Skip to main content
Conan O’Brien featured in series of 15+ AI security training modules
Blog
Security Awareness

Shadow IT Discovery: How to Find, Assess, and Govern Unauthorized Technology Before It Becomes a Breach

JULY 10, 202628 MIN READ
Adaptive TeamAdaptive Team
Shadow IT Discovery: How to Find, Assess, and Govern Unauthorized Technology Before It Becomes a Breach

Most organizations run far more software than their IT teams can name. Subscriptions appear on expense reports under unrelated categories, employees authenticate into cloud apps through personal accounts, and entire departments adopt tools that never pass through procurement. Each unmanaged application widens the attack surface, and security teams cannot defend what they cannot see.

Shadow IT discovery is the discipline that closes that gap, and the rise of shadow AI, where employees feed sensitive data into public AI tools, has made it urgent. This guide covers:

  • The full spectrum of shadow IT discovery methods, from network traffic analysis and identity provider scanning to expense mining, endpoint monitoring, and email intelligence;
  • A practical system for evaluating discovery tools, classifying risk, and aligning policy with zero-trust principles;
  • How shadow AI breaks traditional discovery and what detection methods close the visibility gap;
  • Why cybersecurity awareness training turns shadow IT discovery from a reactive cleanup into a sustainable reduction in risk.

Unmanaged applications move sensitive data outside security oversight long before anyone notices. Adaptive Security pairs human risk scoring with cybersecurity awareness training so organizations can reduce shadow IT at its behavioral source.

Book a demo

How to Discover Shadow IT: Core Methods and Techniques

Effective shadow IT discovery combines network analysis, identity logs, and at least three detection methods run continuously

Effective shadow IT discovery starts with network traffic analysis as the broadest detection layer, then layers in identity provider logs, financial forensics, endpoint monitoring, email intelligence, cloud access security brokers, and employee self-reporting to build a complete inventory. No single method catches everything, because every discovery technique has a known blind spot that leaves portions of the unsanctioned application footprint invisible. The most reliable programs assemble at least three of these methods, prioritize network analysis and identity provider data as the foundation, and run shadow IT discovery continuously rather than as a one-time audit.

1. Network Traffic Analysis: the Backbone of Discovery

  • Detection scope: Broadest available; covers all cloud services generating DNS or network traffic.
  • Accuracy: Moderate to high for identifying the application; low to moderate for identifying specific users without additional correlation.
  • Pros: Covers all network paths (corporate, guest, VPN); detects free and paid tools equally; independent of procurement or identity systems.
  • Cons: Noisy without good categorization filters; struggles with encrypted traffic (DoH/DoT); leaves gaps for off-network devices without endpoint agents.

Network traffic analysis captures every cloud application that generates a network connection regardless of how it was provisioned or paid for. By monitoring DNS queries, firewall logs, and proxy data, security teams identify every domain employee devices contact, surfacing unsanctioned SaaS tools that never appeared in an expense report or identity provider log.

DNS monitoring produces a rich signal. Employees accessing an unauthorized file-sharing service, an AI writing assistant, or a project management tool all generate DNS resolution requests that log both the domain and the internal IP making the query. In practice, a mid-size organization of 2,000 employees typically generates DNS logs revealing 600 to 1,200 distinct cloud services, often two to three times the number IT officially manages.

The challenge is signal-to-noise ratio, because marketing analytics trackers, CDN calls, and advertising domains all appear alongside genuine SaaS applications. Effective implementations pair DNS monitoring with threat intelligence feeds that categorize domains by function, flagging "Productivity," "AI/ML," and "File Sharing" categories for review while filtering out known advertising and telemetry endpoints.

Proxy and firewall logs add a critical layer by capturing the volume, frequency, and timing of traffic to each service. A tool generating 50 KB of traffic once a month is a forgotten account, while a service pulling 5 GB weekly across dozens of unique internal IPs is an embedded shadow IT platform that warrants immediate attention. The limitation is coverage, since remote and hybrid employees working off-VPN leave no trace in on-premises network logs.

According to Zylo's 2026 SaaS Management Index, large enterprises now average 473 SaaS applications, and IT directly manages only a fraction of them. Cloud-based DNS filtering and endpoint-level DNS agents solve the off-network gap by logging DNS queries from any network, though endpoint agent deployment introduces organizational friction.

Network logs surface the domains employees reach, but never the reason they went around IT to get there. Adaptive Security addresses the behavioral driver with cybersecurity awareness training tied to real risk signals.

Explore the platform

2. Identity-First Shadow IT Discovery via SSO and IdP Logs

  • Detection scope: All SSO-connected and OAuth-granted applications.
  • Accuracy: Very high for identified apps (user and app both confirmed); zero visibility into non-federated accounts.
  • Pros: Lightning-fast deployment querying existing logs; produces per-user attribution out of the box; surfaces OAuth risk.
  • Cons: Completely blind to apps employees access with separate credentials; limited to authentication events rather than usage volume or data exfiltration signals.

Scanning identity provider logs from Okta, Microsoft Entra ID (Azure AD), and Google Workspace surfaces every application employees have authenticated into, including those connected through "Sign in with Google" or "Sign in with Microsoft" shortcuts that bypass IT procurement entirely. This method is fast to implement and produces immediately actionable data, which is why most shadow IT discovery programs start here.

