
Shadow IT in SaaS: Finding Tools Employees Bought Without IT Knowing

June 16, 2026

Your finance team is using an AI writing tool you've never heard of. Your engineers connected a third-party CI integration to your GitHub org last quarter. Someone in marketing put the company credit card into a data enrichment platform that processes customer emails. None of these went through IT.

Shadow IT in SaaS is not a new problem, but it has exploded in the subscription era. Tools are cheap, trials are free, and any employee with a corporate card or a personal email can spin up a new app in three minutes. By the time you find out, it may have already touched sensitive data.

What You'll Learn

  • Where shadow SaaS actually hides and how to surface it systematically
  • How to triage what you find by actual risk level, not just gut feel
  • What to do with the tools you discover: adopt, replace, or block
  • How to build a lightweight approval process that stops the next wave
  • Common mistakes IT teams make when cracking down on unapproved tools

What Shadow IT Actually Looks Like Today

Shadow IT used to mean someone installing unlicensed desktop software. Today it's almost entirely SaaS, and it's far harder to detect because nothing is installed on a managed device. An employee visits a URL, creates an account, and starts uploading files. From your network's perspective it looks like ordinary HTTPS traffic: the destination hostname is usually visible in DNS queries and TLS handshakes, but what was uploaded, and whether the account is personal or corporate, is not.

Common categories include: AI productivity tools (Notion AI, Otter.ai, Jasper), data connectors and ETL utilities, project management apps, file sharing and e-signature platforms, and communication tools spun up by one team that never made it into the official stack. The irony is that many of these tools are genuinely useful. The problem isn't that employees are lazy about process; it's that the official process often feels too slow for the pace they're working at.

Why Employees Go Around IT (and Why That's Worth Understanding)

Before you build a detection strategy, it helps to understand the motivation. Employees don't buy shadow tools to cause problems. They do it because they have a deadline, they found something that solves it, and the official approval queue takes two weeks. Understanding this shapes how you respond.

The most common drivers are:

  • Speed: The procurement process is slower than the project timeline.
  • Friction: Approval forms are long, requirements are unclear, and the answer often comes back as "no" without a clear explanation.
  • Feature gaps: The approved tool stack doesn't solve a specific problem, so employees look elsewhere.
  • Department autonomy: Individual teams have their own budgets and decision-making authority.
  • Free trials: Many SaaS products require no procurement process at all during evaluation.
  • AI experimentation: Employees are testing AI tools faster than governance processes can adapt.

If you approach shadow IT purely as a compliance problem, you'll miss the root cause. In many organizations, shadow SaaS is actually a signal that business needs are outpacing internal processes.

Step 1: Start With Financial Data

One of the fastest ways to uncover shadow SaaS is to follow the money.

Most organizations already have valuable signals hiding in:

  • Corporate credit card statements
  • Expense reimbursement reports
  • Accounts payable records
  • Procurement systems
  • Finance software exports

Look for recurring charges that resemble SaaS subscriptions:

OPENAI
NOTION
FIGMA
ATLASSIAN
OTTER
JASPER
MURAL
AIRTABLE

Many organizations discover dozens of subscriptions that never appeared in IT inventories.

The goal isn't to immediately shut them down.

The goal is visibility.

Create a spreadsheet containing:

Vendor | Department | Owner | Monthly Cost | Status
Notion | Marketing  | Sarah | $24          | Unknown
Otter  | Sales      | Mike  | $48          | Unknown
Jasper | Content    | Emily | $99          | Unknown

This becomes the foundation of your SaaS inventory.
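The follow-the-money step can be scripted. The following is an added example, not code from the original article. It reads a constructed card-statement export (the column names are an assumption; real bank and expense-system exports differ), normalizes raw merchant descriptors to vendor names, keeps charges that either recur on a roughly monthly cadence or carry subscription-like wording, drops vendors already on an approved list, and emits rows in the inventory shape described above. The cadence check is what catches vendors you have never heard of and therefore cannot match by name.

```python
"""Find recurring SaaS-looking charges in a card/expense export and emit inventory rows."""
import csv
import io
import re
from collections import defaultdict
from datetime import date

# Constructed sample export (not real transactions). Column names are an assumption;
# adjust parse_transactions() to your bank's or expense tool's export format.
SAMPLE_CSV = """date,description,amount,cardholder,department
2026-03-02,NOTION LABS INC  SAN FRANCISCO,24.00,Sarah,Marketing
2026-04-02,NOTION LABS INC  SAN FRANCISCO,24.00,Sarah,Marketing
2026-05-02,NOTION LABS INC  SAN FRANCISCO,24.00,Sarah,Marketing
2026-03-15,OTTER.AI* SUBSCRIPTION,48.00,Mike,Sales
2026-04-15,OTTER.AI* SUBSCRIPTION,48.00,Mike,Sales
2026-05-15,OTTER.AI* SUBSCRIPTION,48.00,Mike,Sales
2026-04-20,JASPER AI MONTHLY,99.00,Emily,Content
2026-05-20,JASPER AI MONTHLY,99.00,Emily,Content
2026-04-11,DELTA AIR 0062345,412.30,Mike,Sales
2026-05-03,STARBUCKS #4412,6.45,Sarah,Marketing
2026-05-09,UNKNOWN-SAAS.IO,29.00,Raj,Finance
"""

# Descriptor fragments that identify a known SaaS vendor. Grow this from your own statements.
KNOWN_SAAS = {
    "NOTION": "Notion", "OTTER": "Otter", "JASPER": "Jasper", "OPENAI": "OpenAI",
    "FIGMA": "Figma", "ATLASSIAN": "Atlassian", "MURAL": "Mural", "AIRTABLE": "Airtable",
}
# Wording that hints at a subscription even when the vendor is not in KNOWN_SAAS.
SUBSCRIPTION_HINTS = re.compile(r"SUBSCRIPTION|MONTHLY|\.IO\b|\.AI\b|SAAS|SOFTWARE", re.I)
# Vendors already in the IT inventory (normalized names); everything else is a candidate.
APPROVED = {"Atlassian"}


def normalize_vendor(description: str) -> str:
    """Map a raw card descriptor to a vendor name; fall back to the first descriptor token."""
    upper = description.upper()
    for fragment, name in KNOWN_SAAS.items():
        if fragment in upper:
            return name
    return re.split(r"[\s*#]+", description.strip())[0].title()


def parse_transactions(csv_text: str) -> list[dict]:
    """Parse the export into typed rows (ISO dates, float amounts)."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "date": date.fromisoformat(r["date"]),
            "description": r["description"],
            "amount": float(r["amount"]),
            "cardholder": r["cardholder"],
            "department": r["department"],
        })
    return rows


def is_recurring(dates: list[date], tolerance_days: int = 3) -> bool:
    """True when every gap between consecutive charges is about a month (28..31 days +/- tolerance)."""
    if len(dates) < 2:
        return False
    dates = sorted(dates)
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    return all(28 - tolerance_days <= g <= 31 + tolerance_days for g in gaps)


def find_shadow_saas(csv_text: str) -> list[dict]:
    """Group charges by (vendor, cardholder, department); keep recurring or SaaS-looking groups not in APPROVED."""
    groups: dict[tuple[str, str, str], list[dict]] = defaultdict(list)
    for tx in parse_transactions(csv_text):
        key = (normalize_vendor(tx["description"]), tx["cardholder"], tx["department"])
        groups[key].append(tx)

    findings = []
    for (vendor, owner, dept), txs in sorted(groups.items()):
        if vendor in APPROVED:
            continue
        recurring = is_recurring([t["date"] for t in txs])
        looks_saas = vendor in KNOWN_SAAS.values() or any(
            SUBSCRIPTION_HINTS.search(t["description"]) for t in txs)
        if not (recurring or looks_saas):
            continue  # one-off travel, meals, hardware, etc.
        findings.append({
            "vendor": vendor,
            "department": dept,
            "owner": owner,
            "monthly_cost": round(sum(t["amount"] for t in txs) / len(txs), 2),
            "charges": len(txs),
            "recurring": recurring,
            "first_seen": min(t["date"] for t in txs).isoformat(),
            "status": "Unknown",  # resolved later during triage
        })
    return findings


if __name__ == "__main__":
    for finding in find_shadow_saas(SAMPLE_CSV):
        print(finding)
```

On the sample data this yields four inventory rows (Jasper, Notion, Otter, and a single-charge unknown vendor caught by its descriptor wording) and ignores the airline and coffee charges. Run it against a full year of statements, then paste the output into the inventory sheet and resolve each "Unknown" status with the owner.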

Step 2: Analyze Single Sign-On Logs

If your organization uses:

  • Microsoft Entra ID
  • Okta
  • Google Workspace
  • JumpCloud
  • OneLogin

you already have another valuable data source.

Review:

  • New application registrations
  • OAuth authorizations
  • SAML integrations
  • User consent activity
  • Third-party application connections

Many SaaS tools request permissions such as:

Read emails
Read contacts
Access files
Read calendar

Those permissions often reveal shadow applications long before finance notices recurring billing.

Pay particular attention to OAuth grants, because employees frequently connect applications without realizing the scope of access they're providing. A granted token typically keeps working after the employee closes the tab and, with offline access, after their session ends, until the grant itself is revoked; a tool someone tried once and forgot can still be reading their mailbox months later.
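The consent review can be turned into a repeatable triage. The following is an added example, not code from the original article or from any identity provider. It works over constructed consent events (the field names are an assumption; map your IdP's audit export, such as Entra ID consent events or Google Workspace token-authorization events, onto them first), rates each requested scope by what it exposes, handles both Microsoft Graph-style names and Google's URL-style scopes, flags grants that include offline access, and reports per application who consented and the highest risk reached.

```python
"""Triage OAuth consent events by the access they grant, aggregated per application."""
import json
from collections import defaultdict

# Constructed sample consent events (not real log output). Field names are an assumption;
# normalize your IdP's audit export to {time, user, app, scopes} before running.
SAMPLE_EVENTS = [
    {"time": "2026-05-02T09:14:00Z", "user": "sarah@example.com", "app": "Notion",
     "scopes": "openid profile email offline_access"},
    {"time": "2026-05-03T11:02:00Z", "user": "mike@example.com", "app": "MeetingNotesAI",
     "scopes": "openid offline_access Calendars.Read OnlineMeetings.Read Mail.Read"},
    {"time": "2026-05-04T15:40:00Z", "user": "emily@example.com", "app": "MeetingNotesAI",
     "scopes": "openid offline_access Calendars.Read Mail.Read"},
    {"time": "2026-05-06T08:20:00Z", "user": "raj@example.com", "app": "SheetSync",
     "scopes": "https://www.googleapis.com/auth/spreadsheets https://www.googleapis.com/auth/drive"},
    {"time": "2026-05-07T10:05:00Z", "user": "sarah@example.com", "app": "Enricher",
     "scopes": "User.Read Contacts.Read Mail.ReadWrite Files.ReadWrite.All offline_access"},
]

# Identity-only scopes: the app learns who the user is and nothing else.
IDENTITY_SCOPES = {"openid", "profile", "email", "user.read"}
# Substrings indicating access to business data, in Graph-style ("Mail.Read") and
# Google-style ("https://www.googleapis.com/auth/gmail.readonly") scope names.
DATA_KEYWORDS = ("mail", "gmail", "files", "drive", "sites", "contacts", "calendar",
                 "spreadsheets", "onlinemeetings", "chat")
RISK_LABELS = {0: "low", 1: "medium", 2: "high"}


def scope_risk(scope: str) -> int:
    """0 = identity only, 1 = reads business data, 2 = writes data or spans everything the user can reach."""
    s = scope.lower().rsplit("/", 1)[-1]  # strip Google's URL prefix, keep the last path segment
    if s in IDENTITY_SCOPES or s == "offline_access":
        return 0
    if not any(k in s for k in DATA_KEYWORDS):
        return 0
    # ReadWrite, ".All" suffixes, and Google's full drive/gmail/spreadsheets scopes are the broad ones.
    if "write" in s or s.endswith(".all") or s in ("drive", "gmail", "spreadsheets"):
        return 2
    return 1


def triage_consents(events: list[dict]) -> dict[str, dict]:
    """Per app: who consented, the union of scopes, the highest scope risk, and whether access persists."""
    apps: dict[str, dict] = defaultdict(
        lambda: {"users": set(), "scopes": set(), "risk": 0, "persistent": False})
    for ev in events:
        entry = apps[ev["app"]]
        entry["users"].add(ev["user"])
        for sc in ev["scopes"].split():
            entry["scopes"].add(sc)
            entry["risk"] = max(entry["risk"], scope_risk(sc))
            # offline_access means a refresh token: access outlives the session until revoked.
            if sc.lower().endswith("offline_access"):
                entry["persistent"] = True
    return {
        app: {"users": sorted(e["users"]), "scopes": sorted(e["scopes"]),
              "risk": RISK_LABELS[e["risk"]], "persistent": e["persistent"]}
        for app, e in sorted(apps.items(), key=lambda kv: (-kv[1]["risk"], kv[0]))
    }


if __name__ == "__main__":
    print(json.dumps(triage_consents(SAMPLE_EVENTS), indent=2))
```

Read-only access to mail or files is rated medium here and anything that writes or carries an ".All" suffix is high; where the line sits is a policy choice, and an AI note-taker with Mail.Read across a sales team may deserve the high bucket in your environment. The "persistent" flag is the item to act on first when a tool is blocked: revoking the grant, not just the subscription, is what ends the access.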

Step 3: Review Email Domains

Many SaaS products send:

  • Welcome emails
  • Invoice notifications
  • Password resets
  • Usage reports

Search email systems for:

welcome to
invoice
subscription
billing
workspace created
trial ending

When combined with analysis of the sending domains, this can expose applications that never appeared in expense systems, including free plans that generate no charge at all.

Examples:

notifications.airtable.com
billing.notion.so
app.clickup.com
workspace.monday.com

The goal isn't employee surveillance.

It's identifying services operating under company identities.

Step 4: Examine Browser and Network Data

Organizations with secure web gateways or DNS monitoring have another source of insight.

Look for:

  • High-volume SaaS domains
  • Recently observed services
  • Unknown cloud platforms
  • AI application traffic

Examples include:

chat.openai.com
claude.ai
perplexity.ai
notion.so
loom.com
airtable.com

Traffic alone doesn't prove a paid subscription exists.

However, it often highlights tools worth investigating further.

Be careful not to overreact.

Employees visiting a website once is very different from a department running business processes through it.
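That distinction between a single visit and a department running its work through a tool can be made in code. The following is an added example, not code from the original article or from any gateway vendor. It takes constructed DNS-style log lines (the "timestamp client domain" layout is an assumption; adapt the parser to your resolver or secure web gateway export), collapses hostnames onto a watchlist of SaaS and AI domains, counts distinct users and distinct active days per domain, and labels each domain as incidental, sustained by a few people, or in business use.

```python
"""Separate one-off visits from sustained use of SaaS/AI domains in DNS or proxy logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, one query per line: "<ISO timestamp> <client-id> <queried-hostname>".
# The layout is an assumption; real resolver/gateway exports differ.
SAMPLE_LOG = """\
2026-05-04T09:01:12Z alice app.clickup.com
2026-05-04T09:03:40Z bob app.clickup.com
2026-05-05T10:11:02Z alice app.clickup.com
2026-05-05T14:22:51Z carol app.clickup.com
2026-05-06T09:00:05Z bob app.clickup.com
2026-05-07T16:45:30Z alice app.clickup.com
2026-05-04T12:00:00Z dave perplexity.ai
2026-05-04T12:05:00Z dave www.perplexity.ai
2026-05-06T08:30:00Z erin claude.ai
2026-05-06T08:31:00Z erin claude.ai
2026-05-07T08:30:00Z erin claude.ai
2026-05-08T08:35:00Z erin claude.ai
2026-05-08T08:36:00Z frank claude.ai
2026-05-05T13:00:00Z alice cdn.example-news.com
"""

# Domains worth tracking; subdomains collapse onto these. Extend from your gateway's SaaS/AI categories.
WATCHLIST = {"clickup.com", "perplexity.ai", "claude.ai", "notion.so", "loom.com",
             "airtable.com", "chat.openai.com"}


def registrable(hostname: str) -> str:
    """Return the watchlist entry that the hostname falls under (longest matching suffix), or ''."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return candidate
    return ""


def summarize(log_text: str) -> dict[str, dict]:
    """Per watchlisted domain: distinct users, distinct active days, query count, first/last seen."""
    stats: dict[str, dict] = defaultdict(
        lambda: {"users": set(), "days": set(), "queries": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed or truncated line; skip instead of failing the whole run
        ts_raw, user, host = parts
        key = registrable(host)
        if not key:
            continue
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        s = stats[key]
        s["users"].add(user)
        s["days"].add(ts.date())
        s["queries"] += 1
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
    return stats


def classify(stats: dict[str, dict], min_users: int = 3, min_days: int = 3) -> dict[str, str]:
    """Label each domain. Thresholds are a policy choice; tune them to your headcount."""
    verdicts = {}
    for domain, s in stats.items():
        if len(s["users"]) >= min_users and len(s["days"]) >= min_days:
            verdicts[domain] = "business use"          # several people, several days
        elif len(s["days"]) >= min_days:
            verdicts[domain] = "sustained (few users)"  # worth a conversation, not an incident
        else:
            verdicts[domain] = "incidental"             # someone looked at it once
    return verdicts


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for domain, verdict in sorted(classify(stats).items()):
        s = stats[domain]
        print(f"{domain:16} {verdict:22} users={len(s['users'])} days={len(s['days'])} "
              f"queries={s['queries']} first={s['first']:%Y-%m-%d}")
```

Query volume alone is a poor signal because a single browser tab can refresh a hostname hundreds of times; distinct users and distinct days are what separate a team's workflow from curiosity. Domains that come out as "business use" are the ones to cross-check against the finance and SSO findings.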

Step 5: Audit Source Code and Development Integrations

Engineering teams create a unique category of shadow IT.

Common examples include:

  • GitHub Apps
  • CI/CD plugins
  • Monitoring integrations
  • Package repositories
  • Developer productivity tools

Review:

  • GitHub organization integrations
  • GitLab applications
  • Jenkins plugins
  • CI pipeline connections
  • Cloud IAM relationships

You may discover:

Unknown deployment tools
Third-party build services
Code analysis platforms
External package feeds

Many of these have legitimate business value but still require governance.

A forgotten integration with broad repository permissions, such as write access to code or CI configuration across every repository in the organization, can create a larger risk than a small SaaS subscription, because it holds that access continuously and without a human in the loop.
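Reviewing organization integrations can be automated against an export. The following is an added example, not code from the original article or from GitHub. It assesses a constructed list of GitHub App installations modelled on the shape of GitHub's organization installations API response (the field names are taken from that API as the author of this example understands it and should be verified against your own export), and flags each installation that is absent from the approved list, installed on all repositories, holds write permission on code, workflows, secrets or administration, or has not been updated in over a year.

```python
"""Flag GitHub App installations that are unknown, broad, or stale."""
import json
from datetime import datetime, timezone

# Constructed sample modelled on the shape of GitHub's organization installations response.
# Field names are assumed from that API; verify against your own export before relying on them.
SAMPLE_RESPONSE = json.loads("""{
  "total_count": 3,
  "installations": [
    {"id": 101, "app_slug": "ci-runner-pro", "repository_selection": "all",
     "permissions": {"contents": "write", "checks": "write", "metadata": "read", "secrets": "read"},
     "created_at": "2024-09-10T12:00:00Z", "updated_at": "2024-09-10T12:00:00Z"},
    {"id": 102, "app_slug": "dependabot", "repository_selection": "all",
     "permissions": {"contents": "write", "pull_requests": "write", "metadata": "read"},
     "created_at": "2023-01-05T08:00:00Z", "updated_at": "2026-05-01T08:00:00Z"},
    {"id": 103, "app_slug": "code-cov-badge", "repository_selection": "selected",
     "permissions": {"metadata": "read", "statuses": "write"},
     "created_at": "2026-04-20T10:00:00Z", "updated_at": "2026-04-20T10:00:00Z"}
  ]
}""")

# Fixed reference date so the sample assessment is reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2026, 6, 16, tzinfo=timezone.utc)

# Integrations IT already knows about, by app slug.
APPROVED_APPS = {"dependabot"}
# Permissions whose write level lets an app change code, CI definitions, secrets, or administer the org.
SENSITIVE_WRITE = {"contents", "workflows", "actions", "administration", "secrets",
                   "members", "organization_administration"}
# Permissions where even read access is a credential exposure.
SENSITIVE_READ = {"secrets", "actions_variables"}


def assess_installation(inst: dict, now: datetime, stale_days: int = 365) -> dict:
    """Return the installation with a list of findings; approved apps are still assessed but marked."""
    app = inst.get("app_slug", "")
    findings = []
    if app not in APPROVED_APPS:
        findings.append("not in approved list")
    if inst.get("repository_selection") == "all":
        findings.append("installed on all repositories")
    for perm, level in sorted(inst.get("permissions", {}).items()):
        if perm in SENSITIVE_WRITE and level == "write":
            findings.append(f"{perm}:write")
        elif perm in SENSITIVE_READ and level in ("read", "write"):
            findings.append(f"{perm}:{level}")
    # A long-untouched installation is the "forgotten integration" case.
    updated = datetime.fromisoformat(inst["updated_at"].replace("Z", "+00:00"))
    age_days = (now - updated).days
    if age_days > stale_days:
        findings.append(f"untouched for {age_days} days")
    return {"id": inst["id"], "app": app, "approved": app in APPROVED_APPS, "findings": findings}


def audit(response: dict, now: datetime = None) -> list[dict]:
    """Assess every installation; unapproved apps with the most findings come first."""
    now = now or datetime.now(timezone.utc)
    results = [assess_installation(i, now) for i in response["installations"]]
    return sorted(results, key=lambda r: (r["approved"], -len(r["findings"]), r["app"]))


if __name__ == "__main__":
    for r in audit(SAMPLE_RESPONSE, REFERENCE_NOW):
        status = "approved" if r["approved"] else "UNAPPROVED"
        print(f"{r['app']:16} {status:11} {'; '.join(r['findings']) or 'no findings'}")
```

The approved app is assessed too rather than skipped: an approved dependency bot with contents:write on every repository is still an entry in your risk register, it just isn't a shadow-IT finding. The same allowlist-plus-breadth-plus-staleness pattern applies to GitLab applications and CI plugin inventories once you have exported them.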

Step 6: Survey Departments Directly

Technology alone won't find everything.

Sometimes the fastest method is simply asking.

Create a short questionnaire:

  • What software do you use weekly?
  • What tools do you pay for?
  • What tools do you wish IT approved?
  • What tools contain customer data?
  • What tools connect to company systems?

Keep it brief.

Employees are more likely to cooperate when they believe the goal is understanding needs rather than punishment.

You'll often uncover tools that never appear in finance records because they started as free plans or personal subscriptions.

Building a Risk-Based Triage System

Not every shadow tool deserves the same response.

Treating all discoveries as critical security incidents creates unnecessary friction.

Instead, classify findings by risk.

Low Risk

Examples:

  • Diagramming tools
  • Note-taking apps
  • Productivity utilities
  • Time tracking software

Characteristics:

  • No sensitive data
  • No system integrations
  • Minimal permissions

Typical response:

Monitor and document

Medium Risk

Examples:

  • Project management platforms
  • Team collaboration tools
  • Survey software
  • Workflow automation services

Characteristics:

  • Business data present
  • Shared team usage
  • Moderate integrations

Typical response:

Review and standardize

High Risk

Examples:

  • AI tools processing customer information
  • CRM alternatives
  • File-sharing platforms
  • OAuth-connected applications
  • Data enrichment vendors

Characteristics:

  • Sensitive information
  • Customer records
  • Financial data
  • Broad permissions

Typical response:

Immediate review and remediation

Focus resources on the highest-impact risks first.

What To Do When You Find a Shadow Tool

Organizations generally have three options.

Option 1: Adopt It

Sometimes the shadow tool is genuinely better than the approved alternative.

Questions to ask:

  • Does it solve a real business problem?
  • Is security acceptable?
  • Is pricing reasonable?
  • Can IT support it?

If yes, formalize ownership and bring it into the approved stack.

Many widely adopted enterprise tools started as shadow IT purchases.

Option 2: Replace It

Sometimes the functionality already exists elsewhere.

Example:

Marketing buys a project management platform even though the company already licenses one.

In this case:

  • Migrate workflows
  • Train users
  • Consolidate licenses

The goal is reducing redundancy rather than punishing users.

Option 3: Block It

Reserve this option for genuinely risky situations.

Examples:

  • Unapproved AI tools processing customer data
  • Applications violating compliance requirements
  • Services with poor security practices
  • Vendors lacking contractual protections

Blocking should be based on risk, not frustration.

Building an Approval Process People Actually Use

Many shadow IT problems originate from broken approval processes.

A lightweight process often works better than a strict one.

Good approval workflows should:

  • Take days, not weeks
  • Have clear criteria
  • Explain decisions
  • Offer alternatives
  • Support experimentation

Example workflow:

Step 1

Employee submits:

Tool name
Business purpose
Data involved
Expected users

Step 2

IT reviews:

Security
Compliance
Privacy
Integration risk

Step 3

Decision within 48 hours.

Fast responses reduce the incentive to go around the process.

Common Mistakes IT Teams Make

Treating Every Discovery as a Violation

Employees usually adopt tools because they need something.

Start with curiosity before enforcement.


Focusing Only on Security

Shadow IT is often a symptom of process issues.

Fixing procurement friction can reduce future problems dramatically.


Ignoring Free Plans

Many of today's largest SaaS deployments started as free accounts.

Track them before they become business-critical.


Forgetting AI Applications

AI tools have become one of the fastest-growing categories of shadow SaaS.

Employees often upload:

  • Meeting transcripts
  • Customer data
  • Internal documents
  • Source code

without realizing the implications.

AI governance should be part of every shadow IT program.


Creating Approval Bottlenecks

An approval process that takes weeks encourages employees to bypass it.

Speed matters.

A Practical Shadow SaaS Audit Checklist

Quarterly, review:

✓ Corporate card charges
✓ Expense reports
✓ SSO integrations
✓ OAuth permissions
✓ Network traffic
✓ Department surveys
✓ GitHub and CI integrations
✓ AI application usage
✓ File-sharing services
✓ Data-processing vendors

This process catches most shadow SaaS before it becomes a major risk.

Final Thoughts

Shadow IT isn't fundamentally a technology problem. It's an organizational signal.

When employees repeatedly bypass approved systems, they're usually telling you something important: the business needs a capability that current processes, tools, or timelines aren't providing.

The most effective organizations don't respond by declaring war on shadow SaaS. They focus on visibility, risk assessment, and faster decision-making. They build inventories, classify risks, formalize useful tools, and remove genuinely dangerous ones. Most importantly, they create approval processes that move at the speed employees need.

The goal isn't to eliminate every unapproved application. That's unrealistic in a world where anyone can create an account in minutes. The goal is to know what's being used, understand what data it touches, and ensure that convenience doesn't quietly become a security, compliance, or operational problem six months later.
