Shadow IT and SaaS Sprawl: When Staff Sign Up to Tools Without Telling IT.

Irish SME staff regularly sign up to cloud tools without IT approval, sharing company data with unsanctioned platforms. Here is how to identify the exposure and

During a security assessment of a Sligo professional services firm, the IT provider identified 47 cloud applications connected to the firm's Microsoft 365 tenant that the firm's management had never approved. These included file-sharing services, AI writing tools, project management platforms, communication apps, and two services that had since ceased trading — meaning their servers and the firm's data on them were now under unknown ownership.

The firm's official IT stack was thoroughly secured. The 47 shadow applications were not. Several had access to the firm's email, contacts, and calendar data through OAuth permissions granted by individual staff members without IT review.

This is shadow IT. It is present in every Irish SME that has cloud-connected staff, and it is almost always more extensive than management realises.


What Is Shadow IT?

Shadow IT is the use of technology systems, applications, and services by staff or departments without the knowledge, approval, or oversight of the organisation's IT function. In the SaaS era, this primarily means staff signing up for cloud applications using their work email address and granting those applications access to corporate data.

The motivation is almost always benign — a team member discovers a tool that makes their work easier and starts using it. The problem is that the tool may store corporate data in jurisdictions or on infrastructure that does not meet the organisation's security or compliance requirements, and that the organisation has no visibility of the exposure.


Why SaaS Sprawl Has Accelerated

The barrier to adopting a new cloud service is essentially zero. Any staff member with a work email address can sign up to a cloud platform in two minutes. Many SaaS applications offer free tiers specifically designed to encourage adoption from the bottom up — the expectation is that individual users will sign up, find value, and eventually advocate for organisational adoption.

The OAuth integration model, where a new application asks for permission to access your email, contacts, or files, has made this even more pervasive. A staff member signing up to an AI writing assistant and clicking "connect with Microsoft 365" is shown a consent screen listing the permissions the application wants; once they click Accept on a tenant that allows user consent, the application holds those permissions (commonly read access to the user's mailbox, and often more) until someone revokes them, regardless of whether their employer would sanction it.

For an Irish SME whose Microsoft 365 tenant contains client contracts, financial data, HR information, and operational records, the cumulative effect of multiple staff members making individual SaaS decisions is a data exposure that no one has mapped.

Do you know how many cloud applications currently have OAuth access to your Microsoft 365 or Google Workspace tenant? The number is almost always higher than management expects. Book a free 20-minute strategy call — we run shadow IT discovery as part of our standard SME security assessments.


The Specific Risks

Data in unvetted locations. Company data stored in an unsanctioned application may be in a data centre outside Ireland or the EU, processed under terms of service that permit the vendor to use it for AI training, or held by a company with inadequate security controls. GDPR places obligations on data controllers — your business — regarding where and how personal data is processed.

Persistent access after staff departure. Disabling a departed employee's account stops that person signing in, but it does not tidy up what they connected. The consent records they created stay on the tenant, any copy of company data the application had already synced stays with the vendor, and applications that were granted application-level (app-only) permissions keep working because that access does not depend on any user account. A project management tool a former employee connected may therefore still hold, or still be able to read, your Google Workspace files long after they have left, until those connections are specifically revoked.

Zombie applications. Applications that were used briefly and abandoned but never formally closed may still be active, still retaining data, and still holding OAuth permissions. If the vendor has been acquired or ceased trading, the destination of that data may be unclear.

Credential sprawl. Staff who sign up to unsanctioned tools using their work email typically create a separate username and password for the tool rather than using single sign-on or your managed password manager. That password is often reused from elsewhere and is protected by no multi-factor authentication you control, so a breach at the vendor can expose a credential that also opens other accounts. This is credential exposure that sits entirely outside your security controls.


How to Discover and Address Shadow IT

Run an OAuth application audit. In Microsoft 365, open the Microsoft Entra admin centre and go to Identity > Applications > Enterprise applications (the list formerly found under Azure Active Directory > Enterprise Applications). Every application that any user has consented to appears here; open an entry and check Permissions to see which scopes were granted and whether a user or an administrator consented. The list will almost certainly contain applications management has never approved. In Google Workspace, the Admin console shows connected third-party applications under Security > Access and data control > API controls.

Review each application. For each OAuth connection, determine whether the application is sanctioned, what access it has, whether the user who consented still works for you, and whether the access is still needed. Treat grants to unverified publishers, grants that include mail or file scopes, and tenant-wide administrator consents with particular care. Revoke connections that are not sanctioned or no longer required. Revocation removes future access only; anything the vendor already holds stays with the vendor until you ask them to delete it.
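The audit and revocation steps above, written out as an added example that is not the article's own material: a script using the Microsoft Graph PowerShell SDK that lists every delegated OAuth grant in a Microsoft 365 tenant with the consenting user, whether that user is now disabled, the publisher verification status and the scopes, and then, going beyond the console walk-through, separately lists application-level (app-only) permissions, the ones that survive staff departures. The sanctioned-app list, the sensitive-scope list, the CSV file name and the placeholder ids in the commented-out revoke commands are assumptions chosen for illustration.

```powershell
# Added example for this article, not code from the original page. Uses the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph). The sanctioned-app list, the sensitive-scope
# list and the CSV file name are assumptions chosen for illustration.

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All',
                        'DelegatedPermissionGrant.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# Assumption: AppIds of tools the business has actually approved. Empty means everything is reviewed.
$sanctionedAppIds = @()

# Assumption: delegated scopes that expose mail, files or the directory are the ones to review first.
$sensitiveScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Contacts.Read', 'Calendars.Read',
                     'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All',
                     'User.Read.All', 'Directory.Read.All', 'offline_access')

# Index every service principal (client apps and resources such as Microsoft Graph) by object id.
$spById = @{}
Get-MgServicePrincipal -All -Property Id, AppId, DisplayName, AppOwnerOrganizationId, PublisherName, VerifiedPublisher, AppRoles |
    ForEach-Object { $spById[$_.Id] = $_ }

$tenantId  = (Get-MgContext).TenantId
$userCache = @{}

# Delegated grants: access on behalf of a user. ConsentType 'Principal' = one user consented for
# themselves; 'AllPrincipals' = an administrator consented for the whole tenant (PrincipalId is empty).
$delegated = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $client = $spById[$grant.ClientId]
    if ($null -eq $client -or $sanctionedAppIds -contains $client.AppId) { continue }

    $user = $null
    if ($grant.PrincipalId) {
        if (-not $userCache.ContainsKey($grant.PrincipalId)) {
            $userCache[$grant.PrincipalId] = Get-MgUser -UserId $grant.PrincipalId -Property UserPrincipalName, AccountEnabled -ErrorAction SilentlyContinue
        }
        $user = $userCache[$grant.PrincipalId]
    }
    $consentedBy       = if ($user) { $user.UserPrincipalName } else { $grant.PrincipalId }
    $consenterDisabled = if ($user) { -not $user.AccountEnabled } else { $null }
    $publisher         = if ($client.VerifiedPublisher.DisplayName) { $client.VerifiedPublisher.DisplayName } else { "UNVERIFIED ($($client.PublisherName))" }
    $scopes            = @($grant.Scope -split ' ' | Where-Object { $_ })

    [pscustomobject]@{
        Application       = $client.DisplayName
        AppId             = $client.AppId
        Publisher         = $publisher
        ThirdPartyApp     = ($client.AppOwnerOrganizationId -ne $tenantId)   # registered in another tenant
        ConsentType       = $grant.ConsentType
        ConsentedBy       = $consentedBy
        ConsenterDisabled = $consenterDisabled                               # grant created by a now-disabled user
        Resource          = $spById[$grant.ResourceId].DisplayName
        SensitiveScopes   = (@($scopes | Where-Object { $sensitiveScopes -contains $_ }) -join ' ')
        AllScopes         = ($scopes -join ' ')
        GrantId           = $grant.Id
    }
}

# Application (app-only) permissions: access that depends on no user account, so it outlives staff
# departures. Each assignment is an app role on the resource (e.g. Mail.Read on Microsoft Graph).
# One Graph call per service principal; fine for an SME tenant.
$appOnly = foreach ($sp in $spById.Values) {
    if ($sanctionedAppIds -contains $sp.AppId) { continue }
    foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $resource   = $spById[$assignment.ResourceId]
        $role       = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        $permission = if ($role) { $role.Value } else { $assignment.AppRoleId }
        [pscustomobject]@{
            Application  = $sp.DisplayName
            AppId        = $sp.AppId
            Resource     = $assignment.ResourceDisplayName
            Permission   = $permission
            AssignmentId = $assignment.Id
        }
    }
}

$delegated | Sort-Object Application |
    Format-Table Application, Publisher, ThirdPartyApp, ConsentedBy, ConsenterDisabled, SensitiveScopes -AutoSize
$appOnly | Sort-Object Application | Format-Table Application, Resource, Permission -AutoSize
$delegated | Export-Csv -Path .\oauth-grant-review.csv -NoTypeInformation   # file name is an assumption

# After review, revoke by id. This removes future access only; data the vendor already holds must be
# deleted by the vendor (a GDPR erasure request where it contains personal data).
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<GrantId from the CSV>'
# Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId '<service principal Id>' -AppRoleAssignmentId '<AssignmentId>'
```

Run it from an account that can read applications and users and, for the revocation step, manage grants and app role assignments. A grant whose ConsenterDisabled column is True is exactly the "persistent access after staff departure" case, and the app-only table is the list that disabling user accounts never touches.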

Implement a SaaS request process. Create a simple process, even a brief email to the IT provider, for staff who want to adopt a new tool. The criteria for approval can be minimal: is the data it accesses sensitive, where is it stored, what are the terms of service? Even a lightweight process creates visibility. Both platforms can back the process technically: Microsoft Entra ID lets you turn off self-service user consent and enable the admin consent workflow so requests are routed to an approver, and Google Workspace's app access control lets you restrict which third-party apps may access Workspace data.

Communicate the policy, not the prohibition. Staff who adopt shadow IT tools are solving problems. A policy that simply says "do not use unsanctioned tools" creates frustration and is ignored. A policy that says "bring your tool requests to us and we will evaluate them quickly" creates a workable channel and maintains oversight.


What Next

  1. Run the OAuth audit in your Microsoft 365 or Google Workspace tenant this week. The information is there. Looking at it is the first step.

  2. Revoke connections to applications you do not recognise, no longer use, or have not sanctioned. This is a low-risk, high-value action: revoking an OAuth connection removes future access but does not delete data the vendor already holds, so where that data includes personal information, follow up with a deletion request to the vendor.

  3. Create a simple SaaS request process. One sentence in your acceptable use policy: "New cloud tools that connect to company data must be approved by [name] before use." Communicate it at the next team meeting.


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

  1. Data Protection Commission Ireland — Cloud Services Guidance
  2. NCSC Ireland — Advice for Organisations
  3. An Garda Síochána — National Cyber Crime Bureau

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
