Issue 05 · 29 May

Your company runs 130 SaaS apps. Your IT team governs about 26 of them.

Most IT teams govern about 20% of the SaaS stack their company actually runs. The other 80% wasn't adopted in the shadows. It was adopted in the open.

Pranay Yadav · 4 min read

Origin

This came from a conversation with an IT manager at one of our customers. He'd been in operations for eleven years and had just run his first inventory scan at a new company. The number surprised him. He asked us not to use his name, but the words are his. What follows is in his voice.

The scan came back on a Tuesday afternoon.

I'd been the IT manager at this company for two years. I knew the stack, or I thought I knew the stack. I knew our SSO, our MDM, our ticketing system. I knew what we'd provisioned, what we'd approved, what showed up in the renewals list every year. I could tell you which apps were connected to Okta, which teams were using what, which vendors had sent invoices in the last quarter.

The scan found 130 applications.

I had detailed knowledge of 26 of them.


That gap has a name inside our industry, and it's not a good one. Shadow IT. The term carries an implication of rogue behavior, of employees sneaking tools past a watchful IT team. That framing misses what's actually happening.

The other 104 apps weren't adopted in the shadows. They were adopted in the open. A product manager found a better project planning tool and put it on the company card. An engineer set up a monitoring integration directly in GitHub. Someone in finance started using a data visualization tool that got passed around the team and became standard in six weeks. The design team switched from one annotation tool to another because the new one was free and the old one wasn't, and never thought to file a ticket, because why would they.

None of this is rogue behavior. It's how software gets adopted at a company that's moving fast and has a lean IT team. People solve their own problems when the alternative is a two-week ticket queue. The tools they adopt are real tools, used for real work, by real employees with real access. They just aren't in the governance system.

The name I use for this isn't shadow IT. It's the ungoverned stack.


The ungoverned stack has a profile. It's not random.

It tilts toward collaboration tools, the ones that spread person to person because sharing is the point. Figma, Miro, a project tracker someone in product started using, a niche analytics tool a single team brought in. Someone shares a board and now six people have accounts. Those six each share something and now there are thirty. IT never provisioned any of them.

It includes the tools that predate the current identity stack. If your company was founded six years ago and got serious about SSO two years ago, there's a layer of software underneath that predates the governance architecture entirely. Those apps never got migrated in. They've been running quietly, unconnected, ever since.

And it includes integrations: tools connected directly to other tools via Google OAuth, direct API keys, or service accounts, rather than going through your SSO. These don't show up in Okta. They often don't show up anywhere until something breaks and someone traces the chain.


When IT managers see the full number for the first time, there's a beat of disbelief. Then recognition. Then a specific kind of dread as the provisioning and offboarding implications come into focus.

If 104 apps exist outside your governance system, then every new hire's access to those apps is manual. If it happens at all. Every departure leaves access open in those apps until someone manually revokes it. If it happens at all. Every access review you run is complete for 26 apps and silent on the other 104.

The compliance report says governance: in place. It is not wrong. It is describing a different stack than the one your company actually runs.


The scan doesn't create the problem. The problem existed before the scan. What it does is convert an invisible gap into a visible one. Which matters, because invisible problems don't get fixed.

You can't govern what you can't see. That's not a consolation. It's the only available starting point.

When the scan comes back with 130 apps and you can account for 26 of them, the question isn't how to feel about the number. It's what you govern now that you can see it. The answer, when you have the right tooling, is: all of it. The 26 apps inside your SSO and the 104 that aren't. Provisioned together. Offboarding running all the way to the edge of the stack instead of stopping 26 apps in.

The number comes back and the room goes quiet. Then you get to work.
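The three places the account above says the ungoverned apps leave a trace (OAuth grants that never touch the IdP, card spend, and the SSO assignment list itself) can be reconciled mechanically, and the offboarding gap falls out of the same join. The script below is an added example, not the page's or the vendor's code and not the manager's own process. Every input is constructed inline, and the record shapes (`Grant`, the `SSO_APPS` set, the card-vendor set, the departures dict) are assumptions, not the Okta or Google Workspace API schemas; in practice you would feed it exports from those systems.

```python
"""Reconcile SSO-governed apps against what the IdP never sees.

Added example with constructed data. Field names and record shapes are
assumptions for illustration, not any vendor's real export format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Scopes that only identify the user. Anything beyond these means the app
# can read or write company data, not just sign someone in.
SIGN_IN_ONLY = frozenset({"openid", "email", "profile"})


@dataclass(frozen=True)
class Grant:
    """One third-party OAuth grant a user made with their workspace account (constructed shape)."""
    app: str
    user: str
    scopes: frozenset
    granted: date


# Constructed: apps assigned through SSO. This is the whole of what the governance system knows.
SSO_APPS = frozenset({"Slack", "GitHub", "Google Workspace", "Jira", "Zoom"})

# Constructed: OAuth grants pulled from the workspace admin console. None of these went through SSO.
OAUTH_GRANTS = [
    Grant("Figma", "ana@example.com", frozenset({"openid", "email"}), date(2023, 3, 1)),
    Grant("Figma", "ben@example.com", frozenset({"openid", "email"}), date(2023, 3, 9)),
    Grant("Miro", "ben@example.com",
          frozenset({"openid", "email", "https://www.googleapis.com/auth/drive.readonly"}),
          date(2023, 6, 2)),
    Grant("Slack", "ana@example.com", frozenset({"openid", "email"}), date(2022, 1, 10)),
    Grant("Linear", "cho@example.com", frozenset({"openid", "email", "profile"}), date(2024, 2, 20)),
]

# Constructed: vendors that appear on the corporate-card export.
CARD_VENDORS = frozenset({"Figma", "Linear", "Datadog", "Zoom"})

# Constructed: HR departures, user -> last day.
DEPARTED = {"ben@example.com": date(2024, 1, 15)}


def discovered_apps() -> frozenset:
    """Every app seen in any source: the real stack, not the governed one."""
    return SSO_APPS | frozenset(g.app for g in OAUTH_GRANTS) | CARD_VENDORS


def ungoverned_apps() -> frozenset:
    """Apps that exist but are outside SSO, so provisioning and offboarding are manual."""
    return discovered_apps() - SSO_APPS


def coverage() -> float:
    """Share of the real stack the governance system actually covers."""
    return len(SSO_APPS) / len(discovered_apps())


def orphaned_grants(today: date = date(2024, 6, 1)) -> list:
    """Grants held by departed users in apps SSO deprovisioning never reaches.

    A grant counts only if it was made before the person left and the
    departure has already happened as of `today`.
    """
    ungoverned = ungoverned_apps()
    return [
        g for g in OAUTH_GRANTS
        if g.user in DEPARTED
        and g.app in ungoverned
        and g.granted < DEPARTED[g.user] <= today
    ]


def data_scope_grants() -> list:
    """Ungoverned apps whose grant carries more than sign-in scopes: the ones to review first."""
    ungoverned = ungoverned_apps()
    return [g for g in OAUTH_GRANTS if g.app in ungoverned and not g.scopes <= SIGN_IN_ONLY]


def sources_by_app() -> dict:
    """Which source(s) each app was seen in: 'sso', 'oauth', 'card'."""
    seen = defaultdict(set)
    for app in SSO_APPS:
        seen[app].add("sso")
    for g in OAUTH_GRANTS:
        seen[g.app].add("oauth")
    for app in CARD_VENDORS:
        seen[app].add("card")
    return dict(seen)


def card_only_apps() -> frozenset:
    """Apps with spend but no identity trail at all: no SSO, no OAuth grant to inspect."""
    return frozenset(app for app, srcs in sources_by_app().items() if srcs == {"card"})


if __name__ == "__main__":
    print(f"discovered {len(discovered_apps())}, governed {len(SSO_APPS)}, coverage {coverage():.0%}")
    print("ungoverned:", sorted(ungoverned_apps()))
    print("card-only (no identity trail):", sorted(card_only_apps()))
    for g in data_scope_grants():
        print(f"data-scope grant outside SSO: {g.app} by {g.user}: {sorted(g.scopes)}")
    for g in orphaned_grants():
        print(f"orphaned: {g.user} left {DEPARTED[g.user]} but still holds {g.app}")
```

The point of the join is the last two lists. `card_only_apps` is the worst case in the account above: the app is paid for, so it is real, but there is no grant to revoke and no SSO assignment to remove, so offboarding has nothing to act on. `orphaned_grants` is the concrete form of "every departure leaves access open until someone manually revokes it": deactivating the SSO account does not touch a grant the user made directly with the app.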

#shadow-it #saas-sprawl #iga #access-management #ungoverned-stack