By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: SaaS adoption is creating a shadow IT problem that traditional surveys, SSO, CASB, ITAM, and SAM tools only partially expose; Zluri argues that nine discovery methods are needed to map usage across the enterprise. Shadow IT is now an identity governance and access visibility issue, not just an application inventory problem.


At a glance

What this is: This is a SaaS shadow IT guide arguing that conventional discovery methods miss too much of the enterprise app surface, and that multi-method SaaS discovery is required.

Why it matters: It matters because unmanaged SaaS use creates hidden access, licensing, and governance risk across human, NHI, and lifecycle controls that IAM and IGA teams must reconcile.

By the numbers:

👉 Read Zluri's blog post on eliminating SaaS shadow IT with multi-source discovery


Context

Shadow IT becomes an identity governance problem when employees and teams adopt SaaS tools outside central oversight. The issue is not only software sprawl, but the hidden accounts, permissions, and data-sharing paths created when apps are bought and used without IT knowledge.

For IAM and IGA programmes, the practical gap is visibility. Discovery methods that were designed for on-premises software or perimeter control often miss the way SaaS is actually adopted, which leaves access reviews, license governance, and offboarding incomplete.

That is why SaaS discovery has to be treated as part of identity surface management, not as a separate procurement concern. A useful starting point is the Ultimate Guide to NHIs, which frames how non-human and machine access must be governed across the lifecycle.


Key questions

Q: How should security teams discover shadow IT in SaaS environments?

A: They should combine identity-provider data, finance records, direct app integrations, directory data, and endpoint or browser signals. No single source sees the full SaaS estate, so discovery must be correlation-based. That gives IAM, procurement, and security teams enough evidence to assign ownership, decide whether an app is sanctioned, and remove unused subscriptions.

Q: Why do SSO and CASB miss so much SaaS usage?

A: SSO only sees apps that are federated through the identity layer, while CASB often provides incomplete SaaS detail and can miss who is actually using or administering an app. That means both tools are useful, but neither is a complete inventory source. Organisations need additional evidence to govern access accurately.

Q: What breaks when shadow IT is handled only as a procurement issue?

A: Access review, offboarding, and license reclamation all break because the organisation never creates a governance path for the app. If the tool exists outside procurement visibility, it can also exist outside identity controls, leaving users, data sharing, and subscriptions unmanaged.

Q: How can organisations decide whether a SaaS app should be sanctioned?

A: They should judge usage, business purpose, data sensitivity, and ownership together. An app that is widely used but lacks a control owner, clear contract trail, or identity integration should be treated as a governance candidate, not automatically approved. Sanctioning should follow evidence, not convenience.


Technical breakdown

Why SaaS shadow IT is hard to detect

SaaS shadow IT exists because application adoption is now fast, low-friction, and often outside procurement workflows. Users can sign up with email, a card, or a freemium tier in minutes, so the access trail may never pass through central IT. Traditional discovery methods struggle because they depend on surveys, login aggregation, or infrastructure points that do not capture every application or every account. The result is partial inventory, fragmented ownership, and weak governance over who can access what. In identity terms, the problem is not only application discovery but the ability to connect app usage to accountable users, licenses, and entitlements.

Practical implication: build discovery around multiple evidence sources, not a single control plane.

How SSO and CASB each miss part of the picture

Single sign-on and CASB both help with visibility, but each has blind spots. SSO only sees apps that are integrated into the identity layer, so any login path outside federation (a direct email-and-password sign-up, a personal account, a consumer OAuth login) stays hidden. CASB can surface cloud activity, but its view depends on the vantage point it is given (proxy, firewall or gateway logs, or API connectors to a handful of sanctioned apps), so off-network and unmanaged-device use goes unseen, the SaaS detail it returns is often incomplete, and it rarely reveals who actually owns or administers an app. When either control becomes the primary source of truth, discovery quality depends on a narrow slice of user behaviour. That is a governance weakness because access review, offboarding, and license reclamation need a more complete app picture than one control can provide.

Practical implication: compare SSO, CASB, and direct app data before trusting any one source.

Why SaaS management platforms change the discovery model

A SaaS management platform shifts the discovery problem from point-in-time inventory to ongoing application intelligence. Instead of relying on one control, it can combine identity provider logs, finance data, app integrations, directory sources, and optional endpoint or browser signals to infer where SaaS is actually in use. That changes the governance model from reactive cleanup to continuous oversight of sanctioned and unsanctioned tools. The technical value is not just count accuracy. It is the ability to tie each app to users, departments, spend, and usage so that ownership, review, and remediation become operational rather than manual.

Practical implication: connect discovery to entitlement, spend, and ownership data so app governance can be acted on.
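The correlation model described above, as an added example that is not Zluri's or NHIMG's code: a small Python script that merges constructed identity-provider, finance, OAuth-grant and browser-telemetry records into one record per app, then flags the governance gaps the text cares about (app not federated through SSO, no accountable owner, spend without recent activity, delegated OAuth access on an unsanctioned app). Every application name, user, field name and threshold is an assumption for illustration; in practice the inputs would be exports from the IdP, the expense system, the workspace directory and the endpoint agent.

```python
"""Correlate several SaaS discovery sources into one inventory and flag
governance gaps. Added example, not Zluri's or NHIMG's code; all records
below are constructed and every name, field and threshold is an assumption."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample evidence. Each source sees a different slice of the
# estate, which is exactly why a single control cannot produce the inventory.
IDP_LOGINS = [          # federated sign-ins seen by the identity provider
    {"app": "salesforce", "user": "bob@example.com", "last_login": date(2025, 6, 24)},
    {"app": "notion", "user": "alice@example.com", "last_login": date(2025, 4, 2)},
]
EXPENSES = [            # card and invoice lines from finance
    {"app": "salesforce", "owner": "bob@example.com", "monthly_spend": 2000},
    {"app": "notion", "owner": "alice@example.com", "monthly_spend": 80},
    {"app": "calendly", "owner": "carol@example.com", "monthly_spend": 30},
    {"app": "zoom", "owner": None, "monthly_spend": 150},   # card line, no named owner
]
OAUTH_GRANTS = [        # third-party apps authorised against the workspace directory
    {"app": "calendly", "user": "carol@example.com", "scopes": ["calendar.readonly"]},
    {"app": "loom", "user": "erin@example.com", "scopes": ["drive.readonly"]},
]
BROWSER_HITS = [        # endpoint / browser-extension telemetry
    {"app": "loom", "user": "erin@example.com", "last_seen": date(2025, 6, 25)},
    {"app": "calendly", "user": "carol@example.com", "last_seen": date(2025, 6, 25)},
]
SANCTIONED = {"salesforce"}          # apps procurement has formally approved (assumed)
IDLE_AFTER = timedelta(days=60)      # assumed threshold for "paid for but unused"
AS_OF = date(2025, 6, 26)            # reference date for the idle check


def _new_record():
    return {"sources": set(), "users": set(), "owner": None,
            "monthly_spend": 0, "last_activity": None, "oauth_scopes": set()}


def _latest(current, seen):
    """Keep the most recent activity date across sources."""
    return seen if current is None or seen > current else current


def build_inventory(idp, expenses, oauth, browser):
    """Merge every source into one record per app, remembering which source saw it."""
    apps = defaultdict(_new_record)
    for r in idp:
        rec = apps[r["app"]]
        rec["sources"].add("idp")
        rec["users"].add(r["user"])
        rec["last_activity"] = _latest(rec["last_activity"], r["last_login"])
    for r in expenses:
        rec = apps[r["app"]]
        rec["sources"].add("finance")
        rec["monthly_spend"] += r["monthly_spend"]
        rec["owner"] = rec["owner"] or r["owner"]
    for r in oauth:
        rec = apps[r["app"]]
        rec["sources"].add("oauth")
        rec["users"].add(r["user"])
        rec["oauth_scopes"].update(r["scopes"])
    for r in browser:
        rec = apps[r["app"]]
        rec["sources"].add("browser")
        rec["users"].add(r["user"])
        rec["last_activity"] = _latest(rec["last_activity"], r["last_seen"])
    return dict(apps)


def governance_findings(inventory, sanctioned, as_of):
    """Turn the merged inventory into the questions an IGA team has to answer."""
    findings = {}
    for app, rec in inventory.items():
        issues = []
        if app not in sanctioned:
            issues.append("unsanctioned")
        if "idp" not in rec["sources"]:
            issues.append("not_federated")        # invisible to SSO-only discovery
        if rec["owner"] is None:
            issues.append("no_owner")             # nobody accountable for review or offboarding
        if rec["monthly_spend"] and (rec["last_activity"] is None
                                     or as_of - rec["last_activity"] > IDLE_AFTER):
            issues.append("idle_spend")           # paying for something nobody uses
        if rec["oauth_scopes"] and app not in sanctioned:
            issues.append("unreviewed_delegated_access")  # app-to-app access outside policy
        findings[app] = issues
    return findings


if __name__ == "__main__":
    inv = build_inventory(IDP_LOGINS, EXPENSES, OAUTH_GRANTS, BROWSER_HITS)
    for app, issues in sorted(governance_findings(inv, SANCTIONED, AS_OF).items()):
        print(f"{app:<11} sources={sorted(inv[app]['sources'])} issues={issues or ['ok']}")
```

Note how calendly and loom never appear in the IdP data at all: an SSO-only inventory would report them as non-existent, while zoom shows up only as a card charge with nobody accountable for it. The idle-spend check is the same comparison of activity against expense data that the practitioner list below asks for, and the delegated-access flag is where SaaS discovery starts feeding NHI governance.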



NHI Mgmt Group analysis

Shadow IT is now an identity surface problem, not a software inventory problem. The article correctly frames SaaS adoption as a governance issue because every unsanctioned app creates an unmanaged access path, a data-sharing path, and a lifecycle problem. That means the control failure is not simply that IT does not know the app exists. It is that the organisation cannot govern the identity, permission, and offboarding consequences that follow. Practitioners should treat SaaS discovery as part of identity security, not a side activity.

SSO visibility is necessary but structurally incomplete. The article shows why identity-provider data cannot be the only discovery source: it captures only the applications that flow through federation. That creates an assumption gap for IGA teams that believe login telemetry equals application inventory. It does not. Any programme that uses SSO as the sole source of truth will undercount SaaS, miss shadow procurement, and leave access review decisions anchored to partial evidence.

Multi-source discovery is the only credible model for SaaS governance. The strongest insight in the article is that no single control type can map the SaaS estate fully, because finance, directories, app integrations, CASB, and identity data each expose different parts of the same problem. That aligns with the NIST Cybersecurity Framework 2.0 idea that identification and protection depend on integrated visibility, not isolated tooling. The practitioner takeaway is straightforward: governance has to reconcile multiple signals into one operating view.

SaaS governance and NHI governance are converging at the operational layer. Shadow IT is not limited to human users buying apps. It also creates the environment in which API keys, service connections, and delegated app access proliferate outside policy. The same lifecycle discipline that IAM teams apply to human access increasingly has to cover app-to-app and workload access. The implication is that separate tool silos for SaaS, IAM, and NHI will keep producing blind spots.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, including 38% with no or low visibility and 47% with only partial visibility.
  • If your SaaS estate is expanding faster than governance, the next step is to review the NHI Lifecycle Management Guide for the operating model that keeps discovery tied to ownership.

What this signals

Shadow IT will keep outpacing manual governance until discovery is treated as an identity workflow. The practical shift for IAM and IGA teams is to connect app discovery directly to onboarding, recertification, and offboarding, rather than handling it as a periodic cleanup exercise. That is where the control plane starts to match how SaaS is actually adopted.

The bigger signal is that SaaS sprawl is no longer separate from machine and delegated access. Once business users create unsanctioned apps, they also create hidden service connections, tokens, and shared workspaces that sit outside standard reviews. Teams that already rely on the OWASP Non-Human Identity Top 10 should treat SaaS discovery as one of the upstream inputs to NHI governance.

App ownership is becoming the deciding governance variable. The organisations that can map each app to a business owner, usage signal, and offboarding path will be able to reduce both risk and software waste. Those that cannot will keep discovering shadow IT only after it has already become embedded in day-to-day work.


For practitioners

  • Map SaaS discovery to governance owners: Assign a named owner for every discovered SaaS application, including business-owned tools that entered through expense cards or freemium sign-ups. Tie ownership to access review, spend approval, and offboarding so the app cannot remain in use without accountability.
  • Use multiple discovery sources, not one control: Correlate identity provider logs, finance records, app integrations, directory data, and endpoint signals before deciding whether a tool is sanctioned. This reduces the risk of treating SSO or CASB as a complete inventory when they are only partial views.
  • Review shadow app access in lifecycle cycles: Fold unsanctioned SaaS into joiner-mover-leaver processes, recertification, and offboarding so accounts and subscriptions are removed when the business need ends. If the app was never centrally approved, it still needs a removal path.
  • Track usage against spend and business purpose: Compare app activity with expense data and declared business purpose to identify idle subscriptions, duplicated tools, and unmanaged accounts. This gives IGA and procurement teams a practical basis for remediation and rationalisation.

Key takeaways

  • Shadow IT in SaaS is an identity governance problem because unmanaged applications create unmanaged accounts, permissions, and data paths.
  • One discovery source is never enough because SSO, CASB, finance, and app telemetry each reveal different parts of the SaaS estate.
  • The practical fix is to tie SaaS discovery to ownership, lifecycle controls, and remediation so discovery leads to action.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework, control or reference, and relevance:

  • NIST CSF 2.0, ID.AM-02 (ID.AM-2 in CSF 1.1): inventories of software, services, and systems are maintained. Fits SaaS discovery and inventory visibility; note that ID.AM-01 covers hardware inventory, not applications.
  • NIST CSF 2.0, PR.AA-05 (PR.AC-4 in CSF 1.1): access permissions, entitlements, and authorisations are managed and reviewed. Applies once shadow apps are found and their access needs aligning.
  • OWASP Non-Human Identity Top 10, NHI1:2025 Improper Offboarding: shadow SaaS creates non-human access paths and tokens that no offboarding process ever retires.

Map discovered SaaS access to owners and recertify or remove entitlements that lack business justification.


Key terms

  • Shadow IT: Technology used without central approval or visibility. In identity programmes, shadow IT matters because it creates accounts, permissions, data-sharing links, and lifecycle obligations that no one is formally governing. The security problem is not the app alone, but the access and accountability it creates outside policy.
  • SaaS Discovery: The process of identifying which cloud applications are in use, who uses them, and how they were acquired or connected. Effective SaaS discovery correlates identity, finance, endpoint, and app data so teams can distinguish sanctioned tools from unmanaged ones and apply governance where it is missing.
  • Access Lifecycle: The full path of access from creation to review, change, and removal. For SaaS and related identities, lifecycle management determines whether accounts, subscriptions, and delegated permissions are retired when business need ends. Without it, shadow IT persists as active access long after the tool is forgotten.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: SaaS Management How to Eliminate Shadow IT. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org