The identity provider audit log reveals what network logs cannot. Each authentication event records the user identity, the target application, the timestamp, and whether the connection used SAML, OIDC, or OAuth. Security teams can distinguish between an application tried once and abandoned versus one accessed daily by an entire department.

"Shadow IT comes from the desire to do my job, that I am not enabled to do my job, and so I need to either come up with my own workaround, or go and find another solution, because it is not being provided to me," said Daniel Spicer, CSO at Ivanti, in an interview with IT Brew. Those workarounds typically skip SSO.

It also exposes the riskiest pattern: employees granting broad OAuth scopes to third-party applications that can then read email, access files in Google Drive, or pull data from SharePoint without any IT review. These OAuth grants persist indefinitely unless explicitly revoked, creating a long-tail credential risk that outlasts the employee's active use of the tool.

The critical limitation of single sign-on discovery is that it sees only applications employees authenticate into. If an employee creates a standalone account on a SaaS platform without federating it to the corporate identity provider, the log shows nothing. In organizations with mature SSO enforcement, this gap is small; where SSO is not mandated for all cloud applications, it is enormous.

Every non-federated account is an application security teams never see and cannot govern. Adaptive Security closes the behavioral gap that drives employees to bypass single sign-on in the first place.

Take a self-guided tour

3. Following the Money: Expense Reports and Procurement Data in Shadow IT Discovery

  • Detection scope: All paid SaaS subscriptions expensed or invoiced through corporate financial systems.
  • Accuracy: High for identifying the vendor and spend; moderate for identifying all users, since typically only the purchaser is visible.
  • Pros: Catches tools invisible to technical discovery; provides cost data for ROI conversations; surfaces recurring subscriptions representing ongoing risk.
  • Cons: Misses free-tier tools entirely; requires finance team collaboration; manual categorization is labor-intensive without AI-powered financial discovery tools.

Financial forensics catches the shadow IT that technical methods miss. According to Zylo's 2026 SaaS Management Index, up to 51% of software expenses are miscategorized and appear under unrelated categories like "Office Supplies" or "Meals." Those subscription charges remain invisible to network monitoring and identity provider logs unless someone goes looking for them.

Expense report mining integrates with systems like Concur, Expensify, or NetSuite and applies pattern matching against known SaaS vendor names, billing descriptors, and recurring charge amounts. A $12.99 monthly charge from a vendor with "AI" in the merchant descriptor categorized as "Professional Development" is exactly the signal this method surfaces.

Credit card statement analysis extends the reach by capturing any corporate card charge even when the employee never submitted an expense report, and accounts payable records add the final layer of direct invoices from SaaS vendors that bypassed both expense systems and IT procurement.

The same report finds that employee SaaS purchases now comprise 33.5% of the average organization's application stack, and 59.3% of expensed software carries "Poor" or "Low" security risk scores. These tools frequently lack basic security controls such as SAML support, audit logging, or data encryption at rest. Financial discovery is the only method that flags these tools before a breach, because they often never touch the corporate network and are never connected to the identity provider.

4. Endpoint Agents, Browser Extensions, and Direct Observation

  • Detection scope: All browser-based SaaS usage on managed endpoints with an agent or extension installed.
  • Accuracy: Very high for instrumented devices; complete blind spot for unmanaged or personal devices.
  • Pros: Catches off-network and free-tier usage; provides usage telemetry on duration, frequency, and data movement; detects shadow AI data exfiltration.
  • Cons: Requires endpoint deployment or browser policy changes; does not cover non-browser SaaS clients such as desktop apps, mobile apps, and API-based tools; privacy concerns may generate employee pushback.

Endpoint-based shadow IT discovery closes the visibility gap left by network monitoring's off-VPN blind spot and identity provider scanning's non-federated account blind spot. A lightweight endpoint agent or browser extension observes SaaS usage directly on the device, capturing every web application an employee interacts with regardless of network location.

Browser extensions offer the fastest deployment path. They require no operating-system-level installation and push through Chrome Enterprise or Microsoft Edge management policies in minutes. Modern extensions capture the URL, time spent, and form field interactions for every web application, distinguishing between a cursory visit and active tool usage.

The data exfiltration visibility adds a dimension no other method provides. Browser-based discovery detects employees pasting sensitive data, source code, customer lists, or credential files into AI tools like ChatGPT, Claude, or Gemini, an emerging category of risk completely invisible to DNS logs and expense reports.

For organizations grappling with shadow AI specifically, endpoint observation is becoming the most reliable detection method, because employees using free AI chat interfaces generate no expense records, rarely authenticate through corporate SSO, and often access the tools from personal devices during work hours.

5. Email Scanning and Calendar Mining for Shadow IT Discovery

Email-based discovery scans inboxes for SaaS sign-up phrases, turning confirmation emails and invoices into a searchable ledger of shadow IT
  • Detection scope: All SaaS applications that generated email communication to corporate accounts.
  • Accuracy: Moderate to high for application identification; low for continuous usage verification, since a welcome email proves account creation rather than active use.
  • Pros: Historical discovery spanning years; surfaces dormant and orphaned accounts; catches free and paid tools equally; provides per-user attribution via recipient address.
  • Cons: Requires high-privilege API access; generates noise from marketing emails and newsletters; cannot distinguish between a tool tried once and one actively used.

