By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: Zluri identifies four common SaaS sources of shadow IT: project management, communication, video conferencing, and storage tools. These tools enter the estate through unapproved apps, unmanaged personal accounts, purchases that only finance sees, and browser or endpoint activity that IT never observes. The governance problem is not only app sprawl but the mismatch between how employees adopt tools and how identity, access, and compliance teams discover them.


At a glance

What this is: This is a SaaS shadow IT analysis covering the four common tool categories through which shadow IT enters and the discovery methods used to surface it.

Why it matters: It matters because unmanaged SaaS use creates identity, access, and compliance blind spots that affect human accounts, service access, and the wider control surface.



Context

Shadow IT is unsanctioned software use that sits outside normal IT oversight, and in SaaS environments it usually appears when employees adopt tools faster than governance can track them. In identity terms, the core issue is not just application sprawl, but uncontrolled access paths that bypass approved accounts, policy, and review.

Zluri frames the problem around four common SaaS sources of shadow IT: project management, communication, video conferencing, and storage tools. That is a useful reminder for IAM and IGA teams that SaaS discovery is an identity problem as much as a procurement problem, because the control gap starts the moment an app is used without being known.


Key questions

Q: How should security teams discover shadow IT in SaaS environments?

A: Use layered discovery. SSO and IDP logs show approved access, finance systems expose unsanctioned purchases, and direct integrations plus endpoint telemetry reveal actual usage. The goal is to correlate identity, spend, and behaviour so you can distinguish approved apps from unmanaged tools before they become audit or data-loss problems.

Q: Why does shadow IT create an identity governance problem?

A: Because the organisation often cannot see who owns the account, who approved it, or when it should be removed. That breaks joiner, mover, leaver discipline and makes access reviews incomplete. Shadow IT turns every unmanaged app into an access lifecycle exception.

Q: What do organisations get wrong about SaaS shadow IT?

A: They treat it as a software inventory issue instead of a governance issue. The real risk is uncontrolled access paths, duplicate tools, and hidden data sharing. If discovery stops at the app name, the organisation still lacks enough evidence to govern the identities using it.

Q: How can teams reduce risk from unmanaged SaaS tools?

A: Standardise on central discovery, assign owners to every app, and fold discovered services into certification, offboarding, and renewal workflows. Once a tool is known, it should be governed like any other business system, including access scope, data sharing, and connected machine identities.


Technical breakdown

How SaaS shadow IT enters through approved and unapproved access paths

Shadow IT in SaaS usually arrives in two ways: an employee adopts an unapproved tool for work, or an approved tool is accessed through an unmanaged identity. Both patterns break normal visibility because IT may know the service exists but not who is actually using it, under what account, or for what business purpose. That is why SaaS shadow IT quickly becomes an identity governance issue, not just a software inventory issue. The discovery challenge is compounded when usage is fragmented across departments, personal accounts, and ad hoc purchases.

Practical implication: tie SaaS discovery to identity sources, not just application lists, so unsanctioned access paths are visible.

Why SSO and IDP data only show part of the SaaS picture

Single sign-on and identity provider logs surface authorised apps, login events, and some sharing activity, but they do not capture everything employees subscribe to outside central control. Zluri’s article correctly points out that finance systems and direct integrations fill part of that gap because they reveal spend, usage, and audit activity that SSO alone misses. In practice, this is the difference between knowing what the organisation has approved and knowing what the workforce is actually using. For governance teams, that gap determines whether reviews are based on evidence or assumption.

Practical implication: combine SSO, finance, and direct app telemetry before certifying SaaS access or tool usage.

What desktop agents and browser extensions add to SaaS discovery

Desktop agents and browser extensions can reveal app installation, sign-in activity, tab visits, and usage duration, which helps identify shadow IT that never passes through traditional approval flows. These signals are especially useful when employees access SaaS tools directly in the browser or from unmanaged endpoints. The important distinction is that these tools observe behaviour at the device edge, where unsanctioned adoption often begins. Used correctly, they create a fuller picture of actual application use without relying on user self-reporting.

Practical implication: use endpoint and browser telemetry to confirm where SaaS usage is happening outside sanctioned procurement and IAM paths.
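The layered discovery described in the three subsections above (identity sources, then finance and direct telemetry, then device-edge signals), as an added example rather than code from Zluri or NHIMG: a small Python correlator that joins IdP sign-in events, finance lines, and endpoint/browser telemetry per application, classifies each app by the evidence that surfaced it, flags personal (non-corporate) accounts on both approved and unknown apps, and proposes an owner. The corporate domain `example.com`, the approved-app list, the record field shapes, and every sample record are constructed assumptions, not any vendor's export format.

```python
"""
Layered SaaS shadow IT discovery: correlate IdP/SSO logins, finance
(expense) records and endpoint/browser telemetry into one per-app view.

Added example, not Zluri's or NHIMG's code. All inputs are constructed
sample records; field shapes and names are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple, List

CORP_DOMAIN = "example.com"                      # assumption: the IdP's domain
SANCTIONED = {"Slack", "Zoom", "Google Drive"}   # assumption: the approved list

# --- constructed sample inputs --------------------------------------------
SSO_LOGINS = [          # IdP sign-in events: (app, corporate user)
    ("Slack", "ana@example.com"),
    ("Zoom", "ben@example.com"),
    ("Google Drive", "ana@example.com"),
]
FINANCE_LINES = [       # card/expense lines: (vendor, payer, amount)
    ("Trello", "ben@example.com", 120.0),        # paid for, never federated
    ("Zoom", "ben@example.com", 149.9),
]
ENDPOINT_EVENTS = [     # agent/browser telemetry: (app, device user, account used, minutes)
    ("Trello", "ben@example.com", "ben@example.com", 300),
    ("Dropbox", "cara@example.com", "cara.h@gmail.com", 90),     # seen only at the edge
    ("Google Drive", "dan@example.com", "dan.k@gmail.com", 45),  # approved app, personal account
    ("Zoom", "ben@example.com", "ben@example.com", 30),
]


@dataclass
class AppRecord:
    name: str
    sources: Set[str] = field(default_factory=set)        # which feeds saw the app
    activity: Counter = field(default_factory=Counter)    # events per corporate user
    personal_accounts: Set[str] = field(default_factory=set)
    payer: Optional[str] = None
    spend: float = 0.0

    def classify(self) -> str:
        """Map correlated evidence to a governance state."""
        if "sso" in self.sources:
            state = "sanctioned" if self.name in SANCTIONED else "federated-unapproved"
        elif "finance" in self.sources:
            state = "unmanaged-purchase"      # finance knows, IAM does not
        else:
            state = "unknown-usage"           # only endpoint/browser telemetry saw it
        if self.personal_accounts:
            state += "+personal-account"      # approved or not, the identity is unmanaged
        return state

    def owner(self) -> Optional[str]:
        """Owner candidate: whoever pays; otherwise the most active corporate user."""
        if self.payer:
            return self.payer
        return self.activity.most_common(1)[0][0] if self.activity else None


def correlate(sso, finance, endpoint, corp_domain: str = CORP_DOMAIN) -> Dict[str, AppRecord]:
    """Fold the three feeds into one record per application name."""
    apps: Dict[str, AppRecord] = {}

    def rec(name: str) -> AppRecord:
        return apps.setdefault(name, AppRecord(name))

    for app, user in sso:
        r = rec(app)
        r.sources.add("sso")
        r.activity[user] += 1
    for vendor, payer, amount in finance:
        r = rec(vendor)
        r.sources.add("finance")
        r.payer = r.payer or payer
        r.spend += amount
    for app, device_user, account, _minutes in endpoint:
        r = rec(app)
        r.sources.add("endpoint")
        r.activity[device_user] += 1
        if not account.lower().endswith("@" + corp_domain):
            r.personal_accounts.add(account)   # access path outside the IdP
    return apps


def report(apps: Dict[str, AppRecord]) -> List[Tuple]:
    """One row per app: name, state, sources, owner candidate, spend."""
    return [(r.name, r.classify(), sorted(r.sources), r.owner(), round(r.spend, 2))
            for r in sorted(apps.values(), key=lambda r: r.name)]


if __name__ == "__main__":
    for row in report(correlate(SSO_LOGINS, FINANCE_LINES, ENDPOINT_EVENTS)):
        print(row)
```

On the sample data, Trello surfaces only through finance and the endpoint feed and is classed as an unmanaged purchase owned by its payer; Dropbox appears nowhere but the browser and under a personal account; Google Drive is approved yet reached from a personal account, which is the "approved tool, unmanaged identity" pattern. Each of those states maps to a different lifecycle action (assign an owner, federate the app, block or migrate the personal account), which no single feed could have produced.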


NHI Mgmt Group analysis

Shadow IT in SaaS is a visibility failure before it is a spending problem. The article shows that employees adopt tools because they are easy to access and inexpensive, which means governance breaks at the point of first use rather than at the point of procurement. That makes SaaS discovery a control issue for IAM, IGA, and compliance teams, not just a cost-optimisation exercise. Organisations that treat shadow IT as a finance-only problem will keep missing access paths that sit outside policy.

Identity data alone does not produce SaaS governance. SSO logs, IDP records, finance systems, and endpoint telemetry each illuminate a different part of the stack, but none is sufficient on its own. The governance lesson is that access intelligence must be assembled from multiple signals before teams can decide whether an app is sanctioned, unmanaged, or simply under-observed. Practitioner takeaway: build discovery around correlated evidence, not a single source of truth.

Unmanaged SaaS creates privilege without lifecycle control. Once a business unit or individual employee adopts an application outside central approval, the organisation inherits a live access relationship without joiner, mover, leaver discipline. That means offboarding, review, and license right-sizing all start from incomplete records. Practitioner takeaway: treat shadow IT as a lifecycle governance defect, not a tooling preference.

Shadow IT is where human IAM and NHI governance begin to converge. The same discovery challenge that exposes employee SaaS use also matters for service accounts, tokens, and other non-human identities that connect to those applications. If teams cannot reliably see the application, they cannot reliably govern the identities attached to it. Practitioner takeaway: align SaaS discovery with broader identity surface management, not a single identity class.

Identity surface sprawl is the right name for this problem. The issue is not just the number of apps in use, but the expanding surface of accounts, permissions, and data pathways created whenever a new SaaS tool is adopted outside formal control. That surface can grow quietly across departments, vendors, and endpoints. Practitioner takeaway: measure the identity surface, not only the application count.

From our research:

What this signals

Identity surface sprawl: the next governance problem is not only finding shadow SaaS, but continuously reconciling the identities attached to it. When employees can create access relationships outside central control, the programme must watch for account drift, redundant tools, and unmanaged data-sharing paths across the full SaaS estate.

The practical response is to shift from periodic application inventories to ongoing access intelligence. That means connecting discovery, recertification, and offboarding so the organisation can remove tools and identities that no longer belong in the environment, including tokens and service accounts linked to newly sanctioned apps.

Teams that already operate a formal NHI programme should extend the same discipline to SaaS adoption paths. Discovery is strongest when it is treated as a control fabric across human access, machine access, and third-party connections, not as a one-off cleanup exercise.


For practitioners

  • Correlate SaaS discovery across multiple sources: combine SSO, IdP, finance, direct integration, desktop agent, and browser telemetry before deciding whether an app is sanctioned, tolerated, or unknown.
  • Map unsanctioned apps to identity owners: record who created, pays for, and uses each app so shadow IT can be assigned to a business owner and brought into review cycles.
  • Review access lifecycles for shadow apps: apply joiner, mover, leaver controls to every discovered SaaS app, including accounts created outside IT, so offboarding and certification do not rely on memory.
  • Right-size redundant SaaS subscriptions: compare usage data across duplicate tools in project management, communications, conferencing, and storage before renewal decisions are locked in.
  • Extend governance to connected non-human access: when a shadow SaaS app is legitimised, inventory any tokens, API keys, or service accounts attached to it so machine access is not left outside control.

Key takeaways

  • Shadow IT in SaaS is fundamentally a visibility and governance failure, not just a spending issue.
  • SSO data, finance records, and endpoint telemetry each expose different parts of the SaaS control gap, so no single source is enough.
  • Teams that discover unmanaged SaaS should immediately fold it into lifecycle, offboarding, and access review processes.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI3 (Vulnerable Third-Party NHI) | Tokens, API keys, and service accounts attached to unsanctioned SaaS integrations sit outside review, so the app's unmanaged status becomes the machine identity's unmanaged status.
NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements, and authorizations are managed, enforced, and reviewed) | Access permissions must stay aligned to approved SaaS use and ownership. (CSF 1.1 numbered this PR.AC-4; CSF 2.0 moved it into the PR.AA category.)
NIST Zero Trust (SP 800-207) | Core tenets | Zero Trust requires continuous verification of users and apps, including shadow SaaS.

Treat unmanaged SaaS as unverified access and require identity checks before data exchange.


Key terms

  • Shadow IT: Shadow IT is the use of software, devices, or services outside formal IT approval or oversight. In SaaS environments, it often appears when employees adopt tools directly or use approved tools through unmanaged accounts, creating hidden access and data-sharing paths.
  • SaaS Discovery: SaaS discovery is the process of finding which cloud applications are actually in use across the organisation. Effective discovery combines identity, finance, endpoint, and integration data so teams can distinguish sanctioned software from unmanaged tools and govern both access and spend.
  • Identity Surface: The identity surface is the full set of accounts, credentials, permissions, and connected access relationships attached to applications and services. In shadow IT scenarios, it expands whenever a new SaaS app is adopted outside normal control, making governance harder to sustain.
  • Lifecycle Governance: Lifecycle governance is the discipline of managing access from creation to removal through joiner, mover, leaver, certification, and offboarding processes. For SaaS shadow IT, it means bringing discovered apps and their accounts into the same control model as approved systems.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: 4 Common SaaS Sources of Shadow IT. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org