By NHI Mgmt Group Editorial Team
Published 2026-03-20
Domain: Best Practices
Source: Zluri

TL;DR: Shadow IT grows when employees buy SaaS outside IT, leaving no reliable visibility into app use, access, or offboarding, according to Zluri’s analysis of discovery and SaaS management tools. The governance problem is not just software sprawl, but unmanaged identity sprawl across apps, licenses, and entitlements.


At a glance

What this is: A vendor-led analysis of tools for eliminating shadow IT, with the central finding that SaaS discovery is inseparable from identity visibility and access governance.

Why it matters: Shadow IT creates unmanaged access paths across NHI, human, and delegated app identities, forcing IAM, IGA, and SaaS teams to govern software usage as an identity problem, not only a procurement problem.



Context

Shadow IT is what happens when software is adopted outside formal IT visibility, but the governance impact reaches far beyond application inventory. In practice, every unmanaged SaaS purchase creates an identity problem because access, consent, license assignment, and offboarding all happen outside the normal control plane.

The article argues that discovery tools reduce risk only when they connect software usage to who has access, what permissions exist, and whether accounts are still active after employment or role change. That makes the real issue SaaS identity governance, where app visibility becomes the prerequisite for lifecycle control.

For IAM teams, the lesson is familiar: if you cannot see the application, you cannot reliably govern the identities attached to it. That is true for human users, service-linked access, and the broader NHI footprint that often hides inside modern SaaS operations.


Key questions

Q: How should security teams govern shadow IT without overrelying on software inventory tools?

A: Treat software discovery as the first step in access governance, not the final control. The inventory should be linked to identity, entitlement, and offboarding workflows so every hidden app can be evaluated for active users, admin rights, and lingering credentials. Without that linkage, teams only measure sprawl instead of reducing it.

Q: Why does shadow IT create risk for both human and non-human identities?

A: Because unmanaged SaaS often contains both employee access and machine-to-machine access inside the same application boundary. Human users may sign up directly, while API tokens, service accounts, and integrations may be created outside formal review. That combination makes the app estate a mixed identity surface that needs lifecycle control, not just software discovery.

Q: What breaks when offboarding does not include hidden SaaS applications?

A: Leaver processes miss accounts that were created outside IT, so access survives even after the business relationship ends. That leaves dormant licences, active admin roles, and sometimes connected credentials in place long after the employee or contractor has moved on. The result is continued access without accountability.

Q: How do organisations know whether shadow IT controls are actually working?

A: They should look for shrinking gaps between discovered apps and remediated access, not just a larger inventory. Useful signals include fewer unmanaged sign-ins, lower numbers of abandoned licenses, faster removal of unknown admins, and better alignment between expense data and authorised application records.


Technical breakdown

SaaS discovery methods and identity signal coverage

Shadow IT discovery works by correlating multiple signals, not by relying on a single source of truth. SSO and IdP data show authorised apps and sign-ins, finance systems expose purchases made outside IT, direct API integrations reveal permissions and usage, while desktop agents and browser extensions fill in local activity. The architectural point is that no single method captures the full SaaS footprint. Discovery becomes a reconciliation problem across identity, finance, and endpoint telemetry.

Practical implication: teams should validate whether their discovery stack correlates multiple evidence streams before treating its inventory as complete.

Why SaaS inventory and access governance are the same problem

A SaaS inventory is only useful when it maps to active identities, assigned entitlements, and admin rights. Without that mapping, IT can count applications but still miss dormant accounts, over-privileged users, or employees who retained access after offboarding. In identity terms, the article is describing a lifecycle control problem: joiner, mover, and leaver states must be tied to software discovery, or shadow IT persists as a hidden access layer.

Practical implication: connect application discovery to access reviews and offboarding workflows, not just to software asset reports.

Onboarding and offboarding as shadow IT containment

The article’s strongest operational point is that discovery alone does not eliminate shadow IT. Access has to be provisioned and removed in the same operational motion; otherwise, unmanaged apps keep accumulating users, licenses, and credentials. This is especially important in SaaS, where delegated admin, personal-card purchases, and direct sign-ups bypass central procurement. Lifecycle automation closes part of the gap, but only if the discovered app data is accurate enough to drive action.

Practical implication: use discovery findings to trigger deprovisioning, license reclamation, and app rationalisation workflows.




NHI Mgmt Group analysis

Shadow IT is an identity governance failure, not just a software discovery gap. Discovery matters, but the real risk is unmanaged access to unmanaged applications. When SaaS purchasing happens outside IT, the organisation loses visibility into who can reach what, which means lifecycle controls cannot reliably operate. Practitioners should treat app discovery as the front end of access governance, not the end state.

Shadow IT creates a hidden NHI layer inside SaaS operations. Even when the article focuses on human employees, the unmanaged app estate often includes API tokens, service accounts, and integrations that sit outside normal review cycles. Those non-human access paths inherit the same visibility and revocation problems as the apps themselves. Security teams need to govern the software estate as a compound identity surface, not a list of licences.

Identity visibility is the prerequisite for rationalising SaaS sprawl. If organisations cannot see which apps are in use, they cannot identify dormant access, duplicate subscriptions, or abandoned admin privileges. That is why software optimisation and security governance converge in the same programme. The practical conclusion is that shadow IT reduction should be measured by access removal and entitlement cleanup, not by inventory size alone.

App discovery only becomes control when it feeds lifecycle enforcement. A complete SaaS map is useful only if it can drive onboarding, offboarding, and access reviews across the discovered estate. Otherwise the programme produces reporting without remediation. For IAM leaders, the field-level lesson is that SaaS management and identity governance now sit on the same operating plane.

As our Ultimate Guide to NHIs notes, shadow IT often expands the number of unmanaged credentials, tokens, and integrations that never enter formal governance workflows. That makes the boundary between software asset management and NHI control far thinner than many teams assume. Practitioners should plan for the identity consequences of every unsanctioned app.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
  • For the lifecycle view behind this problem, see NHI Lifecycle Management Guide, which connects discovery, rotation, and offboarding.

What this signals

Shadow IT programmes are converging with identity governance because app visibility now determines access visibility. The operational risk is not just unknown software, but not knowing who can still log in, approve, or call APIs inside that software. Teams that still treat SaaS discovery as a procurement exercise will continue to miss the lifecycle layer where most control failures occur.

Only 5.7% of organisations have full visibility into their service accounts. That gap is a warning for any team assuming discovery tools alone can keep pace with SaaS sprawl. The practical direction is to align discovery with access reviews, offboarding, and entitlement cleanup so hidden applications do not become permanent identity blind spots. For identity teams, the next control plane is lifecycle enforcement, not bigger reports.


For practitioners

  • Correlate discovery across four evidence streams: require your inventory process to reconcile SSO and IdP logs, finance and expense records, direct app integrations, and endpoint activity before declaring a SaaS app fully discovered.
  • Tie app discovery to offboarding workflows: when a hidden app is found, trigger a removal path for users, admins, and any linked credentials so access does not persist after the business need ends.
  • Review shadow IT for delegated access paths: look for app-to-app integrations, personal-card purchases, and local browser-based sign-ups, because these often create access that never passes through central review.
  • Measure remediation by access cleanup, not inventory size: track how many dormant accounts, unused licenses, and abandoned admin rights are actually removed after discovery instead of celebrating a larger app catalog.
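The reconciliation described in the technical breakdown and in the checklist above, as an added example that is not code from the article or from Zluri's product: it merges four constructed evidence streams into one inventory, then reports shadow apps, uncorroborated discoveries, leaver access and unreviewed machine access as remediation items rather than as an app count. App names, user names, integration principals and the HR leaver list are constructed sample data.

```python
from collections import defaultdict

# Constructed evidence streams for this example (not from the article or Zluri):
# (user, app) rows for SSO sign-ins, expense records and endpoint activity;
# (app, principal, role) rows for API integrations; plus an HR leaver list.
SSO_SIGNINS = [("alice", "Slack"), ("bob", "Slack"), ("carol", "Figma")]
EXPENSE_RECORDS = [("bob", "Notion"), ("dave", "Figma")]
API_INTEGRATIONS = [("Notion", "notion-export-bot", "admin"),
                    ("Slack", "alerts-webhook", "write")]
ENDPOINT_ACTIVITY = [("dave", "Miro"), ("alice", "Notion")]
LEAVERS = {"dave"}  # users whose business relationship has ended


def reconcile(sso, expense, api, endpoint):
    """Merge the four evidence streams into one record per SaaS app."""
    apps = defaultdict(lambda: {"streams": set(), "humans": set(), "nhis": []})
    for stream, rows in (("sso", sso), ("finance", expense), ("endpoint", endpoint)):
        for user, app in rows:
            apps[app]["streams"].add(stream)
            apps[app]["humans"].add(user)
    for app, principal, role in api:
        apps[app]["streams"].add("api")
        apps[app]["nhis"].append((principal, role))
    return dict(apps)


def findings(apps, leavers):
    """Turn the inventory into remediation items rather than a bare app count."""
    out = []
    for app, rec in sorted(apps.items()):
        shadow = "sso" not in rec["streams"]  # no IdP evidence: bypassed central sign-on
        if shadow:
            out.append(("shadow_app", app, None))
        if len(rec["streams"]) == 1:  # uncorroborated: seen by one source only
            out.append(("single_evidence_stream", app, next(iter(rec["streams"]))))
        for user in sorted(rec["humans"] & leavers):  # offboarding missed this app
            out.append(("leaver_retains_access", app, user))
        for principal, role in rec["nhis"]:  # machine access on an unreviewed app
            if shadow:
                out.append(("unreviewed_nhi", app, f"{principal}:{role}"))
    return out


if __name__ == "__main__":
    inventory = reconcile(SSO_SIGNINS, EXPENSE_RECORDS, API_INTEGRATIONS, ENDPOINT_ACTIVITY)
    for item in findings(inventory, LEAVERS):
        print(item)
```

Slack is sanctioned (SSO plus an integration) and produces nothing; Notion surfaces through finance, API and endpoint data but never through the IdP, so its admin-level integration is flagged as an unreviewed NHI, and the leaver's retained access to Figma and Miro shows what an offboarding run limited to sanctioned apps would miss.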

Key takeaways

  • Shadow IT becomes a governance failure when SaaS adoption happens outside identity and access controls.
  • Discovery is useful only when it leads to entitlement cleanup, offboarding, and admin revocation across hidden applications.
  • IAM, IGA, and SaaS management teams should measure success by reduced unmanaged access, not by the size of the app inventory.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Discovery gaps hide unmanaged non-human access inside SaaS estates.
NIST CSF 2.0 | PR.AC-1 | Access control depends on knowing which users and systems exist in the environment.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Least privilege fails when unsanctioned apps and accounts remain outside policy enforcement.

Use continuous verification to remove access from apps and identities that were never sanctioned.


Key terms

  • Shadow IT: Shadow IT is software, services, or workflows adopted outside formal IT approval and visibility. In identity terms, it is not just an inventory problem. It is an access governance problem because hidden applications can still contain users, admins, integrations, and credentials that need lifecycle control.
  • SaaS discovery: SaaS discovery is the process of finding which software services are being used across an organisation. Effective discovery correlates identity, finance, endpoint, and application signals so teams can distinguish sanctioned apps from unmanaged ones and turn visibility into remediation.
  • Access lifecycle: Access lifecycle is the full path from account creation to removal, including provisioning, entitlement changes, review, and offboarding. For shadow IT, lifecycle control matters because hidden apps often create access outside standard joiner, mover, and leaver processes.
  • Non-human identity: A non-human identity is a machine- or workload-based account, token, key, certificate, or integration that acts independently of a person. In SaaS environments, these identities often live inside app-to-app connections and can remain active long after the business owner forgets them.

Deepen your knowledge

Shadow IT discovery and SaaS lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are mapping hidden applications to access cleanup, it is worth exploring.

This post draws on content published by Zluri: Security & Compliance, 6 Tools for Eliminating Shadow IT that Actually Works. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org