Have you heard of the SCIM tax?

Your CFO has a question. She's been looking at the SaaS renewal list and can't figure out why the company is on Slack Enterprise Grid at $24 per user per month when Business+ is $7.50. "What are we getting for the extra $16.50?" she asks. "What features are we actually using?"

The honest answer, the one the IT Director gives after a beat, is: SCIM.

She doesn't know what SCIM is. He knows but has never had to explain it to a CFO before. The conversation gets awkward. The renewal gets approved because switching plans mid-year isn't worth the headache. And she never hears the name for what just happened.

IT has a name for it. It passes around in sysadmin threads and budget post-mortems. It rarely makes it into the CFO's meeting. The name is the SCIM Tax.

SCIM is a protocol. The standardized way your identity provider talks to your apps. When you add someone in Okta or Entra, SCIM is what tells Slack to create their account. Not a feature. Plumbing.

Most apps lock SCIM behind their enterprise tier. Not because enterprise customers need more capacity. Because vendors know that any company running a real identity program needs SCIM to automate provisioning, so they price accordingly.

Slack: automated provisioning means Enterprise Grid. Notion: Business Plus. GitHub: Enterprise instead of Team. Same repo features, different price. That gap is the SCIM Tax.

It adds up quietly. A few extra dollars per user per app, across a hundred seats, across eight or ten apps, billed annually, renewed without much scrutiny because IT needs it and finance assumes they're paying for features.

Run the math on a 200-person company. Five core apps charging 3x to 5x for enterprise tier, where the difference traces straight back to one protocol. Not a rounding error. A budget line. Finance thought it was buying software. IT knew it was buying provisioning infrastructure. The assumption went unchallenged because no one had named it yet.

You're not paying for enterprise features. You're paying a tax your vendor imposed because your identity stack needs a protocol they chose to lock behind a paywall. The feature list is the cover story. The protocol is the reason.

It gets worse. Even after paying the SCIM Tax on every app that takes it, most of your stack still doesn't have SCIM. Standard-plan tools, legacy apps, the software that predates your SSO: Airtable, Miro, Loom, the internal wiki, the thing someone in finance set up three years ago with sixty active users. SCIM doesn't reach those at any price. You paid enterprise rates for the apps you could upgrade, and you're still running a manual queue for everything else.

Paid the tax. Still don't have full coverage. That's the part that stings.

SCIM used to be the only way to automate provisioning. That wasn't a choice. It was a constraint. If you wanted governance that actually ran automatically, you paid what vendors charged for the protocol. Identity teams paid it because the alternative was worse.

It stops being a constraint when provisioning doesn't need SCIM.

Iden covers every SCIM app in your stack by default. Same as any IGA tool. That's table stakes. What's different is everything past the SCIM boundary. Custom proprietary automation goes deep into every app, down to the last entitlement. Call it SCIM++. SCIM apps and non-SCIM apps, enterprise tier and standard plan, legacy tools and whatever someone signed up for last quarter, all governed the same way. Apps you've been upgrading just for SCIM access can go back to the plan that fits your actual usage. The tax disappears because it was always a workaround, not a requirement.

We'd run the numbers: per-seat cost across your current stack, mapped against where you're paying the SCIM premium and what eliminating it would look like. No deck. Just the product.