The 5 Stages of Shadow IT Grief

Shadow IT? It's not an organizational priority...or is it?

Shadow IT: You’ve heard the term more times than you can count, and maybe you’ve even thought about taking action. But honestly, does managing shadow IT fall on IT’s shoulders? Name aside, isn’t this something for SecOps to worry about? And how urgent is it, really? After all, you’ve got bigger priorities on your plate…right? Good grief!

Good shadow IT grief, that is—where those seemingly minor oversights can turn into major risks, leaving uncertainty and exposure in their wake. If you’re like most CIOs, you’re likely experiencing shadow IT grief as you try to navigate this growing problem.

Diagnosing Shadow IT Grief  

Diagnosing shadow IT grief begins with that unsettling moment when you realize just how many unsanctioned SaaS apps are floating around in your company. It’s like discovering a whole new ecosystem operating without your approval — and worse, without any security oversight. The signs are always there: rogue Zoom accounts, random file-sharing platforms, forgotten test accounts, and employees enthusiastically onboarding themselves to tools you didn’t even know existed. By the time you notice, shadow IT has already multiplied, forcing you to come to terms with the fact that control is slipping through your fingers. If any of this sounds uncomfortably familiar, it might be time to diagnose where you are in the five stages of shadow IT grief.

Stage 1: Denial

You’re confident there’s no need to worry about shadow IT. After all, you’ve got third-party risk management (TPRM) assessments baked into your SaaS procurement process and corporate policies firmly in place for reviewing and adopting new apps. Plus, you’re already covered with an SSPM, monitoring network traffic, and regularly auditing your firewall and SWG logs. On top of that, your organization is SOC2 and ISO27001 compliant, and you’re following all the NIST guidelines to a T. Shadow IT? No big deal—you’re sure you’ve checked that box already...right?

Stage 2: Anger

No matter how hard you try to ignore it, shadow IT keeps popping up in your news feed—it’s like the universe won’t let you escape. Everywhere you turn, you’re hit with unsettling stats from reputable sources like Gartner, reporting that 41% of employees are acquiring SaaS outside of IT’s visibility. Then there’s the Identity Defined Security Alliance, reminding you that 84% of enterprises suffered an identity-related breach last year, and almost all of them could have been prevented with proper security measures. To top it off, you’re forced to confront the uncomfortable truth: your legacy security tools, the ones you invested in years ago, weren’t designed to tackle today’s shadow IT risks. Annoyance turns to anger as you realize shadow IT might be a bigger problem than you thought, and worse—it’s your responsibility to figure out just how deep it runs in your organization. This wasn’t supposed to be your job. You thought you’d moved on to bigger and more strategic initiatives, only to be dragged back to deal with this mess.

Stage 3: Bargaining

You start convincing yourself that you’re too busy for this. Your focus should be driving innovation, aligning tech with corporate goals, and fueling business growth—shadow IT is a natural outcome and just a distraction, right? You attempt to sidestep the problem by requiring stakeholders to report their SaaS in use, but no one’s biting—reporting is inconsistent and flawed at best. So, you try a different approach. Armed with a case of beer, you casually stroll over to your CISO’s team. “Hey...how’s my favorite SecOps team doing? Got a minute to chat about something ‘small’...like our shadow IT problem? (said with a half-convincing smile and your best Michael Scott impersonation) Well, you know... it’s kinda under control... probably... maybe...."

Stage 4: Depression

Reality sinks in: it’s you and your CISO against the relentless sprawl of shadow SaaS, and the weight of managing all the risks feels daunting. You start digging into the problem, only to be met with a mountain of confusing and contradictory information. Your SSPM claims to detect shadow SaaS...but hold on—it only secures the apps that you already know about and are connected to the platform. If unsanctioned SaaS is piggybacking on those, maybe you’ll catch a glimpse. (Fingers crossed…?) But what about the smaller, rogue apps used by niche teams that never even made it to your SSPM or your IdP, for that matter? The more you think about it, the bigger the problem gets.  Is it 5:00 yet?

Stage 5: Acceptance

You’ve finally faced the hard truth: shadow IT is a real problem that’s been quietly building under your nose, and it’s on you to rein it in. Employees will keep finding their own tools, and you’ve accepted that you don’t have full visibility into all of them. Worse, you’ve come to realize that some of these apps may be leaking proprietary information or putting your compliance standards (like HIPAA, SOX, GLBA, and PCI-DSS, to name a few) in jeopardy from unsecured access to sensitive data. You now see the gaps in your current discovery tools and understand the need to adjust your approach in order to secure your tech environment comprehensively. It’s time to confront the issue head-on, so you task your CISO with finding a solution to tackle your growing “SaaS risk creep” problem.  

Recovering from Shadow IT Grief  

We get it. You’ve got a lot on your plate, and tracking down shadow IT wasn’t exactly in the job description. In your defense, you thought you had it covered—after all, you’ve got your SSPM, firewalls, and security logs in place. But here’s the thing: just as you’ve moved on from your Palm Pilot and Blackberry, the tools you once relied on for SaaS security haven’t kept pace with how employees adopt and use SaaS today, in a world where data is stored everywhere and accessed from anywhere.

That’s where Grip’s SaaS Security Control Plane comes in. Instead of relying on outdated, surface-level visibility or reactive security measures, Grip takes a smarter, proactive approach by centering everything around user identity. With advanced email analysis and identity system integrations, Grip uncovers all SaaS in use—federated and unfederated—without needing proxies or agents. Grip shows you exactly who's using what, how users are accessing their apps, and prioritizes identity risks based on severity, impact, and context, like app data sensitivity and user privileges.

This level of granular control allows you to discover, evaluate, and mitigate identity risk at the source, whether it’s shadow SaaS flying under your radar, sanctioned tools with risky OAuth scopes, forgotten and abandoned accounts ripe for exploitation, or weak authentication methods that could be strengthened with SSO or MFA.  

Grip was designed for the reality of SaaS usage today, offering visibility into the apps you didn’t know existed, empowering your team to take back control, and providing automated workflows to mitigate risks. You can finally leave behind the grief of shadow IT and confidently focus on what matters most: driving innovation and growth without worrying about unseen SaaS risks lurking in your tech stack.

Shadow IT support group: Our team would love to hear about your SaaS security challenges, offer actionable advice, and show you the level of shadow SaaS in your organization. Take the first step: book your free shadow SaaS assessment now.

‍