What is Shadow IT?
Shadow IT refers to technology — software, SaaS applications, AI tools, and cloud services — used inside an organisation without IT department knowledge, approval, or governance. It ranges from a team spinning up a free Trello board to a whole department running a business-critical process on an unapproved SaaS app signed up for with a personal email address.
Shadow IT is rarely malicious. It emerges when legitimate business needs outpace the approved toolset or the approval process. Managing it well — rather than attempting to eliminate it — is the practical goal.
Key takeaways
Shadow IT covers unsanctioned software, SaaS, AI tools, and cloud services — not only SaaS.
Industry surveys suggest enterprises typically know about less than half of the SaaS apps actually in use; exact figures vary by methodology.
SSO-only discovery misses Shadow IT by design — if an app is unsanctioned, it probably isn't federated through the IdP.
Three vectors matter: Shadow SaaS (unapproved SaaS subscriptions), Shadow AI (unsanctioned GenAI tools, including embedded AI inside approved apps), and Shadow Cloud (business-unit cloud accounts outside central governance).
The goal is visibility and governance, not prohibition — most Shadow IT represents real business need.
Shadow IT vs Shadow SaaS vs Shadow AI
These terms are often used interchangeably. The precise relationship:
| Term | Scope |
|---|---|
| Shadow IT | Any technology used without IT knowledge — SaaS, AI, cloud, hardware, services. The umbrella term. |
| Shadow SaaS | The SaaS-specific subset — unsanctioned subscriptions, credit-card tools, free-tier sign-ups |
| Shadow AI | The AI-specific subset — unsanctioned GenAI tools, plus AI features embedded inside sanctioned apps (e.g. Microsoft 365 Copilot, Salesforce Einstein, Notion AI, Atlassian Intelligence) |
| Shadow Cloud | The IaaS/PaaS subset — business-unit cloud accounts and workloads outside central governance |
Most mature governance programmes now treat all four as one continuum — the discovery techniques and the risk framework are similar across them.
Why Shadow IT exists
Shadow IT emerges from friction, not rebellion. The common root causes:
| Cause | What it looks like |
|---|---|
| Slow procurement | IT approval takes weeks; the business needs a solution today; someone pays on a credit card and expenses it |
| Unmet functional needs | Approved tools do not do what the team actually needs |
| Personal preference | Users prefer familiar tools over standards |
| Freemium entry | Users start on a free tier, get value, upgrade to paid before IT hears about it |
| Mergers and acquisitions | Acquired entities arrive with their own SaaS portfolio |
| Rapid AI adoption | ChatGPT, Claude, Copilot, and dozens of specialist GenAI tools are adopted faster than policy can be written |
| Embedded AI | Features are switched on by default inside apps the organisation already pays for |
Understanding which cause applies is essential — the response to "procurement is too slow" (fix procurement) is different from the response to "users want features we cannot match" (evaluate the new tool) or "AI is advancing faster than policy" (publish an acceptable-use policy and a sanctioned-tool list).
Shadow IT risks
Security risks
Data exposure to unvetted services with unknown data-handling practices
Authentication gaps — apps without SSO, without MFA, with shared credentials
Offboarding failures — ex-employees retain access to apps IT does not know exist
Credential reuse — employees using personal passwords for work accounts
Data exfiltration into GenAI — sensitive data pasted into public AI chatbots
Compliance risks
Data residency violations — data stored in jurisdictions prohibited by regulation
Sector-specific regulatory breaches — GDPR, HIPAA, PCI-DSS, financial services regulators
Licence compliance — unlicensed or improperly licensed software
AI-specific regulation — the EU AI Act, now in force, applies to AI tools used by the business regardless of IT's awareness of them
Audit exposure — cannot demonstrate evidence for what cannot be seen
Financial risks
Wasted spend on redundant tools across departments
Unused licences auto-renewing quarter after quarter
Tier inefficiency — paying Enterprise for apps three people use
Lost negotiating leverage — scattered procurement across dozens of small contracts instead of consolidated agreements
The SSO-only visibility gap
Many SaaS Management and SaaS Security tools rely on IdP / SSO (Okta, Entra ID, Google Workspace) as their primary discovery source. For Shadow IT specifically this is structurally insufficient — because by definition Shadow IT apps are the ones not federated through SSO. Relying on SSO-only discovery misses:
Apps signed up for with a work email but not added to the IdP
Apps signed up for with a personal email for work use
Free-tier tools used by teams
AI tools without enterprise SSO support (many are too new or too small)
Embedded AI features inside apps already in use
Credit-card subscriptions never routed through IT
Complete Shadow IT discovery requires three streams running in parallel:
Browser-extension telemetry — every SaaS URL a user actually visits, regardless of SSO or approval
IdP connectors — the sanctioned baseline
Deep SaaS connectors — licence and activity data inside the major apps (where embedded AI features sit)
CerteroX SaaS Management runs all three, reconciled against a 35,000-application catalogue with 200+ deep SaaS connectors.
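The reconciliation described above, and the three measures from the "How do I measure Shadow IT" question below, as an added Python example that is not Certero's code: it assumes constructed sample data (a five-entry catalogue, an IdP app list, a few browser telemetry rows and one deep-connector report of an enabled AI feature) and merges the three streams into one inventory before computing app count, known-to-IT share and shadow-AI count.

```python
from urllib.parse import urlsplit

# Constructed sample inputs (not real data): a tiny app catalogue keyed by host,
# the IdP (SSO) app list, browser-extension telemetry rows and the deep SaaS
# connector's report of AI features switched on inside sanctioned apps.
CATALOGUE = {  # host -> (app name, is a standalone GenAI tool)
    "app.slack.com": ("Slack", False),
    "trello.com": ("Trello", False),
    "chat.openai.com": ("ChatGPT", True),
    "canva.com": ("Canva", False),
    "notion.so": ("Notion", False),
}
IDP_APPS = {"Slack", "Notion"}  # federated through SSO: the sanctioned baseline
TELEMETRY = [  # (user, visited URL) from the browser extension
    ("alice", "https://app.slack.com/client/T1"),
    ("alice", "https://trello.com/b/abc"),
    ("bob", "https://chat.openai.com/c/123"),
    ("bob", "https://www.canva.com/design/xyz"),
    ("carol", "https://trello.com/b/def"),
]
EMBEDDED_AI = {"Notion": ["Notion AI"]}  # enabled AI features not on the sanctioned list

def app_for(url):
    """Map a visited URL to a catalogue entry; unknown hosts are kept, not dropped."""
    host = urlsplit(url).hostname or ""
    host = host[4:] if host.startswith("www.") else host
    return CATALOGUE.get(host, (host, False))

def reconcile(idp_apps, telemetry, embedded_ai):
    """Merge the three discovery streams into one record per app."""
    apps = {}
    for user, url in telemetry:
        name, is_ai = app_for(url)
        rec = apps.setdefault(name, {"users": set(), "ai": is_ai, "sso": name in idp_apps})
        rec["users"].add(user)
    for name in idp_apps:  # sanctioned apps nobody visited still belong in the inventory
        apps.setdefault(name, {"users": set(), "ai": False, "sso": True})
    for name, features in embedded_ai.items():  # feature-level finds from deep connectors
        apps.setdefault(name, {"users": set(), "ai": False, "sso": name in idp_apps})
        apps[name]["embedded_ai"] = list(features)
    return apps

def shadow_metrics(apps):
    """App count, known-to-IT share and shadow-AI count (standalone or embedded)."""
    known = sum(1 for r in apps.values() if r["sso"])
    shadow_ai = sum(1 for r in apps.values() if (r["ai"] and not r["sso"]) or r.get("embedded_ai"))
    return {"apps": len(apps), "known_share": round(known / len(apps), 2), "shadow_ai": shadow_ai}
```

With the sample data, Trello, ChatGPT and Canva never appear in the IdP list, so an SSO-only view would report two apps where the reconciled inventory shows five.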
How to manage Shadow IT (without trying to eliminate it)
Every mature governance framework treats Shadow IT as a signal, not a failure:
1. Discover continuously
Find what exists, across SaaS, AI tools, and cloud — not as a one-off audit but as a continuous feed.
2. Classify by risk
Not every shadow app is equal. A team using Canva is a different risk profile from a team using a GenAI tool that ingests customer PII. Classification typically considers: data sensitivity, regulatory exposure, vendor security posture, volume of use.
3. Sanction, integrate, or retire
For each discovered app: is it a candidate to sanction (add to approved list, integrate with SSO), integrate (negotiate enterprise terms, fold into ITAM/SAM/SaaS Management), or retire (replace with an approved equivalent, deprovision)?
4. Publish policy
A clear, published Acceptable Use Policy (AUP) — especially for AI tools — gives employees a framework to work inside. A sanctioned-tool list tells them what is already approved. A request path gives them a legitimate way to ask for something new.
5. Fix the friction
If procurement takes six weeks, employees will keep finding shortcuts. Shortening the approval loop reduces the demand for Shadow IT more than any policy.
How CerteroX helps with Shadow IT
CerteroX SaaS Management and CerteroX AI Management are part of the CerteroX product family. They discover Shadow IT across SaaS, AI tools, and cloud services using a three-method stack — not just SSO.
What CerteroX discovers
Shadow SaaS
Credit-card and expense-report integration for purchase detection
Browser-based usage discovery (every SaaS URL a user visits)
SSO and non-SSO application inventory reconciled against a 35,000-application catalogue
Shadow AI
Standalone GenAI tools (ChatGPT, Claude, Gemini, Perplexity, and many more)
Embedded AI features inside sanctioned apps (Microsoft 365 Copilot, Salesforce Einstein, Notion AI, Adobe Firefly, Atlassian Intelligence, ServiceNow Now Assist, Zoom AI Companion)
Usage monitoring, risk assessment, AUP alignment
Shadow Cloud
Cloud accounts and workloads outside central governance (AWS, Azure, GCP, OCI)
Cost and utilisation via CerteroX Cloud Management
Typical results
Customers using CerteroX routinely reclaim a meaningful share of SaaS spend in the first renewal cycle — the specific share depends on the starting point; ranges commonly reported by customers sit in the 20–30% region, with outliers higher.
Recognition
#1 rated on Gartner Peer Insights
Four-time Gartner Customers' Choice (2019, 2020, 2021, 2024)
97% of customers recommend Certero
Frequently asked questions
What is the difference between Shadow IT, Shadow SaaS, and Shadow AI?
Shadow IT is the umbrella term for any technology used without IT knowledge. Shadow SaaS is the SaaS-specific subset (unapproved SaaS subscriptions). Shadow AI is the AI-specific subset (unsanctioned GenAI tools plus embedded AI features in approved apps). Shadow AI is the fastest-growing category because AI adoption is outpacing most governance programmes.
How do you discover Shadow IT that isn't linked to SSO?
SSO-only discovery misses Shadow IT by design — the apps are not federated through the IdP because they are unsanctioned. Complete discovery requires three methods in parallel: browser-extension telemetry (every SaaS URL a user visits), IdP connectors (the sanctioned baseline), and deep SaaS connectors (licence and activity data from inside the major apps, which is where embedded AI features sit). CerteroX runs all three against a 35,000-application catalogue.
How do I measure Shadow IT in my organisation?
Three measures are useful: (1) total unique apps discovered vs apps known to IT — the gap is a rough Shadow IT baseline; (2) share of SaaS spend that is shadow — commonly 25–40% at first discovery, shrinking over time; (3) shadow-AI count — how many GenAI tools and AI features are in use outside the sanctioned list.
How do you discover embedded AI inside apps we already own?
Embedded AI — Copilot, Einstein, Notion AI, Atlassian Intelligence, Now Assist, Zoom AI Companion — is a distinct discovery problem from standalone AI tools. The app itself is sanctioned; the AI feature may or may not be. Discovery needs feature-level visibility, which means deep in-app connectors pulling admin configuration and usage. App-level discovery alone does not surface this.
Is Shadow IT always bad?
No. Shadow IT often represents real innovation and legitimate business need. Eliminating it wholesale is neither realistic nor desirable. The goal is visibility and governance — know what exists, classify by risk, sanction or retire case by case, and fix the friction that causes it.
How should our Acceptable Use Policy (AUP) handle Shadow IT and AI?
Effective AUPs share five elements: (1) a sanctioned-tool list that is easy to find and actually kept current; (2) a request path for new tools that completes faster than a credit card; (3) explicit rules for AI-specific risks — data input restrictions, customer-data handling, model training opt-outs; (4) offboarding obligations for tools used outside the sanctioned list; (5) a published enforcement approach — what triggers review, who decides, what the consequences are.
What regulations apply to Shadow IT?
The biggest three regimes: GDPR (personal data, especially EU citizens' data processed by unsanctioned services); sector-specific (HIPAA, PCI-DSS, financial regulators); and — newly — the EU AI Act, which applies to AI tools used by the business regardless of IT's awareness. Shadow AI specifically is where the EU AI Act creates the most unexpected exposure, because GenAI features can be switched on inside apps the organisation does not realise are AI providers.
How does Shadow IT affect offboarding?
When an employee leaves, IT needs to deprovision every account they had access to — not just the SSO-federated ones. Shadow accounts are the biggest risk because IT does not know they exist. A SaaS Management tool produces the full per-employee account list, automates deprovisioning via SCIM or API where supported, and creates tickets for apps that need manual removal.
How does Shadow IT affect software audit exposure?
Shadow IT can include unlicensed or improperly licensed software and unsanctioned uses of existing entitlements. Audits increasingly ask for evidence across the full estate, including SaaS and cloud, not just installed software. A Shadow IT discovery programme closes the evidence gap and feeds accurate deployment data into the Effective Licence Position (ELP).
What is the difference between Shadow IT and BYOD?
BYOD (Bring Your Own Device) is a specific policy that sanctions use of personal devices for work. Shadow IT is the unsanctioned use of any technology. BYOD is intentional and governed; Shadow IT is informal and ungoverned. A well-designed BYOD policy actually reduces Shadow IT because it removes one of the reasons employees go outside IT.
Where does the ROI of a Shadow IT programme come from?
Four sources: (1) reclaimed unused seats in discovered apps; (2) tool consolidation — retiring duplicate apps once the full portfolio is visible; (3) negotiation leverage — folding scattered contracts into enterprise agreements; (4) avoided breach / regulatory cost — harder to quantify but the largest risk-side return for Shadow AI specifically.
What metrics should we track on Shadow IT over time?
Five practical metrics: app count (total unique), known-to-IT share (rising over time is the goal), Shadow AI count, offboarding completion rate (accounts deprovisioned within 24 hours of leaver event), and Shadow-IT-related policy violations. Improvement is measured as the gap closing — not zero, which is unrealistic.
About Certero
Certero is an independent software vendor specialising in IT Asset Management, Software Asset Management, SaaS Management, Cloud Management, and AI Management. The CerteroX product family shares an asset record across all products so Shadow IT surfaced in SaaS discovery automatically enriches the ITAM and SAM records. Certero is the only four-time Gartner Customers' Choice for SAM Tools (2019, 2020, 2021, 2024), #1 rated on Gartner Peer Insights, an Oracle Certified Partner, and a FinOps Foundation member with FinOps Certified Platform designation.
Last updated: April 2026