From discovery to deprovisioning: a practical playbook for getting shadow IT under control and keeping it there.
Eliminating shadow IT doesn't start with a policy. It starts with visibility, because you cannot govern, restrict, or sanction an app you don't know exists.
SaaS apps are the single biggest driver of shadow IT today, and the gap is widening. Signup now takes a work email and a single click in most cases, sometimes not even that with OAuth logins through Google or Microsoft. Freemium pricing means an employee doesn't even need a credit card to start using a tool. Recent research from Netskope found that 97 percent of cloud apps used inside the enterprise are shadow IT, unmanaged and adopted with no formal approval.
The old playbook for controlling shadow IT was built around on-premise software: asset inventories, network firewalls, and IT-led procurement. None of that maps cleanly onto a SaaS environment where a marketing team can be running a dozen unsanctioned tools by lunchtime.
This guide walks through the methods commonly used to identify shadow IT, where each one breaks down, and what an actual elimination process looks like once you have real visibility.
Step One: Identify What You Don't Know You Have
You can't eliminate what you can't see. Identification is the foundation of every shadow IT program, and most organizations get this step wrong by relying on a single method that only catches part of the picture.
Employee Surveys
Asking employees directly what tools they use is the most manual approach available, and it shows. Surveys are time-consuming to run at scale, depend entirely on how honestly and completely employees respond, and go stale the moment they're collected. An employee who forgets to mention a tool, intentionally or not, leaves a permanent blind spot in your data. Running surveys quarterly might catch new patterns eventually, but by the time the data comes back, it's already outdated.
Single Sign-On Logs
SSO gives you a record of which apps employees are logging into through your identity provider, which sounds comprehensive until you realize that not every SaaS app requires or supports SSO. Many employees access shadow apps with separate credentials entirely, which means SSO logs only ever show you a fraction of what's actually in use. SSO is also expensive to extend app by app, since most vendors gate it behind their highest pricing tier, and inconsistent standards across SAML, LDAP, and CAS implementations make broad coverage genuinely difficult to achieve.
Cloud Access Security Brokers (CASB)
CASBs sit between your infrastructure and cloud providers, primarily built to catch security threats at the network layer. They're useful for visibility into IaaS and PaaS, but they were never designed to give granular, identity-level detail about SaaS usage. A CASB might tell you that Slack traffic is flowing through your network, but it won't tell you who owns which of your 100 Slack channels or what license tier each user is on. CASBs are also a single point of failure: if the broker goes down or misses traffic, that visibility gap is invisible until something goes wrong.
IT Asset Management and Software Asset Management Tools
Traditional ITAM and SAM tools were built for hardware and on-premise license tracking, like servers, desktops, and installed software. They can tell you what's running on a company laptop, but they have no native way to see a SaaS subscription an employee signed up for in a browser tab. As SaaS has become the dominant software model, this gap has only grown more consequential, since the bulk of shadow IT now lives entirely outside the hardware and on-prem license world these tools were designed for.
A Multi-Source Discovery Approach
None of these methods, used alone, gets you to complete visibility. The accurate approach combines multiple data sources so the blind spots in one method get covered by another.
[Image: overlapping discovery methods covering identity, finance, and usage signals]
Zluri's Identity Visibility and Intelligence layer is built around exactly this principle, pulling from eight discovery methods to build a single, accurate picture of every SaaS app and identity in your environment.
SSO and identity providers trace which apps employees are authorized to use through Google Workspace, Okta, Azure AD, and similar providers, capturing directory information, login events, and what data is shared with third-party apps during authentication.
Finance and expense systems catch what SSO misses entirely. By connecting to platforms like QuickBooks, NetSuite, and Zoho Books, this method surfaces apps purchased on a corporate or personal card, along with transaction amounts and dates, mapping spend directly to specific tools.
Direct API integrations with 300-plus SaaS apps provide granular, app-level data: who has access and at what permission level, what license tier each user holds, and what's showing up in access and audit logs.
HRMS and directory data ties every discovered identity back to an actual employee record, so when someone changes roles or leaves the company, their app access is tied to a real, trackable identity rather than an orphaned login.
Desktop agents and browser extensions, both optional, add device-level and browser-level signals like installed apps, sign-in and sign-out activity, and websites visited, rounding out the picture for organizations that want the deepest level of coverage.
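The correlation the section above describes, as an added example that is not Zluri's code or part of the original article: three constructed feeds (IdP login events, expense records, and per-app member lists from vendor APIs) are merged into one inventory keyed on a normalized app name, so that apps which never appear in SSO logs, and users who reach SSO-covered apps with a separate local credential, fall out directly. All names, addresses and amounts are made up for illustration.

```python
"""Multi-source SaaS discovery: correlate SSO, expense and API signals.

Added example; the data below is constructed and the feed shapes are
assumptions standing in for real IdP, finance and vendor API exports.
"""
from collections import defaultdict

# Constructed IdP / SSO login events: what an SSO-only discovery sees.
SSO_EVENTS = [
    {"user": "ana@example.com", "app": "Slack"},
    {"user": "ben@example.com", "app": "Slack"},
    {"user": "ana@example.com", "app": "Figma"},
]

# Constructed expense records: card purchases mapped to a tool.
EXPENSE_RECORDS = [
    {"user": "cara@example.com", "app": "Notion", "amount": 96.00, "date": "2024-03-02"},
    {"user": "ben@example.com", "app": "figma", "amount": 45.00, "date": "2024-03-10"},
    {"user": "dan@example.com", "app": "Otter.ai", "amount": 16.99, "date": "2024-03-11"},
]

# Constructed vendor API exports: per-app member lists with license tier.
API_ACCESS = {
    "Slack": [{"user": "ana@example.com", "tier": "pro"},
              {"user": "eve@example.com", "tier": "pro"}],
    "Notion": [{"user": "cara@example.com", "tier": "plus"}],
}

SOURCES = ("sso", "expense", "api")


def normalize(app_name):
    """Vendor names arrive in mixed case across sources; key on a canonical form."""
    return app_name.strip().lower()


def build_inventory(sso_events, expense_records, api_access):
    """Return {app: {"users": {source: set(users)}, "spend": float}}."""
    inv = defaultdict(lambda: {"users": {s: set() for s in SOURCES}, "spend": 0.0})
    for e in sso_events:
        inv[normalize(e["app"])]["users"]["sso"].add(e["user"])
    for r in expense_records:
        rec = inv[normalize(r["app"])]
        rec["users"]["expense"].add(r["user"])
        rec["spend"] += r["amount"]
    for app, members in api_access.items():
        for m in members:
            inv[normalize(app)]["users"]["api"].add(m["user"])
    return dict(inv)


def sources_seen(rec):
    """Which feeds contributed at least one user for this app."""
    return {s for s, users in rec["users"].items() if users}


def all_users(rec):
    """Union of users across every feed."""
    return set().union(*rec["users"].values())


def apps_invisible_to_sso(inventory):
    """Apps no IdP event ever mentioned: exactly what an SSO-only discovery misses."""
    return sorted(app for app, rec in inventory.items() if "sso" not in sources_seen(rec))


def users_bypassing_sso(inventory):
    """(app, user) pairs on SSO-covered apps where the user never logged in via SSO,
    i.e. a separate local credential the identity provider knows nothing about."""
    pairs = []
    for app, rec in inventory.items():
        if "sso" in sources_seen(rec):
            for user in all_users(rec) - rec["users"]["sso"]:
                pairs.append((app, user))
    return sorted(pairs)


if __name__ == "__main__":
    inv = build_inventory(SSO_EVENTS, EXPENSE_RECORDS, API_ACCESS)
    for app, rec in sorted(inv.items()):
        print(f"{app:10} sources={sorted(sources_seen(rec))} "
              f"users={len(all_users(rec))} spend={rec['spend']:.2f}")
    print("invisible to SSO:", apps_invisible_to_sso(inv))
    print("bypassing SSO:", users_bypassing_sso(inv))
```

With the constructed feeds, Notion and Otter.ai never show up in SSO at all, and two users (one from the expense feed, one from a vendor API export) are on SSO-covered apps without any SSO login, which is the blind spot the single-source methods above each leave open.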
Step Two: Decide What to Do With Each App
Discovery only solves half the problem. Once an app surfaces, IT and security teams need a fast, repeatable way to decide what happens next. Three outcomes are typical.
Sanction it. If the app is genuinely useful, low-risk, and not duplicating an existing tool, bring it into the governed environment. Connect it to SSO where possible, document who owns it, and add it to your tracked SaaS inventory.
Restrict it. Some apps are useful but carry real exposure if used unmonitored. In these cases, the right move is to tighten access, often by limiting it to specific teams, enforcing MFA, or reviewing permissions to make sure access matches actual job need rather than defaulting to broad scopes.
Shut it down. Apps that duplicate sanctioned tools, store sensitive data with no security guarantees, or have no clear business justification should be deprovisioned. This is also where most of the financial waste in shadow IT actually gets recovered, since duplicate and abandoned subscriptions tend to be the biggest line items once visibility finally surfaces them.
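The three-way decision above written out as a rule set, as an added example that is not Zluri's code or part of the original article. The sanctioned catalog, the app attributes and the 90-day inactivity threshold are assumptions chosen for illustration; the rules themselves follow the criteria given in the three paragraphs (duplicate of a sanctioned tool, sensitive data with no controls, or no justification means shut down; exposure that access scoping or MFA can contain means restrict; everything else is sanctioned and brought under SSO and inventory).

```python
"""Triage discovered SaaS apps into sanction / restrict / shut_down.

Added example with constructed data; the catalog and thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass
class DiscoveredApp:
    name: str
    category: str              # e.g. "chat", "projects", "transcription"
    users: int
    handles_sensitive_data: bool
    sso_enabled: bool
    mfa_enforced: bool
    last_active_days: int      # days since any user activity was observed
    business_justification: str = ""


# Constructed sanctioned catalog: category -> the approved tool for it.
SANCTIONED = {"chat": "Slack", "notes": "Confluence", "design": "Figma"}

ABANDONED_AFTER_DAYS = 90      # assumption: no activity this long = abandoned


def triage(app, sanctioned=SANCTIONED):
    """Return (decision, reasons_or_actions) for one discovered app."""
    shutdown_reasons = []
    approved = sanctioned.get(app.category)
    if approved and approved.lower() != app.name.lower():
        shutdown_reasons.append(f"duplicates sanctioned {app.category} tool ({approved})")
    if app.handles_sensitive_data and not (app.sso_enabled or app.mfa_enforced):
        shutdown_reasons.append("stores sensitive data with no authentication controls")
    if not app.business_justification:
        shutdown_reasons.append("no documented business justification")
    if app.last_active_days > ABANDONED_AFTER_DAYS:
        shutdown_reasons.append(f"no user activity for over {ABANDONED_AFTER_DAYS} days")
    if shutdown_reasons:
        return "shut_down", shutdown_reasons

    restrict_actions = []
    if app.handles_sensitive_data:
        restrict_actions.append("scope access to the owning team and review permissions")
    if not app.mfa_enforced:
        restrict_actions.append("enforce MFA")
    if restrict_actions:
        return "restrict", restrict_actions

    followups = ["document an owner", "add to tracked SaaS inventory"]
    if not app.sso_enabled:
        followups.insert(0, "connect to SSO")
    return "sanction", followups


def triage_all(apps):
    """Map each app name to its decision, for a batch run over a discovery export."""
    return {app.name: triage(app)[0] for app in apps}


# Constructed sample of discovered apps.
SAMPLE_APPS = [
    DiscoveredApp("Discord", "chat", 12, False, False, False, 3, "community support channel"),
    DiscoveredApp("Otter.ai", "transcription", 4, True, False, True, 2, "sales call notes"),
    DiscoveredApp("Calendly", "scheduling", 30, False, True, True, 1, "customer booking"),
    DiscoveredApp("Trello", "projects", 2, False, False, False, 140, ""),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        decision, detail = triage(app)
        print(f"{app.name:10} -> {decision}: {'; '.join(detail)}")
```

The reasons list is the part worth keeping: a decision with no recorded rationale is hard to defend when the app owner pushes back, and it is what lets the same rules run again unattended on the next discovery pass.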
Step Three: Build Ongoing Governance, Not a One-Time Cleanup
Shadow IT isn't a problem you solve once. New apps get adopted constantly, especially with how fast AI tools are spreading through teams right now. A one-time audit gives you a snapshot, but the picture is stale again within weeks.
This is why discovery needs to feed directly into governance rather than sitting in a spreadsheet. Once Zluri's IVIP layer surfaces an app and its users, that data flows into the IGA layer, where access management, access requests, access reviews, and segregation of duties controls let teams act on what's been found instead of just documenting it. New apps get caught automatically as they're adopted, access gets reviewed on a regular cadence, and offboarding triggers actually reach every system an employee had access to, not just the ones IT already knew about.
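One concrete governance check the paragraph above implies, as an added example that is not Zluri's code or part of the original article: join the HR directory against discovered access across every source, and list access that survived offboarding. The IdP-driven offboarding has already disabled the departed user's Slack login in the constructed data, but their Notion seat (reached through a vendor API export, not SSO) and a card-purchased tool are still active, and one login has no HR record at all. The directory, access records and the cut-off date are constructed for illustration.

```python
"""Offboarding gap check across all discovered SaaS access.

Added example with constructed data; field names are assumptions.
"""
from datetime import date

# Constructed HR directory: the system of record for who still works here.
HR_DIRECTORY = {
    "ana@example.com": {"status": "active", "left": None},
    "ben@example.com": {"status": "terminated", "left": date(2024, 2, 28)},
    "cara@example.com": {"status": "active", "left": None},
    "dan@example.com": {"status": "terminated", "left": date(2024, 3, 15)},
}

# Constructed discovered access, tagged with the source that surfaced it.
DISCOVERED_ACCESS = [
    {"app": "Slack", "user": "ana@example.com", "source": "sso", "active": True},
    # Already disabled by the IdP-driven offboarding flow:
    {"app": "Slack", "user": "ben@example.com", "source": "sso", "active": False},
    # Not behind SSO, so the IdP flow never reached it:
    {"app": "Notion", "user": "ben@example.com", "source": "api", "active": True},
    {"app": "Otter.ai", "user": "dan@example.com", "source": "expense", "active": True},
    # Login with no matching HR record at all:
    {"app": "Figma", "user": "ghost@example.com", "source": "api", "active": True},
]


def offboarding_gaps(hr, access, today):
    """Active access held by terminated or unknown identities, longest-open first.

    Returns a list of the offending access records, each with a 'reason' and,
    for terminated users, 'days_open' since their leave date.
    """
    gaps = []
    for rec in access:
        if not rec["active"]:
            continue
        person = hr.get(rec["user"])
        if person is None:
            gaps.append({**rec, "reason": "no HR record (orphaned identity)", "days_open": None})
        elif person["status"] == "terminated":
            gaps.append({**rec, "reason": "user terminated",
                         "days_open": (today - person["left"]).days})
    # Terminated users sorted by how long the access has been dangling; orphans last.
    return sorted(gaps, key=lambda g: -(g["days_open"] if g["days_open"] is not None else -1))


def missed_by_sso_only_offboarding(gaps):
    """The subset an IdP-only deprovisioning flow could never have touched."""
    return [g for g in gaps if g["source"] != "sso"]


if __name__ == "__main__":
    found = offboarding_gaps(HR_DIRECTORY, DISCOVERED_ACCESS, date(2024, 3, 31))
    for g in found:
        print(f"{g['app']:9} {g['user']:18} via {g['source']:8} {g['reason']} "
              f"(open {g['days_open']} days)")
    print("unreachable from SSO offboarding:", len(missed_by_sso_only_offboarding(found)))
```

Run on a schedule rather than once: the HR feed changes daily and the discovered-access side changes whenever a new source is connected, which is exactly when previously invisible dangling access appears.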
The teams that get shadow IT under control aren't the ones running the most thorough one-time audit. They're the ones that built continuous visibility into how identity and access actually work across the organization, so every new app gets caught early instead of years after it's already spread.
Frequently Asked Questions
What's the fastest way to start eliminating shadow IT?
Start with discovery, not policy. Pulling data from SSO logs and finance systems gives a reasonably fast first pass at what's actually in use, even before a full discovery platform is in place. From there, prioritize apps handling sensitive data or used by large numbers of employees first.
Does blocking apps at the firewall level eliminate shadow IT?
No, and it often makes the problem worse. Employees who hit a blocked app tend to find a less visible alternative rather than stopping the behavior entirely, which pushes shadow IT further out of sight instead of eliminating it.
How often should shadow IT discovery be run?
Continuously, where possible. New apps get adopted on an ongoing basis, especially with how quickly AI tools are spreading, so a quarterly or annual audit will always be working from outdated data. Continuous discovery, fed by multiple data sources, keeps the picture current.
Can a CASB alone eliminate shadow IT?
Not on its own. CASBs are useful for network-layer cloud security but lack the granular, identity-level detail needed to fully govern SaaS access. They work best as one input among several rather than a standalone solution.
What's the difference between shadow IT discovery and shadow IT elimination?
Discovery is finding the apps and identities that exist outside IT's visibility. Elimination is the decision layer on top of that: sanctioning, restricting, or shutting down what's been found, and building the governance process to keep doing that as new apps appear.