Stop chasing shadow IT. Start governing around it
Shadow IT is inevitable. Govern it in real time, not after the fact
For years, shadow IT has been framed as a governance failure: the outcome of weak controls, poor visibility, or non-compliant employees operating outside sanctioned systems. The response has been consistent: root it out and shut it down.
Unfortunately, the assumptions underlying this strategy are not just outdated, they’re counterproductive. Shadow IT isn’t a failure of control. It is the natural byproduct of how modern organizations operate. Any strategy built on eliminating it is fundamentally flawed and doomed to a losing game of whack-a-mole.
Vice President for SaaS Management at Calero.
Picture shadow IT as weeds in a garden. The weeds crop up not because something is broken, but because growth is constant. You can spend all your time pulling weeds, or you can build a system that manages growth continuously and prevents them from taking root.
The mistake most organizations make is treating the weeds as an anomaly instead of a natural outcome of a living system. The same is true for SaaS.
Shadow IT is the system, not the exception
The rise of SaaS, decentralized buying, and frictionless procurement has fundamentally changed how technology enters the enterprise. Business units can adopt tools in minutes, often with nothing more than a corporate credit card and an email address. This is now the default behavior.
Research reinforces this shift. Gartner estimates that organizations are typically aware of only ~40% of applications in use and projects that by 2027, 75% of employees will acquire, modify or create technology outside of IT’s visibility.
This isn’t because employees are trying to bypass governance – it’s because the operating model has changed. Decision-making has moved closer to the business, and technology is easier to buy, implement, and manage.
None of this is inherently bad. But governance frameworks have remained centralized and periodic, creating growing risk and expense.
Instead of treating shadow IT as a deviation in the system, it’s far more productive to recognize it as the system itself.
The failure of centralized, periodic governance
Traditional IT governance was designed for a different era – one defined by long procurement cycles, centralized ownership, and relatively static technology stacks. In that world, periodic reviews worked. Annual true-ups, quarterly audits, and approval workflows were sufficient to maintain control.
That world no longer exists.
Today’s SaaS landscape is dynamic, consumption-based, and constantly evolving. Applications can be adopted, scaled, and abandoned in weeks. AI-driven tools introduce variable, event-based cost structures that don’t align with fixed governance cycles and can introduce significant financial risk.
Technology decisions are now frequent, distributed, and continuous. In this environment, the question is no longer “Do we know what’s happening?” but “Can we influence what happens next?”
Yet most organizations are still applying old governance models to this new reality, relying on periodic checkpoints to manage a continuous flow of decisions. They detect, report, and analyze – but all after the fact. You’re not guiding decisions; you’re cleaning up after them.
As not just humans, but also non-human agents, begin making technology decisions faster and more frequently, that delay is exactly why shadow IT continues to grow even as visibility investments increase.
Visibility is not the problem OR the solution
Most organizations have responded by investing heavily in discovery and visibility tools. They aim to answer questions like: What applications are in use? Who owns them? Who is using them? How much do they cost?
These are necessary questions, but they are asked far too late. By the time shadow IT is discovered, the decision has been made. The contract is signed. The data is flowing. The risk is introduced. The spend is committed. Shadow IT persists not because of a lack of data, but because of a lack of real-time governance.
When organizations are looking to solve their SaaS problem, they almost always already have the data they need. Between SSO logs, expense systems, endpoint telemetry, and CASB tools, they can construct a fairly complete picture of their SaaS environment, especially once given the tools to unify those disparate sources.
The problem isn’t visibility; it’s turning insight into timely, scalable action.
From visibility to systems of decision-making
More often than not, the employee signing up for a tool, the team integrating an application, or the manager approving spend is a good corporate citizen acting rationally in the context of their work.
Chasing down those decisions after the fact doesn’t change the fact that risk has already been introduced, but it does inhibit organizational decision-making and slow down the business.
This is where most SaaS management approaches fall short: they are designed to inform, not to act. They surface insights but rely on humans to interpret and respond – often too late and at too small a scale to make a difference.
The alternative isn’t unchecked shadow IT. It’s shifting from systems that observe to systems that act by moving governance to the point of decision. If technology decisions happen in real time, governance must meet them there.
Not in a report. Not in a quarterly review. Not after a renewal or security breach. But at the key moments of purchase, access, integration, and usage.
Governance at the point of decision requires systems that can 1) interpret signals as they happen, 2) apply policy in context, and 3) trigger action automatically. In other words, they must operate at the speed of business. This doesn’t require tighter control; it requires redefining control.
The future of shadow IT governance
If shadow IT is inevitable (and all evidence suggests it is), then the goal cannot be elimination. It must be integration. Rather than treating it as a mistake, organizations must treat shadow IT as a signal to be governed.
That requires a shift from:
- Detection to decisioning: Use detection to trigger decisions about what should happen next.
- Periodic reviews to continuous governance: Replace audits and fire drills with real-time monitoring, policy, and automated action.
- Centralized control to guided autonomy: Allow business units to move independently, with guardrails that guide decisions and enforce accountability without sacrificing speed.
Modern SaaS governance systems built on policy-driven, event-based models enable this shift by prioritizing action over reporting, which enables organizations to:
- Detect financial and usage signals at the point of purchase
- Automatically route new SaaS purchases for lightweight review
- Trigger access governance workflows when apps integrate with identity systems
- Enforce renewal decisions based on utilization, ownership, and contract terms – not just dates
When governance systems align with how people actually work – fast, decentralized, and outcome-driven – they become enablers of innovation instead of obstacles.
The organizations that succeed in this new era of SaaS and AI won’t be the ones with the most visibility. They’ll be the ones that can act the fastest and most intelligently on what they see, because they’ve built governance that operates where it matters most: at the moment decisions are made.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit