5 Departments Most Likely to Use Shadow IT
Apr 16, 2025
Shadow IT has shifted from an outlying concern to a core risk. It’s no longer just a handful of rogue apps—shadow IT has become a pervasive, deeply rooted issue affecting various departments and impacting every industry.
Grip’s 2025 SaaS Security Risks Report uncovers exactly where shadow IT is thriving—and it’s not where you’d expect. SaaS applications used by teams such as IT and Security are much more likely to go through procurement and be subjected to governance protocols; however, a different dynamic unfolds elsewhere in the organization. SaaS is adopted quickly and easily, often without IT involvement and rarely with oversight. When Grip's data team analyzed tens of thousands of SaaS apps by department, a surprising pattern emerged: some of the most risk-prone usage wasn’t originating from where security teams typically focus.
Shadow IT flourishes in environments that prioritize speed and autonomy over established processes. Departments facing pressure to deliver quickly, innovate rapidly, or meet aggressive targets often bypass procurement protocols for immediate functionality. In these cases, traditional security policies aren’t rejected; they're merely overlooked.
Additionally, the rise of low-friction procurement—think free trials, monthly credit card billing, and browser-based apps—further fuels this behavior. The barrier to entry is low, and so is the perceived risk. However, behind every signup lies a new potential vulnerability: weak passwords, applications without SAML or MFA, and the risk of sensitive data flowing through apps not managed by the organization’s identity provider. Shadow IT thrives not because employees are negligent, but because existing controls were never designed to support how modern teams operate. Users don’t intend to create risk or harm to an organization; they simply want to get their job done and improve their outcomes.
According to the 2024 MarTech Composability Survey, 83% of marketers chose an alternative app despite a sanctioned tool already being available. They cited better functionality (67%) and more intuitive user experience (31%) as their main reasons. In today’s SaaS-first workplace, user preference is overtaking policy, and this shift is fueling the rise of shadow IT.
Who are the biggest users of shadow IT? According to Grip’s data, here are the departments that are most likely to introduce risk without even realizing it:
Marketing leads the pack—and it’s not surprising. Marketers are naturally early adopters, always testing new tools to enhance performance, personalization, and analytics. They frequently turn to niche applications with specialized features, most of which are low-friction and easy to implement without IT involvement. The result? A staggering 94% of marketing SaaS apps are unmanaged, representing the highest concentration of shadow IT in any department. Only 6% of the apps used by marketing teams are centrally managed.
At first glance, operations and facilities may not appear to be significant drivers of shadow IT, but the data tells a different story. With only 6% of their SaaS applications being centrally managed, this department parallels marketing in its share of unmanaged tools. Why is this the case? Most likely because operations teams frequently depend on a broad array of logistics, vendor management, maintenance, scheduling, and procurement platforms, many of which are adopted locally or at the site level rather than through centralized IT. Facilities managers might implement tools for overseeing physical assets, workspace reservations, or building access, often without recognizing that these applications can hold sensitive data about infrastructure, vendors, or employee movement. The widespread existence of unmanaged SaaS in this department likely stems from a combination of shadow IT and sanctioned tools that are simply left ungoverned.
Despite handling some of the most sensitive data in the organization, finance significantly lags in SaaS governance, with 93% of applications unmanaged and only 7% centrally managed. Finance teams adopt SaaS tools for budgeting, forecasting, and financial reporting, often independently of IT. When those tools access confidential financial records or PII without the necessary security controls, it leads to a growing compliance (and security) risk that remains largely invisible until it’s too late.
Sales teams relentlessly pursue greater productivity by adopting tools that save time, streamline outreach, and improve conversion rates. However, efficiency should not compromise security. One emerging risk is AI-powered notetakers. When these tools aren’t properly vetted—or when organizations fail to establish clear guidelines for usage—they can capture and share sensitive information without user awareness. For example, a salesperson using Otter.ai accidentally sent a complete transcript—including casual post-call discussions—to all meeting participants, exposing internal conversations that were intended to remain private. According to Grip’s data, only 12% of sales-related SaaS is centrally managed, leaving 88% unmanaged.
Task management isn’t a department; it’s a category. However, we’ve included it here because task management platforms are among the most widely used SaaS tools across organizations, regardless of teams, roles, or functions. Their ease of use and flexibility make them a preferred solution for everything from project tracking to cross-functional collaboration.
However, these tools are rarely governed. With dozens of options available—Trello, Asana, Monday.com, ClickUp, Notion, and more—teams often choose the application they prefer without consulting IT. This results in not only shadow IT but also SaaS sprawl, where various platforms serve the same function, increasing SaaS costs. In many instances, companies are paying for multiple task management tools—some managed and many not—with overlapping features and unclear ownership.
From a security perspective, the risks can be just as concerning. These apps often contain project roadmaps, customer deliverables, internal documentation, and even shared credentials, making them prime targets for attackers if access isn’t properly controlled. Without centralized oversight, users are often added on an ad hoc basis, external collaborators may retain access for extended periods, and former employees are seldom removed.
On average, task management SaaS applications are managed just 10% of the time.
If you’re measuring your SaaS footprint based on what is provisioned through your identity provider, you may be underestimating it by as much as eight times. Okta’s Businesses at Work 2025 report found that the average organization uses 114 SaaS apps, while Grip's research indicates an average of 835—nearly eight times more. The difference of 721 applications consists of unmanaged and shadow SaaS applications, highlighting just how much is flying under the radar.
Addressing the challenges of shadow IT requires a strategic, organization-wide approach that balances innovation with security—and Grip can help:
Shadow IT is no longer a trivial issue; it has quickly become a significant security blind spot with serious consequences. The very teams driving growth and innovation are often the same ones introducing unmanaged tools and bypassing governance, turning progress into exposure. Closing that gap starts with recognizing that shadow IT isn’t the exception. It’s the norm. And without a proactive strategy, it will only worsen.
Want to dive deeper into the data?
Download the full 2025 SaaS Security Risks Report
This report includes eye-opening statistics on unmanaged SaaS, shadow AI, abandoned accounts, and the rising cost of unused licenses. If you’re responsible for securing your organization’s SaaS ecosystem, this is a must-read playbook for the year ahead. Get your free copy now.