Shadow IT is one of the most persistent risks in modern IT environments — unauthorised apps, cloud services, and devices that bypass your approval process entirely. This guide explains what shadow IT discovery involves, why unsanctioned tools keep multiplying, how to find them across your network, endpoints, and cloud services, and how to build a practical process for managing what you find without alienating the users who created it.
What Is Shadow IT Discovery?
Shadow IT discovery is the process of systematically identifying hardware, software, and cloud services used within an organisation without IT approval or knowledge. It combines network scanning, endpoint inventory, DNS and proxy log analysis, and financial data review to build a complete picture of unsanctioned technology, so IT can assess risk and bring it under governance.
That definition hides a lot of practical work. Discovery is not a one-off scan; it is a continuous capability that feeds your asset management, security, and service delivery processes. Done well, it turns an invisible risk into a managed inventory. Done badly — or not at all — it leaves you exposed to data leakage, licence non-compliance, and audit findings you cannot answer.
According to Wikipedia's overview of shadow IT, the term covers any system deployed by departments other than central IT to work around perceived shortcomings of official systems. That framing matters: shadow IT is almost never sabotage. It is a demand signal from users whose needs your approved toolset is not meeting quickly enough.

Why Shadow IT Is Getting Harder to Ignore
Shadow IT is not a new problem, but three trends have made it dramatically harder to control in 2026. First, the SaaS explosion: any employee with a browser can adopt a new tool in under five minutes, with no procurement gate and often no visible network footprint. Second, hybrid work: a personal laptop on home broadband syncing company files to a personal cloud drive never touches your firewall. Third, generative AI: employees paste customer data, source code, and internal documents into consumer AI chatbots daily, and that data leaves your control the moment it is submitted.
The risks are concrete and varied:
- Data leakage through unsanctioned cloud services with no data residency or retention controls
- Licence compliance gaps when software is installed without procurement involvement — a direct audit exposure covered in more depth in our guide to IT licence compliance and staying audit-ready
- Security vulnerabilities from unpatched, unmanaged endpoints and applications that never receive updates
- Audit failures when regulators or certifiers ask for a complete software and asset inventory and you cannot produce one
- Operational blind spots that slow incident diagnosis, because the failing component is not in your CMDB
- Duplicate spend, where three departments independently pay for tools that do the same job
Industry analysts such as Gartner have repeatedly estimated that a substantial share of enterprise technology spend — commonly cited at 30 to 40 percent — happens outside the IT budget. Even if your organisation is at the low end of that range, it represents a material governance gap.
The reason shadow IT persists is not malice. Employees adopt unsanctioned tools because approved tools are slow, unavailable, or hard to request. Solving the discovery problem alone is not enough — you also need to fix the underlying friction that drives users to work around IT in the first place. Both halves of that equation are covered below.
How Shadow IT Enters Your Environment
Understanding the entry points makes discovery much more targeted. Shadow IT typically arrives through one of five channels.
Unsanctioned SaaS and Cloud Applications
This is the largest and fastest-growing category. Free tiers, instant sign-up, and credit-card purchasing mean a team can be running a new collaboration or analytics tool within minutes, often without ever touching your network perimeter. The tell-tale signs are OAuth grants against your identity provider, recurring small charges on expense reports, and DNS queries to unfamiliar SaaS domains.
Personally Owned Devices (BYOD Without Controls)
When employees connect personal laptops, phones, or tablets to corporate Wi-Fi or VPN, those devices carry their own installed software, browser profiles, and cloud sync clients. Without endpoint management or a formal BYOD policy, you have no visibility into what is running on them — and no ability to enforce encryption, patching, or data handling rules.
Locally Installed Software
Even on managed devices, users with local administrator rights can install applications without going through a software request process. These installations may not surface in your software inventory if your agent coverage is incomplete or your discovery scans are infrequent. Portable applications that run without installation are a particular blind spot for registry-based inventory methods.
Rogue Hardware
Unauthorised switches, wireless access points, Raspberry Pi devices, network-attached storage, or IoT gadgets plugged into network ports are a physical-layer shadow IT problem. They can introduce open access points, create network segments you are not monitoring, and bypass firewall rules. Techniques for finding them are covered in detail in our guide to network asset discovery.
Shadow AI and Browser Extensions
Browser extensions and consumer AI assistants deserve their own category because they sit inside sanctioned applications. An extension installed in an approved browser on a managed laptop can read page content, capture keystrokes, or sync data to external servers — all while every conventional inventory shows a fully compliant device. Endpoint agents that enumerate browser extensions are the only reliable detection method here.