Corporate email systems contain a forensic record of shadow IT that most organizations never query. Every SaaS sign-up confirmation, welcome email, password reset notification, monthly invoice, and calendar invitation from a third-party tool sits in employee inboxes, forming a searchable ledger of every application anyone in the organization has ever created an account for.

Email-based discovery works by integrating with Microsoft 365 or Google Workspace and scanning the organization's email environment for known SaaS sign-up patterns: "welcome to," "verify your email," "your account has been created," "subscription confirmation," and thousands of other telltale phrases.

Calendar mining surfaces a different category of shadow IT by detecting meeting invitations from conferencing platforms, webinar tools, scheduling apps, and collaboration spaces that employees adopted without IT approval. The inbox also contains OAuth grant confirmations and permission scope notifications that identity provider logs alone may not surface with full context.

This method's unique strength is historical reach. Network logs typically roll after 30 to 90 days, and expense reports reflect only paid tools from the current fiscal year, but email archives stretch back years. An email scan can surface the project management tool a departed employee set up in 2023 that still contains sensitive data and has no active administrator, a dormant risk that every other discovery method misses.

The limitation is that email scanning operates at the organizational level and typically requires global admin privileges or delegated API access, introducing a procurement and security review step before deployment can begin.

6. CASBs and Cloud Discovery Platforms

  • Detection scope: All cloud applications generating traffic within monitored network segments or cloud tenants.
  • Accuracy: Very high for risk-classified applications; dependent on the freshness of the vendor's risk database for newer tools.
  • Pros: Automated risk scoring and categorization; continuous monitoring with alerting; enforcement capability in inline mode; integrates with existing security infrastructure.
  • Cons: Significant cost for enterprise-grade platforms; inline mode requires network architecture changes; smaller or niche applications may lack risk database entries.

Cloud Access Security Brokers and dedicated cloud discovery platforms consolidate signals from multiple sources into a unified shadow IT inventory, applying risk scoring, categorization, and governance workflows on top of raw discovery data. Microsoft Defender for Cloud Apps, Netskope, and similar platforms ingest firewall logs, proxy data, and identity provider integrations. They cross-reference discovered applications against risk databases that score each tool on security posture, compliance certifications, and data residency.

The operational advantage of a CASB is automated triage. Raw discovery produces a firehose of domains that a human team cannot manually review, so a CASB categorizes each application by function, assigns a risk score based on security controls, and surfaces the highest-risk unsanctioned tools first. This transforms shadow IT discovery from a forensic archaeology project into a continuous monitoring function that flags new applications within hours of first detection.

The deployment model matters. Inline CASBs sit in the network path and can block connections to prohibited services in real time, while API-based CASBs connect to cloud services directly and provide deeper visibility into data at rest and sharing permissions but cannot block access.

Log-collector-based deployments are the lightest touch, ingesting existing firewall and proxy logs without any network reconfiguration and trading enforcement capability for deployment speed. Organizations typically start with log collection to establish baseline visibility and graduate to API or inline modes as governance policies mature.

A CASB ranks risk and block connections, yet employees keep finding new tools faster than any database updates. Adaptive Security reduces that demand by changing how employees evaluate software before adoption.

Book a demo

7. Employee Surveys: the Human Signal

  • Detection scope: Only applications employees consciously recall and choose to report.
  • Accuracy: High for reported tools; zero for unreported tools; moderate for usage context and motivation data.
  • Pros: Surfaces user intent and workflow gaps; builds trust when positioned as a partnership; costs nothing to deploy.
  • Cons: Incomplete coverage by design; dependent on employee goodwill and memory; survey fatigue reduces response rates in over-surveyed organizations; cannot detect dormant or forgotten accounts.

Employee surveys are the lowest-tech shadow IT discovery method, but they surface something no technical scan ever will: why employees adopted the tools they did and what gap they were trying to fill. A well-designed survey asks not just what tools employees use but what problem they were solving and which approved tool came closest to meeting that need. The answers often reveal that the sanctioned tool was too slow to provision, lacked a critical feature, or was simply unknown to the employee.

Surveys work best when positioned as a partnership conversation rather than an audit. An improvement framing such as "the goal is to make sure every team has access to the best tools available" produces higher response rates and better data quality than an accusatory demand to confess unauthorized applications. Anonymous submission options further reduce fear of repercussion and increase honesty, though they sacrifice per-user attribution.

The survey method has one structural limitation: employees can only report tools they remember using. Someone signed up for a SaaS tool six months ago for a single project. Another person tried a free AI assistant twice and gave up. A former teammate set up a collaboration platform that's still sitting there. None of these show up in your survey results. However, none of these surface in a survey.

This is why surveys belong at the end of the discovery process. Pairing survey insights with technical data moves discovery toward governance with a roadmap for reducing shadow IT demand rather than just detecting its symptoms. That road to governance narrows quickly when organizations begin mapping discovered applications to employee risk profiles, connecting shadow IT visibility to the broader human risk management picture.

