TL;DR: Shadow IT remains a governance problem because employees adopt unapproved SaaS tools faster than IT can inventory, review, and retire them, while MSPs can centralise discovery, controls, and lifecycle workflows, according to Josys. The real issue is not just visibility, but whether access, approval, and offboarding processes can keep pace with unsanctioned usage.
NHIMG editorial — based on content published by Josys: How MSPs Can Tackle Shadow IT
By the numbers:
- One MSP managing 50 client environments adopted Josys and saw immediate improvements, including identifying 30% more SaaS tools than initially known.
Questions worth separating out
Q: How should MSPs discover shadow IT across client environments?
A: MSPs should use multiple discovery sources, including traffic scanning, SSO telemetry, finance records, and application inventories.
Q: Why does shadow IT create an identity governance problem?
A: Shadow IT becomes an identity governance problem when accounts, licenses, and permissions are created outside approved processes and then persist without review.
Q: What do security teams get wrong about shadow IT?
A: Teams often focus on finding unapproved apps and stop there.
Practitioner guidance
- Build multi-source SaaS discovery: Combine traffic scanning, SSO logs, finance records, and admin inventories so hidden apps surface from more than one telemetry path.
- Tie app discovery to offboarding workflows: Route every unapproved app into a defined review and deprovisioning path so accounts, licenses, and data access do not persist after use ends.
- Set approval paths for sanctioned alternatives: Publish an approved software path for common business use cases so teams are less likely to bypass IT when they need a fast option.
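The first two guidance items, sketched as an added example (not code from Josys or from this editorial): sightings from the four discovery sources are merged, approved apps are dropped, and each remaining app is checked for accounts held by offboarded users. The app names, users, approved list and the (app, user) record shape are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data. Each source is assumed to yield (app, user) pairs.
APPROVED = {"slack", "salesforce"}        # hypothetical sanctioned-app list
OFFBOARDED = {"dana@client.example"}      # hypothetical leavers from the HR feed
SIGHTINGS = {
    "traffic": [("notion", "ali@client.example"), ("slack", "ali@client.example")],
    "sso": [("Slack", "bea@client.example"), ("Notion ", "dana@client.example")],
    "finance": [("Airtable", "bea@client.example")],
    "admin_inventory": [("salesforce", "ali@client.example")],
}

def normalise(name):
    """Fold case and whitespace so one app reported by two sources merges."""
    return name.strip().lower()

def discover(sightings, approved, offboarded):
    """Merge all sources and return one finding per unapproved app."""
    apps = defaultdict(lambda: {"sources": set(), "users": set()})
    for source, rows in sightings.items():
        for app, user in rows:
            key = normalise(app)
            if key in approved:
                continue
            apps[key]["sources"].add(source)
            apps[key]["users"].add(user.strip().lower())
    return {
        app: {
            "sources": sorted(rec["sources"]),
            "users": sorted(rec["users"]),
            # Accounts that outlived the user's employment: the offboarding gap.
            "orphaned": sorted(rec["users"] & offboarded),
            # Seen by one telemetry path only; any single-source programme
            # that lacked that path would have missed the app entirely.
            "single_source": len(rec["sources"]) == 1,
        }
        for app, rec in apps.items()
    }

def review_queue(findings):
    """Apps with orphaned accounts first, then by number of users."""
    return sorted(findings, key=lambda a: (not findings[a]["orphaned"],
                                           -len(findings[a]["users"]), a))

if __name__ == "__main__":
    found = discover(SIGHTINGS, APPROVED, OFFBOARDED)
    for app in review_queue(found):
        print(app, found[app])
```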
What's in the full article
Josys's full blog post covers the operational detail this post intentionally leaves for the source:
- Multi-tenant SaaS discovery workflows using traffic scanning, SSO data pulls, and finance system insights
- Automation steps for onboarding and offboarding SaaS tools across client environments
- Platform views for app usage, licence status, risk posture, and compliance status
- Examples of how MSPs use reports to show reduced shadow IT activity and faster configuration times
Shadow IT in MSP environments: what teams need to control?
Explore further
Shadow IT is an identity governance problem before it is a software discovery problem. The article correctly places visibility at the front of the control stack, but the lasting risk is unmanaged account lifecycle, not just unknown app presence. Once access is provisioned outside formal approval, the environment inherits an offboarding gap, an ownership gap, and a compliance gap. Practitioners should treat unsanctioned SaaS as a governance exception that must be tied back to identity state.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: How should organisations measure whether SaaS governance is working?
A: They should measure how quickly discovered apps move through review, classification, and shutdown, and how many exceptions remain open after that process. If discovery is high but remediation is slow, the programme is informative but not yet controlling risk.