Shadow IT Discovery: Practical Techniques
Discovery is a multi-layered effort. No single tool or technique catches everything, so a mature approach combines several methods and reconciles their output into one inventory.
Network-Level Scanning
Active and passive network scanning identifies every device connected to your infrastructure. Active scanning probes IP ranges for open ports, services, and device fingerprints; passive scanning observes traffic to detect new MAC addresses, DHCP requests, and unusual DNS queries. Network discovery is particularly effective for rogue hardware and unmanaged endpoints, and it is the fastest way to answer the baseline question: how many devices are actually on our network versus how many we think we have?
Odysseus asset discovery performs continuous network scanning to surface devices that have never been registered in your asset database. When a new device appears, it is flagged immediately — the difference between catching a rogue access point in hours and finding it six months later at the next audit.
Endpoint Agent Data
For managed devices, a lightweight agent installed on each endpoint reports installed applications, running processes, browser extensions, and connected peripherals. This catches locally installed software and portable apps that never touch a network share or external service.
Agent-based discovery is more granular than network scanning but only covers devices where the agent has been deployed. The practical rule: use network scanning to find devices, then use the gap between scanned devices and agent-covered devices as your agent deployment worklist. Combining both methods closes the loop. If you are evaluating tooling for this layer, our comparison of IT asset discovery tools and how to choose the right one walks through the selection criteria.
DNS and Proxy Log Analysis
Reviewing DNS query logs or web proxy traffic reveals which external domains and SaaS platforms your users are reaching. A spike in traffic to an unfamiliar file-sharing or video-conferencing domain is a strong signal that a team has adopted an unsanctioned service. This technique requires no endpoint agent and works even for personal devices on corporate Wi-Fi. To keep it manageable, filter for file storage, messaging, AI, and productivity SaaS categories first — they carry the highest data-leakage risk — and investigate any unapproved domain with sustained traffic from more than a handful of users.
Identity Provider and OAuth Grant Review
One of the highest-signal, lowest-effort techniques is reviewing your identity provider's application dashboard. Every time a user signs into a third-party service with their corporate account, or grants an app OAuth access to email, calendar, or files, a record is created. A monthly review of new OAuth grants often surfaces unsanctioned SaaS adoption weeks before it shows up anywhere else — complete with the names of the users involved, which makes the engagement conversation straightforward.
Expense and Procurement Data Mining
Finance data is an underused discovery channel. Recurring charges to software vendors on corporate cards and expense claims reveal paid shadow IT that may not generate obvious network signals. Ask finance for a quarterly export of technology-category expenses and reconcile it against your approved vendor list. This technique is especially effective for catching department-level subscriptions that have quietly become business-critical.
Cloud Access Security Broker (CASB) Integration
For organisations with significant cloud usage, a CASB sits between users and cloud services to identify, risk-score, and optionally block unsanctioned applications. Most CASBs ship with catalogues of tens of thousands of SaaS applications, each rated for security posture and compliance certifications, which accelerates the classification stage considerably. A CASB is a more advanced control layer that complements rather than replaces the discovery techniques above — it sees cloud traffic in depth but knows nothing about rogue hardware or locally installed software.
Regular Software Inventory Reconciliation
Comparing your discovered software inventory against your approved software catalogue on a scheduled basis highlights new or unexpected installations. The reconciliation process is most effective when your approved catalogue is kept current and your discovery runs frequently enough to catch changes between audit cycles — weekly reconciliation is a realistic target for most organisations, with monthly as the minimum for anything claiming to be under control. The same reconciliation discipline underpins a healthy configuration management practice, as described in our guide to CMDB best practices.
How to Run Your First Shadow IT Discovery Exercise
If you are starting from zero, a structured first pass takes four to six weeks and follows a repeatable sequence.
- Define scope and get sponsorship. Agree with leadership which networks, sites, and user populations are in scope, and — critically — agree upfront that the goal of the first exercise is visibility, not punishment. Announcing an amnesty period dramatically improves cooperation.
- Establish your baseline. Export your current CMDB, software inventory, and approved application catalogue. This is the reference everything discovered will be compared against.
- Run network discovery across all in-scope ranges. Capture every responding device, its open services, and its fingerprint. Expect the device count to exceed your CMDB by 15 to 30 percent on a first pass — that gap is normal and is precisely the point of the exercise.
- Pull 30 days of DNS or proxy logs and extract the top SaaS domains by unique user count. Flag everything not in your approved catalogue.
- Review identity provider OAuth grants and finance expense data for the same period, and merge the findings into a single worksheet.
