished their project a year ago and never left. A contractor who sits outside HR, came in through a personal email, and is touching company data that nobody mapped. Each of these is something you can see today, in data you already have, the moment you decide to look at all of it in one place instead of one portal at a time.
The point is not to generate a longer alert list. It is to make the obvious action obvious. Disable this account. Enforce MFA here. Review this risky user. Convert this departed employee's mailbox to a shared mailbox and pull the license. Remove this contractor. The risk was never that the data did not exist. The risk was that it lived in a dozen systems that do not talk to each other, so the door stayed open by default.
The price case: the seats you forgot you bought
Now look at the same accounts through finance's eyes, and the waste is just as concrete.
The first kind is the seat you are paying for that nobody uses. With Microsoft licenses, you buy a quantity, you consume some, and the gap between what you bought and what you actually assigned is money sitting idle. Then there are the licenses that are assigned but dead, attached to accounts that have not signed in for months. Across HubSpot, Asana, Google Workspace, and the rest of the stack, the same pattern repeats: billable seats held by people who left, guests counted as users, inactive accounts that were disabled in one system and still billed in another.
The second kind of waste is subtler and usually larger. It is the account on the wrong tier. A premium license, the E5 or the Business Premium, costs a multiple of the essentials tier. Plenty of users carry the premium one and use none of what makes it premium. They send email and join the occasional Teams call. They never touch the advanced security, the analytics, the voice features, the compliance tooling that justified the price. The usage data says, plainly, that this person is an essentials user wearing a premium price tag. Downshifting them changes nothing about their day and takes real money off the bill, every month, for as long as they work here.
You cannot find either kind of waste from a license count alone. A license count tells you how many seats you bought. It does not tell you which ones are doing anything, or whether the people holding the expensive ones need them. That answer only exists when you join the billing data to the activity data, which is exactly the same join the security question needs.
They are the same job
Here is the part worth sitting with. Everything the security review wants to know and everything the cost review wants to know comes from one combined picture of each account: who it belongs to, whether it is active, what it can access, what it costs, and what tier it is on. Build that picture once and both reviews are already done.
The departed employee's account is the cleanest example. The security action is disable it and lock down the data. The cost action is unlicense it and convert it to a shared mailbox so the team keeps the history without paying for a seat. Same account, same trigger, same moment of attention, two wins. Run security and cost as separate projects on separate schedules and you will visit that account twice, late, and probably miss it both times. Watch the account once, continuously, and you catch it the week it goes quiet, when both fixes are easy.
This is why splitting the work by department is so expensive. It is not that finance and security want different things. It is that the act of looking is the whole job, and you are paying for it twice while doing it half as well.
Make the next action the point
Visibility on its own does not save money or close a hole. A dashboard that shows you four hundred accounts and leaves you to figure out what to do with them is just a more detailed version of the problem. The value shows up when the data resolves into a decision.
- This account has been inactive for ninety days. Disable it and reclaim the license.
- This user is on E5 and uses none of it. Downshift to E3.
- This departed employee is still licensed. Convert the mailbox, archive the data, remove the seat.
- This privileged account has no MFA. Enforce it.
- This contractor finished six months ago and still has access. Offboard them.
- You are paying for twelve seats more than you have assigned. Drop the count at renewal.
Each of those is a sentence finance and security would both sign off on, and each comes from the same underlying view of accounts and their activity. That is the whole argument. The reason to keep tabs on user accounts, their licenses, and their activity is not that monitoring is virtuous. It is that the unwatched account is the single thing that is simultaneously costing you money you cannot justify and exposing you to risk you cannot see, and the act of watching it fixes both at the same time.
The companies that understand their accounts will spend less and be safer, not as two achievements but as one. The companies that do not will keep paying for seats nobody uses and keep leaving doors open behind people who left, and they will keep treating those as unrelated surprises. They were never unrelated. They were always the same account, waiting for someone to look.
Keep reading
If your data is wrong, you're making worse decisions than with no data at all
A wrong number is more dangerous than no number at all. Why bad data disables judgment, where your real data actually lives, and how to know whether a figure can be trusted before you act on it.
What Is Technology Resource Planning?
Every company is now a technology company. Technology Resource Planning is the operating layer companies need to understand, govern, and optimize the technology resources that power the business.
Stop guessing what your technology is doing. Find out.
Connect ORVO to your environment and see for yourself.