
Shadow IT discovery tools: are your access controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Shadow IT grows when employees buy SaaS outside IT, leaving no reliable visibility into app use, access, or offboarding, according to Zluri’s analysis of discovery and SaaS management tools. The governance problem is not just software sprawl, but unmanaged identity sprawl across apps, licenses, and entitlements.

NHIMG editorial — based on content published by Zluri: Security & Compliance, 6 Tools for Eliminating Shadow IT that Actually Works

By the numbers:

Questions worth separating out

Q: How should security teams govern shadow IT without overrelying on software inventory tools?

A: Treat software discovery as the first step in access governance, not the final control.

Q: Why does shadow IT create risk for both human and non-human identities?

A: Because unmanaged SaaS often contains both employee access and machine-to-machine access inside the same application boundary.

Q: What breaks when offboarding does not include hidden SaaS applications?

A: Leaver processes miss accounts that were created outside IT, so access survives even after the business relationship ends.

Practitioner guidance

  • Correlate discovery across four evidence streams: require your inventory process to reconcile SSO and IdP logs, finance and expense records, direct app integrations, and endpoint activity before declaring a SaaS app fully discovered.
  • Tie app discovery to offboarding workflows: when a hidden app is found, trigger a removal path for users, admins, and any linked credentials so access does not persist after the business need ends.
  • Review shadow IT for delegated access paths: look for app-to-app integrations, personal-card purchases, and local browser-based sign-ups, because these often create access that never passes through central review.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • A breakdown of the nine SaaS discovery methods and how each one contributes different visibility signals.
  • Product-level detail on how SSO, finance, direct integrations, desktop agents, and browser extensions are used in practice.
  • A walkthrough of onboarding and offboarding automation for discovered applications and groups.
  • Implementation notes on tracking app usage, licenses, and access and audit logs across the SaaS estate.

👉 Read Zluri's analysis of tools for eliminating shadow IT →

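The "Practitioner guidance" bullets above describe correlating four evidence streams before calling an app discovered and tying discovery to a leaver removal path. The following is an added illustration of that reconciliation in Python; it is not Zluri's or NHIMG's code, and every app, account and record in it is constructed sample data.

```python
"""Reconcile SaaS discovery evidence across four streams and flag leaver access.

Added example, not code from the post or from Zluri. All evidence below is
constructed sample data standing in for exports from real systems.
"""

STREAMS = ("sso", "finance", "integration", "endpoint")

# Constructed evidence: each stream maps app -> accounts it observed.
# Finance and endpoint streams carry no account detail, hence empty sets.
EVIDENCE = {
    "sso":         {"Figma": {"alice", "bob"}, "Notion": {"carol"}},
    "finance":     {"Figma": set(), "Notion": set(), "Airtable": set()},
    "integration": {"Notion": {"zapier-svc"}, "Airtable": {"slack-bot"}},
    "endpoint":    {"Figma": set(), "Airtable": set(), "Loom": set()},
}
# Constructed HR leaver list; "slack-bot" is a machine identity whose owner left.
LEAVERS = {"bob", "slack-bot"}


def reconcile(evidence):
    """Return app -> {status, missing, outside_sso} after correlating all streams."""
    apps = set().union(*(stream.keys() for stream in evidence.values()))
    report = {}
    for app in sorted(apps):
        seen = {name for name in STREAMS if app in evidence[name]}
        missing = [name for name in STREAMS if name not in seen]
        report[app] = {
            # Only an app confirmed by every stream counts as fully discovered.
            "status": "fully discovered" if not missing else "partial",
            "missing": missing,
            # Paid for or integrated but absent from the IdP: access that
            # bypassed central review (personal card, app-to-app token).
            "outside_sso": "sso" not in seen and bool(seen & {"finance", "integration"}),
        }
    return report


def offboarding_actions(evidence, leavers):
    """List (account, app, stream) for leaver identities still holding access."""
    actions = []
    for name in ("sso", "integration"):  # the streams that carry accounts
        for app, accounts in evidence[name].items():
            for account in sorted(accounts & leavers):
                actions.append((account, app, name))
    return sorted(actions)


if __name__ == "__main__":
    for app, row in reconcile(EVIDENCE).items():
        print(app, row)
    print("remove:", offboarding_actions(EVIDENCE, LEAVERS))
```

Airtable comes out as partial with SSO missing and `outside_sso` set, and the leaver check surfaces both a human account and a machine identity, which is the human-plus-non-human point the Q&A above makes.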
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 2799
 

Shadow IT is an identity governance failure, not just a software discovery gap. Discovery matters, but the real risk is unmanaged access to unmanaged applications. When SaaS purchasing happens outside IT, the organisation loses visibility into who can reach what, which means lifecycle controls cannot reliably operate. Practitioners should treat app discovery as the front end of access governance, not the end state.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.

A question worth separating out:

Q: How do organisations know whether shadow IT controls are actually working?

A: They should look for shrinking gaps between discovered apps and remediated access, not just a larger inventory. Useful signals include fewer unmanaged sign-ins, lower numbers of abandoned licenses, faster removal of unknown admins, and better alignment between expense data and authorised application records.

👉 Read our full editorial: Shadow IT discovery is really a SaaS identity governance problem
