Enrollment Decline, International Revenue Collapse, and Financial Distress Are One Crisis. At Mid-Size Institutions, It Lands on the Identity Team First.
Every August at a regional comprehensive with 5,000 students, somewhere between 1,800 and 2,200 of last year's accounts belong to people who are not coming back. Some transferred. Some stopped out. Some were dual-enrolled high schoolers whose semester ended in December and whose accounts are still active in the LMS, the email system, the library proxy, and three SaaS platforms that nobody in central IT approved. Meanwhile, a new cohort is arriving, and every one of them needs provisioning across a stack that has grown from a handful of on-prem systems to dozens of cloud applications that accumulated during the pandemic and never got rationalized.
The work of creating those accounts, assigning entitlements, and deprovisioning the ones that should have been terminated months ago falls on an IT staff that just lost a position to a hiring freeze. And will lose another one next year.
This is the identity lifecycle tax. It creates security exposure. More immediately, it is a labor problem denominated in dollars. At Tier 2 and Tier 3 institutions facing converging financial pressures, it is becoming untenable in a way that the CFO can see on a spreadsheet if someone puts the right numbers in front of them.
The pressure system
The instinct in any committee is to treat the enrollment cliff, the international student revenue collapse, and sector-wide financial distress as three separate agenda items. They are one pressure system. The institution that treats them as three line items on a risk register will miss the compound effect until it arrives as a budget crisis that forecloses the options that would have resolved it.
The enrollment cliff is the structural floor. WICHE projections show a 13% decline in high school graduates through 2041, with projected declines of 16% to 20% across the Midwest, Northeast, and West, hitting hardest in the regions where regional comprehensives and community colleges are already enrollment-dependent. The peak was 2025. What follows is a sustained contraction with no recovery scenario in the demographic data.
Layered on top of that structural decline is the international student revenue collapse, which arrived with a speed that demographic projections never could. New international student enrollment fell approximately 17% in fall 2025 and an estimated 20% in spring 2026, with the national revenue impact estimated at roughly $1.1 billion. These figures have been widely reported across higher education press citing SEVIS data and NAFSA economic impact analyses, but I should note that as of this writing, no single consolidated source publishes all three figures with a unified methodology. The directional scale is not in dispute; the precision of any individual number should be treated as approximate. At institutions where international students pay full tuition and cross-subsidize domestic financial aid, even the low end of these estimates represents a structural revenue loss arriving in the same fiscal year as the enrollment peak.
The financial distress signals confirm what the enrollment and revenue data predict. Fitch assigned a "deteriorating" sector outlook for U.S. higher education in its 2025 sector assessment. S&P Global Ratings data from its 2025 higher education outlook indicated that more than half of rated private institutions were running operating deficits. Closures and mergers accelerated through 2025 and into 2026, concentrated among exactly the institution types this piece is about: small privates, regional publics, and community colleges with limited endowments and high tuition dependency.
These three forces are the "why now" that makes identity automation a budget survival question. An institution losing domestic enrollment to demographics, losing international revenue to policy disruption, and running an operating deficit does not have the budget to hire its way out of any operational problem. Including the one that all three forces are simultaneously making worse.
Churn does not shrink when enrollment does
Most people outside higher education IT have never had reason to think about this, but the identity lifecycle workload does not decline when enrollment declines. It can increase.
The reason is churn. At the least selective public four-year institutions, which map closely to the regional comprehensives that constitute the Tier 2 core, NCES retention data shows first-year retention rates around 59%. Roughly 41% of entering students do not return for their sophomore year. At community colleges, National Student Clearinghouse data puts fall-to-fall persistence at approximately 62.5%, with the most recent figures showing a slight decline from 62.9% the prior year.
Those figures capture only first-time, first-year students. They do not account for the populations that generate the highest identity lifecycle transaction volume per capita:
- Dual-enrolled high schoolers now represent 21% of community college enrollment and cycle in and out on a semester or even term basis, with enrollment in this category surging 10% in 2024 alone.
- Transfer students: nearly 500,000 moved from two-year to four-year institutions in fall 2024.
- Stop-outs re-enroll after gap semesters. Non-degree seekers appear for a single term.
- Contingent faculty, who constitute 50% to 80% of the instructional workforce at many institutions, require term-by-term provisioning.
At a 5,000-student institution with 40%+ annual churn, the identity team processes roughly 4,000 lifecycle events per year. Each event touches a dozen or more systems. That is closer to 50,000 transactions.
When you compound first-year attrition with the term-over-term cycling of these populations, the annual identity lifecycle transaction volume at a Tier 2 or Tier 3 institution routinely exceeds 40% of the total account base. At a typical mid-size institution that has moved most of its applications to the cloud (88% had migrated at least a quarter of their apps by 2024), a single student's identity footprint spans a dozen or more systems.
An institution whose enrollment drops from 5,000 to 4,500 has not reduced its identity workload by 10%. It has the same churn rate applied to a slightly smaller base, processed by a staff that just got smaller too. The ratio gets worse.
What manual provisioning actually costs
Published benchmarks for per-student provisioning cost in higher education are sparse, and I want to be transparent about confidence levels throughout this section.
The most cited figure comes from vendor-produced white papers estimating 30 minutes per provisioning request for account creation and another 30 minutes for group and entitlement configuration in a manual environment. This is vendor data, and I flag it as such. But it is consistent with what I observed operationally during a decade in higher education IT, and with the Forrester TEI literature that documents time savings of 10 minutes per provisioned user in automated versus manual enterprise environments, with end users saving an average of 2 hours per year from fewer access issues and improved provisioning workflows. A separate Forrester TEI study found more than $11 million in savings through application access automation and a 90% reduction in onboarding time at the enterprise composite level. These are cross-sector figures, not higher-ed specific, but the directional magnitude is instructive. The higher education number for per-event manual labor likely runs higher than the enterprise average because the entitlement model is more complex: a student's access profile changes when they declare a major, enroll in a lab course, join a research group, or shift from full-time to part-time status. Each change is a lifecycle event.
Take the conservative end. Assume 30 minutes of staff time per provisioning or deprovisioning event in a manual environment. At a 5,000-student institution with 40% annual churn, you are looking at roughly 4,000 total lifecycle events per year. That is 2,000 hours of identity lifecycle labor. At a fully burdened IT staff rate of $35 to $45 per hour at a regional public, that is $70,000 to $90,000 in labor cost dedicated to account creation and termination alone. Before you count password resets (one large university documented 3,500 password reset calls annually, at 15 minutes each), access reviews, or the mid-year entitlement changes that dual enrollment and major declarations generate.
Put that number next to the staffing picture and it becomes urgent. It represents roughly one full-time equivalent position at an institution where 42% of IT leaders expect budget decreases in the current year, with a median expected cut of 8%. The most common cost reduction strategies reported in that same EDUCAUSE QuickPoll: hiring freezes, reduced travel, and changes to technology contracts. The FTE doing manual provisioning is either being cut, being frozen when they leave, or being reassigned to work that someone with authority considers higher priority.
The provisioning still needs to happen. And the deprovisioning needs to happen even more urgently.
The license waste that shows up on the invoice
The labor cost lives in timesheets and task allocation, and CFOs have to take the CIO's word for it. License waste shows up on invoices.
| Source | Waste / Underutilization Rate | Scope |
|---|---|---|
| Ramp analysis | 47% | Education sector (leads all industries) |
| G2 Track | ~47% | Cross-sector, corroborating Ramp |
| Zylo SaaS Management Index (Jan 2026) | 36% | 40M licenses, $75B in spend |
| Gartner benchmark | 25% | Cross-sector provisioned SaaS |
Higher education SaaS spend per employee runs lower than the cross-sector average, in the range of $3,000 to $5,500 annually according to sector-adjusted benchmarks drawing on Zylo and Vertice data. A mid-size institution with 500 employees spending $3,000 to $4,000 per employee on SaaS is looking at $1.5 million to $2.0 million in annual SaaS expenditure. At 25% to 36% waste, that is $375,000 to $720,000 in annual license spend on accounts that nobody is using. I want to be clear: this is a constructed estimate, not a reported figure from a higher-ed-specific study. But the inputs are sourced, and the range is conservative given that education's 47% waste rate exceeds the cross-sector average.
The structural driver is deprovisioning failure. When a student leaves and their accounts are not terminated, every SaaS license assigned to that student continues to bill. When 84% of applications and 74% of spending sit outside IT's direct responsibility (Zylo 2025), with an average of 7.6 new applications entering the environment each month, the IT team doing manual deprovisioning may not even know which applications to deprovision. The accounts become orphaned. The licenses keep billing. The CFO sees a SaaS line item that grows every year without a corresponding increase in users, and nobody can explain why because the connection between identity lifecycle management and software spend has never been made visible to the people who control the budget.
The audit finding nobody budgeted for
A third cost category tends to surface after the first two have already done their damage. Orphaned accounts are not just a license waste problem. They are an audit finding waiting to happen.
When the external auditor or an internal compliance review discovers active accounts belonging to students or contingent faculty who departed months or years ago, the finding is straightforward: the institution cannot demonstrate that it controls access to its own systems. At institutions subject to GLBA, FERPA, or state data privacy requirements, this is not a footnote. It is a remediation item with a timeline. Cross-sector data suggests that 31% of organizations have experienced former members accessing systems after departure, a figure I cite with the caveat that the underlying study methodology is not fully disclosed, but which is directionally consistent with what I saw in practice.
The remediation cost is where it gets concrete. Manual remediation of orphaned accounts means someone has to audit every system, identify every account that should have been deprovisioned, verify each one against HR and SIS records, and execute the termination. At an institution with 1,800 orphaned accounts spread across a dozen or more systems, that is weeks of staff time, often performed under deadline pressure from the auditor's remediation timeline. A conservative estimate, based on 15 to 30 minutes per account across all systems, puts the remediation effort at 450 to 900 staff hours. That is another quarter to half of an FTE, consumed not by ongoing operations but by cleaning up the consequences of not having automated the lifecycle in the first place. And unlike the ongoing provisioning labor, this cost arrives as a lump: unplanned, unbudgeted, and non-deferrable once the auditor has documented it.
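The verification step described above, as an added example rather than code from any product or institution: each system's account export is checked against the SIS/HR record, producing a per-person deprovisioning worklist and a list of accounts that cannot be tied to anyone. The field names, the 30-day grace period, and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed SIS/HR extract: the authoritative record of affiliation.
# Field names (status, end_date) are assumptions for this example.
AUTHORITATIVE = {
    "s1001": {"status": "enrolled", "end_date": None},
    "s1002": {"status": "withdrawn", "end_date": date(2025, 5, 16)},
    "s1003": {"status": "dual_enrolled", "end_date": date(2025, 12, 12)},
    "f2001": {"status": "adjunct", "end_date": date(2026, 5, 15)},
}

# Constructed per-system account exports: system -> [(account, person_id)].
# person_id is None when the system holds no link back to SIS/HR.
ACCOUNTS = {
    "lms": [("jdoe", "s1001"), ("asmith", "s1002"), ("hs_kim", "s1003")],
    "email": [("asmith@example.edu", "s1002"), ("plee@example.edu", "f2001")],
    "library_proxy": [("hs_kim", "s1003"), ("guest42", None)],
}


def reconcile(authoritative, accounts, today, grace_days=30):
    """Return (worklist, unmatched).

    worklist:  person_id -> [(system, account)] still active after the
               person's affiliation ended more than grace_days ago.
    unmatched: [(system, account)] with no SIS/HR record; these need manual
               review because nothing authoritative says who owns them.
    """
    worklist = defaultdict(list)
    unmatched = []
    for system, rows in accounts.items():
        for account, person_id in rows:
            record = authoritative.get(person_id)
            if record is None:
                unmatched.append((system, account))
                continue
            end = record["end_date"]
            # A future end date (an adjunct's current contract) is not flagged.
            if end is not None and (today - end).days > grace_days:
                worklist[person_id].append((system, account))
    return dict(worklist), unmatched


if __name__ == "__main__":
    todo, review = reconcile(AUTHORITATIVE, ACCOUNTS, today=date(2026, 1, 15))
    for person, hits in todo.items():
        print(person, AUTHORITATIVE[person]["status"], hits)
    print("manual review:", review)
```

Grouping the findings by person rather than by system mirrors how the remediation effort is counted above: one departed student usually appears in several systems at once.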
The argument that survives the budget committee
I sat on a vendor risk committee for years. I watched dozens of pitches arrive and most of them die, because the argument was wrong for the room it was in.
The pitches that died opened with security posture, compliance frameworks, and risk mitigation. A budget committee at an institution running an operating deficit will acknowledge those concerns, defer them, and never fund them. The committee members nod. They ask good questions. They say they'll revisit it next fiscal year. They do not.
The pitches that got funded opened with a number the CFO recognized. A cost the institution was already paying. A line item that could be reduced without adding headcount.
Identity lifecycle automation resolves three simultaneous cost problems without requiring new positions. That is the argument. Security posture will improve, and the committee will acknowledge it, and they will never fund it on that basis alone. The argument that gets funded: you are spending money and labor on manual identity lifecycle work that automation eliminates, and you are simultaneously hemorrhaging license dollars on accounts that automation would deprovision on the day the student's SIS record changes.
| Cost category | Annual estimate (5,000-student institution) | Source of cost |
|---|---|---|
| Manual provisioning/deprovisioning labor | $70K–$90K (~1 FTE) | 2,000 hrs at $35–$45/hr |
| SaaS license waste from orphaned accounts | $375K–$720K | 25%–36% of $1.5M–$2.0M SaaS spend |
| Audit remediation (when it hits) | 450–900 staff hours, unbudgeted | Manual cleanup across 12+ systems |
Eighty-three percent of EDUCAUSE QuickPoll respondents said their institution is considering, planning, or implementing technologies that support operational efficiencies as a cost-reduction strategy. They are looking for ways to do the same work with fewer people and less money. Identity lifecycle automation fits that description precisely, if you describe it that way.
The enrollment cliff is structural and permanent. The international revenue collapse is acute. The financial distress is sector-wide and deepening. Every one of these forces will produce more churn and fewer IT staff to handle it. The institution that automates identity lifecycle management is buying back one FTE of manual provisioning labor that the hiring freeze is about to eliminate, reclaiming $375,000 to $720,000 in annual license waste from accounts that should have been deprovisioned the day the student left, and avoiding the 450-to-900-hour audit remediation that arrives when the orphaned accounts are finally discovered.
The CFO does not need to understand eduPersonAffiliation to understand that math. They need someone to put it in front of them.
Things to follow up on...
- Canvas breach, identity vector: ShinyHunters' May 2026 breach of Instructure's Canvas LMS, which disrupted final exams at institutions nationwide, exploited Free-For-Teacher accounts through social engineering: a credential governance failure, not a technical exploit.
- EDUCAUSE budget data going dark: EDUCAUSE took its Analytics Services Portal offline on May 31, 2025 for redesign, meaning the most granular IT spending benchmarks by institution type are now accessible only through a member-only community group, a gap that matters for anyone building a cost argument at a specific tier.
- Fitch's deteriorating outlook holds: Fitch Ratings maintained its "deteriorating" sector outlook for higher education into 2026, joining Moody's and S&P in forecasting continued financial stress driven by shrinking enrollment, expense escalation, and federal funding uncertainty.
- Dual enrollment surging, compounding churn: Dual enrollment now accounts for 21% of community college headcount after a 10% enrollment surge in 2024, generating term-by-term identity lifecycle transactions that traditional retention metrics do not capture.

