
Shadow IT: how to find it, why it's costing you, and how to stop it

Shadow IT — software in use without IT or finance approval — typically accounts for 30–50% of a mid-market company's total SaaS spend. It's also the most predictable source of breach, audit, and renewal pain. Here's how to surface it and shut it down without becoming the office police.

InventorIA Team
Published Apr 27, 2026 · 11 min read

Shadow IT isn't a moral failing. It's the natural output of teams that need to ship and a procurement process that takes three weeks to approve a $19/month tool. The fix isn't a stricter policy — it's a faster sanctioned path plus a discovery loop that catches the rest.

The four sources of shadow IT

  1. Personal credit card SaaS — a manager subscribes to a $30/month tool and expenses it. Multiplied across a 200-person company, this is the largest source.
  2. Free-tier creep — a team adopts a free version, the team grows, the free tier silently becomes a $5k/year paid plan that no one reviewed.
  3. Trial-to-paid drift — a 14-day trial auto-converts to a paid subscription because no one cancelled.
  4. Acquired tools — a company you bought brought 12 new SaaS subscriptions you don't yet know about.

Why it actually costs you

Cost | Magnitude (typical 200-employee org)
Direct waste (duplicate, unused, untracked) | $50k–$200k/year
Compliance / audit findings | One auto-remediation can run $10k+ per finding
Security incidents | 67% of breaches in 2025 traced to unmanaged SaaS (IBM Cost of Breach data)
Renegotiation leverage lost | Vendor knows your seat count, you don't; net 8–15% margin

Discovery techniques that actually work

1. Expense-report trawl

Pull the last 12 months of corporate card and expense data. Filter by merchant categories like SaaS, software, subscriptions. Group by vendor name. The list of vendors you've never heard of is your first shadow-IT pile.

2. Identity-provider OAuth grants

Most modern SaaS authenticates via Google or Microsoft. Both IdPs maintain a list of every third-party app users have granted access to. Export that list — it's typically 3–5x what your IT team thinks is in use. Settings → Security → OAuth apps in Google; Enterprise apps in Microsoft Entra.

3. DNS / proxy logs

If you run a corporate proxy or DNS resolver, the top destinations by request volume reveal which SaaS endpoints employees hit. Cross-reference against your sanctioned-tool list.

4. SaaS-to-SaaS connectors

Tools like Slack, Notion, and Zoom expose lists of installed apps. A Slack admin can list every app that's been added to a workspace. Same for Notion (integrations) and Zoom (marketplace apps). Each list has shadow-IT candidates.

5. Browser extension audit

For Chrome / Edge / Safari managed fleets, list installed extensions. Many "extensions" are actually full SaaS products with backend services and contracts.
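The expense-report trawl and DNS cross-reference from techniques 1 and 3, as an added example that is not InventorIA's code: it groups software-category card spend by normalised vendor, drops anything already in a sanctioned inventory, and attaches provenance to each candidate (first seen, who expensed it, spend, corroborating DNS requests). The expense rows, resolver log lines, alias table and sanctioned set are constructed assumptions.

```python
import csv

# Constructed sample data, not real company records.
EXPENSES_CSV = """date,employee,merchant,category,amount
2026-01-14,maria.l,FIGMA INC,Software,29.00
2026-02-14,maria.l,FIGMA INC,Software,29.00
2026-02-02,john.k,NOTION LABS,SaaS,15.00
2026-02-20,john.k,UBER TRIP,Travel,42.10
2026-03-05,ana.p,AIRTABLE,Subscriptions,20.00
"""
DNS_LOG = """2026-03-01T09:12:03Z 10.0.4.12 www.figma.com A
2026-03-01T09:12:08Z 10.0.4.12 api.figma.com A
2026-03-01T09:15:44Z 10.0.4.31 airtable.com A
"""
SOFTWARE_CATEGORIES = {"software", "saas", "subscriptions"}
SANCTIONED = {"notion", "google"}  # vendor keys already in the inventory
# Card-statement merchant string -> vendor key; a hand-maintained alias list (assumption).
VENDOR_ALIASES = {"FIGMA INC": "figma", "NOTION LABS": "notion", "AIRTABLE": "airtable"}

def normalise_vendor(merchant: str) -> str:
    """Map a raw merchant string to a vendor key; unknown strings fall back to their first word."""
    return VENDOR_ALIASES.get(merchant.strip().upper(), merchant.split()[0].lower())

def trawl_expenses(csv_text: str) -> dict:
    """Group software-category spend by vendor: first-seen date, who expensed it, total paid."""
    vendors = {}
    for row in csv.DictReader(csv_text.splitlines()):
        if row["category"].lower() not in SOFTWARE_CATEGORIES:
            continue  # travel, meals, etc. are not shadow-IT signal
        v = vendors.setdefault(normalise_vendor(row["merchant"]), {"first_seen": row["date"], "users": set(), "total": 0.0})
        v["first_seen"] = min(v["first_seen"], row["date"])  # ISO dates sort as strings
        v["users"].add(row["employee"])
        v["total"] += float(row["amount"])
    return vendors

def shadow_it_candidates(csv_text: str, log_text: str) -> list:
    """Expensed vendors absent from the sanctioned inventory, each with its provenance."""
    hits = {}  # registrable domain -> DNS request count
    for line in log_text.splitlines():  # assumes 'timestamp client qname qtype' resolver lines
        dom = ".".join(line.split()[2].split(".")[-2:])
        hits[dom] = hits.get(dom, 0) + 1
    out = []
    for vendor, info in trawl_expenses(csv_text).items():
        if vendor in SANCTIONED:
            continue
        # Heuristic: a domain corroborates the vendor when its label equals the vendor key.
        dns = sum(n for d, n in hits.items() if d.startswith(vendor + "."))
        out.append({"vendor": vendor, "first_seen": info["first_seen"], "users": sorted(info["users"]),
                    "spend": round(info["total"], 2), "dns_requests": dns})
    return sorted(out, key=lambda c: -c["spend"])
```

Feed it your real card export and resolver log, keep the alias table under version control, and each run's output is the triage list for the matrix below.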

The triage matrix

Once you have a list, sort each shadow-IT find into one of four buckets:

Bucket | Action
Sanctioned (just untracked) | Add to inventory, attach to owner, normal lifecycle
Useful but redundant | Migrate users to existing sanctioned tool, cancel
Compliance / security risk | Block, migrate, or remediate based on data sensitivity
Personal use | Remove from corporate billing; user can keep on personal card if wanted

Don't lead with shame

The fastest way to push shadow IT deeper is to publicly punish the first people you catch. Treat the first sweep as discovery, not enforcement. Enforcement starts after you've shipped a fast sanctioned path.

The fast sanctioned path

Eliminating shadow IT permanently requires a sanctioned alternative that's actually faster than going around procurement. The right pattern:

If a tool can be approved and provisioned in 4 days, expense reports stop being the path of least resistance.

Continuous prevention

One sweep finds the backlog. A continuous loop prevents it returning:

How InventorIA helps

InventorIA pulls expense data, IdP OAuth grants, and SaaS-API integrations into one shadow-IT view. Anything new gets flagged with its provenance ("first seen 2026-04-12 via expense report; user: Maria L.; cost: $29/mo"). Triage becomes a list with one-click actions — sanction, migrate, or block. More on the broader license discipline here.

Find your shadow IT before your auditor does

InventorIA surfaces every untracked SaaS — from expense reports, IdP grants, and 50+ integrations. Free tier covers 10 users.
