PLG to enterprise transitions: what IAM teams should rethink

TL;DR: Dropbox’s path from viral consumer adoption to 18M paying customers shows how products become enterprise infrastructure before IT approval, with shared billing, SSO, audit logs, and authentication emerging only after shadow use took hold, according to WorkOS. The governance lesson is that identity controls must catch up to user-led deployment before access, visibility, and accountability become fragmented.

NHIMG editorial — based on content published by WorkOS: When PLG Meets Enterprise, Drew Houston on Building Dropbox from Viral Growth to $2.5B in Revenue

Questions worth separating out

Q: How should security teams govern self-serve applications that spread before approval?

A: Security teams should treat widely adopted self-serve applications as governed systems once business use is visible.

Q: Why do PLG products create identity governance problems for enterprises?

A: PLG products create governance problems because users establish access and collaboration patterns before IT defines policy.

Q: What breaks when audit logs and SSO arrive after users have already adopted a tool?

A: When auditability and SSO arrive late, the enterprise loses the ability to reconstruct ownership, distinguish sanctioned from informal use, and enforce clean offboarding.

Practitioner guidance

• Identify self-serve tools that have become business dependencies Inventory applications adopted without central approval, then rank them by internal usage, data sensitivity, and the number of distinct corporate identities involved.
• Bind enterprise controls to real adoption signals Trigger SSO, audit logging, ownership assignment, and access review when usage crosses an internal threshold, not when procurement finalises the contract.
• Treat billing consolidation as a governance checkpoint When teams ask for shared billing, use that moment to verify account ownership, admin privileges, and offboarding responsibilities.

What's in the full article

WorkOS's full article covers the operational detail this post intentionally leaves for the source:

• The ERC 2025 conversation between Drew Houston and Michael Grinich, including the founder perspective behind Dropbox's enterprise transition.
• The specific growth mechanics behind referral loops, onboarding optimisation, and why the team measured friction across the sign-up funnel.
• The CEO-level lessons on company scaling, founder development, and how Dropbox approached the shift from consumer adoption to business controls.
• The AI-era context that connects Dropbox Dash, search, and context management to the next phase of work software.

👉 Read WorkOS's recap of Dropbox's PLG-to-enterprise transition →

PLG to enterprise transitions: what IAM teams should rethink?

Explore further

View Full Forum →  |  NHI Foundation Course →