
The 2026 Guide to Uncovering Unsanctioned Cloud Apps


Most organisations think they’re running 30 to 40 cloud applications. The actual number, once you look, is typically over a thousand.

That gap isn’t negligence. It’s the cumulative result of individuals solving real problems with available tools: a quick file share, a free project tracker, a productivity browser extension, an AI assistant that integrates with the email client. Each decision makes sense in isolation. Together they create a shadow IT environment that IT has no visibility into and no ability to govern.

In 2026 the problem has a new dimension: AI. AI features increasingly embed directly into applications people already use — email clients, productivity suites, CRM systems. There’s no obvious “I’m now using an AI tool” moment. The employee is just using Outlook, or Salesforce, or whatever else, and a co-pilot feature activates in the background with access to business data.

Why the old approach doesn’t work

Blocking unsanctioned tools used to be a viable strategy. It’s less viable now, for two reasons.

First, cloud services are woven through everyday work. Blocking aggressively means blocking things people need to do their jobs, which creates either workarounds (worse) or resentment (counterproductive).

Second, AI features can’t always be individually blocked. If Microsoft 365 Copilot is enabled in your tenant and a user has a licence, AI is active across their entire Microsoft 365 environment. The question isn’t whether to allow AI — it’s whether your data governance is good enough to make AI safe to use.

How to actually find what’s running

Start with what you can already see. Your identity logs, endpoint telemetry, and network traffic contain most of what you need. Before running a dedicated discovery tool or announcing a policy review, look at what’s already in your monitoring data:

  • What third-party applications have users granted OAuth access to via Microsoft Entra ID?
  • What browser extensions are installed across managed devices?
  • What domains are your users regularly hitting that aren’t in your approved list?

Map usage, not just presence. Finding an application exists is the start. Understanding how it’s being used — who’s using it, what data they’re putting into it, whether it’s accessing corporate accounts or personal ones — is what informs the actual decision.

Score and prioritise. Not every unsanctioned application is equally risky. A free Pomodoro timer is different from an AI writing tool that users are pasting client data into. Score applications by data sensitivity, sharing configuration, identity controls, and whether AI features are active.

What to do with what you find

You don’t need to block everything you discover. You need a consistent decision framework:

  • Sanction applications that provide real value, handle data appropriately, and can be managed through your identity provider.
  • Restrict lower-risk tools — allow use, but only for non-sensitive data.
  • Replace applications where a sanctioned alternative already exists that users simply haven’t adopted.
  • Block tools with unacceptable risk profiles or no legitimate business use.
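The scoring criteria above (data sensitivity, sharing configuration, identity controls, active AI features) and this decision framework, worked through as an added example that is not from the article: the proxy log lines, the app records, the allow-list, the weights and the thresholds are all constructed assumptions, and the scope names are only illustrative of the OAuth grants you would pull from your identity logs.

```python
# Added example: find unapproved domains in constructed proxy telemetry, then score
# and triage each discovered app. Weights, thresholds and records are assumptions.
from dataclasses import dataclass, field

APPROVED_DOMAINS = {"sharepoint.com", "salesforce.com"}  # constructed allow-list

# Constructed proxy log lines; the key=value format is an assumption, not a vendor format.
PROXY_LOG = """\
2026-01-12T09:14:03Z user=alice dest=sharepoint.com bytes=48210
2026-01-12T09:15:40Z user=alice dest=aiwriter.example bytes=9120
2026-01-12T09:17:55Z user=bob dest=pomodoro.example bytes=310
2026-01-12T09:18:11Z user=carol dest=aiwriter.example bytes=18770
"""

def unapproved_domains(log_text):
    """Return {domain: set(users)} for destinations outside the allow-list."""
    seen = {}
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields["dest"] not in APPROVED_DOMAINS:
            seen.setdefault(fields["dest"], set()).add(fields["user"])
    return seen

@dataclass
class App:
    name: str
    data_sensitivity: int           # 0 none .. 3 client or regulated data
    external_sharing: bool = False  # sharing config allows anonymous/external links
    sso_enforced: bool = False      # identity controls: managed through the IdP
    ai_features: bool = False       # AI features active inside the app
    oauth_scopes: set = field(default_factory=set)  # scopes granted via consent

BROAD_SCOPES = ("Mail.", "Files.")  # scope prefixes that reach mailbox/file data
def risk_score(app):
    score = 3 * app.data_sensitivity
    score += 3 if app.external_sharing else 0
    score += 2 if not app.sso_enforced else 0
    score += 2 if app.ai_features else 0
    score += 2 if any(s.startswith(BROAD_SCOPES) for s in app.oauth_scopes) else 0
    return score

def decide(app, sanctioned_alternative=None, business_use=True):
    score = risk_score(app)
    if not business_use or score >= 12:   # unacceptable risk or no legitimate use
        return "block"
    if sanctioned_alternative:            # an approved equivalent already exists
        return "replace"
    if score < 5 and app.sso_enforced:    # low risk and governable via the IdP
        return "sanction"
    return "restrict"                     # allow, but only for non-sensitive data
```

Run `unapproved_domains(PROXY_LOG)` first to build the candidate list, then feed each candidate's record to `decide()`; the score thresholds are the part you should tune to your own risk appetite.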

The goal isn’t to minimise the list. It’s to make the list visible, deliberate, and governed — so that when something does go wrong, you know what you’re dealing with.


Shadow IT isn’t a sign of a bad security culture. It’s a sign that people are trying to do their jobs and the official tools aren’t always keeping up. A discovery process framed as “help us understand what you need” tends to surface far more than one framed as “we’re looking for violations”.

If you’d like help running a cloud app discovery or building a governance framework for your environment, get in touch.

Ready to scale safely?

Book a discovery call and we'll map out where you stand and what comes next.