What Is Shadow IT? A Practical Guide for Mid-Market Finance and Operations Teams

May 6, 2026

Every company has shadow IT. Most do not know how much.

Shadow IT is not a new problem. But it has changed shape significantly over the last five years. What used to be a rogue server in a developer's closet or an unsanctioned Dropbox account is now a sprawling collection of cloud applications, AI tools, and productivity subscriptions, many of them signed up for by well-meaning employees on company credit cards, with no security review, no contract, no visibility from IT or finance, and no one who remembers signing up for them.

This guide covers what shadow IT is, why it happens at mid-market companies specifically, what it costs, and how to find it in your organisation.

What is shadow IT?

Shadow IT refers to any hardware, software, cloud service, or application that employees use for work purposes without the knowledge or approval of the IT or procurement function.

The term comes from the idea that these tools operate in the shadows of official technology management. They are not in your IT asset register. They are not covered by your security policy. They are often not in any contract. They are, in many cases, being paid for by departmental credit cards or expense accounts that finance reconciles quarterly but does not scrutinise at the tool level.

Shadow IT exists across every company of every size. According to Gartner, 41% of employees acquired, modified, or created technology outside of IT's visibility in 2022, and Gartner expects that figure to reach 75% by 2027. Research from Productiv found that shadow IT accounts for approximately 42% of applications within a typical company. Companies believe they are managing roughly 91 cloud services; actual usage averages over 1,200 services.

For mid-market companies specifically, the problem is acute because the informal procurement processes that allow shadow IT to flourish (departmental credit cards, direct vendor sign-ups, team-level SaaS subscriptions) exist without the enterprise governance controls that larger organisations use to detect and manage them.

Why shadow IT happens

Shadow IT is almost never malicious. It is almost always a productivity problem.

The approval process is too slow or too opaque. A marketing manager needs a design tool by next Tuesday. The official procurement process takes three weeks and requires IT approval, a security review, a legal review, and sign-off from finance. The team signs up for a free trial and puts the paid subscription on the company card when the trial expires. The tool works well. No one follows up on the approval process.

The approved tool does not solve the problem. IT has licensed one project management platform. The design team prefers a different one. The engineering team uses a third. Each team signs up independently because the officially approved tool does not fit their workflow.

The tool started free and grew. Many SaaS products use freemium models to drive adoption. A team starts using a tool in its free tier, finds it valuable, and upgrades to paid. Because the original adoption required no procurement process (it was free), the upgrade gets charged to a card without going through any formal review.

Remote and hybrid work. When employees are working from home, the informal oversight that prevented some shadow IT adoption in office environments disappears. The combination of remote work and a wave of SaaS tooling built for distributed teams accelerated shadow IT adoption significantly from 2020 onward.

AI tools specifically. Shadow AI has emerged as a distinct category of shadow IT. Research from Microsoft and LinkedIn's 2024 Work Trend Index found that 78% of AI users bring their own AI tools to work. More than 80% of workers use unapproved AI tools in some contexts. For mid-market companies without formal AI governance, this creates data security and compliance exposure that is difficult to quantify without visibility into which tools employees are using.

What shadow IT actually costs

The cost of shadow IT is less well understood than the security risk, but it is significant and underestimated.

Direct licensing waste. When multiple departments independently sign up for tools that solve the same problem, you pay for overlapping functionality. Research estimates $34 billion in yearly licensing waste in the US and UK attributable to shadow IT-related duplicate subscriptions. At the company level, industry benchmarks suggest organisations average 4.3 duplicate tools per function.

Untracked spend that does not get renegotiated. Software purchased through the official procurement process gets reviewed at renewal. Software purchased on a credit card frequently does not. It auto-renews. It escalates in price. Nobody calls the vendor to negotiate. Over a three-year period, a $200/month tool that increases by 8% per year costs $7,945, with none of the savings that negotiation might have achieved.

Compliance exposure. Tools used for work without security review may store company data in environments that do not meet your regulatory requirements. For healthcare, financial services, or any company subject to GDPR, the use of unsanctioned AI tools that process personal or sensitive data creates material compliance liability. Gartner predicts that by 2030, approximately 40% of enterprises will face a security or compliance incident related to shadow AI.

Security incidents. Data loss and downtime attributable to shadow IT security breaches cost an estimated $1.7 trillion annually across enterprises. For mid-market companies specifically, the average cost of a shadow IT-related breach runs $4.2 to $4.5 million according to various industry studies. While the breach likelihood at any single company is low, the tail risk is significant.

Offboarding gaps. When an employee who has been using shadow IT tools leaves the company, their access often persists. There is no offboarding process for tools that IT does not know about. Former employees may retain access to company data stored in unsanctioned platforms for months or years after departure.

The categories where shadow IT is most common

Not all shadow IT carries the same risk or cost profile. These are the categories where mid-market companies encounter it most frequently:

Communication and collaboration: Messaging apps, video tools, and collaboration platforms adopted by individual teams when the officially approved tool does not fit. Common examples: personal Slack workspaces, WhatsApp groups for work communication, unauthorised Notion workspaces.

File storage and sharing: Personal Google Drive or Dropbox accounts used to share files when company storage solutions are too slow, too restricted, or too unfamiliar. Research from Forcepoint found that 71% of remote workers use personal cloud storage as shadow IT.

AI tools: As noted above, this is the fastest-growing category. ChatGPT, Gemini, Claude, Midjourney, coding assistants, and browser extensions are being used for work tasks at companies that have not formally approved, assessed, or governed their use. The data security implications depend entirely on what employees are pasting into these tools.

Project management: Parallel project management tools adopted by teams that prefer a different interface to the officially approved option. A company may be paying for Asana at the enterprise level while three departments use Monday.com, Notion, and Trello independently.

Marketing and design: Canva, Adobe Express, social scheduling tools, and content production platforms signed up for by marketing teams without procurement involvement.

HR and recruitment: ATS tools, background check platforms, reference checking services, and skills assessment tools procured by HR or hiring managers independently of IT and legal review.

How to find shadow IT in your organisation

For a mid-market company without a dedicated IT asset management function, finding shadow IT requires pulling from three sources that most companies manage separately:

Your SSO or identity provider: Okta, Azure AD, and Google Workspace all log application integrations. Every app that employees have connected using their company credentials (including personal apps connected with "Sign in with Google") appears in these logs. This is your most reliable source for cloud SaaS shadow IT, though it only captures apps that employees chose to integrate, not those they access directly.

Your expense management system and credit card records: Pull 12 months of transactions from your expense management platform and corporate card statements. Filter for recurring charges. Look for software company names, SaaS subscription identifiers, and amounts that suggest annual billing. Match these against your known vendor list. The gap is your shadow IT spend.

Your accounts payable system: Shadow IT procured at department level sometimes makes it to invoice status before being flagged. An AP audit looking for software vendor categories will surface tools that passed through some payment process but never went through formal procurement.

Browser extension and network traffic analysis: For larger or more security-conscious organisations, DNS log analysis or CASB (Cloud Access Security Broker) tools provide visibility into web traffic, showing which services employees are accessing regardless of whether they integrated them with SSO.

For most mid-market teams, the SSO log plus 12 months of card statements is sufficient to surface the significant majority of shadow IT spend.
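The card-statement step above, as an added example that is not part of the original post: Python that groups a year of card lines by normalised merchant descriptor, flags monthly cadence and single large charges that suggest annual billing, and reports the merchants absent from a known vendor list. The card lines, vendor list, `min_months` and `annual_threshold` are constructed assumptions; tune them to your own statements.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: one year of corporate card lines as (date, merchant descriptor, amount).
# Descriptors are deliberately messy, as card statements usually are.
CARD_LINES = [
    ("2025-01-10", "ASANA.COM*ANNUAL", 2400.00),          # on the known vendor list
    ("2025-01-14", "FIGMA MONTHLY RENEWAL", 45.00),
    ("2025-02-14", "FIGMA MONTHLY RENEWAL", 45.00),
    ("2025-03-14", "FIGMA MONTHLY RENEWAL", 45.00),
    ("2025-04-14", "FIGMA MONTHLY RENEWAL", 45.00),
    ("2025-02-01", "OPENAI *CHATGPT SUBSCR", 20.00),
    ("2025-03-01", "OPENAI *CHATGPT SUBSCR", 20.00),
    ("2025-04-01", "OPENAI *CHATGPT SUBSCR", 20.00),
    ("2025-05-01", "OPENAI *CHATGPT SUBSCR", 20.00),
    ("2025-03-22", "MONDAY.COM LTD", 960.00),             # one-off charge, looks like annual billing
    ("2025-06-09", "DELTA AIR LINES", 412.80),            # travel, not software
]

# Constructed: vendors that already went through formal procurement (lower-case fragments).
KNOWN_VENDORS = {"asana", "google workspace"}

def normalise(descriptor):
    """Strip card-processor noise: 'OPENAI *CHATGPT SUBSCR' -> 'openai chatgpt subscr'."""
    return " ".join(descriptor.lower().replace("*", " ").replace(".com", "").split())

def is_known(merchant):
    return any(vendor in merchant for vendor in KNOWN_VENDORS)

def find_shadow_subscriptions(lines, min_months=3, annual_threshold=500.0):
    """Return {merchant: annualised spend} for charges that recur monthly or look like
    annual billing and whose merchant does not match the known vendor list."""
    charges = defaultdict(list)
    for day, descriptor, amount in lines:
        charges[normalise(descriptor)].append((date.fromisoformat(day), amount))
    shadow = {}
    for merchant, items in charges.items():
        if is_known(merchant):
            continue
        months = {(d.year, d.month) for d, _ in items}
        if len(months) >= min_months:            # same merchant across several months
            average = sum(a for _, a in items) / len(items)
            shadow[merchant] = round(average * 12, 2)
        elif len(items) == 1 and items[0][1] >= annual_threshold:  # single large charge
            shadow[merchant] = round(items[0][1], 2)
    return shadow

if __name__ == "__main__":
    for merchant, annual in sorted(find_shadow_subscriptions(CARD_LINES).items()):
        print(f"{merchant:30} ~${annual:,.2f}/yr")
```

Anything this reports is a candidate, not a verdict: confirm each merchant against the SSO application log and the AP vendor list before treating it as shadow spend.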

What to do once you have found it

Finding shadow IT is the first step. The response needs to be proportionate and practical rather than punitive.

Categorise by risk and cost. Not all shadow IT warrants the same response. A team using a $15/month design tool is different from a team using an unsanctioned AI tool that processes customer data. Start with tools that carry compliance risk or significant cost, not with tools that are low-risk and low-cost.

Build a rationalisation framework. For each shadow IT tool found, determine: is this tool duplicating functionality we already pay for? If yes, consolidate. Is this tool providing value that justifies bringing it into formal procurement? If yes, run it through your standard approval process retroactively. Is this tool creating security or compliance risk without sufficient value? Shut it down with clear communication about why.

Do not just ban, replace. The reason employees adopted shadow IT is usually that the approved tool was not meeting their need. If you remove a shadow IT tool without providing an approved alternative that meets the same need, you will encounter resistance and the shadow IT will reappear in a different form.

Build a lightweight intake process. The most effective long-term response to shadow IT is reducing the friction that causes it. A simple intake process for new tool requests, one that takes days rather than weeks and is clearly communicated to the team, reduces the incentive to route around the process.

Establish an AI tool policy. Given the pace of AI adoption, mid-market companies that do not yet have an explicit AI tool policy should establish one. The policy does not need to prohibit all AI use. It needs to define which tools are approved, what data can be entered into them, and what the process is for requesting approval of additional tools.

Shadow IT and vendor spend management

From a vendor spend management perspective, shadow IT represents a category of spend that is invisible by definition. It does not appear in your vendor list. It does not get reviewed at renewal. It does not benefit from any negotiation. It renews automatically, often at increasing prices, until someone finds it.

The compounding effect matters. A tool that costs $200/month in year one, auto-renews at $216 in year two and $233 in year three, and was never negotiated, costs $7,788 over three years. If five similar tools exist in your organisation, that is $38,940 in unmanaged spend from just five shadow subscriptions.

Bringing shadow IT into your formal vendor management process does not require a procurement department. It requires a defined process for discovery, a consistent approach to approval, and a renewal calendar that captures every tool that your company pays for, not just the ones that went through official procurement.
