Shadow IT in MSP environments: what teams need to control


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Shadow IT remains a governance problem because employees adopt unapproved SaaS tools faster than IT can inventory, review, and retire them, while MSPs can centralise discovery, controls, and lifecycle workflows, according to Josys. The real issue is not just visibility, but whether access, approval, and offboarding processes can keep pace with unsanctioned usage.

NHIMG editorial — based on content published by Josys: How MSPs Can Tackle Shadow IT

By the numbers:

  • One MSP managing 50 client environments adopted Josys and saw immediate improvements, including identifying 30% more SaaS tools than initially known.

Questions worth separating out

Q: How should MSPs discover shadow IT across client environments?

A: MSPs should use multiple discovery sources, including traffic scanning, SSO telemetry, finance records, and application inventories.

Q: Why does shadow IT create an identity governance problem?

A: Shadow IT becomes an identity governance problem when accounts, licenses, and permissions are created outside approved processes and then persist without review.

Q: What do security teams get wrong about shadow IT?

A: Teams often focus on finding unapproved apps and stop there.

Practitioner guidance

  • Build multi-source SaaS discovery: Combine traffic scanning, SSO logs, finance records, and admin inventories so hidden apps surface from more than one telemetry path.
  • Tie app discovery to offboarding workflows: Route every unapproved app into a defined review and deprovisioning path so accounts, licenses, and data access do not persist after use ends.
  • Set approval paths for sanctioned alternatives: Publish an approved software path for common business use cases so teams are less likely to bypass IT when they need a fast option.

What's in the full article

Josys's full blog post covers the operational detail this post intentionally leaves for the source:

  • Multi-tenant SaaS discovery workflows using traffic scanning, SSO data pulls, and finance system insights
  • Automation steps for onboarding and offboarding SaaS tools across client environments
  • Platform views for app usage, licence status, risk posture, and compliance status
  • Examples of how MSPs use reports to show reduced shadow IT activity and faster configuration times

👉 Read Josys's post on how MSPs can tackle shadow IT →

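The multi-source discovery and offboarding tie-in from the practitioner guidance in the post above, sketched as an added example (not code from Josys or from the post's author). The source names, the `(user, app)` record shape, the `discover` helper and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data for one hypothetical client tenant (not from the article).
APPROVED = {"slack", "salesforce"}           # admin application inventory
OFFBOARDED = {"dana@client.example"}         # identities already deprovisioned in the IdP
TRAFFIC = [("alice@client.example", "Notion"), ("bob@client.example", "slack")]
SSO = [("alice@client.example", "slack"), ("carol@client.example", "airtable")]
FINANCE = [("carol@client.example", "airtable"),   # expense and licence lines
           ("dana@client.example", "notion")]      # seat still billed after offboarding


def discover(approved, offboarded, **sources):
    """Correlate (user, app) sightings from several sources into review items."""
    seen = defaultdict(lambda: {"sources": set(), "users": set()})
    for name, rows in sources.items():
        for user, app in rows:
            key = app.strip().lower()        # normalise so "Notion" and "notion" merge
            seen[key]["sources"].add(name)
            seen[key]["users"].add(user.lower())
    findings = []
    for app, info in seen.items():
        if app in approved:
            continue                         # sanctioned app, nothing to review
        findings.append({
            "app": app,
            "sources": sorted(info["sources"]),
            "users": sorted(info["users"]),
            # accounts or licences that outlived offboarding: the lifecycle gap
            "orphaned": sorted(info["users"] & offboarded),
        })
    # Review order: orphaned access first, then apps seen by more sources.
    findings.sort(key=lambda f: (-len(f["orphaned"]), -len(f["sources"]), f["app"]))
    return findings


if __name__ == "__main__":
    for item in discover(APPROVED, OFFBOARDED,
                         traffic=TRAFFIC, sso=SSO, finance=FINANCE):
        print(item)
```

Neither unapproved app here is visible in every source, and the offboarded user's seat only shows up in the finance records, which is the case for combining sources rather than relying on one.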
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Shadow IT is an identity governance problem before it is a software discovery problem. The article correctly places visibility at the front of the control stack, but the lasting risk is unmanaged account lifecycle, not just unknown app presence. Once access is provisioned outside formal approval, the environment inherits an offboarding gap, an ownership gap, and a compliance gap. Practitioners should treat unsanctioned SaaS as a governance exception that must be tied back to identity state.

A few things that frame the scale:

A question worth separating out:

Q: How should organisations measure whether SaaS governance is working?

A: They should measure how quickly discovered apps move through review, classification, and shutdown, and how many exceptions remain open after that process. If discovery is high but remediation is slow, the programme is informative but not yet controlling risk.

👉 Read our full editorial: Shadow IT governance for MSPs: visibility, control, and lifecycle



   