IT Infrastructure

Shadow IT Discovery: Find Every App Your Employees Use

Shadow IT Discovery Find Every App Your Employees Use

Ask a CIO how many applications their company runs, and you’ll get a number from the asset register. Ask what employees are actually opening every day, and the honest answer is usually “we don’t fully know.” That gap is the entire problem shadow IT discovery exists to close: the systematic process of finding every SaaS tool, browser extension, AI assistant, and cloud service employees have adopted on their own — outside of IT’s visibility, approval, or security review.

The gap is rarely malicious. A marketing lead signs up for a free trial to hit a deadline. An engineer wires a personal API key into a script because provisioning the sanctioned one takes two weeks. None of it shows up in the asset register, and none of it gets patched, backed up, or reviewed for who can access it. A focused infrastructure audit is usually the fastest way to see how wide that gap already is — most teams are surprised by the count on day one. This guide walks through why the gap keeps growing, the methods and tools that actually close it, and what to do with what you find.

What Is Shadow IT Discovery?

Shadow IT discovery is the ongoing practice of identifying every application, cloud service, and integration in active use across an organization — including the ones IT never provisioned, approved, or was told about. It covers three overlapping categories: unsanctioned SaaS tools employees sign up for directly (a project tracker, a design tool, a file-sharing service), unsanctioned AI tools and browser extensions employees install for individual productivity, and unmanaged connections — OAuth grants and API integrations that quietly link a sanctioned tool to an unsanctioned one behind the scenes.

It is distinct from a one-time software audit. A spreadsheet inventory captures what people admit to using when asked; shadow IT discovery is built on the assumption that most of it won’t be admitted, because most employees don’t think of a free SaaS signup as an “IT decision” in the first place. The output isn’t a static list — it’s a living inventory that gets re-checked on a schedule, because new tools get adopted continuously and the list from last quarter is already stale. Most organizations first run into the scale of the problem during the discovery phase of a broader IT modernization effort, where an outdated asset list is one of the first things a real audit exposes.

Why Shadow IT Keeps Growing — and Why “Just Ask IT” Doesn’t Work

Shadow IT isn’t a one-time cleanup problem; it’s a structural side effect of how modern software gets adopted. Any employee with a corporate email and a credit card can be running a new tool in minutes, with no procurement step, no security review, and no reason to loop IT in unless something breaks. The scale is bigger than most leadership teams assume:

The numbers behind the gap: Gartner has long estimated that shadow IT accounts for 30-40% of IT spending in large enterprises — spend that never passes through a security or procurement review. The Cloud Security Alliance’s State of SaaS Security Report 2025-2026 found that 72% of security teams don’t actually know how many shadow IT apps exist in their environment, even though 55% confirm employees are adopting SaaS tools without security’s involvement right now. And it isn’t a victimless gap: IBM’s 2025 Cost of a Data Breach Report found that breaches linked to shadow AI tools occurred in 20% of studied organizations, added an average of $670K to the total breach cost, and involved a lack of any access controls 97% of the time.

“Just ask IT what’s in use” fails for a simple reason: IT can only report what it was told about, and most shadow tools were adopted specifically because asking felt slower than signing up. That’s why discovery has to be evidence-based rather than survey-based — pulling from the systems that see usage happen (identity logs, network traffic, expense records, endpoints) rather than relying on employees to self-report something they may not even realize counts. A few signals reliably mean the gap is bigger than leadership assumes:

  • Finance can’t map every recurring software charge to a named owner or business justification.
  • New hires get most of their toolset from a teammate’s recommendation, not from an IT-provisioned onboarding list.
  • The security team has never run a browser-extension or OAuth-grant audit against the company’s identity provider.
  • Nobody can say, with confidence, which tools currently hold customer or financial data outside the systems of record.
  • The last “complete” software inventory was built manually, by asking department heads, more than six months ago.

6 Shadow IT Discovery Methods, Compared

No single method sees everything — each one is tuned to catch a different kind of blind spot, which is why real shadow IT discovery programs layer several together rather than picking one tool and calling it done:

MethodWhat It CatchesBlind Spot
Identity provider / SSO log auditOAuth grants and “Sign in with Google/Microsoft” connections made through the corporate identity providerApps signed up with a personal email instead of SSO never appear here
Network traffic / DNS analysisAny cloud service reached from the corporate network or VPN, regardless of how the account was createdApps used only from personal devices or mobile data bypass the network entirely
CASB (Cloud Access Security Broker)Broad cloud app usage patterns with automated risk scoring across thousands of known servicesTypically the most expensive option; still blind to non-web and off-network traffic
SSPM (SaaS Security Posture Management)Misconfigurations, risky OAuth scopes, and third-party integrations inside apps that are already at least partially connectedOnly sees apps already integrated with something IT knows about — misses fully standalone tools
Expense report / procurement miningPaid subscriptions, including ones miscategorized under “office supplies” or “professional services”Free-tier tools and unreported personal expenses never generate a paper trail
Endpoint / browser extension agentApp and extension usage directly on the managed device, independent of network or billing signalsRequires agent deployment and consent; unmanaged BYOD devices are usually excluded
6 Shadow IT Discovery Methods, Compared

