How to Detect Shadow IT

You cannot govern what you cannot see. These five detection methods, used in combination, surface 80-95% of unauthorized software in a typical organization within four weeks.

Estimated shadow app coverage per method:

  • Network / DNS: 60-80%
  • SSO Gap: 40-60%
  • Spend Audit: 30-50%
  • Browser Ext.: 25-40%
  • Employee Survey: 50-70%

Running all five methods yields 80-95% total visibility.

1. Network and DNS Traffic Analysis

Effort: Medium

DNS filtering and network monitoring tools log every outbound domain request from your corporate network and endpoints. Comparing that traffic against your approved SaaS catalog reveals apps employees are accessing that you have never approved. This method catches browser-based SaaS tools comprehensively but misses apps accessed purely from personal devices.

Tools and solutions

  • Cloudflare Gateway (Paid)
  • Cisco Umbrella (Paid)
  • Zscaler Internet Access (Paid)
  • Pi-hole, for lab use (Free)
  • Netflow / Zeek (Free)

Pro tips

  • Categorize discovered domains by vendor to group related apps (e.g., all Notion traffic)
  • Set a baseline over 30 days before reviewing anomalies to avoid alert fatigue
  • Focus on apps with data egress potential first: file sync, AI writing, analytics
  • Exclude known CDNs and tracking pixels to reduce noise in results
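
The comparison described above, as an added example that is not part of the original page: a constructed DNS query log is reduced to registrable domains, CDN and tracking noise is dropped, related domains are grouped under one vendor, and whatever is left that is not in the approved catalog is ranked by how many clients touched it. The catalog, noise list, vendor aliases and log layout are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log in a generic "timestamp client fqdn" layout; real
# exports (Pi-hole, Zeek dns.log, gateway CSV) need their own line parser.
SAMPLE_LOG = """\
2024-05-01T09:12:03 10.0.4.21 app.notion.so
2024-05-01T09:13:10 10.0.4.33 api.aidrafts.example
2024-05-01T09:13:11 10.0.4.33 cdn.cloudflare.net
2024-05-01T09:14:00 10.0.4.40 login.microsoftonline.com
2024-05-01T09:14:22 10.0.4.40 www.filesync.example
2024-05-01T09:15:01 10.0.4.21 chat.aidrafts.example
2024-05-01T09:15:09 10.0.4.52 dl.filesync-content.example
"""

# Assumed approved catalog, noise list (CDNs, tracking pixels) and vendor
# aliases, all keyed by registrable domain.
APPROVED = {"microsoftonline.com": "Microsoft 365"}
NOISE = {"cloudflare.net"}
VENDOR_ALIASES = {"filesync-content.example": "filesync.example"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def registrable_domain(fqdn):
    """Naive eTLD+1 (last two labels); production code should use the
    public suffix list so that e.g. co.uk hosts group correctly."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_shadow_apps(log_text):
    """Return {vendor_domain: {"clients": set, "hosts": set}} for every
    domain that is neither approved nor on the noise list."""
    found = defaultdict(lambda: {"clients": set(), "hosts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or blank lines
        _ts, client, fqdn = m.groups()
        base = registrable_domain(fqdn)
        base = VENDOR_ALIASES.get(base, base)  # group related domains
        if base in NOISE or base in APPROVED:
            continue
        found[base]["clients"].add(client)
        found[base]["hosts"].add(fqdn.lower())
    return dict(found)

def prioritized(log_text):
    """Unapproved vendors ordered by distinct client count, then name."""
    f = find_shadow_apps(log_text)
    return sorted(f, key=lambda d: (-len(f[d]["clients"]), d))
```

Client counts stand in for "user count" here; a 30-day baseline, as the tips recommend, means feeding a month of log lines rather than one morning.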

2. SSO and Identity Gap Analysis

Effort: Low

Export the full list of applications integrated with your identity provider (Okta, Entra ID, Google Workspace). Cross-reference against your approved application catalog. Any SaaS in active use that is not listed in your IdP is running outside SSO, meaning your IT team has no visibility into who has access, cannot enforce MFA, and cannot perform centralized offboarding. This is the fastest starting point and requires no additional tooling.

Tools and solutions

  • Okta Integration Network audit (Native)
  • Microsoft Entra App Registrations (Native)
  • Google Workspace App Access (Native)
  • BetterCloud (Paid)
  • Torii (Paid)

Pro tips

  • Export OAuth-connected apps in Google Workspace Admin and filter by non-IT-approved publishers
  • In Okta, review the App Integration wizard for any apps provisioned outside the IT catalog
  • In Entra ID, use the App registrations section filtered by external tenants
  • Run this analysis after any major offboarding event to catch orphaned app access

3. Financial and Expense Report Audit

Effort: Low

Shadow IT leaves a financial trail. Pull all corporate card transactions and expense reports for the past 12 months and filter by merchant category codes for software (SIC 7372, 7371) and recurring subscriptions. Cross-reference against your approved vendor list. Any SaaS vendor not in your approved catalog represents unauthorized spend. This approach is especially effective for catching team-level subscriptions expensed monthly.

Tools and solutions

  • Zylo (Paid)
  • Spendflo (Paid)
  • Ramp Software Intelligence (Paid)
  • Brex vendor reports (Native)
  • Excel / Sheets + VLOOKUP (Free)

Pro tips

  • Filter expense descriptions containing 'subscription', 'monthly', 'annual plan', 'SaaS', 'license'
  • Group by vendor name and sum annual spend to prioritize which shadow apps to investigate
  • Ask finance to flag any new recurring vendor that did not go through procurement
  • Run the audit quarterly, not annually, to catch upgrades from free to paid plans early
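
The expense filter described above, as an added example that is not part of the original page: constructed card transactions are kept if their category code is one the page names or their description contains one of the keywords from the tips, grouped by vendor, checked against an assumed approved vendor list, and summed so the largest unapproved spend comes first. Vendor names, amounts and the CSV layout are all constructed.

```python
import csv
import io
from collections import defaultdict

SOFTWARE_CODES = {"7372", "7371"}          # codes named on the page
KEYWORDS = ("subscription", "monthly", "annual plan", "saas", "license")
APPROVED_VENDORS = {"atlassian"}           # assumed approved vendor list

# Constructed card transactions; vendor names are fictional.
SAMPLE_CSV = """\
date,merchant,category_code,amount,description
2024-01-05,ATLASSIAN,7372,120.00,Jira monthly
2024-01-12,NOTETAKER CO,7372,48.00,Team plan monthly
2024-02-12,NOTETAKER CO,7372,48.00,Team plan monthly
2024-03-12,NOTETAKER CO,7372,48.00,Team plan monthly
2024-02-20,PROOFWRITE LTD,5734,150.00,Annual plan
2024-03-01,OFFICE SUPPLY INC,5943,35.50,Paper and toner
2024-04-03,AI DRAFTS LLC,7371,29.00,AI tools license
"""

def is_software(row):
    """Match on category code or on the description keywords from the tips."""
    desc = row["description"].lower()
    return row["category_code"] in SOFTWARE_CODES or any(k in desc for k in KEYWORDS)

def audit(csv_text):
    """Group software spend by vendor and return the unapproved ones with
    total spend, distinct billing months and a recurring flag (3+ months)."""
    by_vendor = defaultdict(lambda: {"total": 0.0, "months": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_software(row):
            continue
        vendor = row["merchant"].strip().lower()
        by_vendor[vendor]["total"] += float(row["amount"])
        by_vendor[vendor]["months"].add(row["date"][:7])  # YYYY-MM
    report = {}
    for vendor, v in by_vendor.items():
        if vendor in APPROVED_VENDORS:
            continue
        report[vendor] = {"total": round(v["total"], 2),
                          "months": len(v["months"]),
                          "recurring": len(v["months"]) >= 3}
    return report

def by_spend(csv_text):
    """Unapproved vendors ordered by annual spend, largest first."""
    r = audit(csv_text)
    return sorted(r, key=lambda v: (-r[v]["total"], v))
```

The keyword path is what catches a vendor whose category code is not a software code but whose description says "Annual plan", which is exactly the case the first pro tip is aimed at.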

4. Browser Extension and App Inventory

Effort: Medium

Browser extensions are a significant shadow IT vector that most organizations ignore. Extensions for grammar checking, screen capture, tab management, email tracking, and AI writing assistants often collect browsing data, send content to external servers, and have broad permissions including reading page content and accessing credentials. MDM solutions and browser management platforms can enumerate all installed extensions across your endpoint fleet and flag those not on your approved list.

Tools and solutions

  • Jamf Protect (Paid)
  • Kandji (Paid)
  • Google Chrome Browser Cloud Management (Native)
  • Microsoft Intune (Native)
  • CrowdStrike Falcon Discover (Paid)

Pro tips

  • Focus first on extensions with 'read and change all your data on websites you visit' permissions
  • Check for AI writing assistants that may be uploading customer communications to third-party servers
  • Use Google Chrome Browser Cloud Management to centrally see all extensions across your org
  • Block extension sideloading and require IT approval for non-Web Store sources
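
The inventory triage described above, as an added example that is not part of the original page: a constructed per-device extension export is checked against an assumed allowlist of extension IDs, and each unapproved extension is tagged for the broad host permission the first tip names, for an AI-assistant-looking name, and for sideloading, then ordered so the most concerning and most widely installed come first. The IDs, names and export layout are constructed.

```python
# Assumed allowlist of approved extension IDs (constructed 32-char IDs).
APPROVED_IDS = {"a" * 32}
# Host permissions that the Web Store presents as "read and change all your
# data on websites you visit".
BROAD_PERMS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
AI_HINTS = ("ai ", "writer", "assistant", "gpt")

# Constructed inventory as an MDM export might deliver it: one record per
# (device, extension). Names and IDs are fictional.
INVENTORY = [
    {"device": "lt-001", "id": "a" * 32, "name": "Password Vault",
     "perms": ["<all_urls>"], "source": "webstore"},
    {"device": "lt-001", "id": "b" * 32, "name": "Tab Tidy",
     "perms": ["tabs"], "source": "webstore"},
    {"device": "lt-002", "id": "c" * 32, "name": "AI Writer Pro",
     "perms": ["<all_urls>", "storage"], "source": "webstore"},
    {"device": "lt-003", "id": "c" * 32, "name": "AI Writer Pro",
     "perms": ["<all_urls>", "storage"], "source": "webstore"},
    {"device": "lt-003", "id": "d" * 32, "name": "Screen Grab",
     "perms": ["<all_urls>"], "source": "sideload"},
]

def risk_reasons(ext):
    """Reasons an extension record deserves attention, per the pro tips."""
    reasons = set()
    if set(ext["perms"]) & BROAD_PERMS:
        reasons.add("broad page access")
    if any(h in ext["name"].lower() for h in AI_HINTS):
        reasons.add("AI assistant")
    if ext["source"] != "webstore":
        reasons.add("sideloaded")
    return reasons

def inventory_report(inventory):
    """Unapproved extensions keyed by ID with device set and merged reasons."""
    report = {}
    for ext in inventory:
        if ext["id"] in APPROVED_IDS:
            continue
        entry = report.setdefault(
            ext["id"], {"name": ext["name"], "devices": set(), "reasons": set()})
        entry["devices"].add(ext["device"])
        entry["reasons"] |= risk_reasons(ext)
    return report

def triage_order(inventory):
    """IDs sorted by reason count, then install count, most urgent first."""
    r = inventory_report(inventory)
    return sorted(r, key=lambda i: (-len(r[i]["reasons"]), -len(r[i]["devices"]), i))
```

An unapproved extension with no reasons still appears in the report, since the point of the inventory is the full delta from the allowlist, not only the alarming part of it.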

5. Employee Shadow IT Survey

Effort: Low

The highest-coverage, lowest-cost discovery method is simply asking. A structured, amnesty-framed survey sent to all employees with specific, context-driven questions outperforms most technical discovery tools. Employees using shadow apps generally know they are doing so and will self-report if they trust there will be no punishment. Frame the survey as an effort to understand and support their workflow, not to audit them. Run it annually at minimum and always before a major compliance audit.

Tools and solutions

  • Google Forms (Free)
  • Typeform (Paid)
  • SurveyMonkey (Paid)
  • Slack survey integrations (Native)
  • Microsoft Forms (Native)

Pro tips

  • Include an amnesty clause: 'no tool will be removed without a supported alternative being provided'
  • Ask department-specific questions: 'What tools does your team use for project tracking outside Jira?'
  • Include AI tool questions explicitly: 'Do you use any AI writing, coding, or research tools for work?'
  • Follow up results with individual conversations, not mass enforcement emails

Recommended 4-Week Discovery Sprint

Week 1

Enable DNS monitoring or pull network traffic logs. Set a 30-day baseline window.

Week 2

Run the SSO gap analysis and financial expense audit in parallel. Export results to a shared spreadsheet.

Week 3

Deploy browser extension inventory via MDM. Send the employee shadow IT survey with amnesty framing.

Week 4

Consolidate findings into a shadow app registry. Prioritize by data sensitivity, user count, and spend.
