Shadow IT in MSP environments: what teams need to control

TL;DR: Shadow IT remains a governance problem because employees adopt unapproved SaaS tools faster than IT can inventory, review, and retire them, while MSPs can centralise discovery, controls, and lifecycle workflows, according to Josys. The real issue is not just visibility, but whether access, approval, and offboarding processes can keep pace with unsanctioned usage.

NHIMG editorial — based on content published by Josys: How MSPs Can Tackle Shadow IT

By the numbers:

• One MSP managing 50 client environments adopted Josys and saw immediate improvements, including identifying 30% more SaaS tools than initially known.
• One MSP managing 50 client environments adopted Josys and saw immediate improvements, including identifying 30% more SaaS tools than initially known.

Questions worth separating out

Q: How should MSPs discover shadow IT across client environments?

A: MSPs should use multiple discovery sources, including traffic scanning, SSO telemetry, finance records, and application inventories.

Q: Why does shadow IT create an identity governance problem?

A: Shadow IT becomes an identity governance problem when accounts, licenses, and permissions are created outside approved processes and then persist without review.

Q: What do security teams get wrong about shadow IT?

A: Teams often focus on finding unapproved apps and stop there.

Practitioner guidance

• Build multi-source SaaS discovery Combine traffic scanning, SSO logs, finance records, and admin inventories so hidden apps surface from more than one telemetry path.
• Tie app discovery to offboarding workflows Route every unapproved app into a defined review and deprovisioning path so accounts, licenses, and data access do not persist after use ends.
• Set approval paths for sanctioned alternatives Publish an approved software path for common business use cases so teams are less likely to bypass IT when they need a fast option.

What's in the full article

Josys's full blog post covers the operational detail this post intentionally leaves for the source:

• Multi-tenant SaaS discovery workflows using traffic scanning, SSO data pulls, and finance system insights
• Automation steps for onboarding and offboarding SaaS tools across client environments
• Platform views for app usage, licence status, risk posture, and compliance status
• Examples of how MSPs use reports to show reduced shadow IT activity and faster configuration times

👉 Read Josys's post on how MSPs can tackle shadow IT →

Shadow IT in MSP environments: what teams need to control?

Explore further

View Full Forum →  |  NHI Foundation Course →