Documentation Index
Fetch the complete documentation index at: https://docs.provisionr.io/llms.txt
Use this file to discover all available pages before exploring further.
“How much does manual access management cost?”
Without an answer to this question, no organization can make a case for automation.
This article provides the framework and real numbers to calculate true costs.
The Example Company
Consider a realistic mid-sized company:
- Employees: 800
- Annual turnover: 15% (120 hires, 120 departures)
- Internal mobility: 20% (160 role changes)
- IT team: 5 people
- Average IT salary: $120,000
- Average employee salary: $100,000
- Systems to manage: 25
These numbers are typical for a growth-stage technology company.
Cost Category 1: IT Labor
Onboarding
Time per onboarding: 2.5 hours
This breaks down as: creating accounts in identity system (15 min), adding to groups (20 min), provisioning to 10+ systems (60 min), verifying and troubleshooting (45 min), and documentation and communication (30 min).
Annual volume: 120 new hires
Annual cost:
120 hires x 2.5 hours x ($120,000 / 2,080 hours)
= 120 x 2.5 x $57.69
= $17,307
Terminations
Time per termination: 1 hour
This includes: disabling accounts (15 min), removing from groups and systems (30 min), and verifying removal (15 min).
Annual volume: 120 departures
Annual cost:
120 terminations x 1 hour x $57.69
= $6,923
Role Changes
Time per role change: 1.5 hours
This covers: evaluating new access needs (30 min), adding new access (30 min), and removing old access (30 min---often skipped).
Annual volume: 160 role changes
Annual cost:
160 role changes x 1.5 hours x $57.69
= $13,846
Ad-Hoc Access Requests
Time per request: 10 minutes
This includes: receiving request, evaluating appropriateness, executing change, confirming completion.
Annual volume: Approximately 7,500 requests (40 per day times 200 workdays)
These requests include: “I need access to X for project Y,” “Can you add Sarah to this group?”, “I cannot access the staging database.”
Annual cost:
7,500 requests x 10 min x ($57.69 / 60)
= 7,500 x 0.167 x $57.69
= $72,240
Access Reviews
Time per quarterly review: 40 hours
This covers: generating reports (4 hours), distributing to managers (2 hours), following up with managers (10 hours), processing approvals/denials (16 hours), and documentation (8 hours).
Annual cost:
4 reviews x 40 hours x $57.69
= $9,231
Total IT Labor: $119,547/year
Manual access reviews create audit risk. SOC 2 CC6.3 requires periodic access reviews, but manual processes often lack consistent documentation. Auditors examine whether reviews were completed on time, whether exceptions were properly documented, and whether removal of access was timely. Manual processes frequently result in findings for incomplete evidence or delayed remediation.
Cost Category 2: Employee Productivity Loss
This is the hidden cost most companies fail to track.
New Hire Waiting Time
Average wait for full access: 2 days (16 hours)
New hires cannot be productive without access. They watch onboarding videos, read documentation, and wait for IT.
Effective productivity during wait: 20% (reading docs, attending meetings)
Lost productive hours per hire:
16 hours x (1 - 0.20) = 12.8 hours
120 hires x 12.8 hours x ($100,000 / 2,080)
= 120 x 12.8 x $48.08
= $73,851
Role Change Delays
Average wait for new access: 1 day (8 hours)
When someone changes roles, they need new access. Until then, productivity is limited.
Effective productivity during wait: 50%
Lost productive hours per change:
8 hours x (1 - 0.50) = 4 hours
160 role changes x 4 hours x $48.08
= $30,771
Ad-Hoc Request Wait Time
Average wait: 4 hours (same-day resolution goal)
When someone needs access for their work, they are blocked until they get it.
Percentage of requests that are blocking: 50% (conservative estimate)
Lost productive hours per blocking request:
7,500 requests x 50% x 4 hours x 25% blocking factor
= 3,750 hours
3,750 hours x $48.08
= $180,300
Total Productivity Loss: $284,922/year
Many organizations estimate this higher. If average wait is 3 days instead of 2, or ad-hoc requests take longer, multiply accordingly.
Cost Category 3: Security Incidents
Manual processes lead to security incidents.
Orphaned Accounts
The problem. Terminated employees retain access due to incomplete offboarding.
Industry data: 5-10% of terminations result in orphaned accounts.
Average cost per incident: $50,000 (detection, investigation, remediation)
Probability of incident: 10% per year (if orphaned accounts exist, eventually something happens)
Annual cost:
120 terminations x 5% orphaned x 10% incident probability x $50,000
= $30,000
Privilege Creep Exploits
The problem. Users accumulate excessive access over time. Attackers exploit it.
Industry data: 60-80% of breaches involve privilege escalation.
Average cost per incident: $200,000 (assuming smaller-scale breach containment)
Probability of incident: 15% per year
Annual cost:
15% probability x $200,000
= $30,000
Manual Errors
The problem. IT makes mistakes. Wrong person gets admin access.
