The Shadow SaaS Audit Playbook That Actually Surfaces Spend


Shadow SaaS has been a topic at every IT conference I have spoken at since 2022. The conversation has not improved. Most CIOs I talk to still think of it as a procurement problem and run audits that find about 30% of what is actually there. Then they wonder why their SaaS spend keeps growing despite the rationalisation efforts.

The audit approach I have used at two organisations, and that has consistently surfaced around 85% to 90% of actual usage, is not a procurement audit. It is a multi-source reconciliation that takes a few weeks and finds tools the procurement system never saw.

The four data sources that matter

A real shadow SaaS audit reads from four places. The first is the corporate card and AP data, which is what most audits stop at. The second is the SSO directory, which captures everything employees signed up for using their work email and a single sign-on flow. The third is the network egress logs, which capture everything talking to a SaaS endpoint regardless of whether procurement knows about it. The fourth is a structured employee survey that asks specifically about tools by category, not by name.

Each of these sources catches different shadow SaaS. None of them catches all of it. Together they get close.

Where each source finds things

Corporate card and AP data catches the subscriptions paid centrally. This is the table-stakes audit and finds about 30% of the real picture.

The SSO directory adds another 25% to 35%. These are tools employees signed up for using their work email but that procurement never touched. Many of these are individual subscriptions on a personal credit card with the employee expensing it through generic categories.

Network egress logs add another 15% to 20%. These are the tools employees use without registering. The egress shows traffic to the SaaS endpoint even if there is no formal account. This includes a surprising amount of AI tool usage where employees are pasting work content into consumer-tier accounts.

The employee survey closes the remaining gap and catches local tools, browser extensions, and personal accounts being used for work purposes.

What you do with the findings

The output of the audit is not the point. The point is the conversation it enables with the business unit leaders about what is actually happening in their teams. The findings will surprise them. The unit leaders are usually the right people to drive rationalisation, not procurement or IT.

The trap is using the audit findings to drive a heavy-handed lock-down. That just pushes the shadow SaaS further into the shadows. The better approach is to identify what the employees are actually trying to do, which sanctioned tool covers that need, and where the gap is. The gap is usually real, and closing it is the work that reduces shadow SaaS sustainably.

The data governance angle

The shadow AI category specifically has a data governance dimension that the wider shadow SaaS conversation does not. Employees pasting business content into consumer-tier AI tools is a data exfiltration vector that most enterprises have not addressed adequately.

Network egress monitoring catches this. The remediation conversation should not be punitive — it should be about providing sanctioned alternatives that actually meet the employees’ needs. The companies getting this right are the ones offering enterprise-tier AI tools with credible data handling and making them genuinely useful, not the ones blocking consumer tools and pretending the problem is solved.
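The reconciliation described under the four data sources above, and the egress-based shadow AI flag from this section, as one added example (my own illustration, not the author's tooling). Every vendor name, host, user id and amount below is a constructed placeholder, not an audit finding; the host-to-vendor map and the vendor category map are assumed to be maintained by the audit team, and the 50 KB outbound threshold is an arbitrary triage cut-off.

```python
"""Reconcile corporate card/AP, SSO, egress and survey data into one SaaS inventory.

Added example, not the author's tooling. All names, hosts and numbers are constructed.
"""
import re
from collections import defaultdict

# Source 1: corporate card / AP export (constructed).
AP_RECORDS = [
    {"vendor": "ChatOps Inc", "annual_spend": 48000},
    {"vendor": "DesignBoard", "annual_spend": 12000},
]

# Source 2: SSO directory application list (constructed).
SSO_APPS = ["ChatOps Inc", "DesignBoard", "NoteNest", "Whiteboardly"]

# Source 3: egress log lines: timestamp, user id, destination host, bytes out (constructed).
EGRESS_LOGS = [
    "2024-03-01T09:12:00Z u123 chatops.example 8842",
    "2024-03-01T09:15:00Z u211 notenest.example 10213",
    "2024-03-01T10:02:00Z u305 ai-chat.example 51220",
    "2024-03-01T10:04:00Z u305 ai-chat.example 91002",
    "2024-03-01T10:40:00Z u418 ai-chat.example 30771",
    "2024-03-01T11:30:00Z u412 designboard.example 2200",
    "2024-03-01T12:11:00Z u511 pdfsquash.example 640",
    "2024-03-01T13:00:00Z u600 unknown-saas.example 120",
]

# Source 4: survey answers, asked by category rather than by name (constructed).
SURVEY = [
    {"category": "whiteboarding", "tool": "Whiteboardly"},
    {"category": "ai-assistant", "tool": "AI Chat (personal account)"},
    {"category": "diffing", "tool": "LocalDiff (desktop app)"},
]

# Maps maintained by the audit team (constructed, assumed).
HOST_VENDOR = {
    "chatops.example": "ChatOps Inc",
    "notenest.example": "NoteNest",
    "ai-chat.example": "AI Chat",
    "designboard.example": "DesignBoard",
    "pdfsquash.example": "PDF Squash",
}
VENDOR_CATEGORY = {"AI Chat": "ai-assistant", "PDF Squash": "pdf"}

EGRESS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def normalize(name):
    """Canonical join key: lowercase with parentheticals and punctuation stripped."""
    return re.sub(r"[^a-z0-9]", "", re.sub(r"\(.*?\)", "", name).lower())


def parse_egress_line(line):
    """Parse one egress line; returns None for lines that do not match the format."""
    m = EGRESS_RE.match(line.strip())
    if not m:
        return None
    ts, user, host, nbytes = m.groups()
    return {"ts": ts, "user": user, "host": host, "bytes": int(nbytes)}


def reconcile(ap, sso, egress, survey, host_vendor, vendor_category):
    """Merge the four sources on the normalized vendor key and mark sanctioned vs shadow."""
    inv = defaultdict(lambda: {"vendor": None, "sources": set(), "annual_spend": 0,
                               "egress_bytes": 0, "egress_users": set(), "categories": set()})

    def entry(vendor):
        e = inv[normalize(vendor)]
        e["vendor"] = e["vendor"] or re.sub(r"\s*\(.*?\)", "", vendor).strip()
        return e

    for rec in ap:
        e = entry(rec["vendor"])
        e["sources"].add("ap")
        e["annual_spend"] += rec["annual_spend"]
    for app in sso:
        entry(app)["sources"].add("sso")
    for line in egress:
        rec = parse_egress_line(line)
        if rec is None:
            continue
        # An unmapped host is kept under its own name so it surfaces for triage.
        e = entry(host_vendor.get(rec["host"], rec["host"]))
        e["sources"].add("egress")
        e["egress_bytes"] += rec["bytes"]
        e["egress_users"].add(rec["user"])
    for ans in survey:
        e = entry(ans["tool"])
        e["sources"].add("survey")
        e["categories"].add(ans["category"])
    for e in inv.values():
        if e["vendor"] in vendor_category:
            e["categories"].add(vendor_category[e["vendor"]])
        e["status"] = "sanctioned" if "ap" in e["sources"] else "shadow"
    return dict(inv)


def shadow_vendors(inv):
    return sorted(e["vendor"] for e in inv.values() if e["status"] == "shadow")


def coverage(inv):
    """Per source: how many tools it sees, and how many only it sees (what you lose by skipping it)."""
    out = {}
    for src in ("ap", "sso", "egress", "survey"):
        seen = [e for e in inv.values() if src in e["sources"]]
        out[src] = {"seen": len(seen), "unique": sum(1 for e in seen if e["sources"] == {src})}
    return out


def governance_flags(inv, min_bytes=50000):
    """Unsanctioned AI tools with material outbound volume: candidates for a sanctioned alternative."""
    return [{"vendor": e["vendor"], "users": len(e["egress_users"]), "bytes_out": e["egress_bytes"]}
            for _, e in sorted(inv.items())
            if "ai-assistant" in e["categories"] and e["status"] == "shadow"
            and e["egress_bytes"] >= min_bytes]


if __name__ == "__main__":
    inventory = reconcile(AP_RECORDS, SSO_APPS, EGRESS_LOGS, SURVEY, HOST_VENDOR, VENDOR_CATEGORY)
    for key, e in sorted(inventory.items()):
        print(f"{e['vendor']:<22} {e['status']:<11} {sorted(e['sources'])}")
    print("coverage:", coverage(inventory))
    print("governance flags:", governance_flags(inventory))
```

The `unique` count in `coverage` is the practical argument for the multi-source approach: a tool seen only by the survey or only in egress would vanish from an audit that stops at AP data. The governance flag deliberately reports user count and volume rather than individual user ids, which keeps the follow-up conversation at the business unit level rather than turning it into a hunt for individuals.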

What the audit cycle looks like

Run it annually. Allow half a day per data source for the analysis, a week for the survey design and rollout, two weeks for the synthesis, and a month for the business unit conversations.

The first time you run it, the findings will be uncomfortable. By the third year, the conversation has shifted from surprise to ongoing operational hygiene.

That is the destination. Most organisations are not there yet.