Signals of shadow IT

Signals are observable hints that shadow IT might exist - they’re not proof. For example, an expense line for Dropbox could mean employees are storing company files externally, but it might just as well be an external partner billing us for a shared project space. Likewise, OAuth consent to a new app could indicate a risky integration - or simply a developer testing something legitimate. Treat signals as starting points for a lightweight investigation that aims to understand the use case, data sensitivity, and risk, then either onboard the tool properly or route users to a sanctioned alternative.

The categories below highlight the most common signals that shadow IT leaves behind across different domains.

Finance

  • Unapproved spend and duplicate SaaS subscriptions
  • Surprise renewals slipping through unnoticed
  • Invoices, vendor domains, and credit card descriptors that reveal shadow subscriptions

Identity

  • Accounts created outside SSO/MFA
  • Password reset emails to personal inboxes
  • Mismatched login providers leading to orphaned access

Data

  • Sensitive files stored in unsanctioned tools
  • Public links exposing information externally
  • Unusual download spikes from unknown apps

Behavior

  • Many users installing the same unsanctioned extension
  • Survey results indicating widespread off-channel adoption
  • Ticket keywords pointing to shadow usage

Technical

  • Atypical TLS SNI or new SaaS endpoints in traffic
  • High request volumes to unfamiliar SaaS services
  • Rogue browser extensions or callbacks to unknown servers

From signal to action

The steps below outline how to move from detecting a potential signal to deciding on the right response, ensuring each case is handled with consistency and context.

  1. Detect - Surface a signal: an expense line, an IdP event, proxy/DNS egress, or API calls.
  2. Validate - Is it real? Confirm the domain/app and map it to an owner or team if known.
  3. Assess - What data? Who has access? Any integrations? Note severity and impact.
  4. Decide - Enable with guardrails, migrate, contain, or block.
  5. Act - Notify stakeholders, implement controls, and start migration if needed.
  6. Follow-up - Capture a decision record, review after 30-60 days, and update the inventory.
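As an added example (not code from the original page), the Detect, Validate and Assess steps above run over constructed sample records from three of the signal sources listed earlier: card descriptors, egress DNS/SNI logs and password-reset mail logs. The sanctioned-vendor inventory, the corporate mail domain and the log formats are assumptions.

```python
import re
from collections import defaultdict

SANCTIONED = {"google", "slack", "okta", "zoom"}  # hypothetical approved-vendor inventory
CORP_MAIL_DOMAINS = {"corp.example"}              # hypothetical corporate mail domains
# Constructed sample records from the three signal sources discussed above.
EXPENSE_LINES = [  # date,card,descriptor,amount
    "2024-03-02,4242,DROPBOX*PLUS,119.88",
    "2024-03-05,4242,ZOOM.US,149.90",
    "2024-03-09,7781,NOTION LABS INC,96.00",
]
DNS_LINES = [  # timestamp source_ip queried_host (egress DNS/SNI log)
    "2024-03-04T10:11:02Z 10.0.4.15 api.notion.so",
    "2024-03-04T10:12:44Z 10.0.4.15 content.dropboxapi.com",
    "2024-03-04T10:13:10Z 10.0.4.20 content.dropboxapi.com",
]
RESET_MAILS = [  # mail-gateway log of password-reset mails
    "to=alice@gmail.com subject=Reset your Notion password",
    "to=bob@corp.example subject=Reset your Okta password",
]

def vendor_from_descriptor(desc: str) -> str:  # "DROPBOX*PLUS" / "NOTION LABS INC" -> first word
    return re.match(r"[A-Za-z]+", desc).group(0).lower()
def vendor_from_host(host: str) -> str:  # second-level label, with a common "api" suffix stripped
    label = host.lower().rstrip(".").split(".")[-2]
    return label[:-3] if label.endswith("api") else label

def collect_signals() -> dict:  # Detect: finance, technical and identity signals per vendor
    signals = defaultdict(lambda: {"finance": 0.0, "technical": set(), "identity": 0})
    for line in EXPENSE_LINES:
        _, _, desc, amount = line.split(",")
        signals[vendor_from_descriptor(desc)]["finance"] += float(amount)
    for line in DNS_LINES:
        _, src, host = line.split()
        signals[vendor_from_host(host)]["technical"].add(src)  # distinct internal hosts talking to it
    for line in RESET_MAILS:
        m = re.search(r"to=\S+@(\S+) subject=Reset your (\w+) password", line)
        if m and m.group(1) not in CORP_MAIL_DOMAINS:  # reset mail went to a personal inbox
            signals[m.group(2).lower()]["identity"] += 1
    return signals

def triage() -> list:  # Validate + Assess: skip sanctioned vendors, rate the rest by corroboration
    records = []
    for vendor, s in sorted(collect_signals().items()):
        if vendor in SANCTIONED:
            continue
        counts = {"finance": s["finance"], "identity": s["identity"], "technical": len(s["technical"])}
        categories = [c for c, v in counts.items() if v]
        severity = {3: "high", 2: "medium"}.get(len(categories), "low")  # more domains agreeing -> higher
        records.append({"vendor": vendor, "categories": categories, "hosts": counts["technical"], "severity": severity})
    return records
```

Each record is a starting point for the Decide step: a vendor corroborated by spend, egress traffic and a personal-inbox reset mail ranks higher than one seen in a single source.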