Incident rate: 2% of access changes have errors
Average cost per error: $5,000 (investigation, remediation, audit)
Annual incidents:
(120 + 120 + 160 + 7,500) x 2% = 158 errors
158 errors x $5,000 x 10% significant (most caught quickly)
= $79,000
Total Security Incidents: $139,000/year
Orphaned accounts and privilege creep are among the most common SOC 2 and SOX findings. Auditors specifically test for terminated employee access (sampling 25-50 terminations and verifying access removal) and excessive privileges (comparing actual access to job requirements). Manual processes consistently produce findings. Automated deprovisioning tied to HR termination events eliminates this audit risk.
Cost Category 4: Compliance Overhead
Manager Review Time
Time per manager per quarter: 3 hours (reviewing access for their team)
Number of managers: 40
Annual cost:
40 managers x 4 quarters x 3 hours x ($150,000 / 2,080)
= 480 hours x $72.12
= $34,618
Audit Preparation
Time per audit: 80 hours (gathering evidence, generating reports, answering questions)
Audits per year: 2 (SOC 2, customer audits)
Annual cost:
2 audits x 80 hours x $57.69
= $9,231
Total Compliance: $43,849/year
Cost Category 5: Opportunity Cost
IT teams spending 20+ hours per week on access management cannot: improve infrastructure, automate other processes, reduce technical debt, or support revenue-generating initiatives.
IT hours on access management: 2,300 hours/year (calculated above)
Percentage of IT capacity: 2,300 / (5 x 2,080) = 22%
Value of alternative work: Conservative estimate of $200,000/year in efficiency gains or cost savings
Opportunity cost: $200,000/year
Total Annual Cost
| Category | Annual Cost |
|---|
| IT Labor | $119,547 |
| Productivity Loss | $284,922 |
| Security Incidents | $139,000 |
| Compliance | $43,849 |
| Opportunity Cost | $200,000 |
| Total | $787,318 |
Scaling the Numbers
Cost scales non-linearly. Larger organizations have more complex policies, more systems to manage, and more compliance requirements.
| Company Size | Estimated Annual Cost |
|---|
| 200 employees | $200,000 |
| 500 employees | $500,000 |
| 800 employees | $800,000 |
| 1,500 employees | $1,500,000 |
| 3,000 employees | $3,000,000+ |
The Automation ROI
Cost of automation:
| Item | Year 1 | Year 2+ |
|---|
| Platform license | $50,000 | $50,000 |
| Implementation | $80,000 | $0 |
| Training | $15,000 | $5,000 |
| Ongoing maintenance | $30,000 | $25,000 |
| Total | $175,000 | $80,000 |
| Category | Manual Cost | Reduction | Savings |
|---|
| IT Labor | $119,547 | 80% | $95,638 |
| Productivity | $284,922 | 70% | $199,445 |
| Security | $139,000 | 60% | $83,400 |
| Compliance | $43,849 | 50% | $21,925 |
| Opportunity | $200,000 | 50% | $100,000 |
| Total | $787,318 | | $500,408 |
Savings: $500,408
Investment: $175,000
Net benefit: $325,408
ROI: 186%
Savings: $500,408
Investment: $80,000
Net benefit: $420,408
ROI: 425%
The CFO Conversation
When presenting to finance, focus on these points:
Hidden costs are real costs. Productivity loss does not show in the IT budget. Security risk is a liability. Opportunity cost is missed revenue.
Cost grows with the company. Hiring 50% more people does not mean 50% more IT work. It means 50% more access requests. Manual processes hit a wall.
Automation has compounding benefits. Year 1 delivers immediate savings. Year 2+ sees efficiency compound. Organizations scale without adding headcount.
The risk of NOT automating. One security incident costs 500,000−5,000,000. Failed compliance means lost enterprise customers. IT burnout leads to turnover and knowledge loss.
Building the Business Case
Step 1: Gather data. Collect annual hires, departures, and role changes. Count ad-hoc access requests per month. Measure IT time spent on access management. Track average time to provision new hires.
Step 2: Calculate costs. Use the formulas above. Adjust for actual salaries and volumes. Be conservative (under-promise).
Step 3: Estimate savings. 70-90% reduction in IT labor. 60-80% reduction in productivity loss. 50-70% reduction in security incidents.
Step 4: Build the ROI model. Year 1: Investment plus partial savings. Year 2+: Maintenance plus full savings. Include 3-year and 5-year projections.
Step 5: Present to leadership. Lead with business impact, not technology. Show the “do nothing” cost. Quantify risk reduction.
Automated provisioning transforms audit readiness. Instead of scrambling to gather evidence before audits, organizations maintain continuous compliance. System-generated access logs, policy documentation, and Ruleset definitions provide auditors with consistent, complete evidence. This reduces audit preparation from 80 hours to under 10 hours and virtually eliminates access-related findings.
The Path Forward
Manual access management costs 500−1,500 per employee per year.
For an 800-person company, that totals 400,000−1,200,000 annually.
Most of this cost is invisible: productivity loss (people waiting), security risk (orphaned accounts, privilege creep), and opportunity cost (IT doing manual work).
Automation typically achieves: 70-90% reduction in manual work, 60-80% reduction in access delays, and 50-70% reduction in security incidents.
ROI is typically 200-500% with 3-6 month payback.
The question is not “Can the organization afford to automate?”
The question is “Can the organization afford NOT to?”