- Deduplicate and classify. Consolidate findings into one list of unique applications, services, and devices, each tagged with user count, data sensitivity, and business function.
- Report and transition to a process. Present the findings by department, agree ownership for each item, and move from one-off exercise to the continuous management process described next.

Building a Shadow IT Management Process
Discovery tells you what exists. A management process tells you what to do about it. Without a defined process, discovery findings pile up without resolution, and the same unauthorised tools reappear after each audit.
A practical shadow IT management process has five stages.
- Discover: run continuous or frequent discovery across network, endpoint, identity, finance, and cloud channels to maintain an up-to-date picture of your environment
- Classify: categorise each discovered item as approved, tolerated, under review, or prohibited based on security risk, data handling, licensing implications, and business value
- Engage: contact the team or individual using the tool to understand the business need before making any removal decision
- Resolve: either bring the tool into your approved catalogue with proper procurement and security review, migrate users to a sanctioned alternative that meets the same need, or remove the tool with a clear explanation and a stated alternative
- Prevent recurrence: address the underlying friction — improve your service catalogue, speed up software request approvals, or provide better-supported alternatives
For the classification stage, simple and consistent criteria beat elaborate scoring models. Three questions cover most cases: does the tool handle sensitive or regulated data, does it overlap with an approved tool we already pay for, and would we approve it if asked today? A tool handling customer data with no security certification is prohibited; a harmless niche utility used by two people may simply be tolerated and recorded.
The engagement step is where many IT teams stumble. Blocking or removing tools without understanding the business need creates resentment and drives users to find workarounds that are even harder to detect. A better outcome is to treat shadow IT findings as demand signals that tell you where your approved toolset has gaps. If four departments independently adopted the same whiteboarding app, the finding is not four policy violations — it is a missing item in your service catalogue.
Integrating Findings into Your CMDB and ITAM Processes
Every shadow IT item that is approved through your review process should be added to your CMDB and software inventory immediately, with an owner, a licence record, and a support arrangement. Items that are removed should be documented as well, with the reason recorded. This creates an audit trail and lets you verify whether removal decisions are actually being respected in subsequent discovery runs.
Linking shadow IT findings to your change management process also helps. If a team wants to adopt a new SaaS tool, the proper path is a service request or change record — not a personal credit card and a free trial that quietly becomes business-critical. The relationship between service management and asset management practices, and why you need both working together, is explored in our guide to ITSM versus ITAM and why you need both.
Metrics That Show Whether You Are Winning
A handful of measures tell you whether the programme is working:
- Discovery coverage: percentage of known network segments and endpoints covered by at least one discovery method — target above 95 percent
- Unknown device ratio: devices found by discovery that are absent from the CMDB — should trend steadily downwards after the first quarter
- Mean time to classify: how long a newly discovered item waits before it is classified and assigned an owner — aim for under ten business days
- Recurrence rate: proportion of removed tools that reappear within 90 days — a high rate means the engage and prevent stages are failing
- Sanctioned alternative adoption: users migrated from unsanctioned tools to approved equivalents, which measures whether resolution is sticking
Reducing Shadow IT Through Better IT Service Delivery
The most durable fix for shadow IT is making the approved path easier than the unapproved one. When your service catalogue is comprehensive, your request process is fast, and your approved tools genuinely meet user needs, the incentive to go rogue diminishes significantly. This is consistent with ITIL 4 guidance from Axelos on focusing on value and co-creating services with the people who use them, rather than policing them.
Practical steps to reduce shadow IT at the source:
- Publish a clear, searchable software catalogue so users know what is already available before they search externally — our guide to building an IT service catalogue that actually gets used covers this in detail
- Set realistic SLA targets for software request fulfilment — two to five business days for standard software requests is an achievable and credible benchmark
- Create a lightweight fast-track review for low-risk SaaS tools so teams are not waiting weeks for approval of a simple productivity app; reserve the full security review for tools handling sensitive data
- Offer a pre-approved tools list for common needs — diagramming, transcription, survey tools, AI assistants — so the sanctioned answer is one click away
- Train managers to recognise shadow IT risks and to route tool requests through IT rather than approving team spending independently
- Share discovery findings with department heads quarterly so they understand the risk picture in their own areas and see IT as a partner rather than an obstacle
A self-service portal is the natural front door for all of this — the faster and clearer the request experience, the fewer reasons users have to bypass it, as covered in our post on self-service portal best practices.
Frameworks reinforce the same point from the governance side. Asset inventory is a foundational control in the NIST Cybersecurity Framework's Identify function — NIST treats knowing what you have as the prerequisite for protecting it — and ISO/IEC 27001 from ISO requires an inventory of information assets with assigned owners. If your organisation certifies against either, shadow IT discovery is not optional housekeeping; it is evidence you will be asked to produce.
