SaaS Sprawl: How to Manage Shadow IT and Unsanctioned Apps

SaaS sprawl creates security blind spots IT teams can't afford. Learn how to detect unsanctioned apps, run a SaaS audit, and regain access control.

The average company uses over 100 different apps to get work done, and that number has been growing year over year. This leads to SaaS sprawl, one of the fastest-growing security challenges facing organizations today.

With AI tools accelerating unsanctioned adoption, also known as shadow IT, the problem isn’t going away anytime soon. In fact, 90% of SaaS apps and 91% of AI tools remain completely unmanaged.

For IT teams, every unsanctioned app is an unmonitored access point, a potential compliance gap, and a credential security risk. This guide breaks down what SaaS sprawl is, why it happens, and the specific steps your team can take to detect shadow IT, audit your SaaS environment, and lock down access before attackers find the gaps.

What is SaaS sprawl (and why should IT teams care)?

SaaS sprawl refers to the unchecked growth of software-as-a-service apps across an organization, often without centralized procurement, oversight, or governance. Employees sign up for tools using a work email, start a free trial, or connect an AI plugin to their browser, and IT never knows it happened. IBM reports that roughly half of all SaaS licenses go unused and forgotten, creating both a financial drain and a widening attack surface.

Shadow IT is a closely related concept. It describes any technology, hardware, or software that employees use without explicit IT approval. Nowadays, shadow IT is overwhelmingly SaaS. According to Gartner, shadow IT accounts for 30% to 40% of IT spending in large enterprises.

The result is a compounding visibility problem. IT can’t secure what it can’t see, and every unmanaged app is a potential entry point for credential theft, data exfiltration, or compliance violations.

What causes SaaS sprawl?

SaaS sprawl rarely starts with bad intentions. It usually starts with employees trying to solve real problems faster than IT can respond. Several factors make it worse:

  • Frictionless sign-up models. Most SaaS tools offer free trials or freemium tiers that require nothing more than an email address. Employees can start using a new tool in under a minute without involving procurement or IT.
  • Remote and hybrid work. Distributed teams rely on cloud-based tools by default, and the shift to remote work has normalized self-service software adoption. For example, 83% of IT staff admit to using unsanctioned tools at work.
  • AI tool proliferation. The explosion of generative AI tools has added a new layer of urgency. Torii's 2026 SaaS Benchmark Report found that AI now accounts for the majority of newly unmanaged apps. Employees connect AI plugins to Google Drive, Slack, and CRM systems with a few clicks, often without understanding the permissions they’re granting.
  • Slow IT procurement cycles. When formal request processes take weeks, employees route around them. Only 12% of IT departments follow up on staff requests for new technologies, creating a culture where self-service feels like the only option.
  • Departmental silos. Marketing, sales, HR, and engineering often purchase tools independently. Without a centralized procurement policy, duplicate functionality proliferates and oversight breaks down.

The security risks of SaaS sprawl and shadow IT

SaaS sprawl isn’t just a budget problem; it’s a security problem. AppOmni found that 75% of organizations experienced a SaaS security incident in the last 12 months, with a significant share tied to unauthorized apps. Here’s where the risk concentrates:

  • Credential blind spots. When employees create accounts on unsanctioned tools, those credentials exist entirely outside IT's visibility. The Dashlane Omnix™ platform was built to address exactly this gap. On average, 50% of SaaS services are unprotected by SSO, and every one of those missed apps is a credential security risk.
  • Password reuse across unmanaged apps. Employees who create accounts on unsanctioned tools frequently reuse passwords from their corporate accounts. If any one of those tools is breached, attackers gain a credential that may unlock corporate systems. Password reuse is a leading driver of credential stuffing attacks.
  • Data leakage through SaaS-to-SaaS integrations. Many SaaS tools request broad API permissions to function. An AI summarization tool connected to Google Drive may have read access to every file in an employee's account. If that tool is compromised, the attacker inherits those permissions.
  • Compliance exposure. Unsanctioned apps that store customer data, financial records, or health information can create violations under GDPR, HIPAA, SOC 2, and other regulatory frameworks. The SEC fined Wall Street firms $1.1 billion over “widespread and longstanding failures” related to shadow IT communication tools.
  • Orphaned accounts and offboarding gaps. When an employee leaves, IT can only deprovision accounts it knows about. Shadow IT accounts remain active indefinitely, creating a persistent access risk.

How to detect unsanctioned SaaS apps

Discovery is the first step toward control. IT teams that can’t see the full scope of their SaaS environment are making security decisions based on incomplete information.

Here are the primary detection methods:

  • Email domain analysis. Every SaaS sign-up generates a confirmation or welcome email. Integrating with your corporate email provider (Google Workspace, Microsoft 365) and scanning for SaaS-related messages is one of the most comprehensive discovery methods available.
  • Network traffic analysis. Reviewing DNS logs, firewall data, and proxy logs can reveal connections to unknown SaaS domains. This approach works well for on-network traffic but has limited visibility for remote employees.
  • Expense report and credit card audits. Finance teams can flag recurring SaaS charges, free trial conversions, and departmental software purchases that never went through IT procurement.
  • Browser extension monitoring. Browser extensions are a major vector for unsanctioned SaaS and AI tool adoption. Monitoring installed extensions across your workforce can surface tools IT never approved.
  • Employee surveys and department interviews. Sometimes the simplest approach works. Asking teams what tools they rely on daily often surfaces apps that technical discovery methods miss.
  • SaaS management platforms. Dedicated SaaS management tools (Torii, Nudge Security, BetterCloud) aggregate discovery data from multiple sources to build a comprehensive inventory.
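As an added illustration of the network traffic analysis method above (example code, not part of the original post or any vendor's product), the following script parses proxy log lines, collapses each destination host to its registrable domain, and reports every domain that is missing from the sanctioned app catalog together with the users who reached it. The log format, the domains and the catalog are constructed placeholders.

```python
"""Flag unsanctioned SaaS domains in proxy/DNS logs (added example)."""
import re
from collections import defaultdict

# Constructed sample proxy log lines: "<timestamp> <user> <destination-host>".
SAMPLE_LOG = """\
2026-03-02T09:14:03Z alice app.slack.com
2026-03-02T09:15:10Z alice api.example-ai-notes.test
2026-03-02T09:16:44Z bob drive.google.com
2026-03-02T09:17:01Z bob api.example-ai-notes.test
2026-03-02T09:20:27Z carol www.example-pm.test
2026-03-02T09:21:00Z carol cdn.example-pm.test
2026-03-02T09:22:19Z dave app.slack.com
"""

# Constructed sanctioned app catalog: registrable domain -> app name.
SANCTIONED = {"slack.com": "Slack", "google.com": "Google Workspace"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels.

    Simplified on purpose: it ignores multi-label public suffixes
    such as co.uk, which a production tool would handle via a suffix list.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_unsanctioned(log_text: str, sanctioned: dict) -> dict:
    """Return {domain: sorted list of users} for domains not in the catalog."""
    users_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines instead of aborting the audit
        _timestamp, user, host = match.groups()
        domain = registrable_domain(host)
        if domain not in sanctioned:
            users_by_domain[domain].add(user)
    return {d: sorted(u) for d, u in users_by_domain.items()}


if __name__ == "__main__":
    for domain, users in sorted(find_unsanctioned(SAMPLE_LOG, SANCTIONED).items()):
        print(f"{domain}: {len(users)} user(s): {', '.join(users)}")
```

The user count per domain is what turns a list of hostnames into a prioritised follow-up list: a domain reached by many employees is a candidate for the sanctioned catalog, a domain reached by one is a candidate for a conversation.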

A step-by-step SaaS audit process

Once you have detection methods in place, the next step is a structured audit. Here’s a practical framework IT teams can follow:

  1. Build a complete app inventory. Combine data from email analysis, network logs, SSO records, expense reports, and employee surveys into a single SaaS inventory. For each app, record the tool name, department, number of users, data access level, and whether it has IT approval.
  2. Classify each app by risk tier. Not all shadow IT carries equal risk. Categorize apps into tiers: High risk (stores customer data, PII, financial records, or has broad API permissions), Medium risk (internal productivity tools with limited data access), and Low risk (standalone tools with no integration or sensitive data).
  3. Evaluate credential hygiene for each app. For every discovered app, determine how employees are authenticating. Are they using unique passwords? Reusing corporate credentials? Has the app been connected to SSO? A credential manager like Dashlane gives admins visibility into Password Health scores across the organization, including for apps outside of SSO.
  4. Identify redundancies and consolidation opportunities. Multiple teams often pay for tools with overlapping functionality. Flag duplicate apps and recommend consolidation. This reduces both cost and attack surface.
  5. Establish a sanctioned app catalog. Create a go-to list of approved tools for common use cases (project management, design, communication, AI). Make it easy for employees to find approved alternatives before they go searching on their own.
  6. Set a review cadence. SaaS environments change constantly. Schedule quarterly audits to catch new unsanctioned apps, review underused licenses, and update the sanctioned catalog as needs evolve.
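The following added example (not code from the original post or from Dashlane) carries steps 1, 2 and 4 of the audit through in code: it merges per-user discovery records from several sources into one inventory entry per app, assigns the High/Medium/Low tier using the criteria given above, and flags apps that share a functional category as consolidation candidates. The records, field names and category labels are constructed placeholders.

```python
"""Merge SaaS discovery records and assign risk tiers (added example)."""
from collections import defaultdict

# Data labels the page's High tier covers; "internal" counts as limited access.
SENSITIVE = {"customer", "pii", "financial", "health"}

# Constructed records: one row per (app, user) seen by a discovery source.
FIELDS = ("app", "source", "user", "dept", "category", "data", "broad_api", "approved")
RECORDS = [dict(zip(FIELDS, row)) for row in [
    ("Example AI Notes",  "email",   "alice", "sales",       "ai",           ["customer"], True,  False),
    ("Example AI Notes",  "network", "bob",   "sales",       "ai",           ["customer"], True,  False),
    ("Example PM",        "expense", "carol", "marketing",   "project_mgmt", ["internal"], False, False),
    ("Approved PM",       "sso",     "dave",  "engineering", "project_mgmt", ["internal"], False, True),
    ("Example Whiteboard","survey",  "erin",  "design",      "design",       [],           False, False),
]]


def risk_tier(data: set, broad_api: bool) -> str:
    """Step 2: High for sensitive data or broad API permissions,
    Medium for limited (internal-only) data access, Low for standalone tools."""
    if broad_api or SENSITIVE & data:
        return "High"
    if data:
        return "Medium"
    return "Low"


def build_inventory(records: list) -> dict:
    """Step 1: collapse per-user records into one entry per app."""
    inventory = {}
    for r in records:
        entry = inventory.setdefault(r["app"], {
            "users": set(), "depts": set(), "category": r["category"],
            "data": set(), "broad_api": False, "approved": False})
        entry["users"].add(r["user"])
        entry["depts"].add(r["dept"])
        entry["data"].update(r["data"])
        entry["broad_api"] |= r["broad_api"]
        entry["approved"] |= r["approved"]  # any source showing IT approval wins
    for entry in inventory.values():
        entry["tier"] = risk_tier(entry["data"], entry["broad_api"])
    return inventory


def find_redundancies(inventory: dict) -> dict:
    """Step 4: apps sharing a category are consolidation candidates."""
    by_category = defaultdict(list)
    for name, entry in inventory.items():
        by_category[entry["category"]].append(name)
    return {c: sorted(apps) for c, apps in by_category.items() if len(apps) > 1}
```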

How to evaluate SaaS access management solutions

After completing an audit, most IT teams realize they need better tooling to manage ongoing SaaS access. Here’s a framework for evaluating solutions:

  • Discovery beyond SSO. Your solution should identify apps that employees use outside of SSO and identity provider coverage. If it only sees what SSO sees, it has the same blind spots you already have.
  • Credential visibility. Look for tools that give admins visibility into credential health across the entire workforce, not just within managed apps. Dashlane's admin console provides an organization-wide Password Health score, Dark Web Monitoring to flag compromised credentials regardless of where they were used, and a host of other features that give admins the visibility they need.
  • Automated provisioning and deprovisioning. The solution should integrate with your identity provider using SCIM provisioning and support automated onboarding and offboarding. When an employee leaves, every managed account should be deactivated immediately.
  • Employee-friendly adoption. Tools that employees resist using are tools that drive more shadow IT. Prioritize solutions with low-friction onboarding, browser-based access, and intuitive interfaces that even non-technical staff will actually use.
  • Proactive nudges and alerts. The best solutions don't wait for admins to pull reports. They proactively alert employees about weak, reused, or compromised passwords through smart alerts directly in the browser, turning employees into active participants in credential security.
  • Zero-knowledge security architecture. Any tool that manages credentials must use a zero-knowledge architecture in which the vendor can’t access your data. Dashlane's patented zero-knowledge encryption ensures that no one, including Dashlane, can decrypt your passwords.

How Dashlane helps IT teams regain control

SaaS sprawl is ultimately a credential security problem. Every unsanctioned app is an unmanaged credential, and every unmanaged credential is a potential breach. The Omnix proactive credential security platform was built to close this gap by extending credential visibility and protection beyond the limits of SSO and traditional identity providers.

Here’s what Dashlane provides for IT teams dealing with SaaS sprawl:

  • Visibility into every credential. Dashlane's Credential Risk Detection surfaces weak, reused, and compromised passwords across your entire workforce, including those used on apps outside of SSO.
  • Dark web monitoring. Dashlane's Dark Web Insights & Monitoring continuously scans for employee credentials that have appeared in breaches or on dark web marketplaces, giving your team the time to respond before credentials are exploited.
  • Seamless SSO and SCIM integration. Dashlane integrates with all major identity providers through Confidential SSO and SCIM, automating provisioning and deprovisioning so that managed accounts are always accounted for.
  • Proactive alerts. Smart alerts automatically notify employees about risky credentials directly in the browser or in Slack, reducing the admin burden and building a culture of shared security.
  • AI phishing protection. As employees adopt AI-powered SaaS tools, phishing risk increases. Dashlane's AI phishing alerts protect employees at the browser level, where most SaaS-related attacks happen.
  • Secure password sharing. When teams share credentials for SaaS tools through Slack or email, they create a credential theft risk. Dashlane's secure sharing lets employees share access through encrypted channels instead.

SaaS sprawl will not solve itself. But with the right tools and a proactive audit process, IT teams can move from reactive firefighting to strategic security governance.


References

Torii, 2026 SaaS Benchmark Report, 2026.

IBM, What Is SaaS Sprawl?, November 2025.

Centraleyes, The SaaS Sprawl of 2025: Tackling the Unseen Security Risks, November 2025.

BetterCloud, The Big List of 2026 SaaS Statistics, 2026.

Security Boulevard, SaaS Sprawl Has Become the New Shadow IT, March 2026.

Nudge Security, Shadow IT Discovery: A Complete 2026 Guide, January 2026.

CIO Dive, App Sprawl Bogs Down Operations, Fuels Shadow IT Growth, 2026.

Dashlane, Omnix Password Management, 2026.

Dashlane, How Admins Can Simplify Provisioning, 2024.

Dashlane, Deployment Guide for Admins, 2026.