Surveys reveal intent, but no scan explains why employees keep choosing unsanctioned tools. Adaptive Security uses cybersecurity awareness training to change how employees evaluate technology before they adopt it.

Explore the platform

How to Build a Shadow IT Discovery Policy

A shadow IT policy defines scope, privacy-respecting monitoring, application classification by risk, response protocols, and a continuous review cadence

Building a shadow IT discovery policy starts with defining which technology categories and departments fall under its scope, then establishing privacy-respecting monitoring provisions that clarify what data the program collects. From there, the policy classifies every discovered application as sanctioned, tolerated, or prohibited based on data sensitivity, user scope, integrations, and blast radius, and pairs each classification with a clear response protocol. The policy must also define a review cadence, because shadow IT is not a one-time cleanup; it is a permanent operational reality that demands continuous governance.

1. Defining Scope and Employee Privacy Boundaries

Scope definition answers two questions: what technology categories fall within scope and which environments will be monitored. Technology categories should include SaaS applications, browser extensions, AI tools, cloud infrastructure services, collaboration platforms, and any software that touches corporate data, whether deployed on a managed device or accessed through a personal browser. According to Zylo's 2026 SaaS Management Index, 34% of all SaaS applications originate from employee-led purchases, yet most discovery programs track only a fraction of that surface area.

Departmental scope must reflect real risk distribution rather than assumptions. Marketing leads shadow IT adoption. Every department belongs in discovery scope, but monitoring intensity should weight toward these high-adoption teams.

Privacy boundaries determine whether the policy earns employee trust or triggers resistance. The policy should explicitly state that the discovery program monitors application usage patterns and data flow indicators rather than message content, keystrokes, or personal browsing activity. It should define retention periods for collected telemetry, name who has access to discovery dashboards, and prohibit using discovery data for individual performance evaluation.

This is asset inventory at cloud scale rather than surveillance. Timothy D. Spivey (University of South Alabama) and Timothy R. McIlveene (University of West Florida) argue in the ISACA Journal that transparency and trust encourage employees to disclose shadow IT use and reveal the gaps in existing IT solutions.

2. Risk Classification: Sanctioned, Tolerated, Prohibited

Every discovered application needs a classification label that triggers a specific set of actions, and three tiers cover most organizations.

Sanctioned applications are fully vetted, centrally managed, integrated with the identity provider, and covered by the organization's standard security controls. They appear in the approved software catalog and carry no access restrictions beyond standard role-based permissions.

Tolerated applications are known to IT and accepted for limited use cases but have not met the full bar for sanctioned status. They may lack single sign-on integration, have incomplete data processing agreements, or serve a niche function that does not justify enterprise procurement. Tolerated apps come with guardrails: no sensitive data, no system integrations, and mandatory training acknowledgment from users. They sit on a watchlist with a sunset review date, and if the user base grows beyond a defined threshold, the tool must be formally sanctioned or phased out.

Prohibited applications present unacceptable risk regardless of business justification. Concrete classification criteria include:

Experience the Adaptive platform

Take a free tour
  • Tools that exfiltrate data to unvetted infrastructure.
  • Applications with known CVEs that vendors have not patched within 90 days.
  • Consumer-grade AI tools that train on user inputs.
  • Any software that violates industry-specific regulatory requirements.

Blast radius matters, because a note-taking app used by two marketers is a different problem than a database tool with read access to production customer records. Risk scoring should weigh data sensitivity, user scope, system integrations, and vendor security posture. Assigning numerical scores to each dimension keeps classification decisions repeatable and defensible rather than based on who argues loudest in a review meeting.

3. Freedom Within a Framework: Governance Without Stifling Productivity

Employees adopt shadow IT because sanctioned tools do not meet their needs. According to the 2024 MarTech Composability Survey, 83% of marketers chose an alternative app despite an approved tool being available, citing better functionality as the primary reason. A discovery policy that only says "no" ignores the legitimate productivity drivers behind shadow IT adoption.

The "Freedom within a Framework" model establishes clear boundaries, security requirements, procurement thresholds, and data handling rules within which employees and teams can select their own tools without case-by-case approval. The framework defines what is non-negotiable, such as MFA, data residency, and encryption standards, while leaving room for teams to choose applications that fit their workflows.

Standardizing the software catalog is the operational backbone of this model. When an employee searches for a project management tool, they should find two or three IT-vetted options with clear capability descriptions rather than a blank field and a procurement form. The catalog must be searchable, categorized by function, and updated quarterly, because stale catalogs are the fastest route back to shadow IT. The catalog should include a request workflow for tools not yet listed, with a published SLA for evaluation; if IT consistently misses that window, the policy loses credibility and adoption plummets.

IT must also actively solicit feedback on approved tools. Running quarterly surveys to confirm whether sanctioned applications still meet team needs lets IT replace failing tools before employees find their own replacements. The goal is not zero shadow IT; it is shadow IT that is visible, understood, and governed rather than hidden and dangerous.

