When Convenience Becomes Chaos
SaaS has changed the game for how businesses operate. What once took weeks of procurement, onboarding, and provisioning can now happen in a matter of minutes. With just a credit card and an email address, employees can spin up cloud-based tools for everything from project management to data analytics. The result? Faster innovation, greater agility — and a sprawling, invisible ecosystem of applications that IT never approved.
Welcome to the age of SaaS sprawl.
The numbers speak volumes. According to various industry reports, the average company now uses over 130 SaaS apps. But here’s the kicker: many of these tools fly completely under the radar of IT and security teams. Whether it’s a free trial of a new dashboarding tool or a small team buying a niche collaboration platform, these “unofficial” apps make up what’s known as Shadow IT — and they’re everywhere.
In fact, 81% of companies say they’re concerned about the use of unsanctioned applications by employees. That’s not surprising. Shadow IT introduces a host of risks, from data leakage and non-compliance to identity fragmentation and credential sprawl. And in an era where remote work is the norm and cybersecurity threats are more sophisticated than ever, flying blind just isn’t an option.

Yet many organizations are still playing whack-a-mole, trying to keep up with a growing cloud stack using outdated tools and manual audits. It’s time to change that. It’s time to treat SaaS sprawl like the strategic risk — and opportunity — that it is.
That’s where Identity and Access Management (IAM), combined with modern SaaS Monitoring solutions, steps in. IAM helps secure the front door, ensuring the right people have the right access to the right tools. But what about the tools IT doesn’t even know about?
In this post, we’ll explore why SaaS sprawl has become one of the most pressing security challenges of 2025, how Shadow IT quietly undermines even the best defenses, and how new capabilities — like LastPass’s SaaS Monitoring — are giving IT and security teams the visibility they need to regain control, without slowing the business down.
Let’s dive in…
The SaaS Explosion: A Double-Edged Sword
There’s no question that SaaS has revolutionized the modern workplace. In less than a decade, we’ve seen a dramatic shift from on-premise software and tightly controlled tech stacks to cloud-native ecosystems that prioritize speed, scalability, and user empowerment. SaaS tools now cover every business function imaginable — from CRM and HR to marketing automation, developer collaboration, and finance.
The result? Agility. Cost efficiency. Faster innovation. And most importantly, empowered employees who can select the tools they feel best fit their workflows.
But there’s a flip side!
The same ease that makes SaaS so appealing also makes it incredibly difficult to manage. Gone are the days when IT had to provision every application through a central service desk. Today, employees often bypass traditional procurement entirely — signing up for freemium tools, team-level subscriptions, or cloud platforms they discovered from a colleague or influencer. It’s not malicious; it’s simply human. People want to get their work done.
This organic, bottom-up adoption creates a wildly fragmented IT environment. Multiple teams may be using different versions of the same app. Customer data might be copied across unsanctioned platforms. And licenses are purchased — and forgotten — without any formal oversight. The more decentralized the organization, the faster this grows.
One survey found that the average employee uses 8–12 SaaS apps, a number that keeps rising, while IT is often aware of only a fraction of them. Multiply that across departments, remote teams, and third-party contractors, and it becomes clear: what looks like flexibility from the outside is often chaos behind the scenes.
What’s more, this isn’t just a “tech stack” problem. It’s a security, compliance, and identity management problem. If IT doesn’t know an app exists, it can’t secure it. If credentials are shared informally over Slack or email, it opens the door to phishing, credential stuffing, and insider misuse. And if sensitive data is uploaded to a shadow system, regulatory exposure becomes a ticking time bomb.
This is SaaS sprawl in action — and left unchecked, it undermines even the most mature cybersecurity programs. But before we can address it, we need to understand its most dangerous manifestation: Shadow IT.
Why Shadow IT Keeps CISOs Up at Night

There was a time when Shadow IT referred to the occasional rogue laptop or a team running a side project on a forgotten server. In 2025, it’s an entire parallel tech stack. Unapproved, unmonitored, and often unmanaged — Shadow IT has become one of the most persistent and underestimated threats facing security leaders today.
Why? Because it operates in the blind spots.
Let’s say a marketing manager signs up for a new analytics tool to generate faster customer insights. It’s free, easy to use, and integrates with their favorite dashboard app. So far, so good — until they connect it to your CRM, upload sensitive campaign data, and invite a few contractors to collaborate. None of this goes through IT. None of it is monitored. And when the manager leaves the company, the account stays active, the CRM integration keeps whatever access it was granted, the credentials remain unchanged, and the data sits exposed.
Multiply this scenario across dozens of teams and hundreds of apps, and you begin to see the problem.
Security Without Visibility Is Just Guesswork
Security teams rely on visibility to make informed decisions. Without it, they’re flying blind — and Shadow IT robs them of that clarity. When users deploy SaaS apps independently, they create access points that aren’t logged in central directories. Credentials may be reused, stored in browsers, or worse, written down. Multifactor authentication is rarely enabled. Logs aren’t centralized. Risk assessments never happen.
These blind spots open the door to:
- Data exfiltration — whether intentional or accidental
- Non-compliance with regulations and frameworks like GDPR, HIPAA, and SOC 2
- Credential sprawl and untracked access
- Lack of visibility into who is using what, and for what purpose
The real kicker? It’s not malicious. Shadow IT is almost always born from good intentions — employees trying to be productive, innovative, or collaborative. But the road to breach is paved with convenience.
A Wake-Up Call for the Enterprise
No wonder 81% of organizations say they are concerned about the use of unsanctioned applications by employees. That number isn’t just high — it’s telling. It reflects a collective anxiety within IT and security teams: that they’ve lost control not just of infrastructure, but of identity itself.
And identity is everything. When you don’t know where your identities are being used — or by whom — you can’t enforce security policies. You can’t manage entitlements. You can’t deprovision access when employees leave. You can’t even tell which tools are redundant, let alone which are critical.
This growing unease has led to a clear consensus: traditional approaches to IT governance are no longer enough. Shadow IT isn’t a fringe concern — it’s a central challenge to securing the modern enterprise.
And it’s one that demands a new kind of solution.
The Limitations of Traditional IT Governance
For years, IT teams have relied on tried-and-true governance models to manage applications and enforce security standards. Centralized procurement, asset inventories, access request workflows, and annual audits were once enough to keep things running smoothly. But in a world dominated by SaaS — and driven by user autonomy — those methods have begun to show their age.
It’s not that these tools are broken; they’re simply built for a different era.
The Governance Gap
Traditional IT governance assumes control at the point of entry. In other words, if an app doesn’t go through IT, it doesn’t enter the system. That assumption worked when software lived on company servers, or when provisioning was complex and time-consuming. But the cloud changed all of that. Anyone with a credit card and a few minutes can become an administrator — without IT ever knowing.
This creates a “governance gap” — a disconnect between what IT thinks is being used and what’s actually being used. By the time an app is discovered in an audit, it may have already stored sensitive data, granted access to external users, or exposed an integration to an attacker. Worse, it may be entrenched in business-critical workflows — making it hard to remove or replace without operational disruption.
The audit process itself also presents challenges. It’s periodic, manual, and often backward-looking. It tells you what happened, not what’s happening. In a rapidly evolving cloud environment, that delay can be costly.
Policies Without Teeth
Many organizations have strong policies on paper: “All apps must be approved by IT,” “No third-party storage without review,” “MFA is mandatory.” But without enforcement mechanisms, these policies are more like suggestions. Employees may not even be aware of them, especially in decentralized or hybrid work environments. And in the absence of automated discovery and enforcement, IT has little recourse beyond sending email reminders or conducting occasional training.
Meanwhile, the business marches on — spinning up new tools, entering new markets, and iterating on new ideas. The tools that make all this possible often fall outside IT’s line of sight.
Complexity and Burnout
Adding to the challenge is sheer complexity. IT teams today are juggling more than ever: hybrid infrastructure, device management, compliance frameworks, threat detection, user support — and now, a sprawling SaaS footprint. The effort to manually track every new app, every change in access, and every policy violation is not just inefficient — it’s unsustainable.
This leads to a dangerous cycle: overwhelmed IT teams, frustrated end users, and a growing shadow ecosystem that operates outside governance frameworks. The end result is a fragmented identity landscape where nobody truly knows who has access to what — or why.
Clearly, what’s needed is not more policy — it’s better tooling. A system that integrates governance into daily workflows. A platform that offers real-time visibility and centralized access management without getting in the way of productivity.
This is where Identity and Access Management (IAM) becomes critical. But to truly close the governance gap, IAM must evolve.
IAM to the Rescue: Building Visibility and Control
If SaaS sprawl is the wildfire, then Identity and Access Management (IAM) is the firebreak — the structured system that prevents the blaze from spreading out of control. IAM has long been the backbone of enterprise security, providing the mechanisms to verify who a user is, what they can access, and under what conditions. But in the face of modern SaaS dynamics, IAM is no longer just a perimeter tool. It’s the central nervous system of digital trust.
The Core Promise of IAM
At its heart, IAM answers three critical questions:
- Who is accessing your systems?
- What are they accessing?
- Are they supposed to?
This sounds simple, but in reality it requires tight integration between user directories, authentication mechanisms, application provisioning workflows, and policy enforcement layers. When done right, IAM creates a secure, consistent experience for users and a comprehensive, auditable control system for IT.
And when it comes to SaaS, IAM is essential. Why? Because SaaS apps often live outside traditional security perimeters. They don’t sit in your data center. They’re not governed by your firewall. And they evolve constantly — with new features, APIs, and potential vulnerabilities. IAM offers a way to extend your control to these apps without smothering the business in bureaucracy.
The Rise of Zero Trust and Least Privilege
Modern IAM solutions are increasingly adopting Zero Trust principles — the idea that no user or device should be trusted by default, even if they’re inside the network. Access is granted based on dynamic context: identity, device posture, location, and behavioral patterns. This is a natural fit for SaaS, where users are often working from remote locations on personal devices.
In parallel, the principle of least privilege ensures that users only get the access they truly need — nothing more. This minimizes exposure, reduces attack surface, and makes it easier to revoke access when someone changes roles or leaves the organization.
But here’s the catch: IAM only works if it knows what apps exist in the first place.
You can’t apply Zero Trust to an app you don’t know exists. You can’t enforce least privilege on a service with shared login credentials. And you certainly can’t deprovision an account you never knew was created. This is the core limitation of even the best IAM deployments — they’re only as good as their visibility.
That’s where SaaS Monitoring enters the picture.
Enter SaaS Monitoring: The New Frontier of Shadow IT Control

If IAM is the brain of your identity security strategy, then SaaS Monitoring is the radar. It picks up on what you don’t know — the unsanctioned, unmanaged, and often invisible apps that employees bring into the fold. And in a world where new tools appear daily, this kind of visibility is no longer a luxury. It’s a necessity.
What is SaaS Monitoring?
SaaS Monitoring refers to the continuous detection and analysis of software-as-a-service applications used across an organization — whether they’re officially approved or not. Unlike traditional tools that rely on static inventories or periodic audits, SaaS Monitoring operates in real time. It draws on browser activity, network or proxy logs, and identity provider sign-in data to build a constantly evolving map of your app ecosystem.
Think of it as a security camera for your cloud stack. It doesn’t just show you what’s there — it shows you how it’s being used, by whom, and with what level of risk.
Some of the key capabilities include:
- Discovery of unsanctioned SaaS apps
- User-level visibility into who is using which apps
- Authentication method per app: brokered through SSO, or a locally managed (and possibly weak or reused) password
- Integration with IAM systems to evaluate access hygiene
- Risk scoring based on app reputation, data access, and compliance posture
- Automated policy alerts or enforcement when risk thresholds are exceeded
This visibility transforms SaaS from a black box into a manageable, governable part of your IT architecture.
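The discovery loop described above, together with the orphaned-account scenario from the marketing-manager example earlier, can be shown end to end over a handful of log lines. The following is an added example, not LastPass code or any product's logic. It assumes three constructed inputs: a proxy log in a made-up `timestamp user host bytes_uploaded` format, an IdP sign-in log in a made-up `timestamp user app` format (only SSO-brokered logins appear there), a sanctioned-app catalogue and an HR roster of active employees. The scoring weights, thresholds, hostnames and users are all invented, and hostnames are collapsed to their last two labels rather than resolved against the Public Suffix List:

```python
"""Shadow-SaaS discovery over constructed proxy, IdP and HR data.

Added example, not LastPass code. Every input below (log formats, hosts,
users, scoring weights) is made up for illustration.
"""
from dataclasses import dataclass, field

# Constructed proxy log: "timestamp user destination_host bytes_uploaded".
PROXY_LOG = """\
2025-03-04T09:12:01Z alice@example.com app.salesforce.com 1200
2025-03-04T09:15:42Z alice@example.com cdn.newdash.io 350
2025-03-04T09:16:10Z alice@example.com api.newdash.io 8400000
2025-03-04T10:02:33Z bob@example.com app.salesforce.com 900
2025-03-04T10:05:17Z bob@example.com www.notion.so 2100
2025-03-04T11:30:00Z dana@example.com api.newdash.io 512000
2025-03-04T11:45:09Z carol@example.com files.quickshare-files.com 5300000
"""

# Constructed IdP sign-in log: "timestamp user app". Only SSO-brokered
# logins appear here, so an app a user reached without an entry was
# reached with a local (possibly weak or shared) password.
IDP_LOG = """\
2025-03-04T09:11:50Z alice@example.com Salesforce
2025-03-04T10:02:20Z bob@example.com Salesforce
2025-03-04T10:05:00Z bob@example.com Notion
"""

# Sanctioned catalogue: registered domain -> app name as the IdP knows it.
SANCTIONED = {"salesforce.com": "Salesforce", "notion.so": "Notion"}

# HR roster of active employees. dana has left; her accounts should be gone.
ACTIVE_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}

UPLOAD_THRESHOLD = 1_000_000  # bytes; crude signal for bulk data leaving
ALERT_THRESHOLD = 5           # score at or above this raises an alert


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (enough for the .com/.io/.so
    hosts used here; a real tool would consult the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


@dataclass
class AppRecord:
    domain: str
    users: set = field(default_factory=set)      # everyone seen talking to it
    sso_users: set = field(default_factory=set)  # those who signed in via the IdP
    bytes_out: int = 0


def discover(proxy_log: str = PROXY_LOG, idp_log: str = IDP_LOG,
             sanctioned: dict = SANCTIONED, active_users: set = ACTIVE_USERS):
    """Correlate proxy traffic with IdP sign-ins and HR status; return one
    scored finding per application, sorted by domain."""
    apps: dict[str, AppRecord] = {}

    # Pass 1: which users touched which app, and how much they uploaded.
    for line in proxy_log.splitlines():
        _ts, user, host, nbytes = line.split()
        dom = registered_domain(host)
        rec = apps.setdefault(dom, AppRecord(dom))
        rec.users.add(user)
        rec.bytes_out += int(nbytes)

    # Pass 2: mark the users whose access to an app went through SSO.
    name_to_domain = {name: dom for dom, name in sanctioned.items()}
    for line in idp_log.splitlines():
        _ts, user, app_name = line.split(maxsplit=2)
        dom = name_to_domain.get(app_name)
        if dom in apps:
            apps[dom].sso_users.add(user)

    findings = []
    for dom, rec in sorted(apps.items()):
        non_sso = rec.users - rec.sso_users   # reached with a local password
        departed = rec.users - active_users   # accounts offboarding never saw
        score, reasons = 0, []
        if dom not in sanctioned:
            score += 3
            reasons.append("unsanctioned app")
        if non_sso:
            score += 2
            reasons.append("access outside SSO")
        if rec.bytes_out > UPLOAD_THRESHOLD:
            score += 2
            reasons.append("bulk upload")
        if departed:
            score += 3
            reasons.append("used by departed employee")
        findings.append({
            "app": dom,
            "sanctioned": dom in sanctioned,
            "users": sorted(rec.users),
            "non_sso_users": sorted(non_sso),
            "departed_users": sorted(departed),
            "bytes_out": rec.bytes_out,
            "score": score,
            "reasons": reasons,
            "alert": score >= ALERT_THRESHOLD,
        })
    return findings


if __name__ == "__main__":
    for f in discover():
        flag = "ALERT" if f["alert"] else "ok   "
        print(f"{flag} {f['app']:<22} score={f['score']:<2} {', '.join(f['reasons'])}")
```

The cheap but useful signal here is the join between the two logs: a user who shows up in proxy traffic to an app but never in the IdP log for that app is, by construction, authenticating with a local password, which is the "SSO or weak password" column. That check works for sanctioned apps too, so a Salesforce login that bypasses SSO would surface the same way. The departed-user check only catches activity that still lands in your own proxy logs; an ex-employee logging in from home to a non-SSO app leaves no trace here, which is exactly why such apps need to be pulled behind the IdP once discovered.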
How It Goes Beyond Traditional Controls
You might be thinking, “Don’t we already have tools for this?” Possibly. But traditional Data Loss Prevention (DLP), CASB, or endpoint monitoring tools were built in a different context — often for static environments or managed devices. They can be slow to adapt and hard to scale, and they are either expensive to license or costly in time and effort to operate. In other words, their total cost of ownership (TCO) is high.
By contrast, modern SaaS Monitoring tools are purpose-built for the fluid, user-driven nature of the cloud. They detect shadow apps as they emerge, not after a breach. And they provide actionable context — not just logs — so security teams can make informed decisions quickly.
Critically, they also integrate with IAM, enriching user identity with behavioral data. That means you can not only see what apps are being used, but determine whether usage aligns with role-based access policies, security requirements, or compliance mandates.
A LastPass Perspective
At LastPass, we’ve seen firsthand how organizations struggle with this SaaS blind spot. That’s why we’ve introduced SaaS Monitoring as part of our broader identity and access management platform.
Our approach gives IT and security teams the tools they need to:
- Discover shadow applications in real time
- Link SaaS usage to known identities in the LastPass vault
- Identify risky or redundant apps
- Enforce policies based on user behavior and app profile
- Support audit and compliance readiness with detailed usage reports
The result?
A smarter, more secure way to manage SaaS — one that aligns user freedom with organizational oversight.
In other words, you don’t have to choose between agility and control. With IAM and SaaS Monitoring working hand in hand, you can have both.
From Firefighting to Forward Planning: A New Era for IT & Security
For too long, IT and security teams have found themselves in a reactive posture — constantly chasing alerts, plugging leaks, and responding to incidents that could have been prevented with earlier visibility. But SaaS Monitoring, when combined with a modern IAM strategy, allows organizations to shift from firefighting to forward planning.
This is more than just a change in tooling — it’s a change in posture.
From Reactive Cleanup to Proactive Governance
In the old model, an app would appear on the radar only when something went wrong: a breach, a compliance audit, a failed integration. By then, the damage — operational, financial, or reputational — was often done.
With SaaS Monitoring in place, IT can see apps as they appear, assess their purpose and risk, and take immediate steps:
- Approve and onboard them into existing IAM workflows
- Restrict or revoke access based on policy
- Communicate with the relevant teams about sanctioned alternatives
- Flag redundant or duplicative tools for consolidation
The focus shifts from control after the fact to enablement with guardrails — a far more scalable and strategic approach.
Aligning Technology with Business Goals
This proactive governance isn’t just about compliance or breach prevention. It also creates a new opportunity for business alignment. When IT teams understand which tools are truly driving productivity — and which are simply noise — they can make smarter decisions about licensing, support, integration, and deprecation.
It also empowers departments. When marketing wants a new automation tool or sales is piloting a novel CRM plug-in, IT can have those conversations with data in hand — balancing security with agility. Rather than being the “Department of No,” IT becomes a strategic advisor that helps teams succeed securely.
Reducing Burnout and Increasing Resilience

Finally, perhaps the most underrated benefit: peace of mind. Security and IT teams are stretched thin. Burnout is rampant. Giving them the tools to see clearly, act decisively, and support the business without compromising security isn’t just good governance — it’s essential for long-term resilience.
This shift from reactive to strategic isn’t a pipe dream. It’s happening now. And it’s being powered by the convergence of smart IAM practices and intelligent SaaS Monitoring.
Conclusion: Regaining Control in a Cloud-First World
The reality of 2025 is this: SaaS isn’t slowing down. Employees will continue to seek out the tools they need to do their jobs faster, better, and more creatively. Departments will continue experimenting. The lines between sanctioned and shadowed, productive and risky, will continue to blur. If anything, the pace will accelerate, especially as AI tools proliferate (AI sprawl).
But that doesn’t mean IT and security teams are doomed to play catch-up forever.
With the right strategy — and the right tools — organizations can regain control without compromising agility. It starts with recognizing that traditional governance approaches no longer scale in the face of SaaS & AI sprawl. Then it requires a shift in mindset: from fear of Shadow IT to a plan for managing it.
Recognizing a problem doesn’t always bring a solution, but until we recognize that problem, there can be no solution.
– James A. Baldwin
That’s where modern Identity and Access Management (IAM) becomes your foundation. It centralizes control, standardizes access, and builds trust into every login. But visibility is the critical missing piece — and that’s where SaaS Monitoring steps in.
Together, they form a powerful, future-ready approach to cloud security:
- IAM ensures that only the right people access the right tools
- SaaS Monitoring ensures you actually know what tools are in use
- And combined, they give IT and security teams the ability to guide rather than block, to enable rather than restrict
At LastPass, we believe this is the future of identity-driven security — and we’re building toward it. Our SaaS Monitoring capabilities give IT the insight they’ve been missing: real-time discovery of SaaS usage across the organization, linked to identity, enriched with risk data, and integrated into your workflows.
It’s not just about stopping Shadow IT. It’s about transforming it into strategic IT — where business innovation and security move forward, together.
Because the best security posture isn’t the one that says “no.” It’s the one that says “yes — and here’s how we do it securely.”