Shadow IT: how to find and assess unsanctioned software
Procurement · 6-min read · updated June 2026
Your real vendor list is bigger than your official one — teams sign up for tools faster than security can review them. Shadow IT isn’t malice; it’s unmanaged risk. Here’s how to surface it and bring it under control.
The process
1. Pull signals from SSO/IdP logs, expense and card reports, browser/DNS or CASB data, and OAuth-grant lists in Google/Microsoft. Each surfaces tools that never went through review.
2. Collapse the signals into a clean list of distinct vendors and the data each touches. This becomes your real third-party inventory — usually bigger than the official one.
3. Tier by data sensitivity and reach. A tool with OAuth access to email or files is high-risk; a standalone utility is low. Triage tells you what to assess first.
4. Run a security questionnaire and verify the software independently (known vulnerabilities, active exploitation, end-of-life). Bring the risky tools under proper assessment.
5. For each, approve it (and onboard it properly), migrate to a sanctioned alternative, or remove access. Record the decision so it doesn’t resurface as "shadow" again.
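As an added example (not IsItPatched's own code), here is how steps 1 to 3 can be wired together: constructed SSO, OAuth-grant and expense records are normalised to one vendor key, merged into an inventory, and tiered on the OAuth scopes each vendor holds. The record shapes, field order and scope heuristic are assumptions, not any identity provider's export format.

```python
"""Correlate shadow-IT signals into a tiered vendor inventory (added example)."""
from collections import defaultdict

# Heuristic: substrings of Google / Microsoft Graph scopes that reach mail,
# files or calendars. Assumption for illustration; tune to your tenant.
SENSITIVE_SCOPES = ("gmail", "mail.read", "drive", "files", "calendar")

# Constructed sample signals; each tuple is (source, app name, detail).
SSO_LOGINS = [("sso", "Notion", "login"), ("sso", "Acme Analytics", "login")]
OAUTH_GRANTS = [
    ("oauth", "acme analytics", "https://www.googleapis.com/auth/gmail.readonly"),
    ("oauth", "QuickPoll", "openid email"),
]
EXPENSES = [("expense", "NOTION LABS", "$96.00"), ("expense", "QuickPoll Inc", "$12.00")]


def normalize(name):
    """Collapse casing, punctuation and corporate suffixes so the same vendor
    seen in three systems ("Notion", "NOTION LABS") maps to one key."""
    tokens = name.lower().replace(",", " ").split()
    tokens = [t for t in tokens if t not in {"inc", "labs", "llc", "ltd"}]
    return " ".join(tokens)


def tier(entry):
    """High if any OAuth scope reaches mail/files/calendar; medium if the app
    holds an OAuth grant at all (identity reach); low for login- or paid-only."""
    scopes = [s.lower() for s in entry["scopes"]]
    if any(marker in s for s in scopes for marker in SENSITIVE_SCOPES):
        return "high"
    if scopes:
        return "medium"
    return "low"


def build_inventory(*signal_sets):
    """Merge signals into {vendor: {"sources": set, "scopes": set, "tier": str}}."""
    inv = defaultdict(lambda: {"sources": set(), "scopes": set()})
    for signals in signal_sets:
        for source, app, detail in signals:
            entry = inv[normalize(app)]
            entry["sources"].add(source)
            if source == "oauth":  # only OAuth rows carry scope strings
                entry["scopes"].update(detail.split())
    for entry in inv.values():
        entry["tier"] = tier(entry)
    return dict(inv)


if __name__ == "__main__":
    for vendor, e in sorted(build_inventory(SSO_LOGINS, OAUTH_GRANTS, EXPENSES).items()):
        print(f"{vendor:15} tier={e['tier']:6} sources={sorted(e['sources'])}")
```

The "email" scope in the QuickPoll grant is a basic identity claim, not mailbox access, which is why the markers are deliberately more specific than the bare word "mail".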
Where to look first
| Source | What it reveals |
|---|---|
| SSO / identity provider | Apps people log into with work identity |
| OAuth app grants (Google/Microsoft) | Tools granted access to email, files, calendars — often the riskiest |
| Expense & card reports | Paid subscriptions that skipped procurement |
| Browser / DNS / CASB | Web apps in active use across the org |
Frequently asked questions
What is shadow IT?
Shadow IT is software, SaaS or services adopted by teams without going through security or procurement review. It’s common, often well-intentioned, and risky precisely because no one assessed the vendor or the data it touches.
How do I discover shadow IT?
Combine signals: SSO/identity-provider logs, expense and corporate-card reports, browser/DNS/CASB telemetry, and OAuth app-grant lists in Google Workspace or Microsoft 365. Together they reveal tools that never went through review.
What do I do once I’ve found it?
Deduplicate into a vendor list, triage by data sensitivity and access, assess the high-risk ones (questionnaire + independent software verification), then decide to sanction, replace or retire each — and record it.
How does IsItPatched help with shadow IT?
Once you’ve surfaced a tool, you can run a free vendor assessment on it — pairing a security questionnaire with independently-verified vulnerability, exploitation and end-of-life data for the software — and keep the record.
This guide is vendor-neutral and informational, grounded in publicly-available guidance from bodies such as OWASP, NIST and CISA. IsItPatched is independent and not affiliated with them, and this is not legal or compliance advice. See our disclaimer.