How Large the Problem Has Become

Research from multiple sources consistently finds that the actual SaaS footprint in enterprise environments exceeds IT-approved applications by a factor of three to five. A medium-sized organization with 50 IT-sanctioned SaaS tools is typically running 150 to 250 additional applications that individual teams or employees have adopted without formal approval or security review. The consequence is a data exposure and compliance landscape that the security team has no visibility into and no control over.

The proliferation of no-code and low-code tools, AI writing assistants, productivity applications, and specialized vertical SaaS has accelerated this dynamic in 2024 and 2025. Teams adopt tools because they solve real problems quickly. The security and compliance implications are considered later, if at all.

What Is Actually at Risk

Data Residency and Compliance

SaaS applications adopted without security review are often configured with default settings that do not meet organizational data residency or retention requirements. Customer data uploaded to an unapproved application to enable a specific workflow may now reside in a jurisdiction that violates regulatory requirements or customer contracts. HIPAA-covered entities whose employees use consumer file sharing tools to exchange patient information have created compliance exposures that are difficult to remediate retroactively.

Credential Sprawl

Unsanctioned SaaS creates credential sprawl that security teams cannot govern. When users create accounts in unauthorized applications using corporate email addresses, those credentials are not managed, not federated to the corporate identity provider, and not subject to MFA policy enforcement. A breach at one of those applications exposes corporate credentials that may be reused across other systems.

OAuth Permissions

Many SaaS applications request OAuth permissions to access corporate data in Microsoft 365, Google Workspace, or other authorized platforms. Users frequently grant these permissions without understanding what data access they are authorizing. An unsanctioned application with OAuth access to corporate email and calendar data creates a data exposure that persists until the permissions are explicitly revoked.
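One way to make the OAuth exposure described above visible is to audit the tenant's consent grants and flag applications that hold mailbox, calendar or file scopes but never went through review. The script below is an added example, not code from the original article: the grant records and the sanctioned-app inventory are constructed, the app ids are placeholders, and the scope names follow Microsoft Graph delegated-permission naming (`Mail.Read`, `Calendars.Read`, and so on). It groups grants per application and lists the consenting users so revocation can be scoped rather than tenant-wide.

```python
"""Audit OAuth consent grants for unsanctioned apps holding sensitive scopes.

Added example. The grants below are constructed, not exported from a real
tenant; scope names use Microsoft Graph permission naming, while the app
ids, app names and sanctioned inventory are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Scopes that expose mailbox, calendar, contact or file contents. These are
# real Microsoft Graph permission names; treating exactly this set as
# "sensitive" is a policy choice made for the example.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Calendars.Read", "Calendars.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read",
}

# Applications that completed security review (assumed inventory, placeholder ids).
SANCTIONED_APP_IDS = {"app-crm-0001", "app-ticketing-0002"}


@dataclass
class Grant:
    app_id: str
    app_name: str
    publisher_verified: bool
    granted_by: str                 # user who clicked "Accept"
    scopes: list[str] = field(default_factory=list)


def risk_score(grant: Grant) -> int:
    """One point per sensitive scope, plus two if the publisher is unverified.
    Sanctioned apps score 0 regardless of scopes: they were reviewed."""
    if grant.app_id in SANCTIONED_APP_IDS:
        return 0
    score = sum(1 for s in grant.scopes if s in SENSITIVE_SCOPES)
    if score and not grant.publisher_verified:
        score += 2
    return score


def audit(grants: list[Grant]) -> list[dict]:
    """Return unsanctioned apps that hold sensitive scopes, most exposed first,
    with the union of sensitive scopes and the set of consenting users."""
    by_app: dict[str, dict] = {}
    for g in grants:
        score = risk_score(g)
        if score == 0:
            continue
        entry = by_app.setdefault(g.app_id, {
            "app_id": g.app_id, "app_name": g.app_name, "score": score,
            "sensitive_scopes": set(), "users": set(),
        })
        entry["sensitive_scopes"].update(s for s in g.scopes if s in SENSITIVE_SCOPES)
        entry["users"].add(g.granted_by)
        entry["score"] = max(entry["score"], score)
    findings = sorted(by_app.values(), key=lambda e: (-e["score"], e["app_name"]))
    for f in findings:
        f["sensitive_scopes"] = sorted(f["sensitive_scopes"])
        f["users"] = sorted(f["users"])
    return findings


# Constructed sample grants (not real tenant data).
SAMPLE_GRANTS = [
    Grant("app-crm-0001", "Approved CRM", True, "alice@example.com", ["Mail.Read", "Calendars.Read"]),
    Grant("app-notes-9001", "QuickNotes AI", False, "bob@example.com", ["Mail.Read", "User.Read"]),
    Grant("app-notes-9001", "QuickNotes AI", False, "carol@example.com", ["Mail.Read", "User.Read"]),
    Grant("app-sched-9002", "MeetSync", True, "dave@example.com", ["Calendars.ReadWrite", "Contacts.Read"]),
    Grant("app-weather-9003", "Weather Widget", True, "erin@example.com", ["User.Read"]),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS):
        print(f"{f['app_name']:<16} score={f['score']} "
              f"scopes={f['sensitive_scopes']} users={f['users']}")
```

In the sample, the approved CRM holds mail and calendar scopes but is skipped because it was reviewed, while the unverified note-taking app with `Mail.Read` consented to by two users ranks first. The `users` list is the revocation target: removing the grant for those users ends the persistent access the paragraph describes, and the same report shows which teams to approach about a sanctioned alternative.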

You cannot secure what you do not know exists. The first step in any shadow IT governance program is discovery. Most organizations are surprised by how large the gap is between their known and actual SaaS footprints.
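The discovery step usually starts with data the organization already has, such as web proxy or secure web gateway logs, compared against the list of approved SaaS domains. The script below is an added example and not part of the original article: the log lines are constructed, the four-field layout (timestamp, user, destination host, bytes uploaded) is an assumed generic export rather than any product's format, and the sanctioned-domain list is a placeholder inventory. It collapses hostnames to a vendor domain, drops sanctioned destinations, and ranks what remains by how many distinct users reach it and how much data they send, which is the order in which a governance team would normally triage.

```python
"""Discover unsanctioned SaaS destinations from web proxy logs.

Added example. Log lines are constructed; the field layout
(timestamp user host bytes_out) and the sanctioned-domain inventory are
assumptions, not a real product's export format.
"""
from collections import defaultdict
import re

# Vendor domains that completed review (assumed inventory). The corporate
# domain itself is listed so intranet traffic is not reported as shadow IT.
SANCTIONED_DOMAINS = {"approved-crm.example", "example.com"}

# Expected record shape: 2025-03-04T09:12:01Z alice@example.com notes-ai.example 48213
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+@\S+)\s+(?P<host>[\w.-]+)\s+(?P<bytes_out>\d+)$"
)


def registrable_domain(host: str) -> str:
    """Collapse app.vendor.example and api.vendor.example into one vendor.
    Uses a simple last-two-labels rule; a production version should consult
    the public suffix list (assumption made to keep the example offline)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def discover(lines):
    """Return (findings, skipped): unsanctioned vendor domains with distinct
    user counts and upload volume, ranked by users then bytes, plus the number
    of unparseable lines so the analyst knows how complete the picture is."""
    stats = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        domain = registrable_domain(m["host"])
        if domain in SANCTIONED_DOMAINS:
            continue
        stats[domain]["users"].add(m["user"].lower())   # case-fold user ids
        stats[domain]["bytes_out"] += int(m["bytes_out"])
    findings = [
        {"domain": d, "users": len(s["users"]), "bytes_out": s["bytes_out"]}
        for d, s in stats.items()
    ]
    findings.sort(key=lambda f: (-f["users"], -f["bytes_out"], f["domain"]))
    return findings, skipped


# Constructed sample export (not real traffic). The last line is deliberately
# malformed to show that unreadable records are counted, not silently dropped.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z alice@example.com app.approved-crm.example 120034
2025-03-04T09:13:44Z alice@example.com notes-ai.example 48213
2025-03-04T09:15:02Z bob@example.com api.notes-ai.example 910022
2025-03-04T09:20:10Z carol@example.com share.filedrop.example 5500000
2025-03-04T09:21:33Z Bob@example.com notes-ai.example 1200
2025-03-04T09:25:00Z dave@example.com intranet.example.com 800
this line is not a proxy record
"""

if __name__ == "__main__":
    findings, skipped = discover(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f"{f['domain']:<24} users={f['users']} bytes_out={f['bytes_out']}")
    print(f"skipped {skipped} unparseable line(s)")
```

Run against the sample, the approved CRM and the intranet disappear, the note-taking service shows two distinct users (the mixed-case `Bob@` is folded into `bob@`), and the file-sharing service shows one user with a large upload. Distinct-user count is the better lead indicator for a governance program, since a tool that a whole team has adopted is the one that needs a sanctioned path; upload volume flags where the data-residency question is most urgent.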

Building a Practical Governance Framework

Shadow IT governance that focuses primarily on prohibition typically fails because it drives unsanctioned usage further underground rather than eliminating it. Effective governance focuses on discovery, risk assessment, and a streamlined approval process that makes the path to sanctioned use faster and easier than unsanctioned use.