Shadow IT is not what it used to be
Five years ago, shadow IT meant a department head buying a project management tool on a personal credit card without telling IT. The tool was visible if you knew where to look: it showed up in browser traffic, users talked about it, and eventually someone asked IT to integrate it with SSO.
In 2026, shadow IT has evolved. The new patterns are harder to detect, faster to proliferate, and often invisible to the tools that were built to find the old kind.
Three trends are driving this shift: expense card purchasing, free-tier upgrades, and AI tool adoption.
The new shadow IT: three patterns to watch
1. Expense card purchases through Brex, Ramp, and Amex
Corporate expense cards have made it trivially easy for any employee to purchase software. A marketing manager signs up for a design tool at $15 per month. A sales rep subscribes to a prospecting platform at $49 per month. A product manager pays for a user research tool at $99 per month.
Each purchase is small enough to fly under procurement thresholds. The expense is categorized as "software" or "business expense" and approved by a manager who does not think to check whether IT already provides a similar tool.
The result: dozens of SaaS subscriptions that live entirely on expense cards, outside of any contract management system, invisible to IT, and invisible to your SaaS management platform.
This is not malicious. Employees are solving real problems with real tools. But the aggregate effect is significant. Mid-market companies routinely discover $100,000 to $300,000 in annual SaaS spend sitting on expense cards when they finally look.
2. Free-tier upgrades that bypass procurement
Most SaaS products offer a free tier. Employees sign up with their work email, use the free version, and eventually hit a limitation. The upgrade path is a credit card form inside the application. No procurement process, no IT ticket, no contract.
This pattern is especially common with:
- Collaboration tools (Miro, Loom, Notion) where free tiers are generous but paid tiers unlock team features
- Developer tools (GitHub Copilot, Postman, cloud IDE platforms) where individual developers upgrade for productivity
- Data and analytics tools (Airtable, Retool, lightweight BI platforms) where teams upgrade to unlock integrations or row limits
The free tier itself is not a problem. The problem is when 15 people across three departments independently upgrade to paid plans, each paying retail pricing, for a tool the company could have negotiated at volume.
3. AI tools adopted without IT knowledge
This is the fastest-growing shadow IT category. Since 2024, employees across every function have adopted AI tools for writing, code generation, image creation, data analysis, meeting transcription, and workflow automation.
The pattern:
- An employee discovers an AI tool that saves them two hours per week
- They sign up with their work email
- They upload company data (documents, code, customer information) to the tool
- They tell their teammates, who also sign up
- Within weeks, 20 to 50 employees are using a tool that IT has never evaluated for security, data handling, or compliance
The data exposure risk here is qualitatively different from traditional shadow IT. A rogue project management tool contains task lists and timelines. An AI tool that employees are feeding with customer data, proprietary code, or financial information creates compliance and IP exposure that most organizations are not equipped to assess.
Why traditional discovery methods miss the new shadow IT
Traditional SaaS discovery relies on three signals:
- SSO and identity provider logs. If a tool is behind SSO, you see it. But shadow IT by definition is not behind SSO.
- Network traffic analysis. Browser extensions or CASB tools that monitor web traffic can detect SaaS usage. But many modern tools use standard HTTPS endpoints that blend in with normal traffic, and remote work makes network-level monitoring less reliable.
- Agent-based discovery. Software installed on managed devices can be detected. But SaaS runs in the browser and leaves no local footprint.
None of these methods catch expense card purchases, free-tier upgrades, or AI tool adoption until the usage is already established. By the time the tool is discovered, there are users, data, and workflows depending on it.
Practical steps to close the gap
The goal is not to eliminate shadow IT. Employees adopt tools because they need them. The goal is to discover, assess, and govern the tools before they create financial waste or data exposure.
Step 1: Connect your expense systems
This is the highest-impact, lowest-effort step most companies skip.
Connect your expense management platform (Brex, Ramp, Expensify, Concur) to your SaaS management workflow. Every transaction categorized as "software," "subscription," or with a SaaS vendor name should surface automatically.
This does not require a new tool. It requires a data feed from your expense platform into whatever system tracks your software inventory. The connection reveals the tools that no other discovery method catches.
StackIQ's business context layer connects expense data alongside SSO and contract data to build a complete picture of your software estate, including the tools that only exist on corporate cards.
Step 2: Run a quarterly SSO audit
Your identity provider (Okta, Entra, Google Workspace) knows about the applications that are integrated. But it also knows about applications that are not integrated. Users who authenticate with "Sign in with Google" or "Sign in with Microsoft" leave a trail in the OAuth consent log.
Every quarter, pull the OAuth application consent list from your identity provider. This shows you every application that employees have authorized with their work credentials, whether or not IT set up the integration.
Step 3: Reconcile contracts against actual tools in use
Your contract management system (or spreadsheet) lists the tools you are paying for through procurement. Your SSO, expense data, and OAuth consent logs show the tools employees are actually using. The gap between these two lists is your shadow IT inventory.
This reconciliation also works in reverse: contracts for tools that nobody is using represent waste that should be canceled at the next renewal window.
StackIQ's document intelligence ingests contract PDFs and matches them against actual usage data, surfacing both ungoverned tools and unused contracts in the same view.
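Steps 1 through 3 describe the same join from three sides: expense transactions, identity-provider OAuth consents and SSO-integrated apps on one side, the contract list on the other. The script below is an added example, not StackIQ's code and not any vendor's API; the feeds are constructed inline and the field names (`merchant`, `app`, `vendor`, `annual_cost`) are assumptions about what an export would carry. It normalizes card descriptors such as `FIGMA *MONTHLY` so they match the name in a consent log or contract, then reports both gaps the text names: tools observed without a contract, and contracts with no observed usage.

```python
"""Reconcile contracted SaaS against the tools actually observed in use.

Added example (not StackIQ's code). Joins three constructed feeds, expense
card transactions, IdP OAuth consents and SSO-integrated apps, against a
constructed contract list and reports ungoverned tools and unused contracts.
"""
import re
from collections import defaultdict

# Constructed sample data; field names are assumptions, not any vendor's schema.
# Transactions are assumed to be one month's feed.
EXPENSE_TRANSACTIONS = [
    {"merchant": "FIGMA *MONTHLY", "amount": 15.00, "category": "software", "user": "alice"},
    {"merchant": "Apollo.io", "amount": 49.00, "category": "software", "user": "bob"},
    {"merchant": "Apollo.io", "amount": 49.00, "category": "software", "user": "carol"},
    {"merchant": "UBER *TRIP", "amount": 32.10, "category": "travel", "user": "bob"},
    {"merchant": "Notion Labs Inc", "amount": 10.00, "category": "subscription", "user": "dave"},
]
OAUTH_CONSENTS = [
    {"app": "Otter.ai", "user": "alice", "scopes": ["calendar.readonly"]},
    {"app": "Notion", "user": "erin", "scopes": ["email"]},
]
SSO_APPS = {"Salesforce", "Slack", "Jira"}
CONTRACTS = [
    {"vendor": "Salesforce", "annual_cost": 48000},
    {"vendor": "Slack", "annual_cost": 12000},
    {"vendor": "Jira", "annual_cost": 6000},
    {"vendor": "Tableau", "annual_cost": 9000},
]

SOFTWARE_CATEGORIES = {"software", "subscription", "saas"}
_SUFFIXES = re.compile(r"\b(inc|llc|ltd|labs|monthly|annual)\b")


def normalize(name):
    """Collapse a merchant descriptor or app label to a comparable key.
    'FIGMA *MONTHLY' -> 'figma', 'Notion Labs Inc' -> 'notion', 'Apollo.io' -> 'apollo'."""
    key = name.lower()
    key = key.split("*")[0]                      # card descriptors often append '*<detail>'
    key = re.sub(r"\.(io|ai|com)\b", "", key)    # drop a trailing TLD used as branding
    key = _SUFFIXES.sub("", key)                 # drop corporate and billing-period suffixes
    return re.sub(r"[^a-z0-9]+", " ", key).strip()


def observed_tools(transactions, consents, sso_apps):
    """Map normalized tool key -> evidence: which feeds saw it, who used it, monthly spend."""
    tools = defaultdict(lambda: {"sources": set(), "users": set(), "monthly_spend": 0.0, "label": ""})
    for t in transactions:
        if t["category"].lower() not in SOFTWARE_CATEGORIES:
            continue                             # travel, meals etc. are not SaaS signals
        k = normalize(t["merchant"])
        tools[k]["sources"].add("expense")
        tools[k]["users"].add(t["user"])
        tools[k]["monthly_spend"] += t["amount"]
        tools[k]["label"] = tools[k]["label"] or t["merchant"]
    for c in consents:
        k = normalize(c["app"])
        tools[k]["sources"].add("oauth")
        tools[k]["users"].add(c["user"])
        tools[k]["label"] = tools[k]["label"] or c["app"]
    for a in sso_apps:
        k = normalize(a)
        tools[k]["sources"].add("sso")
        tools[k]["label"] = tools[k]["label"] or a
    return dict(tools)


def reconcile(transactions, consents, sso_apps, contracts):
    """Return {'shadow': {key: evidence}, 'unused_contracts': [vendor, ...]}."""
    observed = observed_tools(transactions, consents, sso_apps)
    contracted = {normalize(c["vendor"]): c for c in contracts}
    shadow = {}
    for k, ev in observed.items():
        if k in contracted:
            continue                             # governed: seen in use and under contract
        shadow[k] = {
            "label": ev["label"],
            "sources": sorted(ev["sources"]),
            "users": len(ev["users"]),
            "annualized_spend": round(ev["monthly_spend"] * 12, 2),
        }
    unused = [c["vendor"] for k, c in contracted.items() if k not in observed]
    return {"shadow": shadow, "unused_contracts": sorted(unused)}


if __name__ == "__main__":
    report = reconcile(EXPENSE_TRANSACTIONS, OAUTH_CONSENTS, SSO_APPS, CONTRACTS)
    for key, ev in sorted(report["shadow"].items()):
        print(f"ungoverned: {ev['label']:<16} seen via {', '.join(ev['sources']):<14} "
              f"users={ev['users']} annualized=${ev['annualized_spend']:.2f}")
    for vendor in report["unused_contracts"]:
        print(f"unused contract: {vendor}")
```

On the constructed data the run lists Figma, Apollo, Notion and Otter as ungoverned (Notion surfaces from both a card charge and an OAuth consent, which is the cross-source overlap a single-feed discovery method never sees) and flags the Tableau contract as having no observed usage. The normalizer is the part worth investing in with real feeds: every match it misses becomes a false "shadow" entry for a tool that is actually under contract.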
Step 4: Create a lightweight intake process for AI tools
AI tool adoption is moving too fast for traditional procurement cycles. By the time a formal evaluation is complete, employees have already adopted a different tool. Instead, create a lightweight intake process:
- A simple form that employees fill out when they start using a new AI tool: tool name, what data they plan to use with it, and whether they are on a free or paid plan
- A 48-hour review by IT or security to assess data handling policies
- A curated list of pre-approved AI tools that employees can adopt without going through the full procurement process
This does not need to be heavy. The goal is visibility, not gatekeeping. Employees who have an easy path to approval will use it. Employees who face a 6-week procurement process will not.
Step 5: Set up ongoing monitoring, not one-time audits
Shadow IT is not a problem you solve once. New tools enter the environment every month. The discovery process needs to run continuously, not annually.
Set up automated alerts for:
- New SaaS charges appearing on expense cards above a threshold (for example, $50 per month)
- New OAuth application consents in your identity provider
- New vendors appearing in accounts payable
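The three alerts above are all "what is new since last time" questions, so the natural implementation is a snapshot diff rather than a fresh audit. The script below is an added example, not StackIQ's code: it keeps the previous run's baseline in a JSON file, compares this month's constructed feeds against it, and emits an alert only for expense vendors whose monthly total crosses the $50 threshold, OAuth applications not consented before, and accounts-payable vendors not seen before. Feed field names and the assumption that vendor names were normalized upstream are this example's, not the page's.

```python
"""Continuous shadow-IT alerting as a snapshot diff.

Added example (not StackIQ's code). Each run compares this month's feeds
against the baseline saved by the previous run and alerts only on what is
new, so a cron job can send a short digest instead of a full inventory.
"""
import json
from collections import defaultdict
from pathlib import Path

EXPENSE_THRESHOLD = 50.0  # USD per vendor per month, the figure the text suggests

# Constructed sample feeds; field names are assumptions about an export format.
SAMPLE_TRANSACTIONS = [
    {"month": "2026-03", "merchant": "Zoom", "amount": 15.00, "user": "alice"},
    {"month": "2026-02", "merchant": "Loom", "amount": 12.00, "user": "bob"},   # prior month, ignored
    {"month": "2026-03", "merchant": "Loom", "amount": 12.00, "user": "bob"},
    {"month": "2026-03", "merchant": "Loom", "amount": 12.00, "user": "carol"},
    {"month": "2026-03", "merchant": "Loom", "amount": 12.00, "user": "dave"},
    {"month": "2026-03", "merchant": "Loom", "amount": 12.00, "user": "erin"},
    {"month": "2026-03", "merchant": "Loom", "amount": 12.00, "user": "frank"},
    {"month": "2026-03", "merchant": "Grammarly", "amount": 12.00, "user": "gina"},
]
SAMPLE_CONSENTS = [
    {"app": "Slack", "user": "alice", "scopes": ["email"]},
    {"app": "Otter.ai", "user": "alice", "scopes": ["calendar.readonly"]},
    {"app": "Otter.ai", "user": "bob", "scopes": ["calendar.readonly", "drive.readonly"]},
]
SAMPLE_AP_VENDORS = ["AWS", "Datadog"]


def _vendor_key(name):
    # Assumes feeds were normalized upstream; this only makes matching case-insensitive.
    return name.strip().lower()


def load_baseline(path):
    """Return the saved baseline, or an empty one on the first run."""
    p = Path(path)
    if not p.exists():
        return {"expense_vendors": [], "oauth_apps": [], "ap_vendors": []}
    return json.loads(p.read_text())


def save_baseline(path, baseline):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def detect_new(baseline, month, transactions, consents, ap_vendors):
    """Diff this month's feeds against the baseline; return (alerts, new_baseline)."""
    known_exp = set(baseline["expense_vendors"])
    known_oauth = set(baseline["oauth_apps"])
    known_ap = set(baseline["ap_vendors"])
    alerts = []

    # Expense: aggregate per vendor across all cardholders for the month, so five
    # $12 seats of one tool are caught even though each charge is under threshold.
    monthly, holders = defaultdict(float), defaultdict(set)
    for t in transactions:
        if t["month"] != month:
            continue
        k = _vendor_key(t["merchant"])
        monthly[k] += t["amount"]
        holders[k].add(t["user"])
    for k, total in sorted(monthly.items()):
        if k in known_exp or total < EXPENSE_THRESHOLD:
            continue  # sub-threshold vendors stay out of the baseline so they alert once they grow
        alerts.append({"type": "new_expense_vendor", "vendor": k,
                       "monthly_total": round(total, 2), "cardholders": len(holders[k])})
        known_exp.add(k)

    # OAuth: one alert per newly consented application, with the union of granted scopes.
    by_app = defaultdict(lambda: {"users": set(), "scopes": set()})
    for c in consents:
        k = _vendor_key(c["app"])
        by_app[k]["users"].add(c["user"])
        by_app[k]["scopes"].update(c["scopes"])
    for app, info in sorted(by_app.items()):
        if app in known_oauth:
            continue
        alerts.append({"type": "new_oauth_app", "app": app,
                       "users": len(info["users"]), "scopes": sorted(info["scopes"])})
        known_oauth.add(app)

    # Accounts payable: any vendor name not seen in a previous run.
    for v in ap_vendors:
        k = _vendor_key(v)
        if k not in known_ap:
            alerts.append({"type": "new_ap_vendor", "vendor": k})
            known_ap.add(k)

    new_baseline = {"expense_vendors": sorted(known_exp),
                    "oauth_apps": sorted(known_oauth),
                    "ap_vendors": sorted(known_ap)}
    return alerts, new_baseline


def run_check(baseline_path, month, transactions, consents, ap_vendors):
    """Load the baseline, diff, persist the new baseline, return the alerts."""
    alerts, new_baseline = detect_new(load_baseline(baseline_path), month,
                                      transactions, consents, ap_vendors)
    save_baseline(baseline_path, new_baseline)
    return alerts


if __name__ == "__main__":
    for a in run_check("shadow_it_baseline.json", "2026-03",
                       SAMPLE_TRANSACTIONS, SAMPLE_CONSENTS, SAMPLE_AP_VENDORS):
        print(json.dumps(a))
```

Two design choices matter here. Aggregating card charges per vendor before applying the threshold is what catches the free-tier upgrade pattern, where each seat is a small charge but the team total is not. Keeping sub-threshold vendors out of the baseline means a tool that starts at one seat still alerts the month it crosses $50, instead of being silently grandfathered in. Running the same feeds a second time produces no alerts, which is the property that makes the digest readable.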
The cost of ignoring shadow IT in 2026
The financial cost of shadow IT is real but manageable. Most mid-market companies discover 20 to 40 percent more SaaS spend than they thought they had when they finally get complete visibility. That is money that can be recovered through consolidation, volume negotiation, and cancellation.
The larger risk is data exposure from ungoverned AI tools. A single employee uploading a customer database to an AI platform that does not have a BAA or DPA in place can create a compliance incident that dwarfs the cost of the subscription.
Key takeaways
- Shadow IT in 2026 is driven by expense card purchases, free-tier upgrades, and AI tool adoption. Traditional discovery methods miss all three.
- Connecting expense systems to your SaaS management workflow is the single highest-impact step for closing the visibility gap.
- Quarterly SSO and OAuth consent audits surface tools that employees authorized with work credentials but IT never set up.
- AI tool adoption requires a lightweight, fast intake process. Heavy procurement cycles guarantee employees will bypass them.
- Shadow IT is an ongoing pattern, not a one-time audit. Continuous monitoring is the only sustainable approach.
If your SaaS discovery depends entirely on SSO integration and you have not looked at expense card data, you are missing a significant portion of your software estate. See how StackIQ connects business context across SSO, expense, and contract data to surface the tools that other platforms miss.