Your finance team signed up for a new invoicing tool last Tuesday. Your marketing team has three AI writing apps running on company laptops. You found out about none of it. Shadow IT detection isn't a future problem -- it's active right now, across every department that has a credit card and a browser tab.
This post covers how to find what's running, what most teams get wrong when they go looking, and a checklist you can run today.
How Do You Actually Find Shadow IT in Your Organization?
Shadow IT detection starts with knowing where visibility breaks down, then closing each gap systematically. Most environments have three surfaces where unsanctioned apps appear: network traffic, OAuth grant logs, and endpoint behavior. Start with the one that's easiest to pull -- you'll find something in all three.
Map Your Web Traffic by Application
DNS and web traffic logs are the fastest place to start. Every time an employee visits a new SaaS domain, it leaves a trace. The problem is most teams don't have tooling that correlates those DNS queries to user identities and app categories in real time.
A secure web gateway that runs on the device -- not a cloud proxy -- captures this traffic wherever the laptop goes: home networks, hotel Wi-Fi, customer sites. You get app-level visibility without routing traffic through a data center, and coverage doesn't drop the moment an employee closes the VPN.
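The DNS-to-identity correlation described above, as an added example that is not part of the original post or the vendor's product: it parses constructed DNS log lines, maps each queried domain to an app and category through a constructed catalogue, and reports the unsanctioned apps with the users seen on each.

```python
# Added example (not from the original post): correlate DNS query logs with
# user identity and an app-category map, then report SaaS domains that are
# not on the sanctioned list, with the users seen per app.
# The log lines, the catalogue and the sanctioned list are all constructed.

# Constructed DNS log lines: "<timestamp> <user> <queried domain>"
DNS_LOG = """\
2024-05-01T09:02:11Z alice api.notion.so
2024-05-01T09:03:40Z bob app.example-invoicing.test
2024-05-01T09:05:02Z alice chat.example-ai-writer.test
2024-05-01T10:11:19Z carol app.example-invoicing.test
2024-05-01T10:12:00Z bob drive.google.com
2024-05-01T11:45:33Z dave chat.example-ai-writer.test
"""

# Constructed domain -> (app name, category) map; a real deployment would
# use a maintained app catalogue instead of this hand-written dict.
APP_CATALOGUE = {
    "api.notion.so": ("Notion", "notes"),
    "drive.google.com": ("Google Drive", "storage"),
    "app.example-invoicing.test": ("Example Invoicing", "finance"),
    "chat.example-ai-writer.test": ("Example AI Writer", "ai-assistant"),
}

SANCTIONED_APPS = {"Google Drive"}  # constructed allow-list


def parse_dns_log(text):
    """Yield (timestamp, user, domain) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield tuple(parts)


def find_unsanctioned_apps(text, catalogue=APP_CATALOGUE, sanctioned=SANCTIONED_APPS):
    """Return {app: {"category", "users" (sorted), "first_seen"}} for every
    catalogued app that is not on the sanctioned list."""
    seen = {}
    for ts, user, domain in parse_dns_log(text):
        if domain not in catalogue:
            continue  # unknown domain: not a catalogued SaaS app
        app, category = catalogue[domain]
        if app in sanctioned:
            continue
        entry = seen.setdefault(app, {"category": category, "users": set(), "first_seen": ts})
        entry["users"].add(user)
        entry["first_seen"] = min(entry["first_seen"], ts)  # ISO timestamps sort lexically
    return {app: {**e, "users": sorted(e["users"])} for app, e in seen.items()}


if __name__ == "__main__":
    for app, info in find_unsanctioned_apps(DNS_LOG).items():
        print(f"{app} [{info['category']}] users={info['users']} first_seen={info['first_seen']}")
```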
Pull Your OAuth Grant Inventory
Apps that connect to Microsoft 365 or Google Workspace through OAuth leave a different footprint entirely. An employee can authorize a third-party app to read their email or access their calendar without any IT involvement -- and that authorization persists long after the person has forgotten they granted it.
Pull a full OAuth grant report from your identity provider. Look for:
Apps with broad scopes (mail.read, drive.all, calendars.readwrite)
Vendors that appear unrecognized or consumer-tier
Grants made by multiple users to the same unrecognized app
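The three checks in that list, as an added example that is not part of the original post: it aggregates a constructed OAuth grant export per app and flags broad scopes, unrecognized vendors, and unrecognized apps authorized by several users. Field names and the known-vendor list are assumptions; real exports from the Microsoft 365 or Google Workspace admin APIs use provider-specific fields.

```python
# Added example (not from the original post): triage an OAuth grant export.
# Grant records, scope keywords and the known-vendor list are constructed.
from collections import defaultdict

# Scope names the post calls broad, compared case-insensitively.
BROAD_SCOPES = {"mail.read", "drive.all", "calendars.readwrite"}

# Constructed allow-list of vendors IT has already reviewed.
KNOWN_VENDORS = {"Corporate CRM", "Corporate Helpdesk"}

# Constructed grant records: one row per (user, app) authorization.
GRANTS = [
    {"user": "alice", "app": "Corporate CRM",      "scopes": ["mail.read", "calendars.readwrite"]},
    {"user": "bob",   "app": "Example AI Writer",  "scopes": ["Mail.Read", "drive.all"]},
    {"user": "carol", "app": "Example AI Writer",  "scopes": ["drive.all"]},
    {"user": "dave",  "app": "Example AI Writer",  "scopes": ["openid", "profile"]},
    {"user": "erin",  "app": "Example Quiz Maker", "scopes": ["openid"]},
    {"user": "bob",   "app": "Corporate Helpdesk", "scopes": ["mail.read"]},
]


def broad_scopes(scopes):
    """Return the sorted, lower-cased subset of scopes that are broad."""
    return sorted({s.lower() for s in scopes if s.lower() in BROAD_SCOPES})


def triage_grants(grants, known_vendors=KNOWN_VENDORS, multi_user_threshold=2):
    """Aggregate grants per app and attach flags for the three patterns:
    'broad-scopes', 'unrecognized-vendor', 'multi-user-unrecognized'.
    Returns {app: {"users": [...], "broad": [...], "flags": [...]}}."""
    per_app = defaultdict(lambda: {"users": set(), "broad": set()})
    for g in grants:
        per_app[g["app"]]["users"].add(g["user"])
        per_app[g["app"]]["broad"].update(broad_scopes(g["scopes"]))
    report = {}
    for app, info in per_app.items():
        flags = []
        if info["broad"]:
            flags.append("broad-scopes")
        if app not in known_vendors:
            flags.append("unrecognized-vendor")
            if len(info["users"]) >= multi_user_threshold:
                flags.append("multi-user-unrecognized")
        report[app] = {"users": sorted(info["users"]),
                       "broad": sorted(info["broad"]), "flags": flags}
    return report


if __name__ == "__main__":
    for app, r in sorted(triage_grants(GRANTS).items()):
        print(f"{app}: users={len(r['users'])} broad={r['broad']} flags={r['flags']}")
```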
Cross-Reference with Expense Data
Finance data is underused in shadow IT discovery. A SaaS subscription on a team credit card shows up in expense reports before it shows up anywhere in your security tooling. A quick query for recurring charges to software vendors -- especially anything under $500/month that cleared under approval thresholds -- surfaces a surprising number of tools that IT never saw.
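The expense query described above, as an added example that is not part of the original post: it scans constructed expense rows for software merchants charged in at least two distinct months, keeps only those whose monthly totals stayed under the $500 threshold, and excludes IT-approved vendors. The row layout, threshold and vendor list are assumptions.

```python
# Added example (not from the original post): find recurring software charges
# that cleared below the approval threshold and come from vendors IT has not
# approved. Expense rows, vendor list and threshold are constructed.
from collections import defaultdict
from datetime import date

APPROVAL_THRESHOLD = 500.00           # the post's "under $500/month" cut-off
APPROVED_VENDORS = {"Corporate CRM Inc"}  # constructed allow-list

# Constructed expense rows: (posting date, card, merchant, amount USD, category)
EXPENSES = [
    (date(2024, 2, 3),  "finance-card",   "Example Invoicing Ltd", 149.00, "software"),
    (date(2024, 3, 3),  "finance-card",   "Example Invoicing Ltd", 149.00, "software"),
    (date(2024, 4, 3),  "finance-card",   "Example Invoicing Ltd", 149.00, "software"),
    (date(2024, 2, 9),  "marketing-card", "Example AI Writer",      20.00, "software"),
    (date(2024, 3, 9),  "marketing-card", "Example AI Writer",      20.00, "software"),
    (date(2024, 3, 9),  "marketing-card", "Example AI Writer",      20.00, "software"),  # second seat
    (date(2024, 2, 1),  "it-card",        "Corporate CRM Inc",     450.00, "software"),
    (date(2024, 3, 1),  "it-card",        "Corporate CRM Inc",     450.00, "software"),
    (date(2024, 3, 15), "sales-card",     "Example Conference",    399.00, "events"),
    (date(2024, 2, 20), "sales-card",     "Example One-off Tool",   99.00, "software"),
]


def recurring_software_charges(rows, threshold=APPROVAL_THRESHOLD,
                               approved=APPROVED_VENDORS, min_months=2):
    """Return {merchant: {"months": [...], "max_monthly_total": ..., "cards": [...]}}
    for unapproved software merchants billed in >= min_months distinct months
    whose monthly total never reached the approval threshold."""
    by_merchant = defaultdict(lambda: {"months": defaultdict(float), "cards": set()})
    for posted, card, merchant, amount, category in rows:
        if category != "software" or merchant in approved:
            continue
        by_merchant[merchant]["months"][posted.strftime("%Y-%m")] += amount
        by_merchant[merchant]["cards"].add(card)
    findings = {}
    for merchant, info in by_merchant.items():
        if len(info["months"]) < min_months:
            continue  # a one-off purchase, not a subscription
        if max(info["months"].values()) >= threshold:
            continue  # would have gone through the approval workflow anyway
        findings[merchant] = {"months": sorted(info["months"]),
                              "max_monthly_total": max(info["months"].values()),
                              "cards": sorted(info["cards"])}
    return findings


if __name__ == "__main__":
    for merchant, f in recurring_software_charges(EXPENSES).items():
        print(f"{merchant}: months={f['months']} max=${f['max_monthly_total']:.2f} cards={f['cards']}")
```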
What Are Most Teams Getting Wrong with Shadow IT Detection?
Most teams underestimate shadow IT because they're looking in the wrong places. The three most common blind spots are gateway coverage, API-authorized app grants, and the assumption that approved apps eliminate shadow IT risk.
Relying on a Perimeter That Doesn't Follow the Laptop
A firewall at the office edge won't see traffic from a laptop on a home network. If your cloud app control tooling depends on traffic flowing through a central egress point, every remote or hybrid employee is outside its effective range.
Visibility that depends on where the device is located is not real visibility. Shadow IT doesn't stay at the office.
Missing API-Authorized App Grants
The stealthiest shadow IT doesn't bypass your network at all. An employee authorizes a third-party app to connect to their Google Workspace account via OAuth, and that app can now read, write, or export data without any network traffic flowing through your gateway. Standard perimeter tools miss this category entirely.
Detection here requires inspecting what applications have been authorized through your identity platform's API -- not just watching DNS queries or outbound connections.
Assuming Approved Domains Are Safe Domains
Approved apps can host shadow IT. Employees sync client files to personal Dropbox, store sensitive notes in personal Notion workspaces, or paste proposal text into consumer AI tools -- all through domains your policy already allows. A sanctioned domain is not the same as a sanctioned account.
An SWG (secure web gateway) with identity-aware inspection can distinguish between a corporate Google Drive session and a personal one, even when the traffic looks identical at the domain level. Without that, your allow-list is also your blind spot.
Shadow IT Audit Checklist: Where Is It Hiding?
Run this audit quarterly. Each row represents a surface where unsanctioned apps consistently appear, and the finding column reflects what teams most commonly discover.
For each finding, record:
App name and category
Who is using it and how many users
What data the app can access or export
Whether a sanctioned alternative exists
Action taken: blocked, approved, or under review
Anything in the "blocked" column should have a record of when the block was applied and whether the user received an explanation. Silent blocks create helpdesk tickets. Explained blocks usually don't.
Frequently Asked Questions
What is shadow IT detection?
Shadow IT detection is the process of finding applications, services, and devices that employees use for work without IT knowledge or approval. It covers SaaS apps bought on credit cards, OAuth-authorized third-party apps, browser extensions, and AI tools accessed from work devices.
What tools help with shadow IT detection on endpoints?
Endpoint-based detection is more reliable than network-perimeter approaches because it follows the device off the corporate network. Platforms like dope.security run inspection directly on the device, giving IT teams continuous app visibility and one-click blocking of risky or unapproved tools regardless of where the laptop connects.
What is the difference between shadow IT and shadow AI?
Shadow AI is a subset of shadow IT focused specifically on AI tools -- language models, writing assistants, image generators -- that employees access without approval. The risk pattern is the same: sensitive data leaving the organization through channels IT never vetted. Detection methods overlap, but AI tools require dedicated category rules because new ones appear faster than most blocklists update.
What happens if you don't address shadow IT?
Unsanctioned apps accumulate over time. Each quarter without a discovery process adds new tools, new data exposures, and new offboarding gaps. When a compliance audit or an incident surfaces an app IT never knew about, the data has already been accessed, shared, or exported. The window to act closes before you know it's open.
What Ignoring This Actually Costs
Shadow IT doesn't stay static. Every quarter without active discovery, the list of unsanctioned tools grows. New employees bring their existing SaaS habits. AI tools are multiplying faster than any approval process can track. The apps that create the biggest exposure -- the ones carrying customer PII or proprietary documents -- are exactly the ones employees chose because they're fast, free, and require no ticket.
The cost of discovery after a breach is always higher than the cost of visibility before one. By the time a compliance audit or an incident surfaces an unsanctioned app, the question isn't whether data moved -- it's how much.