4. Response Protocols and Communication Templates

How the organization responds to discovered shadow IT determines whether employees hide or report their next unsanctioned tool, so the default communication stance should be educational rather than disciplinary.

When a prohibited application is detected, the response follows a standardized workflow: an automated notification explaining why the tool is prohibited and citing the specific risk rather than a generic policy reference, a window to export and migrate data to a sanctioned alternative, then access revocation. IT should provide a direct link to the approved alternative in the same notification. If the user has a legitimate business case that no sanctioned tool addresses, the notification includes a fast-track review request link, because compliance should never be harder than circumvention.

For tolerated applications crossing a usage threshold, the protocol shifts from monitoring to engagement. IT reaches out to the primary users, explains that the tool is approaching a usage level requiring formal review, and initiates the sanctioning evaluation. The framing should be a positive signal, that the team found something valuable and the security team's job is to make it safe, rather than an accusation.

Communication templates must be prewritten and approved by legal, HR, and security leadership before they are ever needed. Three templates cover most scenarios: initial discovery notification for prohibited apps, tolerated-to-sanctioned transition invitation, and post-remediation confirmation. Every template includes a named contact in IT rather than a generic mailbox, because employees who feel they have a human ally in IT report shadow tools at higher rates than those who receive automated enforcement emails from an unmonitored address.

5. Aligning Shadow IT Discovery Policy with Zero-Trust Principles

Shadow IT discovery policy and zero-trust architecture share a foundational assumption: no application, device, or user should be implicitly trusted just because it operates inside the network perimeter. NIST SP 800-207 defines zero trust as an architecture where access decisions are made per session based on continuous verification, and that verification is impossible when applications exist outside IT's visibility.

The policy should require that every application accessing corporate data authenticates through the organization's identity provider. Applications that cannot support SAML or OIDC integration are automatically classified as tolerated at best, regardless of their business utility. Discovery telemetry should feed directly into the continuous monitoring layer of the zero-trust architecture, so that an application never seen in discovery suddenly initiating API calls to core infrastructure becomes a high-severity signal.

Sanctioned applications must undergo periodic access reviews, because zero trust demands continuous verification rather than one-time approval. Every 90 days, application owners must re-certify user access lists and confirm that integration scopes have not drifted, and tools that fail this recertification cycle move from sanctioned to tolerated status until remediated.

Discovery finds the apps, classification assigns the risk tier, zero-trust enforcement gates access, and periodic recertification keeps the inventory current. Without this integration, shadow IT discovery is an inventory exercise with no enforcement teeth; with it, the policy becomes an operational control that directly reduces the attack surface and feeds the risk signals that drive role-specific cybersecurity awareness training.

A discovery inventory without enforcement is a list of risks nobody acts on. Adaptive Security connects shadow IT signals to targeted cybersecurity awareness training that changes employee behavior.

Book a demo

How Shadow AI Is Reshaping the Discovery Challenge

When employees use ChatGPT, Claude, Gemini, or any of the dozens of other publicly available AI tools without organizational knowledge or approval, those tools become invisible attack surfaces that no conventional IT asset inventory can detect. The result is a discovery failure that leaves security teams blind to where sensitive data is flowing and unable to govern what they cannot see. According to IBM's Cost of a Data Breach Report 2025, organizations with high levels of shadow AI incurred an additional $670,000 in average breach costs, and 63% of breached organizations either had no AI governance policy or were still developing one.

Samsung's widely publicized 2023 incident revealed the structural scale of the problem. Engineers pasted proprietary source code and confidential meeting transcripts into ChatGPT three separate times in under 20 days. Each instance was a rational work behavior, debugging code, optimizing a test sequence, generating meeting notes, yet each permanently externalized trade secrets into a public model with no retrieval path. That discovery gap now defines shadow AI as the most urgent subset of shadow IT.

Shadow AI vs. Shadow IT: what's different and why it matters

Shadow IT traditionally refers to employees using unauthorized SaaS applications, personal cloud storage, or unapproved hardware. These tools leave recognizable footprints: installed executables, network traffic to known SaaS domains, or license records in expense systems. Shadow AI shares the same unauthorized-use DNA but operates through fundamentally different mechanisms that render traditional shadow IT discovery techniques inadequate.

The critical distinction is data flow direction and persistence. When an employee uses an unapproved project management tool, data sits within a cloud tenant the organization can, in principle, discover and later reclaim. When that same employee pastes a customer contract into ChatGPT, the data enters a public large language model where it may contribute to future model training and cannot be retrieved, deleted, or governed after the fact. According to a 2024 analysis by IBM, 38% of employees acknowledge sharing sensitive work information with AI tools without employer permission.

The velocity gap compounds the problem. According to Cyberhaven's Q2 2024 AI Adoption and Risk Report, the amount of corporate data employees put into AI tools increased 485% between March 2023 and March 2024. Traditional shadow IT discovery cycles, the quarterly SaaS audits and annual network scans, were designed for a world where new tools entered the enterprise over months, but shadow AI tools entered over lunch breaks.