TIKTING supports this loop by combining a self-service portal and service catalogue with ITSM workflows for software requests, change approvals, and asset tracking, while Odysseus handles the continuous discovery side — when it surfaces a new unknown device or application, that finding feeds directly into a TIKTING ticket for classification and resolution, keeping the whole process in one place rather than spread across spreadsheets and email threads.

Key Takeaways
Shadow IT is a symptom of friction in your IT service delivery as much as it is a governance problem. Addressing it effectively requires technical discovery and process improvement working together.
- Shadow IT enters through SaaS sign-ups, BYOD devices, locally installed software, rogue hardware, and — increasingly — AI tools and browser extensions
- Effective shadow IT discovery combines network scanning, endpoint agents, DNS log analysis, identity provider OAuth review, finance data mining, and scheduled inventory reconciliation
- A first discovery exercise takes four to six weeks; expect to find 15 to 30 percent more devices than your CMDB records
- A management process needs five stages: discover, classify, engage, resolve, and prevent recurrence
- Engage users before removing tools — understand the business need and use findings as demand signals to improve your service catalogue
- Integrate approved findings into your CMDB and link removals to change records for a complete audit trail
- Track coverage, unknown device ratio, time to classify, and recurrence rate to prove the programme is working
- Reducing the friction of the approved path is the most sustainable way to reduce shadow IT over time
Continuous discovery paired with a structured ITSM workflow gives IT teams the visibility and process discipline to stay ahead of shadow IT rather than reacting to it after the fact.
Frequently Asked Questions
What is shadow IT discovery?
Shadow IT discovery is the systematic identification of hardware, software, and cloud services being used in an organisation without IT approval. It combines network scanning, endpoint inventory agents, DNS and proxy log analysis, identity provider reviews, and expense data mining to build a complete inventory of unsanctioned technology so it can be risk-assessed and brought under governance.
How do you detect shadow IT in an organisation?
Use multiple overlapping methods: scan the network for unknown devices, deploy endpoint agents to inventory installed software and browser extensions, analyse DNS or proxy logs for unsanctioned SaaS domains, review OAuth grants in your identity provider, and reconcile finance expense data against your approved vendor list. No single method catches everything — the overlap is what closes the gaps.
Is shadow IT always a bad thing?
No. Shadow IT is a risk, but it is also a demand signal showing where approved tools fall short. Some discovered tools solve genuine problems well and simply need proper security review, licensing, and support to become sanctioned. The mistake is either ignoring shadow IT entirely or banning everything on discovery — both approaches drive usage further underground.
How often should shadow IT discovery run?
Continuously where possible. Network discovery and endpoint agent reporting should run continuously or daily, DNS and OAuth reviews monthly, and finance expense reconciliation quarterly. Annual audits alone are inadequate: a SaaS tool adopted the week after an audit gets eleven unmonitored months to become business-critical before the next one.
Who is responsible for managing shadow IT?
IT owns the discovery capability and classification process, but responsibility is shared. Security assesses risk, procurement handles licensing for approved tools, department heads own adoption within their teams, and executive leadership sets the policy tone. Making one team solely responsible — especially in a purely enforcement role — is the most common reason programmes fail.
What is the difference between shadow IT and BYOD?
BYOD (bring your own device) is the use of personal hardware for work, which can be fully sanctioned under a formal policy with enrolment and security controls. Shadow IT is any technology used without IT approval, whatever hardware it runs on. An unmanaged personal laptop on the corporate network is both; an enrolled personal phone under a BYOD policy is neither.
What is shadow AI and why does it matter?
Shadow AI is the unsanctioned use of AI tools — consumer chatbots, browser extensions, transcription services — with company data. It matters because data pasted into these tools leaves your control immediately and may be retained or used for model training. It is currently the fastest-growing shadow IT category, and providing an approved AI alternative is the most effective countermeasure.

Further Reading
- Shadow IT on Wikipedia — background on the term, causes, and documented examples of unsanctioned systems in organisations
- NIST — home of the Cybersecurity Framework, whose Identify function makes asset inventory the foundation of security programmes
- ISO — publisher of ISO/IEC 27001, which requires organisations to maintain an inventory of information assets with assigned owners
- Axelos — steward of ITIL 4, whose service value and continual improvement guidance underpins the friction-reduction approach to shadow IT


















































