
In part two of our series "Closing the IT Data Trust Gap: From Raw Records to Decision‑Grade Intelligence" we talk about how identity classification can help turn inflated directory counts into numbers that match reality.
Pull up your Entra ID tenant right now. Count the identity objects. Now compare that to your actual headcount.
If you’re like most organizations we work with, the directory number is 2–3x the number of people who actually work there. A 500-person company shows 1,200 identities. A 5,000-person org shows 12,000.
This isn’t a data quality issue. Entra ID is doing exactly what it’s supposed to do. It tracks every identity object in the system, because identity management requires it. The problem is what happens when that raw count gets piped into a dashboard labeled “Total Users.”
Every identity provider maintains records for a wide range of identity types, not just employees. When you connect an IDP to an asset management platform, you’re importing all of them:
Most platforms display all of these as “users.” IT leaders don’t say “filter out service accounts.” They simply expect “users” to mean people.
The fix isn’t hiding data. It’s organizing it. At Asato, we present identity data through a progressive funnel:
The first level shows everything discovered across all sources. The second filters to active identities — removing disabled and terminated accounts. The third filters to human users — the number that should match your organization’s employee count.
The default view matches expectations. The full picture remains one click away for deeper analysis. No data is hidden — it’s classified and presented in a way that aligns with how you actually think about your organization.
Getting identity right isn’t just about the user count on a dashboard. It cascades through every downstream workflow. License optimization only works when you know how many actual humans need licenses. Utilization metrics are meaningless if service account activity inflates the numbers. Renewal negotiations require defensible user counts that hold up in vendor conversations.
The classification itself uses a combination of heuristic rules (naming conventions, account type flags, absence of interactive sign-in activity) and cross-dataset lookups (matching against HRIS records, checking for corresponding accounts in other systems). The goal: every identity gets a type, and that type determines how it’s counted, filtered, and presented across the platform.
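The classification rules and the three-level funnel described above, as an added example that is not Asato's code. The field names loosely follow Microsoft Graph user properties; the `svc-` style naming pattern, the `lastInteractive` field, the HRIS e-mail set and the sample records are assumptions constructed for illustration, and the "active" level here removes only disabled accounts.

```python
import re
from collections import Counter

# Constructed sample data. "lastInteractive" and the HRIS set are assumptions
# of this example, not fields or exports defined by the article.
HRIS_EMAILS = {"ana@corp.example", "bo@corp.example"}
IDENTITIES = [
    {"upn": "ana@corp.example", "userType": "Member", "accountEnabled": True, "lastInteractive": "2024-05-01"},
    {"upn": "bo@corp.example", "userType": "Member", "accountEnabled": True, "lastInteractive": None},  # new hire
    {"upn": "svc-backup@corp.example", "userType": "Member", "accountEnabled": True, "lastInteractive": None},
    {"upn": "room-4a@corp.example", "userType": "Member", "accountEnabled": True, "lastInteractive": None},
    {"upn": "pat_partner.example#EXT#@corp.onmicrosoft.com", "userType": "Guest", "accountEnabled": True, "lastInteractive": "2024-04-11"},
    {"upn": "cy@corp.example", "userType": "Member", "accountEnabled": False, "lastInteractive": "2023-01-09"},
    {"upn": "kim@corp.example", "userType": "Member", "accountEnabled": True, "lastInteractive": "2024-05-02"},  # not in HRIS
]

# Hypothetical naming convention for service accounts.
SERVICE_NAME = re.compile(r"^(svc|sa|app|bot)[-_.]", re.I)

def classify(identity, hris_emails):
    """Assign exactly one type; the most authoritative signals are checked first."""
    upn = identity["upn"].lower()
    if identity["userType"] == "Guest":      # account type flag
        return "guest"
    if upn in hris_emails:                   # cross-dataset lookup beats heuristics
        return "human"
    if SERVICE_NAME.match(upn):              # naming convention
        return "service"
    if identity["lastInteractive"] is None:  # never signed in interactively
        return "non_interactive"
    return "review"                          # signs in but has no HRIS record

def funnel(identities, hris_emails):
    """Level 1: everything discovered. Level 2: enabled. Level 3: humans."""
    active = [i for i in identities if i["accountEnabled"]]
    by_type = Counter(classify(i, hris_emails) for i in active)
    return {
        "discovered": len(identities),
        "active": len(active),
        "human": by_type["human"],
        "by_type": dict(by_type),
    }

if __name__ == "__main__":
    print(funnel(IDENTITIES, HRIS_EMAILS))
```

The `review` bucket keeps accounts that behave like people but have no HRIS match out of both the human and the service count until someone decides what they are.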
The difference between “1,200 users” and “500 employees, 200 service accounts, 300 guests, and 200 disabled accounts” is the difference between skepticism and trust.