Discovery Blind Spots: Why Traditional Methods Miss AI tools

Most AI tools are browser-based, requiring no installation, no local agent, and no client-side executable. ChatGPT, Claude, Gemini, Perplexity, and hundreds of specialized AI assistants operate entirely within a browser tab. An employee opens the chat interface, pastes a spreadsheet, and closes the tab, and the security team sees standard HTTPS traffic to a known CDN, indistinguishable from millions of other benign web requests.

Traditional discovery methods fail on three fronts. Endpoint detection and response agents see no binary execution to flag. SaaS management platforms that track OAuth grants and SAML logins miss AI tools accessed through personal accounts. Network traffic analysis tools that match destination IPs against known-application databases frequently classify AI tool traffic as generic cloud or content delivery traffic, because the underlying infrastructure such as Cloudflare and AWS is shared with countless non-AI services.

According to Cisco's 2025 Cybersecurity Readiness Index, 60% of organizations cannot see the specific prompts employees submit to AI tools, and a further 60% lack confidence in their ability to identify unapproved AI tools in use. The tools exist, the traffic is flowing, and the visibility is not.

Data Exposure Risks Unique to AI Tool Usage

Shadow AI exposes prompt-based data leakage, with 27.4% of corporate data entered into AI tools now classified as sensitive

Shadow AI introduces exposure vectors with no equivalent in traditional shadow IT, and the most immediate is prompt-based data leakage. An employee troubleshooting a production database issue copies a query containing customer PII, pastes it into ChatGPT for debugging help, and unknowingly externalizes regulated data. According to Cyberhaven's 2024 AI Adoption and Risk Report, 27.4% of the corporate data employees put into AI tools qualifies as sensitive, up from 10.7% a year earlier.

The model training risk amplifies the damage. When data enters a public AI model, it may be retained, used for future training, and surfaced in responses to other users. That risk prompted Samsung, Amazon, and other major enterprises to restrict or ban employee access to public AI tools, turning a one-time copy-paste error into a permanent governance liability.

The governance failure is not that employees use AI. Shadow AI often keeps employees focused and productive, and the underlying problem is that organizations fail to build the frameworks that make that use visible and governable in the first place. According to Harmonic Security's 2025 analysis of enterprise AI prompts, more than 4% of corporate generative AI prompts contain sensitive data, with the majority of leaks occurring on free-tier platforms that use input data for model training.

Adapting Shadow IT Discovery for the AI Era

Closing the shadow AI visibility gap requires discovery methods built for how AI tools are actually accessed. Browser extension-based monitoring is the most direct approach. A lightweight extension deployed to managed browsers detects when an employee visits known AI tool domains, captures the interaction context, and flags instances where sensitive data patterns such as PII, credentials, or source code are submitted through the browser. Unlike network-layer detection, browser-level monitoring can distinguish between a harmless query and a prompt containing a customer database extract.

Network traffic analysis must evolve to monitor for AI API endpoints specifically, because tools like ChatGPT, Claude, and Gemini expose recognizable API patterns that can be identified even when wrapped in standard HTTPS. Organizations that combine API endpoint detection with DNS query logging can build a real-time inventory of AI tool usage without requiring endpoint agents on every device.

Expense report mining provides a complementary signal, since corporate card charges to OpenAI, Anthropic, Google AI, and similar services surface individual subscriptions that security teams would otherwise never discover.

The governance gap that makes all of this urgent is structural. Data loss prevention and cloud access security broker tools were architected for file-based data movement, the documents attached to emails and files uploaded to cloud storage. They were never designed to parse the prompt-and-response interaction pattern of generative AI tools, where sensitive data moves as unstructured text pasted into a browser text field.

As shadow AI adoption accelerates, organizations that rely exclusively on legacy controls cede visibility over the fastest-growing attack surface in the enterprise, and closing that gap demands both new tools and a fundamentally different approach to governing how employees interact with AI.

Legacy data loss controls were never built to see prompts, and shadow AI exploits exactly that blind spot. Adaptive Security teaches employees to recognize AI data risk before sensitive information ever leaves the building.

Take a self-guided tour

How Cybersecurity Awareness Training and Shadow IT Governance Intersect

Technical discovery tools reveal what employees have already deployed, but they cannot address why employees bypass IT in the first place. Sustainable shadow IT reduction demands a behavioral layer: employees who understand what qualifies as shadow IT, why unsanctioned tools create risk, and how to choose safe alternatives stop creating the problem at its source. Most employees are not malicious. According to the Cloud Security Alliance's State of SaaS Security 2023 Survey Report, 67% of employees at Fortune 1000 companies use unapproved SaaS applications, and the overwhelming driver is productivity rather than sabotage. Cybersecurity awareness training redirects that intent instead of punishing it.

Why Technical Discovery Alone Can't Solve Shadow IT

Discovery tools operate in reactive mode. They flag an unsanctioned Notion workspace, an unapproved ChatGPT account, or a personal Dropbox sync after data has already moved outside the organization's visibility envelope. According to Nudge Security, the average organization uses over 1,000 cloud apps, and by the time a CASB or network monitor surfaces a new SaaS subscription, sensitive data may have been resident on an unvetted third-party server for weeks.

