In a physical office environment, IT procurement was gatekept: software was installed on company desktop computers by designated administrators. In the era of remote work, procurement has decentralized. Any employee with a corporate credit card (or even a personal card slated for expense reimbursement) can purchase and configure a new SaaS tool, and begin storing corporate data in it, in under two minutes.
This is **Shadow IT**—software tools and platforms used within an organization without explicit approval or oversight from the IT department.
While employees purchase these tools to solve immediate problems (e.g. converting a PDF, scheduling social media posts, or managing project timelines), Shadow IT exposes the business to serious liabilities:
Rather than locking down employee cards, IT teams must implement a system of continuous discovery:
Standard SSO audits won't reveal apps that employees log into with personal credentials rather than corporate identity. CFOs must scan credit card logs for merchant names that match SaaS categories. The Spend Shift does this automatically by integrating with ERP ledgers like QuickBooks and Xero.
Many SaaS sign-ups send automatic confirmation emails (e.g., "Welcome to Slack" or "Thanks for signing up for Monday"). Auditing corporate inbox headers for common SaaS registration signatures is an effective way to catalog shadow tools.
Once a shadow tool is found, don't just ban it. Speak to the department using it to understand their needs. Often, they bought it because the approved corporate suite was too slow or lacked features. If a tool is necessary, bring it under the corporate SSO so that access can be monitored and revoked centrally.
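A minimal version of the two discovery passes above (ledger merchant matching and inbox registration-mail matching), added here as an illustration and not code from the original article or from The Spend Shift's product; the vendor catalog, subject patterns, ledger rows and messages are constructed for the example:

```python
import csv, io, re
from email import message_from_string
from email.utils import parseaddr
# Constructed catalog: lowercase merchant keyword -> (product, sender domain). A real
# deployment would maintain a far longer vendor list (assumption for this example).
SAAS_CATALOG = {
    "slack": ("Slack", "slack.com"),
    "monday": ("Monday", "monday.com"),
    "canva": ("Canva", "canva.com"),
}
WELCOME_SUBJECT = re.compile(r"^(welcome to|thanks for signing up)", re.I)  # assumed patterns
# Constructed sample data: an exported card ledger and two raw mailbox messages.
LEDGER = """date,merchant,amount,cardholder
2024-03-01,SLACK*T1234 SAN FRANCISCO,12.50,alice
2024-03-02,CANVA* I0456 SYDNEY,14.99,bob
2024-03-03,STAPLES #221,48.10,bob"""
EMAILS = [
    "From: Monday.com <noreply@monday.com>\nTo: carol@example.test\nSubject: Thanks for signing up for Monday\n\nHi Carol,",
    "From: IT Helpdesk <helpdesk@example.test>\nTo: dave@example.test\nSubject: Welcome to the new VPN\n\nInternal mail.",
]

def normalise_merchant(raw: str) -> str:
    """Card processors mangle names ('SLACK*T1234 SAN FRANCISCO'); keep the first token."""
    return re.split(r"[\s*#]+", raw.strip().lower())[0]

def scan_ledger(ledger_csv: str) -> dict:
    """Ledger pass: match merchant names against the SaaS catalog."""
    found = {}
    for row in csv.DictReader(io.StringIO(ledger_csv)):
        key = normalise_merchant(row["merchant"])
        if key in SAAS_CATALOG:
            found.setdefault(SAAS_CATALOG[key][0], set()).add("ledger:" + row["cardholder"])
    return found

def scan_inbox(raw_messages: list) -> dict:
    """Inbox pass: require sender domain AND subject to match, so internal welcome mail is ignored."""
    found = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        for name, domain in SAAS_CATALOG.values():
            if sender_domain == domain and WELCOME_SUBJECT.search(msg.get("Subject", "")):
                found.setdefault(name, set()).add("email:" + msg.get("To", ""))
    return found

def discover(ledger_csv: str, raw_messages: list) -> dict:
    """Merge both passes into one inventory: product -> set of evidence strings."""
    inventory = scan_ledger(ledger_csv)
    for tool, sources in scan_inbox(raw_messages).items():
        inventory.setdefault(tool, set()).update(sources)
    return inventory
```

Each inventory entry records where the evidence came from, which is what you need before the conversation with the department that bought the tool.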
Automatically scan company transactions to discover Shadow IT in your company before the next security audit.