Shadow SaaS turns standard offboarding into a compliance gap. Here's the anatomy of the risk — and a 5-step playbook to close it.
Most offboarding fails predictably. Here's the timeline.
IT revokes the obvious accounts: Google, Slack, GitHub, the apps in Okta. SCIM-provisioned apps disconnect automatically. So far, so good.
Every app the employee signed up for individually — Notion personal workspace, ChatGPT, Figma side-project, that AI note-taker they tried in October — is still live. None of these went through IT. None are in the offboarding checklist.
If the departure was amicable, nothing happens. If it wasn't, this is the window: the ex-employee still has their session cookies, OAuth tokens, and personal-email-linked accounts that touched company data. Most don't act maliciously. Some do.
SOC 2, ISO 27001, and HIPAA all require timely access revocation across every system processing in-scope data. 'We didn't know that app existed' is not a defense the auditor accepts.
The seat still bills monthly. Multiply by every ex-employee in the last 12 months and the typical mid-market company is paying $2k–$10k/year for ghosts.
The Notion side-project, the Figma personal account that holds the redesign mockup, the ChatGPT account paid by personal card and expensed. Standard SSO offboarding misses all of it.
Even when IT suspends the user's Google or Microsoft account, third-party apps that accepted that identity at sign-in hold their own sessions and often their own refresh tokens. Suspending the account at the identity provider blocks new sign-ins; it does not end the app-side session, which expires on the app's own schedule, sometimes weeks later. Revocation has to happen on the app side as well.
When a shadow app surfaces 6 months later, there's no record of who provisioned what or when. The breach is harder to scope and the compliance write-up takes weeks.
You can't revoke what you don't know about. Run an OAuth-grant audit (Google Workspace, Microsoft 365) and a corporate-card vendor scan before anyone leaves. The first time you do it, you'll find apps you didn't know existed.
Ex-employees often used multiple emails: corporate, personal, a project-specific alias. Dedupe per human across every app so a single 'revoke' command catches every account they ever opened.
Your offboarding doc almost certainly lists Okta, Google, Slack, GitHub. Add a step: 'Run shadow-IT audit; revoke any apps not in the standard list.' This single line catches the long tail.
Every revoke should write to an immutable log: who, what app, when, by whom. SOC 2 assessors want this exact record, and it takes a 4-hour audit prep down to a 5-minute export.
One-time offboarding doesn't catch the shadow account someone signed up for last week. A continuous inventory means new apps appear in the next audit cycle, not after a breach.
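The five steps above, as one added example (not SeatMap.AI's code, and not any vendor's API): a Python sweep that takes OAuth-grant and corporate-card exports, collapses them per human across every email that person used, diffs the result against the SSO-managed list, plans a revoke per shadow account, and writes each revoke to a hash-chained log that fails verification if any entry is edited or dropped. Every input is constructed sample data; the field names are this example's own normalization rather than the Google Admin SDK or Microsoft Graph schemas, and the identity map, sanctioned list, and API-revocable set are assumptions an IT team would supply from its own records.

```python
import hashlib
import json
from datetime import datetime, timezone

# --- Constructed sample inputs (not real exports) ---------------------------
# Normalized OAuth grant rows. In practice these come from the Google Admin SDK
# (users.tokens.list) and Microsoft Graph (oauth2PermissionGrants); the field
# names are this example's own normalization, not the vendors' schemas.
OAUTH_GRANTS = [
    {"idp": "google", "identity": "jdoe@example.com", "app": "Slack"},
    {"idp": "google", "identity": "jdoe@example.com", "app": "GitHub"},
    {"idp": "google", "identity": "jdoe@example.com", "app": "Otter.ai"},
    {"idp": "google", "identity": "jdoe-redesign@example.com", "app": "Figma"},
    {"idp": "microsoft", "identity": "jdoe@example.com", "app": "Notion"},
    {"idp": "google", "identity": "asmith@example.com", "app": "Notion"},
]

# Corporate-card statement lines, constructed. Merchant strings are mapped to an
# app via MERCHANT_TO_APP; unmatched lines are surfaced as UNMAPPED, not dropped.
CARD_LINES = [
    {"cardholder": "jdoe@example.com", "merchant": "OPENAI *CHATGPT SUBSCR", "amount": 20.0},
    {"cardholder": "jdoe@example.com", "merchant": "FIGMA MONTHLY RENEWAL", "amount": 15.0},
    {"cardholder": "asmith@example.com", "merchant": "NOTION LABS INC", "amount": 10.0},
]
MERCHANT_TO_APP = {"OPENAI": "ChatGPT", "FIGMA": "Figma", "NOTION": "Notion"}

# Every email or alias one human used (assumed to be supplied by HR/IT).
IDENTITIES = {
    "jdoe": {"jdoe@example.com", "jdoe-redesign@example.com", "jane.doe@gmail.com"},
    "asmith": {"asmith@example.com"},
}

# Apps in the SSO directory: the standard checklist already revokes these.
SANCTIONED = {"Google Workspace", "Slack", "GitHub", "Okta"}

# Apps where a revoke can be driven through an API; the rest are manual kills.
API_REVOCABLE = {"Slack", "GitHub", "Notion"}


def app_from_merchant(merchant):
    """Map a card-statement merchant string to an app name, or None if unknown."""
    upper = merchant.upper()
    for key, app in MERCHANT_TO_APP.items():
        if key in upper:
            return app
    return None


def accounts_touched(person, grants=OAUTH_GRANTS, card_lines=CARD_LINES, identities=IDENTITIES):
    """Every (app, identity, evidence) a human reached through any of their emails."""
    emails = identities[person]
    found = set()
    for g in grants:
        if g["identity"] in emails:
            found.add((g["app"], g["identity"], f"oauth:{g['idp']}"))
    for line in card_lines:
        if line["cardholder"] in emails:
            app = app_from_merchant(line["merchant"])
            found.add((app or f"UNMAPPED:{line['merchant']}", line["cardholder"], "card"))
    return found


def shadow_accounts(accounts, sanctioned=SANCTIONED):
    """The long tail: anything the SSO-based checklist would not have revoked."""
    return {acct for acct in accounts if acct[0] not in sanctioned}


class AuditLog:
    """Append-only, hash-chained log: each entry commits to the previous entry's
    hash, so editing or deleting any record makes verify() return False."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = dict(fields, prev_hash=prev)
        self.entries.append(dict(body, hash=self._digest(body)))
        return self.entries[-1]["hash"]

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def offboard(person, operator, log, now=None):
    """Shadow-IT step of offboarding: find, classify, and record every revoke."""
    now = now or datetime.now(timezone.utc).isoformat()
    plan = []
    for app, identity, evidence in sorted(shadow_accounts(accounts_touched(person))):
        method = "api" if app in API_REVOCABLE else "manual"
        plan.append({"app": app, "identity": identity, "evidence": evidence, "method": method})
        log.append(action="revoke", person=person, app=app, identity=identity,
                   evidence=evidence, method=method, at=now, by=operator)
    return plan


if __name__ == "__main__":
    audit = AuditLog()
    for item in offboard("jdoe", "it-admin@example.com", audit):
        print(item)
    print("audit chain intact:", audit.verify())
```

Run it for the departing user and the plan lists the Figma account that only exists under the project alias, the ChatGPT seat that shows up only on the card statement, and the AI note-taker grant the checklist never mentioned, while Slack and GitHub are left to the standard SSO step. Each planned revoke becomes one chained log entry; exporting `audit.entries` is the SOC 2 evidence, and a later re-run of `verify()` proves nobody rewrote it.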
Shadow SaaS is any cloud application employees use for work that wasn't provisioned by IT — typically signed up for with a personal email or corporate card, never added to the SSO directory. The average mid-market company has 5× more shadow apps than IT can name.
Standard offboarding revokes access to apps in the SSO directory. Shadow SaaS apps aren't in the directory, so they're not in the offboarding checklist, so they don't get revoked. The ex-employee retains access — and any data they had in those apps — indefinitely.
Industry surveys put the number at 38% retaining at least one app 30 days after termination, with discovery averaging 47 days for shadow accounts. The mean is dragged up by long-tail apps no one remembers to check.
An ex-employee with a grievance retains access to a shadow app holding customer data, source code, or financial records. Even when nothing malicious happens, the compliance exposure alone (SOC 2, HIPAA, GDPR) can sink an enterprise sales cycle when the prospect's security review asks about access controls.
Three ways. (1) Inventory: every OAuth grant from connected workspaces, deduplicated per human, so you can see every app a leaving employee touched. (2) One-click revoke: per-seat and bulk reclaim across connected apps. (3) Immutable audit log: every revoke timestamped and attributed, ready to export for SOC 2 evidence.
Model them manually in 30 seconds — name, cost, seat list. You can mark seats as killed even when there's no API to revoke them. The audit trail is identical.
Connect your workspace and SeatMap.AI surfaces every app — shadow or sanctioned — that any current or recently-departed employee has touched.