Even when discovery works perfectly, blocking without explanation backfires. Employees circumvent blocks through personal devices, secondary accounts, or browser-based workarounds, and the same ingenuity that makes them productive also defeats technical controls applied without context. The tool disappears from the dashboard while the behavior persists underground.

This is why governance frameworks that pair technical detection with human-layer cybersecurity awareness training produce measurably different outcomes. Detection identifies the what, and training addresses the why. Without the second layer, every sanctioned-app list becomes a game of whack-a-mole that IT inevitably loses.

Teaching Employees to Self-Identify Risky Tool Choices

Most employees cannot name three characteristics that make a SaaS tool risky. They evaluate tools the way consumers do, weighing ease of use, feature set, and whether colleagues recommended it. Security considerations such as data residency, encryption standards, access controls, and compliance certifications simply do not enter the decision calculus, because nobody taught them to ask those questions.

Effective security awareness training closes this gap by teaching employees a practical mental model for evaluating any tool before adoption. The framework is straightforward: where does data live, who can access it, and what happens if the vendor is breached. A finance analyst considering a free invoice generator learns to ask whether client payment data will sit on an unencrypted server, and a marketing manager exploring an AI copywriting tool learns to check whether prompts become training data for the vendor's next model. These are immediate, role-relevant risk judgments rather than abstract compliance lessons.

The training must also address the most dangerous blind spot: free-tier SaaS and AI tools. According to the National Cybersecurity Alliance's Oh Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2025–2026, 52% of employed participants reported they have received no training on the security or privacy risks of AI tools, despite 65% now using AI and 43% admitting to sharing sensitive work information with AI tools. When employees understand that "free" often means "paid for with organizational data," the appeal of unsanctioned tools diminishes sharply.

Building a Reporting Culture: from Gotcha to Growth

Shadow IT reporting fails in most organizations for one reason: employees expect punishment. When a finance team member uses an unapproved expense tracker and self-reports it, a security team that responds with reprimand has trained that employee, and everyone they talk to, to stay silent next time, leaving the unauthorized tool active and invisible to IT indefinitely.

A reporting culture that actually works replaces "gotcha" with "growth." Employees who self-report shadow IT usage receive acknowledgment rather than blame, and the security team responds by either approving the tool with appropriate guardrails or offering a pre-vetted, functionally equivalent alternative. When the outcome of reporting is that the employee gets a secure version of what they actually need, reporting rates climb and shadow IT inventory shrinks organically.

Clear communication of the rationale behind IT policies is equally essential. Employees who understand why a policy exists are far less likely to circumvent it; when a file-sharing tool fails SOC 2 requirements, the rationale connects to real customer trust and regulatory exposure rather than an arbitrary block. When employees internalize that the policy protects customer data they genuinely care about, compliance shifts from obligation to instinct.

The practical mechanism is a simple internal portal where employees can request tool reviews, paired with a visible commitment that requests receive a decision within 48 to 72 hours, because when the sanctioned path is faster than the shadow path, the shadow path loses.

Connecting Shadow IT Risk to Unified Human Risk Scoring

The employee who uses five unsanctioned SaaS tools is often the same employee who clicks phishing simulations. Both behaviors share a common root, a low baseline awareness of how technology choices create organizational risk, and treating shadow IT and phishing susceptibility as separate problems misses the unified behavioral signal they represent.

A unified human risk score that incorporates shadow IT adoption alongside phishing simulation click rates, training completion patterns, open-source intelligence exposure, and credential hygiene gives security teams a far richer picture than any single metric. The marketing director who runs a high phishing click rate and maintains three unauthorized AI tool accounts is not two separate problems; that is one person with a consistent risk pattern demanding one targeted intervention.

This approach enables precision intervention. A department averaging many unauthorized tools per employee receives role-specific cybersecurity awareness training on SaaS evaluation rather than generic phishing modules. An individual whose risk score spikes after adopting several new shadow AI tools in a quarter triggers automated microlearning on data handling requirements, delivered within hours rather than at next year's annual refresh. The feedback loop is continuous: detection feeds scoring, scoring triggers training, training changes behavior, and the cycle repeats with measurable reduction at each pass.

Shadow IT and phishing susceptibility are the same behavioral signal split across two dashboards. Adaptive Security unifies them into one human risk score that turns detection into targeted cybersecurity awareness training.

Explore the platform

Reduce Shadow IT Risk by Strengthening the Human Layer

Adaptive Security addresses behavioral drivers behind shadow IT, training employees to choose secure procurement paths before adoption

Security teams that rely on technical discovery alone keep finding shadow IT after sensitive data has already moved, because detection tools surface unsanctioned tools only once they are in use. Adaptive Security shifts that timeline forward by addressing the behavioral drivers behind shadow IT discovery gaps, combining cybersecurity awareness training with dynamic human risk scoring so employees learn to choose secure procurement paths before adopting a risky tool.

The result is a workforce that understands why unsanctioned applications create risk and how to evaluate any tool against data residency, access, and breach-impact criteria. Adaptive Security connects the risk signals from discovery directly to role-specific training, so the employees most likely to introduce shadow IT receive the most relevant guidance, delivered when it matters rather than once a year.

