Shadow IT represents 30–40% of SaaS spend in most enterprises and is the single largest unmanaged spend category in IT. The temptation is to suppress it; the better strategy is to discover it, classify it, and integrate the useful parts into managed spend while terminating the rest. This is the framework we deploy.
The historical model of IT-mediated software purchasing has collapsed. Self-service SaaS, credit-card purchasing, and free-tier upgrades have moved the majority of new SaaS purchases outside formal procurement. In our experience across 340+ engagements, shadow IT now represents between 25% and 40% of total SaaS spend in the average enterprise — and a higher percentage of new SaaS spend year-over-year.
The instinct to suppress shadow IT is wrong. Suppression drives the purchases underground, where they appear as expense reports rather than procurement records, and the visibility gap widens. The framework that works is discovery, classification, and policy integration — surface the spend, tier it by criticality, and apply proportional governance.
Expense reports (the largest single source), departmental procurement cards, free-tier conversions to paid plans, browser-based SaaS that never touches IT, and personal-account subscriptions reimbursed through expenses. Each requires a different discovery technique.
Business units acquire SaaS faster than IT can evaluate it. The friction of formal procurement is structurally higher than the friction of expense-report SaaS. Suppression treats the symptom; reducing procurement friction treats the cause.
Our discovery sprint produces a categorised shadow IT inventory in 4–6 weeks.
Effective shadow IT discovery combines four data sources, each capturing a different fragment of the unmanaged portfolio. None alone is sufficient; together they typically reconstruct 80–90% of actual shadow spend.
Includes the shadow IT discovery checklist and classification framework.
Once discovered, shadow IT should be classified into four buckets, each with a different management response.
Genuine business value, used by 20+ users, reasonable security posture. Move into managed procurement, consolidate licences, renegotiate.
Duplicates existing managed SaaS. Migrate users, terminate the shadow contract. Typical recovery: 10–15% of total shadow IT spend.
Security or compliance risk. Block at SSO or network level, communicate the policy, provide an approved alternative.
No business value or single-user trials never deprovisioned. Cancel immediately. Often 5–10% of total shadow IT spend.
We deploy the framework in 6–8 weeks with policy templates and migration plans.
The discovery sprint produces a one-time inventory and a one-time recovery. Without governance integration, shadow IT reappears within twelve months. Three policies make the discipline stick — and pairing them with an independent software license compliance assessment keeps the reappearing spend visible before it compounds.
Shadow IT discovery and governance benefit from independent, buyer-side expertise because internal teams consistently underestimate the volume. Three standing policies keep it from returning after the initial sprint:
Our team has run shadow IT discovery across Fortune 500 estates. We produce categorised inventories with policy templates.
Most teams learn a metric changed when the audit letter lands. Subscribers learn the month it happens, with the buyer-side response already mapped.