Home  ›  Blog  ›  Shadow IT Management
SaaS · Shadow IT · Governance

Shadow IT management — turning unmanaged SaaS into recoverable spend.

Shadow IT represents 30–40% of SaaS spend in most enterprises and is the single largest unmanaged spend category in IT. The temptation is to suppress it; the better strategy is to discover it, classify it, and integrate the useful parts into managed spend while terminating the rest. This is the framework we deploy.

Updated: April 2026 Reading time: 12 min Audience: CIO, CISO, Head of Procurement, IT Asset Manager
Shadow IT Management
The shadow IT reality

Why shadow IT is now the majority of new SaaS spend.

The historical model of IT-mediated software purchasing has collapsed. Self-service SaaS, credit-card purchasing, and free-tier upgrades have moved the majority of new SaaS purchases outside formal procurement. In our experience across 340+ engagements, shadow IT now represents between 25% and 40% of total SaaS spend in the average enterprise — and a higher percentage of new SaaS spend year-over-year.

The instinct to suppress shadow IT is wrong. Suppression drives the purchases underground, where they appear as expense reports rather than procurement records, and the visibility gap widens. The framework that works is discovery, classification, and policy integration — surface the spend, tier it by criticality, and apply proportional governance.

Where shadow IT hides

Expense reports (the largest single source), departmental procurement cards, free-tier conversions to paid plans, browser-based SaaS that never touches IT, and personal-account subscriptions reimbursed through expenses. Each requires a different discovery technique.

Why it persists

Business units acquire SaaS faster than IT can evaluate it. The friction of formal procurement is structurally higher than the friction of expense-report SaaS. Suppression treats the symptom; reducing procurement friction treats the cause.

Need to surface and classify your shadow IT?

Our discovery sprint produces a categorised shadow IT inventory in 4–6 weeks.

Contact Us →
Discovery techniques

How to surface shadow SaaS at scale.

Effective shadow IT discovery combines four data sources, each capturing a different fragment of the unmanaged portfolio. None alone is sufficient; together they typically reconstruct 80–90% of actual shadow spend.

  1. SSO and identity logs. Authentication events identify SaaS in active use, including some not visible in finance data.
  2. Expense report analysis. Credit-card and reimbursement data tagged with software vendors. The largest single source for departmental-tier shadow IT.
  3. CASB or DNS-level monitoring. Captures browser-based SaaS that bypasses SSO. Higher-overhead but most complete.
  4. SaaS Management Platform. Aggregates the above sources and applies vendor classification. Above one hundred contracts, the tooling pays for itself.

Download the SaaS Spend Optimization Guide.

Includes the shadow IT discovery checklist and classification framework.

Get the guide →
Classification and policy

What to do with the discovered shadow IT.

Once discovered, shadow IT should be classified into four buckets, each with a different management response.

Sanction

Genuine business value, used by 20+ users, reasonable security posture. Move into managed procurement, consolidate licences, renegotiate.

Replace

Duplicates existing managed SaaS. Migrate users, terminate the shadow contract. Typical recovery: 10–15% of total shadow IT spend.

Restrict

Security or compliance risk. Block at SSO or network level, communicate the policy, provide an approved alternative.

Terminate

No business value or single-user trials never deprovisioned. Cancel immediately. Often 5–10% of total shadow IT spend.

Need a classification framework for your shadow IT?

We deploy the framework in 6–8 weeks with policy templates and migration plans.

Contact Us →
Governance integration

Making the policy stick after discovery.

The discovery sprint produces a one-time inventory and a one-time recovery. Without governance integration, shadow IT reappears within twelve months. Three policies make the discipline stick — and pairing them with an independent software license compliance assessment keeps the reappearing spend visible before it compounds.

Governance that holds

Shadow IT discovery and governance benefit from independent, buyer-side expertise because internal teams consistently underestimate the volume. Three standing policies keep it from returning after the initial sprint:

FAQ

Common questions answered.

What percentage of enterprise SaaS spend is shadow IT?
25–40% in most enterprises. The percentage is rising as business-unit purchasing accelerates.
Should we block shadow IT outright?
Block only the categories that present security or compliance risk. Blanket blocking fails because the underlying purchasing motivation persists; suppression drives shadow IT underground rather than eliminating it.
How much shadow IT spend is typically recoverable?
15–25% of discovered shadow spend can be terminated outright as duplicates or unused. An additional 20–30% can be renegotiated when consolidated into managed procurement.
What is the role of a SaaS Management Platform?
Discovery and ongoing reconciliation. The SMP is the data layer; classification and policy are separate decisions.
Who owns shadow IT — IT, Security, or Procurement?
Joint accountability with a clear RACI. Security owns risk classification; IT owns inventory; Procurement owns commercial integration.
How do we prevent shadow IT recurring after the sprint?
Lightweight procurement self-service plus expense-report flagging plus quarterly reconciliation. Without all three, shadow IT recurs within twelve months.

Shadow IT inventory missing?
Run the discovery sprint.

Our team has run shadow IT discovery across Fortune 500 estates. We produce categorised inventories with policy templates.

The Compliance Brief

Most teams learn a metric changed when the audit letter lands. Subscribers learn the month it happens, with the buyer-side response already mapped.