A Step-by-Step Shadow IT Discovery Process

You don’t need every tool in the comparison table above to get a usable inventory. The sequence below is built to produce a working shadow IT picture within a couple of weeks, using layered evidence rather than a single source of truth:

  1. Pull identity provider logs first — it’s free and it’s already sitting there. Export every third-party OAuth grant and SSO connection from your identity provider (Okta, Entra ID, Google Workspace). This alone typically surfaces the majority of sanctioned-adjacent shadow tools, since most modern SaaS signups still route through “Sign in with Google/Microsoft.” It’s the same data set behind running a user access review without spreadsheets, so teams doing both end up reusing most of the same export.
  2. Cross-reference with 90 days of network and DNS traffic. Match the domains your firewall or DNS resolver has actually seen against your identity-provider list. Anything reached from the network but absent from the SSO log is a strong shadow IT candidate — it means someone signed up without using company identity.
  3. Mine expense reports and card statements for recurring software charges. Finance data catches paid tools that never touch the network during a review window and often exposes duplicate spend on tools that already have a sanctioned equivalent.
  4. Run an endpoint or browser-extension scan on managed devices. This picks up locally installed apps and extensions with no meaningful network or billing footprint — a category that increasingly includes AI coding assistants and writing tools.
  5. Consolidate into a single inventory and score by risk, not by volume. Merge all four sources into one list, deduplicate, and rank by what data the tool can touch and who has access — not by how many people use it. A tool with three users and admin access to customer data outranks a tool with three hundred users and read-only access to a public calendar.
  6. Put a recurring re-scan on the calendar. New tools get adopted continuously, so a one-time inventory decays within a quarter. Treat discovery as a standing process — monthly identity-log pulls, quarterly full re-runs — not a project with an end date.
No single source sees every shadow tool — layering identity, network, financial, and endpoint signals is what produces a complete, risk-ranked inventory.

What to Do Once You Find Shadow IT

Discovery without a follow-up action just produces a longer, more anxiety-inducing spreadsheet. Every tool that surfaces should get routed to one of four outcomes, based on what it touches rather than how many people use it — this is also the inventory a compliance audit under frameworks like NIS2 will expect you to be able to produce on request:

Risk TierWhat It Looks LikeAction
CriticalHandles regulated or customer data; has admin, write, or export access to production systemsFormalize under a proper contract and security review immediately, or migrate off within days — and scope its access down to a least privilege access model as part of formalizing it
ModerateInternal productivity tool with no sensitive data, but broadly adopted across a teamRun a lightweight security review; add to the approved catalog if it passes
LowIndividual productivity tool, free tier, no data leaves the deviceLog it and set a review reminder — don’t burn scarce security time here first
DuplicateOverlaps functionally with an already-sanctioned tool the company pays forConsolidate: redirect users to the sanctioned tool and offboard the shadow instance
What to Do Once You Find Shadow IT

Tools That Make Shadow IT Discovery Achievable Without a Dedicated Team

Shadow IT discovery has historically been pitched as something that requires a standalone security platform and a dedicated analyst. Most of the first pass, though, is achievable with tools a lean IT team already has access to — the specialized platforms are worth adding once the program proves its value, not before.

Free and native tools you already have

Your identity provider’s admin console (Okta System Log, Microsoft Entra ID Enterprise Applications, Google Workspace OAuth app report) will export every third-party app connection at no extra cost — this is the single highest-value, lowest-effort first step. Your firewall or DNS resolver already logs outbound traffic; most can generate a top-domains report without new infrastructure. And finance/procurement software your team already uses for expense management can usually be filtered by vendor category to surface recurring software charges in an afternoon.

Purpose-built shadow IT discovery platforms

Once the native-tool pass proves the scale of the problem, a CASB or SSPM platform automates the ongoing monitoring — continuous OAuth-grant scanning, automated risk scoring, and alerting on new unsanctioned connections as they appear, rather than relying on a quarterly manual pull. The right formal control to require, per NIST SP 800-53’s system component inventory control (CM-8), is that the inventory itself — however it’s produced — is reviewed and updated on a defined, recurring schedule, not built once and left to go stale. That ongoing cadence is usually easiest to sustain when it’s folded into whatever cybersecurity monitoring program already watches the rest of the environment, rather than run as a separate, easily forgotten process.

Teams without spare capacity to run any of this internally often fold shadow IT discovery into a broader IT infrastructure audit engagement, which produces the inventory, the risk ranking, and the remediation plan in one pass instead of standing up a new program from scratch.