Over time, organizations using Adaptive Security see shadow IT reduction become self-sustaining as reporting rates climb and unsanctioned adoption falls. Discovery surfaces the problem, and Adaptive Security gives security teams the visibility to measure it and the behavioral tools to change how employees make technology decisions.

Detection alone keeps security teams one step behind every new unsanctioned tool. Adaptive Security closes the loop by turning shadow IT discovery signals into cybersecurity awareness training that prevents the next risky adoption.

Book a demo

Frequently Asked Questions About Shadow IT Discovery

What Is Shadow IT Discovery and Why Does It Matter?

Shadow IT discovery is the structured process of identifying, cataloging, and assessing any hardware, software, or cloud service used without IT department approval. It matters because organizations routinely underestimate their technology footprint by a wide margin, leaving the majority of applications handling corporate data outside security oversight.

Undiscovered shadow IT creates unpatched vulnerabilities, compliance exposure when regulated data flows through unsanctioned systems, and financial waste from duplicate subscriptions. According to the Josys 2024 Shadow IT report, more than 20% of breaches involved shadow IT. Without discovery, security teams cannot protect what they cannot see.

How Does an Organization Detect Shadow IT?

No single technique provides complete coverage in shadow IT discovery. A layered approach combining network traffic analysis, which monitors DNS queries and firewall logs for cloud service connections, with identity provider log scanning through SSO platforms like Okta or Azure AD provides the broadest coverage. Expense report mining surfaces unsanctioned subscriptions, endpoint agents and browser extensions detect SaaS usage directly on devices, and email scanning identifies sign-up confirmations and invoices for unapproved services.

CASB integrations and employee surveys round out the picture. According to the FBI Internet Crime Complaint Center's Internet Crime Report 2025, phishing and spoofing generated 191,561 complaints, the highest number of any reported crime type, underscoring why continuous multi-method discovery matters more than periodic audits.

What Are the Best Shadow IT Discovery Tools Available Today?

The best tool depends on the organization's environment. SaaS Management Platforms excel for SaaS-heavy organizations by surfacing spend, license utilization, and app risk scores. CASBs such as Microsoft Defender for Cloud Apps, which maintains a catalog of over 31,000 apps assessed across more than 90 risk factors as detailed by Microsoft, provide deep security analysis for cloud-first enterprises.

Identity-first platforms offer discovery anchored to the identity layer, catching apps accessed outside SSO, while SaaS security posture management tools add posture visibility alongside discovery. According to CloudEagle research, 69% of IT executives rank shadow IT as a top concern, making integration depth with existing identity and SSO infrastructure the most important evaluation criterion when selecting any platform.

How Is Shadow AI Different From Traditional Shadow IT in Discovery?

Shadow AI is harder to detect because it leaves a different footprint. Traditional shadow IT involves installing software or signing up for SaaS, actions that generate logs, expense records, and network signals that discovery tools can intercept. Shadow AI tools such as ChatGPT and Claude operate through browser interfaces and API calls with no installation required, making them invisible to endpoint agents and software inventory scans.

The risk profile differs sharply too, because users paste sensitive data, PII, or source code directly into prompts. According to Nudge Security, shadow AI introduces data exposure risks traditional discovery methods were not designed to detect, which is why network traffic analysis for AI API endpoints and browser extension monitoring have become essential supplemental methods.

What Percentage of Enterprise SaaS Applications Are Shadow IT?

Research consistently places the figure between 42% and 52% of all SaaS applications. According to research compiled by Josys, 42% of applications within a typical company qualify as shadow IT, equating to roughly 78 of 187 average applications. According to JumpCloud's 2024 SaaS research, 52% of the 270 to 364 SaaS apps used by the average enterprise are unsanctioned.

Nudge Security adds further context, finding that 80% of employees use non-approved applications to complete their work. These figures underscore that shadow IT represents a significant portion of every organization's technology estate that requires systematic shadow IT discovery before governance can take hold.

Key Takeaways

  • Shadow IT discovery is no longer optional, because the average organization runs far more unmanaged applications than IT can name, and every unmanaged tool widens the attack surface.
  • No single method delivers complete coverage; effective shadow IT discovery layers network analysis, identity provider logs, expense mining, endpoint monitoring, email scanning, CASBs, and surveys.
  • A shadow IT discovery policy must classify every application as sanctioned, tolerated, or prohibited, pair each tier with a response protocol, and align with zero-trust verification.
  • Shadow AI is the fastest-growing and hardest-to-detect subset of shadow IT, and traditional methods miss browser-based AI tools entirely.
  • Technical detection identifies what employees deployed, but cybersecurity awareness training addresses why they bypass IT, making it the lever for sustainable reduction.
  • Connecting shadow IT discovery signals to a unified human risk score turns scattered detections into targeted cybersecurity awareness training interventions.

Discovery without behavior change leaves security teams chasing the same unsanctioned tools quarter after quarter. Adaptive Security pairs shadow IT discovery insight with cybersecurity awareness training that reduces risk at its source.

Take a self-guided tour

Adaptive Team

Adaptive Team

As experts in cybersecurity insights and AI threat analysis, the Adaptive Security Team is sharing its expertise with organizations.

Get started with Adaptive Security

Get started

Human security for the AI era.