How do I detect shadow IT?
Pull the OAuth grants list from your identity provider (Google Workspace or Microsoft 365) — every SaaS app that anyone signed into with a company account will appear there, including tools IT never sanctioned.
Details
OAuth discovery is the single fastest shadow-IT detection method. It requires no agent installation and covers 80% of the SaaS an employee could sign up for using a company email.
The remaining 20% (personal-card purchases, tools that don't offer SSO, expense-reimbursed subscriptions) require a second data source: your corporate card and reimbursement systems. Ramp, Brex, and Airbase all provide vendor-level exports.
SeatMap.AI runs a monthly OAuth scan and cross-references it against your billed-vendor list, so anything newly appearing on OAuth without a matching invoice is flagged as unmanaged.
Steps
1. For Google: Admin console → Security → API controls → App access control → View list of apps.
2. For Microsoft: Entra ID → Enterprise applications → All applications, filtered by 'User created'.
3. Export the list. Every app not on your sanctioned tool inventory is shadow IT.
4. Cross-check against expense reports for reimbursed subscriptions IT never saw.
5. Categorize: sanction (add to inventory), consolidate (already have equivalent), block (security risk).
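The cross-reference in steps 3 to 5, as an added example in Python (not SeatMap.AI's code and not an official Google or Microsoft export format): the OAuth export, the sanctioned inventory and the billed-vendor list are constructed sample data with an assumed CSV layout, the vendor-name normalization is a deliberately simple heuristic, and the list of scope substrings treated as sensitive is an assumption used to surface candidates for the "block" bucket.

```python
"""Cross-reference an exported OAuth app list against the sanctioned tool
inventory and the billed-vendor export, flagging unmanaged apps.

Hypothetical example: the CSV columns below are assumed, not the exact
layout that Google Workspace, Entra ID, Ramp, Brex or Airbase export."""
import csv
import io
import re

# Constructed sample OAuth export: one row per (app, user) grant.
OAUTH_EXPORT = """app_name,client_id,user,scopes
Slack,client-slack-0001,alice@example.com,https://www.googleapis.com/auth/userinfo.email
Slack,client-slack-0001,bob@example.com,https://www.googleapis.com/auth/userinfo.email
Notion Labs Inc.,client-notion-0002,carol@example.com,https://www.googleapis.com/auth/drive.readonly
Otter.ai,client-otter-0003,dave@example.com,https://www.googleapis.com/auth/calendar.readonly
MailMerge Pro,client-mm-0004,erin@example.com,https://www.googleapis.com/auth/gmail.readonly https://www.googleapis.com/auth/contacts.readonly
"""

# Constructed: what IT has on its inventory, and what finance sees on invoices.
SANCTIONED = {"Slack", "Zoom"}
BILLED_VENDORS = {"Slack Technologies", "Notion Labs", "Zoom Video Communications"}

# Assumed: corporate suffixes to drop so "Notion Labs Inc." matches "Notion Labs".
CORP_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "technologies", "labs", "ai", "pro"}

# Assumed: scope substrings that mean the app can read mail or file contents,
# which makes an unsanctioned grant a candidate for the "block" bucket.
SENSITIVE_SCOPE_MARKERS = ("gmail", "drive", "mail.read", "files.read")


def vendor_key(name):
    """Normalize a vendor/app name to a crude matching key: lowercase,
    strip punctuation and trailing corporate suffixes, keep the first token."""
    tokens = re.sub(r"[^a-z0-9 ]+", " ", name.lower()).split()
    while len(tokens) > 1 and tokens[-1] in CORP_SUFFIXES:
        tokens.pop()
    return tokens[0] if tokens else ""


def load_grants(csv_text):
    """Aggregate the per-user export into one record per app:
    distinct users plus the union of granted scopes."""
    apps = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = apps.setdefault(
            row["app_name"],
            {"client_id": row["client_id"], "users": set(), "scopes": set()},
        )
        entry["users"].add(row["user"])
        entry["scopes"].update(row["scopes"].split())
    return apps


def classify(apps, sanctioned, billed):
    """Bucket each app exactly as the audit steps describe:
    sanctioned (on inventory), shadow-billed (an invoice exists but IT never
    inventoried it), or unmanaged (OAuth grant with no inventory entry and no
    invoice). Unsanctioned apps holding sensitive scopes are marked for review."""
    sanctioned_keys = {vendor_key(n) for n in sanctioned}
    billed_keys = {vendor_key(n) for n in billed}
    report = {}
    for name, info in apps.items():
        key = vendor_key(name)
        if key in sanctioned_keys:
            status = "sanctioned"
        elif key in billed_keys:
            status = "shadow-billed"
        else:
            status = "unmanaged"
        sensitive = any(
            marker in scope.lower()
            for scope in info["scopes"]
            for marker in SENSITIVE_SCOPE_MARKERS
        )
        report[name] = {
            "status": status,
            "users": len(info["users"]),
            "review_for_block": sensitive and status != "sanctioned",
        }
    return report


def build_report():
    """Run the whole cross-reference over the constructed sample data."""
    return classify(load_grants(OAUTH_EXPORT), SANCTIONED, BILLED_VENDORS)


if __name__ == "__main__":
    for app, row in sorted(build_report().items()):
        flag = "  <-- review for block" if row["review_for_block"] else ""
        print(f"{app:20} {row['status']:14} users={row['users']}{flag}")
```

Run stand-alone it prints one line per app; in practice you would replace the three constructed inputs with the real exports from the identity provider, the inventory and the card or reimbursement system. The first-token vendor key is intentionally crude (it will merge unrelated vendors that share a first word), so treat the output as a triage list to confirm, not as a final verdict.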
Automate this with SeatMap.AI
The audit path above works. It also takes hours per month per tool. SeatMap.AI runs it on a schedule, stages the reclaim actions for review, and shows you the annualized savings in real dollars.