Common Mistakes in Shadow IT Discovery

A handful of missteps show up repeatedly in shadow IT discovery efforts that stall or lose executive support before they finish:

  • Treating discovery as a one-time audit. A single inventory pass is out of date within a quarter as new tools get adopted continuously — discovery has to be a recurring cadence, not a project with an end date.
  • Leading with punishment. Framing the first discovery pass as an amnesty rather than an enforcement sweep gets far more honest cooperation — most shadow tools exist because a sanctioned process was too slow, not because someone was trying to hide something.
  • Scoring risk by user count instead of data sensitivity. A tool with three users and write access to customer records is a bigger risk than a tool with three hundred users and no data access — volume-based prioritization routinely misses the highest-risk items.
  • Relying on a single discovery method. Identity-log-only or network-only approaches consistently miss a meaningful share of shadow tools; the methods in the comparison table above have different, non-overlapping blind spots by design.
  • Not fixing the underlying cause. If sanctioned tools take weeks to provision, employees will keep finding workarounds after every cleanup. Pair discovery with a faster, lighter-weight request-and-approval path or the same gap reopens within a few months.

Not sure how much shadow IT is already running in your environment?

Gart Solutions runs shadow IT discovery as part of a broader IT infrastructure and security audit — combining identity, network, and endpoint evidence into a single risk-ranked inventory, plus the remediation plan to formalize, consolidate, or retire what we find.

10+ Years in DevOps & Cloud
50+ Enterprise clients secured
4.9★ Clutch rating
IT Infrastructure Audit Security Audit Compliance Audit (NIS2 / SOC 2) Cybersecurity Monitoring DevSecOps
Talk to an Infrastructure Expert →

Roman Burdiuzha

Roman Burdiuzha

Co-founder & CTO, Gart Solutions · Cloud Architecture Expert

Roman has 15+ years of experience in DevOps and cloud architecture, with prior leadership roles at SoftServe and lifecell Ukraine. He co-founded Gart Solutions, where he leads cloud transformation and infrastructure modernization engagements across Europe and North America. In one recent client engagement, Gart reduced infrastructure waste by 38% through consolidating idle resources and introducing usage-aware automation. Read more on Startup Weekly.

FAQ

What is shadow IT discovery?

Shadow IT discovery is the process of identifying every application, cloud service, and integration employees are actually using — including tools adopted without IT's knowledge or approval. It typically combines identity provider logs, network traffic analysis, expense records, and endpoint data into one unified, risk-ranked inventory rather than relying on employees to self-report what they use.

Why is shadow IT discovery important?

Tools IT doesn't know about don't get patched, backed up, reviewed for access control, or included in compliance evidence. IBM's 2025 Cost of a Data Breach Report found breaches linked to shadow AI tools added an average of $670K to total breach cost, with 97% of affected organizations lacking proper access controls on the tool involved — the financial and security exposure scales directly with how much of the environment stays invisible.

Who should own shadow IT discovery in an organization?

In most organizations, ownership sits jointly between IT and security, with finance/procurement as a supporting data source. In lean teams without a dedicated security function, it typically falls to whoever manages the identity provider and cloud accounts — the key is naming an explicit owner and a recurring schedule rather than leaving it as an implicit, unassigned responsibility.

How do you discover shadow IT without a CASB?

Start with your identity provider's admin console to export third-party OAuth and SSO connections, cross-reference with firewall or DNS traffic logs, mine expense reports for recurring software charges, and run an endpoint scan on managed devices. None of these require a dedicated security platform — a CASB or SSPM becomes worthwhile mainly for ongoing, automated monitoring once the initial scale is understood.

When should you run a shadow IT discovery process?

An initial full pass is worth running immediately if one has never been done, and again before any compliance audit (SOC 2, ISO 27001, NIS2) since auditors will expect a current asset inventory. After that, identity-log pulls should run monthly and a full re-scan quarterly, since new shadow tools get adopted continuously.

What tools are used for shadow IT discovery?

Common methods include identity provider / SSO log audits, network and DNS traffic analysis, Cloud Access Security Brokers (CASB), SaaS Security Posture Management (SSPM) platforms, expense report mining, and endpoint or browser-extension agents. Each catches a different category of shadow tool and none of them alone provides complete coverage.

What happens after you discover shadow IT?

Every discovered tool should be routed to one of four outcomes based on the data it touches: formalize immediately (critical-risk tools with access to regulated data), review and potentially sanction (moderate-risk internal tools), log and monitor (low-risk individual tools), or consolidate into an existing sanctioned tool (duplicates). Discovery without this follow-up step just produces a longer list, not less risk.

Where does shadow IT most commonly hide in an organization?

Marketing and sales teams tend to accumulate the most shadow SaaS due to fast-moving campaign and CRM tooling, while engineering teams are the most common source of shadow AI coding assistants and personal API keys. Both categories are easy to miss because the tools are adopted individually rather than department-wide, so they rarely appear on any team-level software list.
arrow arrow

Thank you
for contacting us!

Please, check your email

arrow arrow

Thank you

You've been subscribed

We use cookies to enhance your browsing experience. By clicking "Accept," you consent to the use of cookies. To learn more, read our Privacy Policy