The discovery: A 200-person fintech company's IT team audits their Okta instance and finds 847 unique SaaS applications connected via SSO or OAuth. Their official IT-approved tool list: 62 applications. The remaining 785 tools were purchased, signed up for, or connected by employees without IT or procurement review.
This is shadow IT — and it is not a rogue employee problem. It is a procurement gap problem. When buying a SaaS tool is easier than getting approval for one, employees buy first and ask for approval never.
This guide gives you 4 discovery methods to find every unauthorized tool in your environment and a 4-phase governance workflow to prevent new shadow IT from accumulating.
What Shadow IT Is (and Isn't)
Shadow IT in the SaaS context is any tool purchased, used, or connected to your corporate identity without IT or procurement review and approval. It includes:
- Tools purchased with departmental credit cards or personal expense reports
- Free tiers or trials that persist for months or years without oversight
- OAuth-connected apps (the "Sign in with Google" apps your employees authorize)
- Tools that were approved years ago but are now outside governance review cycles
- Vendor-provided "free" modules embedded in contracts you didn't know about
- 65%: More SaaS tools than IT knows about, average mid-size company (Gartner 2025)
- $1,400: Average annual shadow IT spend per employee at 100-500 person companies
- 31%: Of enterprise data breaches involve unauthorized SaaS applications (IBM Security 2025)
The security risk you can't ignore: Shadow IT tools handle real company data — customer lists, financial records, HR information, source code — without having passed security review. The average unauthorized SaaS app has not been evaluated for SOC 2, GDPR compliance, or data handling practices. Each unauthorized tool is a potential breach vector and a regulatory liability.
The True Cost of Shadow IT at Your Company
The cost of shadow IT is not just the license fees for unauthorized tools. It is four compounding cost categories:
| Cost Category | Example | Estimated Annual Cost (100-person company) |
|---|---|---|
| Direct license cost | Teams paying for duplicate tools (3 project management tools, 2 analytics platforms) | $40K–$100K |
| Compliance exposure | GDPR fines for unauthorized data processing by unauthorized vendors | $0–$500K (risk-adjusted exposure) |
| Integration maintenance | Engineers maintaining ad-hoc integrations between unauthorized tools | $20K–$60K |
| Security remediation | Cost to investigate and clean up after an unauthorized tool causes an incident | $10K–$200K per incident |
| Negotiating leverage loss | Paying full price on approved tools because shadow tools fragment volume | $15K–$40K |
Total annual shadow IT cost for a 100-person company: $85K–$400K+ — with the wide range driven by whether a compliance incident occurs. The median company with no active governance is spending $120K–$150K more than necessary on SaaS.
4 Discovery Methods: Finding Every Unauthorized Tool
No single discovery method finds everything. Use all four to build a complete picture. Each method finds a different category of shadow IT.
Method 1: SSO/IdP Audit
What it finds: Every application your employees have authenticated with using corporate credentials (Google Workspace SSO, Okta, Microsoft Azure AD). This is the single most complete discovery method for modern SaaS environments.
How to run it:
- Okta: Admin Console → Reports → System Log → filter for "User.Authentication.Auth_Via_MFA" or "App.OAuth2.Token.Grant" events. Also check Applications → Applications for all active integrations.
- Google Workspace: Admin Console → Reports → Apps → All Apps. Shows every OAuth-connected app with number of users and access scope.
- Microsoft Azure AD: Azure Portal → Enterprise Applications → All Applications. Shows all apps registered with SAML or OAuth.
What to look for:
- Apps with high user count that aren't on your approved list
- Apps requesting excessive permission scopes (e.g., an analytics tool requesting "Read and write access to all files in Google Drive")
- Apps registered by individual employees, not by IT (look for personal email addresses as app administrators)
- Apps with zero active users in the last 30 days (connected but abandoned)
Typical findings: 5–30x more apps than IT's approved list. A 200-person company using Google Workspace typically has 300–1,200 unique OAuth-connected apps. The vast majority are legitimate but unreviewed.
Quick win: In Google Workspace Admin, you can restrict OAuth app authorization to admin-approved apps only. This immediately stops new shadow IT from arriving through the OAuth channel. Do this after the audit — not before — to avoid breaking active workflows.
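An added example (not from the original guide) of the "what to look for" triage applied to an IdP "all connected apps" export. The corporate domain, approved list, scope list, thresholds and the sample rows are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed values for this example: corporate domain, IT-approved list and
# broad Google OAuth scopes that should trigger review when an app requests them.
CORP_DOMAIN = "example.com"
APPROVED_APPS = {"Slack", "Salesforce", "Zoom"}
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive",            # full Drive read/write
    "https://www.googleapis.com/auth/gmail.readonly",   # read all mail
    "https://www.googleapis.com/auth/admin.directory.user",
}
HIGH_USER_COUNT = 10   # "high user count" threshold chosen for this example
STALE_DAYS = 30        # abandoned if no sign-in within this window


@dataclass
class OAuthApp:
    """One row of an IdP 'all connected apps' export (fields are constructed)."""
    name: str
    users: int
    scopes: list
    admin_email: str
    last_used: date


def triage(app: OAuthApp, today: date) -> list:
    """Return the review flags for one app, in the order the text lists them."""
    flags = []
    if app.name not in APPROVED_APPS and app.users >= HIGH_USER_COUNT:
        flags.append("unapproved-high-usage")
    if BROAD_SCOPES & set(app.scopes):
        flags.append("excessive-scopes")
    if app.admin_email.rsplit("@", 1)[-1].lower() != CORP_DOMAIN:
        flags.append("personal-admin")          # registered by an individual, not IT
    if app.users == 0 or (today - app.last_used).days > STALE_DAYS:
        flags.append("abandoned")               # connected but unused
    return flags


def report(apps, today: date) -> dict:
    """Map app name -> flags, omitting apps that need no review."""
    return {a.name: f for a in apps if (f := triage(a, today))}


TODAY = date(2026, 3, 1)
SAMPLE_APPS = [  # constructed export rows
    OAuthApp("Slack", 180, ["openid", "email"], "it@example.com", date(2026, 2, 28)),
    OAuthApp("PDF Wizard", 42, ["https://www.googleapis.com/auth/drive"],
             "jane.doe@gmail.com", date(2026, 2, 27)),
    OAuthApp("Old CRM Sync", 0, ["https://www.googleapis.com/auth/gmail.readonly"],
             "ops@example.com", date(2025, 10, 1)),
    OAuthApp("Meme Maker", 3, ["openid"], "bob@example.com", date(2026, 2, 20)),
]

if __name__ == "__main__":
    for name, flags in report(SAMPLE_APPS, TODAY).items():
        print(f"{name}: {', '.join(flags)}")
```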
Method 2: Expense Report and AP Analysis
What it finds: SaaS tools purchased with company credit cards, personal cards (expensed), departmental P-cards, or ACH payments. This is the only method that finds paid shadow IT with specific cost data.
How to run it:
- Pull 12–24 months of corporate card transactions. Filter for merchant categories: Software, Computer Services, Online Services, Subscriptions.
- Pull expense report line items from your T&E system (Concur, Expensify, SAP). Search for: "subscription," "software," "SaaS," "license," "annual," "monthly."
- Pull AP/ERP vendor list and match against known SaaS vendor names. Flag any vendors not in your approved vendor list.
- Check AWS, GCP, and Azure bills for Marketplace purchases and third-party service charges embedded in cloud bills.
What to look for:
- Recurring monthly charges to the same vendor (strong signal of shadow subscription)
- Multiple employees expensing the same vendor (signal of uncoordinated team purchase)
- Annual charges from unknown vendors (often shadow IT that was signed up once and forgotten)
- Charges from personal email domains suggesting personal-account tool use on company expense
Common finds: Project management tools (Notion, Monday.com, ClickUp) purchased by individual teams; design tools (Canva Pro, Adobe CC) expensed by individuals; AI tools (ChatGPT Plus, Claude Pro, Perplexity) expensed without enterprise license; analytics tools (Mixpanel, Amplitude) purchased by product teams without IT involvement.
Sample search query for expense report analysis:
Expense Report Keywords to Flag:
- "subscription" OR "license" OR "SaaS" OR "software"
- Monthly amounts: $10-$500 (individual SaaS subscriptions)
- Annual amounts: $100-$10,000 (team/department SaaS)
- Recurring charges from same vendor across 3+ months
AP Vendor Matching:
1. Export AP vendor list
2. Export approved SaaS vendor list
3. VLOOKUP/match — flag any AP vendors NOT in approved list
4. For flagged vendors: pull all payments in last 24 months
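The keyword, recurring-charge, multi-employee and AP vendor-matching checks above, as one added script (not part of the original guide). The keyword list follows the text; the approved-vendor list and the transaction lines are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Search terms from the method above, plus an approved-vendor list
# (constructed for this example; merchant names are compared lower-cased).
KEYWORDS = ("subscription", "license", "saas", "software", "annual", "monthly")
APPROVED_VENDORS = {"salesforce", "slack technologies", "zoom video communications"}
MIN_RECURRING_MONTHS = 3

# Constructed card/expense lines: (posted date, merchant, amount, employee, memo)
TRANSACTIONS = [
    (date(2025, 10, 3), "Notion Labs", 48.00, "alice", "team workspace subscription"),
    (date(2025, 11, 3), "Notion Labs", 48.00, "alice", "team workspace subscription"),
    (date(2025, 12, 3), "Notion Labs", 48.00, "alice", "team workspace subscription"),
    (date(2025, 12, 5), "Notion Labs", 16.00, "bob", "notion plus"),
    (date(2025, 11, 20), "Salesforce", 1500.00, "ap", "CRM license"),
    (date(2026, 1, 9), "Canva", 119.99, "carol", "canva pro annual"),
    (date(2026, 1, 15), "Delta Air Lines", 412.10, "dave", "flight to NYC"),
]


def analyze(transactions) -> dict:
    """Group by merchant and return unapproved vendors that look like software."""
    by_vendor = defaultdict(list)
    for tx in transactions:
        by_vendor[tx[1].lower()].append(tx)

    findings = {}
    for vendor, txs in by_vendor.items():
        text = " ".join(f"{t[1]} {t[4]}".lower() for t in txs)
        months = {(t[0].year, t[0].month) for t in txs}
        flags = []
        if any(k in text for k in KEYWORDS):
            flags.append("software-keyword")
        if len(months) >= MIN_RECURRING_MONTHS:
            flags.append("recurring")         # same vendor across 3+ months
        if not flags:
            continue                          # no software signal: airfare, meals, ...
        if vendor in APPROVED_VENDORS:
            continue                          # AP vendor matching: approved, skip
        if len({t[3] for t in txs}) > 1:
            flags.append("multi-employee")    # uncoordinated team purchase
        findings[vendor] = {
            "flags": flags,
            "months": len(months),
            "total": round(sum(t[2] for t in txs), 2),
        }
    return findings


if __name__ == "__main__":
    for vendor, f in analyze(TRANSACTIONS).items():
        print(f"{vendor}: ${f['total']:.2f} over {f['months']} month(s) -> {f['flags']}")
```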
Method 3: Network and DNS Monitoring
What it finds: Every SaaS domain accessed from your corporate network or through your corporate DNS/proxy. This is the most comprehensive method but requires network infrastructure access.
How to run it:
- DNS logs: If you control DNS (via your own DNS servers or a service like Cloudflare Gateway, Cisco Umbrella), pull a list of all unique domains resolved in the last 30–90 days. Filter for SaaS domains.
- Proxy/firewall logs: Web proxy solutions (Zscaler, Palo Alto Prisma, Cisco Umbrella) provide categorized traffic reports by application. Look for categories: "Software as a Service," "Business Applications," "Cloud Storage."
- CASB (Cloud Access Security Broker): Tools like Netskope, McAfee MVISION, or Microsoft Defender for Cloud Apps are purpose-built for SaaS discovery and can identify 99%+ of SaaS apps from traffic analysis. Typical cost: $15–$30/user/year.
What to look for:
- High-traffic domains that aren't on your approved list (strong signal of active shadow IT)
- Personal cloud storage domains (personal Dropbox, Google Drive via personal accounts)
- AI/LLM services (ChatGPT, Claude, Gemini) being used without enterprise license (potential data leakage risk)
- Competitor or blacklisted SaaS categories
Limitation: Network monitoring misses tools used from home networks, personal mobile devices, or over a VPN that bypasses corporate traffic inspection. It catches 60–80% of shadow IT in a hybrid work environment, not 100%.
Data leakage risk: AI tools are the #1 shadow IT concern in 2026. Employees are feeding customer data, source code, financial projections, and HR information into ChatGPT, Claude, and other AI services via personal accounts — with no enterprise data protection, no audit trail, and no DPA in place. This is GDPR and HIPAA exposure hiding in plain sight. Network monitoring catches this; expense reports often don't.
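An added example (not from the original guide) of the DNS-log pass described above: aggregate queries per registrable domain, drop approved domains, and label the rest with the watch categories the text calls out (AI/LLM services, personal cloud storage, known SaaS). The log lines, approved list and category lists are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed resolver log (timestamp, client IP, queried name, record type),
# in the shape a DNS/proxy export might take; not from any real product.
DNS_LOG = """\
2026-02-10T09:14:02Z 10.0.4.21 chat.openai.com A
2026-02-10T09:14:05Z 10.0.4.21 chat.openai.com AAAA
2026-02-10T09:16:40Z 10.0.4.33 app.slack.com A
2026-02-10T09:20:11Z 10.0.4.40 www.dropbox.com A
2026-02-10T09:21:02Z 10.0.4.40 dl.dropboxusercontent.com A
2026-02-10T09:25:19Z 10.0.4.51 claude.ai A
2026-02-10T09:30:00Z 10.0.4.21 api.notion.so A
2026-02-10T09:31:00Z 10.0.4.12 app.figma.com A
2026-02-10T09:32:00Z 10.0.4.12 www.example.com A
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (A|AAAA)$")

# Approved list and watch categories are constructed for this example.
APPROVED = {"slack.com", "example.com"}
CATEGORIES = {
    "ai-llm": {"openai.com", "claude.ai", "perplexity.ai"},
    "personal-storage": {"dropbox.com", "dropboxusercontent.com"},
    "saas": {"notion.so", "monday.com", "clickup.com"},
}


def registrable(name: str) -> str:
    """Naive eTLD+1 (last two labels); fine for .com/.ai, wrong for e.g. co.uk."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def discover(log: str) -> list:
    """Return unapproved domains ordered by query volume, with category and client count."""
    queries, clients = Counter(), defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        _, client, qname, _ = m.groups()
        domain = registrable(qname)
        queries[domain] += 1
        clients[domain].add(client)

    findings = []
    for domain, n in queries.most_common():
        if domain in APPROVED:
            continue
        category = next((c for c, d in CATEGORIES.items() if domain in d), "uncategorized")
        findings.append({"domain": domain, "queries": n,
                         "clients": len(clients[domain]), "category": category})
    return findings


if __name__ == "__main__":
    for f in discover(DNS_LOG):
        print(f"{f['domain']:<26} {f['queries']:>3} queries  {f['clients']} client(s)  {f['category']}")
```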
Method 4: Employee Survey
What it finds: Tools used from personal devices, personal accounts, or home networks — invisible to network monitoring and expense analysis. Also surfaces tools employees are using for free that IT needs to know about.
How to run it: Send a structured survey to all employees (or department leads for initial discovery). Keep it anonymous to get honest responses.
Subject: SaaS Tool Inventory — 5-Minute Survey (Anonymous)
We're auditing our software tools to reduce costs and improve security. Your responses are anonymous. This is NOT about finding policy violations — it's about helping IT better support the tools your team actually uses.
Please list all software tools you use for work:
1. Tools your team uses that IT manages (Slack, Salesforce, etc.): [free text]
2. Tools you use that you signed up for yourself (including free tools): [free text]
3. Tools you use that your team purchased without IT involvement: [free text]
4. Tools you used to use but no longer need: [free text]
5. Tools you WISH you had that would make your job easier: [free text]
6. Department: [Engineering / Sales / Marketing / Operations / HR / Finance / Other]
Survey closes [DATE]. Questions: [contact]
What to look for:
- Tools appearing across multiple departments (candidate for consolidation into enterprise license)
- Free tools that the company should standardize and pay for (Figma Free → Figma Professional)
- Duplicates of existing approved tools (signal of user dissatisfaction with the approved option)
- Tools from Question 5 — this is your product roadmap for approved tools and a signal of where shadow IT will grow next
Typical findings: 20–40% of tools found in the employee survey are invisible to the other three methods. Mobile apps, browser extensions, and personally managed tools are almost entirely missed by network and expense analysis.
4-Phase Governance Workflow
Discovery is Phase 1. Governance is what prevents the problem from re-accumulating. The full workflow runs over 12 weeks to establish, then operates quarterly for ongoing oversight.
Phase 1: Discovery (Weeks 1–4)
Goal: Complete inventory of all SaaS tools — approved and shadow.
- Week 1: Run SSO/IdP audit (Okta/Azure AD/Google Workspace). Export all connected apps.
- Week 2: Run expense report and AP analysis. Pull 24 months of transactions.
- Week 3: Run employee survey. Parse DNS/proxy logs if available.
- Week 4: Consolidate all findings into master inventory spreadsheet. Remove duplicates. Categorize by department.
Output: Master SaaS inventory: vendor name, annual cost, department, number of users, data type handled, current approval status.
Phase 2: Risk Assessment (Weeks 5–8)
Goal: Assess each shadow tool for security risk, compliance exposure, and business value.
- Week 5–6: Triage tools into 3 risk tiers based on data sensitivity (see tiers below).
- Week 6–7: For Tier 1 tools: request SOC 2 report, GDPR DPA availability, and vendor contact. Decision: approve, migrate to approved alternative, or terminate.
- Week 7–8: For Tier 2 tools: abbreviated review. For Tier 3: acknowledge and monitor.
Triage tiers:
- Tier 1 (High risk): Handles PII, financial data, PHI, source code, or customer data. Full security review required. Examples: CRM alternatives, analytics tools with customer data, HR tools.
- Tier 2 (Medium risk): Handles internal business data but not regulated data. Abbreviated review. Examples: project management, internal communications, productivity tools.
- Tier 3 (Low risk): Standalone tools with no data integration. Acknowledge and monitor. Examples: grammar checkers, design tools with no data upload, scheduling tools used with public calendars.
Phase 3: Policy Creation (Weeks 9–12)
Goal: Establish the rules that prevent new shadow IT from accumulating.
- Week 9: Draft SaaS Procurement Policy (see template below). Get legal and HR review.
- Week 10: Define approved tool categories and the approved alternatives for common use cases. Publish as internal wiki.
- Week 11: Set up approval workflow for new SaaS requests (lightweight Jira ticket or form, reviewed weekly by IT + Finance).
- Week 12: Communicate policy to all employees. Frame as "we're making it easier to get the right tools" not "we're cracking down." Provide the approved tool list. Launch request process.
Phase 4: Ongoing Monitoring (Quarterly)
Goal: Catch new shadow IT before it becomes entrenched. Monitor existing tools for usage and value.
- Monthly: Review new OAuth app connections in IdP. Flag any not on approved list for review.
- Quarterly: Run abbreviated expense report scan for new recurring software charges. Review seat utilization for approved tools (deprovision unused seats).
- Semi-annually: Re-run employee survey to catch gaps. Update approved tool list.
- Annually: Full re-audit using all 4 methods. Update security reviews for Tier 1 tools.
KPIs to track: Number of unapproved tools discovered (should decline YoY), time-to-approval for new tool requests (target: under 5 business days), SaaS spend per employee (should stabilize or decline), number of unused licensed seats across portfolio.
Decision Matrix: Keep, Consolidate, or Terminate
For each shadow IT tool discovered, apply this decision matrix:
| Situation | Decision | Action |
|---|---|---|
| Tool is used by 10+ people, no approved alternative exists, passes security review | Approve and negotiate | Retroactively approve. Negotiate enterprise license if team has been paying individual accounts. Add to renewal calendar. |
| Tool duplicates an approved tool with similar functionality | Migrate and terminate | Set migration deadline (60–90 days). Communicate to users. Cancel after migration. Recover savings. |
| Tool is used by 1–3 people, no broader need, passes security review | Allow with conditions | Allow within personal expense limit (e.g., under $50/month). Require data classification: no regulated data. Annual re-review. |
| Tool fails security review or handles regulated data without compliance documentation | Terminate immediately | Notify users with 30-day termination timeline. Assist with data export. Offer approved alternative if need is legitimate. |
| Tool is a free tier with no cost, low risk | Acknowledge and monitor | Add to inventory. Classify as Tier 3. Review if usage grows or if employee requests paid upgrade. |
| Tool is used by 0 people in last 90 days | Terminate | Confirm abandonment with department lead. Cancel. Revoke OAuth access. Recover any prepaid cost. |
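The matrix rows overlap (an abandoned tool can also duplicate an approved one), so an automated triage needs an explicit precedence. This added example (not part of the original guide) encodes the matrix with the most severe outcome checked first; the tool attributes and sample tools are constructed.

```python
from dataclasses import dataclass


@dataclass
class ShadowTool:
    """Attributes gathered during discovery and risk assessment (constructed fields)."""
    name: str
    active_users: int
    days_since_last_use: int
    passes_security_review: bool
    handles_regulated_data: bool
    has_compliance_docs: bool       # SOC 2 report / DPA on file
    duplicates_approved_tool: bool
    monthly_cost: float             # 0.0 for a free tier


PERSONAL_EXPENSE_LIMIT = 50.0       # per-month limit from the "allow with conditions" row


def decide(t: ShadowTool) -> str:
    """Apply the matrix with the most severe outcome first, since rows can overlap."""
    if not t.passes_security_review or (t.handles_regulated_data and not t.has_compliance_docs):
        return "terminate-immediately"      # 30-day timeline, assist data export
    if t.active_users == 0 and t.days_since_last_use >= 90:
        return "terminate"                  # confirm abandonment, revoke OAuth
    if t.duplicates_approved_tool:
        return "migrate-and-terminate"      # 60-90 day migration deadline
    if t.active_users >= 10:
        return "approve-and-negotiate"      # no approved alternative exists
    if t.monthly_cost == 0:
        return "acknowledge-and-monitor"    # free tier, low risk: Tier 3
    if 1 <= t.active_users <= 3 and t.monthly_cost <= PERSONAL_EXPENSE_LIMIT:
        return "allow-with-conditions"      # no regulated data, annual re-review
    return "manual-review"                  # 4-9 users or over the expense limit


SAMPLE_TOOLS = [  # constructed examples, one per matrix row plus an overlapping case
    ShadowTool("TeamBoard", 14, 2, True, False, False, False, 9.0),
    ShadowTool("OtherChat", 25, 1, True, False, False, True, 8.0),
    ShadowTool("SoloNotes", 2, 5, True, False, False, False, 12.0),
    ShadowTool("LeadScraper", 6, 3, True, True, False, False, 99.0),
    ShadowTool("FreeDiagram", 4, 10, True, False, False, False, 0.0),
    ShadowTool("OldTracker", 0, 120, True, False, False, True, 30.0),   # abandoned AND duplicate
]

if __name__ == "__main__":
    for tool in SAMPLE_TOOLS:
        print(f"{tool.name:<12} -> {decide(tool)}")
```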
ROI Model: 50-Person Company Shadow IT Governance
50-Person Company — Baseline SaaS Scenario
- Total SaaS spend (IT-visible): $840,000/year ($16,800/employee)
- Shadow IT multiplier: 65% more tools than IT knows about
- Estimated shadow IT spend: $360,000/year (30% of $1.2M total estimated)
| Shadow IT Category | Estimated Annual Cost | Governance Action | Recoverable Savings |
|---|---|---|---|
| Duplicate tools (redundant with approved stack) | $80,000 | Identify + migrate + terminate | $64,000 (80% recovery after migration cost) |
| Individual accounts where enterprise license should apply | $90,000 | Consolidate to enterprise license at volume discount | $27,000 (30% discount on consolidated license) |
| Abandoned tools still being paid | $45,000 | Cancel immediately | $45,000 (100% recovery) |
| Approved tools with unused seats (revealed by audit) | $145,000 (wasted seat cost) | Deprovision unused seats | $52,000 (36% reduction) |
| Total recoverable savings — Year 1 | $360,000 shadow + $145K waste | | $188,000 |
Cost of running the governance program:
- Initial audit (one-time): 80 hours internal IT/Finance time × $100/hr fully loaded = $8,000
- Ongoing quarterly monitoring: 20 hours/quarter = $8,000/year
- Policy creation and communication (one-time): $3,000–$5,000
- Total Year 1 cost: ~$19,000–$21,000
Year 1 net ROI: $188,000 savings − $20,000 cost = $168,000 net savings. 8.4x return.
Year 2+ ROI: Governance prevents $80,000–$120,000 of new shadow IT from accumulating. Ongoing cost: $8,000/year. Net annual benefit: $72,000–$112,000. 9–14x return.
SaaS Procurement Policy Template
Copy and adapt this policy for your organization. Have legal and HR review before publishing.
SAAS PROCUREMENT POLICY
Effective Date: [DATE]
Applies To: All employees and contractors of [Company Name]
1. PURPOSE
This policy establishes requirements for evaluating, purchasing, and managing SaaS (Software as a Service) tools to protect company data, optimize spend, and ensure regulatory compliance.
2. SCOPE
This policy applies to all SaaS tools, cloud services, and software subscriptions used for company business, regardless of cost, payment method, or whether the tool is free.
3. APPROVAL REQUIREMENTS
3.1 All New Tools Require Prior Approval: No employee may sign up for, purchase, or authorize a SaaS tool for company use without prior approval, except as noted in Section 3.2.
3.2 Self-Service Exception: Employees may use the following without approval:
- Tools on the Approved Tool List at approved.tools.company.com
- Free-tier tools that: (a) do not process company confidential data, customer data, or regulated data, (b) cost $0 and have no credit card requirement, and (c) are used by one individual only with no team-wide rollout
3.3 Approval Process: All other tools require submission of a Tool Request Form (forms.company.com/saas-request) including:
- Tool name, vendor, and annual cost estimate
- Business justification
- Number of users and departments
- Data types the tool will handle
- Link to vendor's privacy policy and SOC 2 documentation (if available)
- Proposed renewal date and budget owner
3.4 Approval Timeline: Tool requests are reviewed within 5 business days by IT Security and Finance. Urgent requests (business blocker) may be escalated to IT Director for expedited review.
4. PAYMENT AND EXPENSE RULES
4.1 All SaaS purchases over $100/month or $1,200/year must be paid through accounts payable (not expense reports).
4.2 Employees may expense SaaS tools under $100/month only if: (a) the tool has been approved, or (b) the tool meets the Self-Service Exception criteria.
4.3 Personal credit card purchases of SaaS tools used for company business are only reimbursable if approved in advance.
5. DATA CLASSIFICATION REQUIREMENTS
5.1 Employees must not use unapproved tools to process:
- Customer data (names, emails, purchase history, support tickets)
- Employee data (HR records, compensation, performance)
- Financial data (bank accounts, payment data, revenue data)
- Regulated data (PHI under HIPAA, personal data under GDPR)
- Confidential company data (source code, product roadmaps, pricing models)
6. ENFORCEMENT
6.1 IT reserves the right to revoke OAuth/SSO access to any unapproved tool.
6.2 Expenses for unapproved SaaS tools may not be reimbursed.
6.3 Repeated policy violations may result in disciplinary action per the Employee Handbook.
6.4 This policy does not apply retroactively to tools purchased before [EFFECTIVE DATE].
7. TOOL REQUEST APPEALS
If a tool request is denied and the employee believes the denial was in error, appeals may be submitted to [IT Director / CTO] within 10 business days.
Questions: it-saas@company.com | Approved Tool List: approved.tools.company.com