
Shadow IT Is a Finance Problem, Not an IT Problem

The SaaS your IT team doesn't know about almost always shows up first in the AP ledger. Finance is in a better position to find shadow IT than the team that's nominally responsible for it.

February 20, 2026

Why shadow IT exploded in 2023–2025

Three forces converged. First, corporate cards (Brex, Ramp, Mercury) made it trivial for any manager to subscribe to a tool without a procurement conversation. Second, AI tools (ChatGPT, Claude, Cursor, Perplexity) created an entire new category of useful, cheap, individually purchased tools that lived outside the IT app catalog by default. Third, remote and hybrid work pushed more team-level tooling decisions to the team, away from central IT review. The cumulative effect: shadow-IT footprints at typical 200-person companies grew from ~20 unsanctioned tools in 2021 to ~50 in 2025.

The compliance angle moved in parallel. SOC 2 Type II auditors increasingly ask for an authoritative list of every system processing customer data; ISO 27001 auditors want documented data flows for every vendor. AI tools used for customer-support summarization, sales call analysis, or code generation often fall inside the audit boundary even when they were purchased on a $20/month corporate-card transaction. The cost of getting this wrong scales from a finding in the audit report to a material weakness.

The four-source data motion

  • AP ledger — the truth source for what's actually being paid for. Filter by 'Software', 'SaaS', 'Subscription' tags.
  • IdP catalog — the truth source for what's been sanctioned. Compare against AP to find the delta.
  • HRIS termination list — the truth source for who shouldn't have any seats anymore. Cross-reference against IdP active assignments.
  • Email metadata — the lagging-but-rich source. Search the company-wide inbox for 'invoice', 'receipt', 'subscription confirmation', 'renewal'. New shadow-IT signals here precede AP by 30–60 days.

Every IT team we work with assumes their app catalog is complete. Every finance team we work with finds 30–60 unsanctioned tools in the AP ledger within an afternoon. The mismatch isn't a failure of IT — it's a structural feature of how SaaS gets purchased today, and it makes finance the better-positioned function to surface and contain it.

Why shadow IT lands in AP first

The classic shadow-IT path: a manager hits a workflow problem, signs up for a $20/month tool with a corporate card, expenses it, and never tells IT because there was no procurement workflow to trigger. By month four, the team is on a $400/month plan billed annually — and IT only finds out when someone asks for SSO. The data trail in order:

  1. Card swipe in Brex, Ramp, or Mercury — the first signal.
  2. Recurring transaction tagged 'Software' — month 2.
  3. Annual invoice from the vendor — month 3 or 4.
  4. Slack mention or feature request to IT — month 6+.
  5. SSO/SAML conversation, if it ever happens — month 9+.

The four signals finance should monitor

  • Recurring card transactions tagged 'Software' under $500/month — the median shadow-IT footprint.
  • Vendors invoicing the same email domain repeatedly — multiple individual managers expensing the same tool.
  • AP entries for vendor names that don't appear in the IdP catalog.
  • Renewal-notice emails landing in personal-style inboxes (sales@, founder@) instead of procurement@.
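One way to run the four-source reconciliation and the signals above against an AP export, as an added example that is not RenewalPad's code: the ledger rows, IdP catalog, app assignments and HRIS termination list are constructed sample data, and the vendor-name normalization is an assumed simplification of how a card feed spells vendors.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data, not a real ledger. AP rows: (posting date, cardholder,
# vendor string as it appears on the card feed, amount in USD, expense tag).
AP_LEDGER = [
    (date(2025, 1, 3), "m.ortiz", "CURSOR AI INC", 20.00, "Software"),
    (date(2025, 2, 3), "m.ortiz", "CURSOR AI INC", 20.00, "Software"),
    (date(2025, 3, 3), "m.ortiz", "CURSOR AI INC", 40.00, "Software"),
    (date(2025, 1, 9), "a.chen", "FIGMA INC", 45.00, "Software"),
    (date(2025, 1, 11), "r.patel", "FIGMA INC", 45.00, "Software"),
    (date(2025, 2, 14), "r.patel", "Figma, Inc.", 45.00, "Software"),
    (date(2025, 1, 15), "it-ops", "OKTA INC", 3200.00, "Software"),
    (date(2025, 2, 20), "a.chen", "WEWORK", 600.00, "Office"),
]
IDP_CATALOG = {"Okta", "Jira", "Slack"}  # sanctioned apps, as named in the IdP
IDP_ASSIGNMENTS = {"Jira": {"m.ortiz", "a.chen", "j.lee"}, "Slack": {"m.ortiz"}}
HRIS_TERMINATED = {"j.lee"}  # left the company; should hold no seats

def normalize_vendor(raw):
    """Collapse card-feed spellings ('FIGMA INC', 'Figma, Inc.') to one key."""
    words = raw.replace(",", " ").replace(".", " ").upper().split()
    return " ".join(w for w in words if w not in {"INC", "LLC", "LTD", "CORP"})

def reconcile(ledger, idp_catalog, max_monthly=500.0, min_months=2):
    """AP-vs-IdP delta: recurring, software-tagged vendors absent from the IdP,
    with the article's signals (monthly spend, months seen, distinct buyers)."""
    sanctioned = {normalize_vendor(v) for v in idp_catalog}
    seen = defaultdict(lambda: {"months": set(), "holders": set(), "total": 0.0})
    for posted, holder, raw, amount, tag in ledger:
        if tag != "Software":  # signal 1: only software-tagged card transactions
            continue
        rec = seen[normalize_vendor(raw)]
        rec["months"].add((posted.year, posted.month))
        rec["holders"].add(holder)
        rec["total"] += amount
    findings = {}
    for vendor, rec in seen.items():
        months = len(rec["months"])
        monthly = rec["total"] / months
        if vendor in sanctioned or months < min_months or monthly > max_monthly:
            continue  # signal 3: present in the IdP catalog means sanctioned
        findings[vendor] = {"monthly_spend": round(monthly, 2), "months_seen": months,
                            "cardholders": sorted(rec["holders"]),
                            "multi_buyer": len(rec["holders"]) > 1}  # signal 2
    return findings

def orphaned_seats(assignments, terminated):
    """HRIS cross-check: terminated people who still hold IdP app assignments."""
    return {app: sorted(u & terminated) for app, u in assignments.items() if u & terminated}
```

On the sample ledger this surfaces Cursor (one buyer, three months) and Figma (two managers expensing the same tool), skips Okta because it is in the IdP catalog, and flags the departed user's lingering Jira seat.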

What to do when you find it

Don't lead with shutdown. Most shadow IT exists because someone had a real workflow problem and IT was either too slow or too restrictive. Lead with three questions:

  1. Is this a category we already have a sanctioned tool for? If yes, consolidate at the next renewal.
  2. Is this a category we should standardize on? If yes, run a 30-day evaluation with the team that's already using it as the lead user.
  3. Is this genuinely one-off? Sanction it, route the contract through procurement, get SSO and seat-control in place.

Anti-patterns we see

  • Hard-blocking the corporate card on 'Software' MCC codes. Spend reroutes to personal cards and reimbursements; the visibility gets worse, not better.
  • Naming and shaming managers who introduced shadow IT. The next wave of shadow IT just gets hidden more carefully.
  • Treating shadow IT as a one-time cleanup. It's a continuous-detection problem; the next quarter's shadow-IT introductions are already happening.
  • Skipping the compliance review. Some shadow-IT tools are SOC 2 / ISO 27001 / GDPR risk multipliers — surfacing them is a security win, not just a cost win.

A worked example

A 320-person fintech ran their first AP-vs-IdP reconciliation in Q2 2024 ahead of a SOC 2 Type II audit. Going in, IT had 73 sanctioned applications in Okta. The AP ledger surfaced 118 distinct SaaS vendors with recurring transactions in the prior 12 months. The 45-vendor delta included:

  Category                                            | Vendors found | Notable finding
  ----------------------------------------------------|---------------|------------------------------------------------------------------------------------------
  AI/LLM tooling (ChatGPT Plus, Claude Pro, Cursor)   | 14            | 9 of 14 had been used to summarize customer-support transcripts containing PII.
  Design and content tools (Figma, Canva Pro, Loom)   | 11            | 3 individual managers had separate Figma Pro accounts; consolidation saved $4.8K/yr.
  Project management (Asana, Linear, ClickUp)         | 6             | Direct duplicate of sanctioned Jira; deprecated within 90 days.
  Developer tools (Postman, Insomnia, Sentry)         | 8             | 5 had API keys in scope of the SOC 2 boundary; brought into the IdP.
  Other (transcription, scheduling, surveys)          | 6             | All sanctioned; routed through procurement at next renewal.

Total annualized spend on the 45 surfaced vendors: $164K. Total recovered or consolidated within 90 days: $71K (43% of the surfaced spend). The compliance angle was material: two of the AI tools had to be disclosed in the SOC 2 audit and required updated DPAs with the vendor, which the auditor confirmed was the largest scope expansion they'd had to manage that quarter.

Sources and further reading

  • BetterCloud 2024 State of SaaSOps Report — average shadow-IT footprints at mid-market.
  • AICPA SOC 2 audit guidance — system boundary definitions and unauthorized-application disclosure.
  • Internal RenewalPad data: 51 AP-vs-IdP reconciliations across 2023–2025.

Frequently asked questions

Should we just block expense claims for unapproved SaaS?
Counterproductive in most cases. Hard blocks push spend to personal cards and reimbursement requests, which are even harder to track. Better to detect, sanction quickly, and route to procurement.
How often should we run the AP-vs-IdP reconciliation?
Monthly is the right cadence for 50–500 person companies. Quarterly is too slow — a contract that auto-renews mid-quarter never makes the report.
Who owns the remediation — IT or finance?
Finance owns surfacing; IT owns SSO and access control; procurement (or finance, if no procurement function) owns contract terms. The handoff is the work.
