Shadow IT discovery is the process of finding every SaaS application employees have signed up for using company email, company data, or company payment methods without IT's knowledge or approval. For Indian businesses, this is no longer just a helpdesk nuisance — under the Digital Personal Data Protection (DPDP) Act 2023, an unsanctioned app that stores customer data outside your control is a compliance liability you are accountable for even though you never approved it.
Why shadow IT quietly became a DPDP problem
Five years ago, an employee signing up for a free file-sharing tool or a marketing automation trial was an IT hygiene issue — annoying, but rarely urgent. That changed the moment the DPDP Act made every "Data Fiduciary" responsible for personal data processed on its behalf, regardless of which vendor or tool is doing the processing. If a sales rep uploads a customer list to a personal Trello board, a growth marketer pipes lead data into an unvetted email-warmup tool, or a support agent pastes ticket transcripts into a free AI chatbot, your company — not the employee, not the app vendor — carries the accountability when that data leaks.
The DSCI (Data Security Council of India) and CERT-In have both flagged unmanaged SaaS sprawl as a growing attack surface for Indian enterprises, particularly as remote and hybrid work normalized employees provisioning their own tools without procurement or security review. Every one of those tools is a place your organisation's data lives that your CISO cannot list, audit, or delete from.
What "shadow IT" looks like in a real Indian SMB
Shadow IT rarely arrives as one obvious rogue tool. It accumulates in layers, and each layer has a different discovery method:
- Free-tier signups — project management boards, form builders, note-taking apps, AI writing assistants, signed up with a work email because the free tier solved a problem IT's approved stack didn't.
- Trial-to-permanent tools — a 14-day trial a team never cancelled, now embedded in a workflow, silently billed to a personal card and renewed for years.
- Departmental workarounds — HR uses a resume-parsing SaaS the security team never reviewed; finance uses a personal Google Sheet synced to an automation tool for reconciliations.
- Browser extensions with SaaS backends — grammar checkers, PDF converters, and screen recorders that request broad permissions and quietly sync data to a third-party cloud.
- Contractor and freelancer tools — external collaborators bringing their own project trackers, design tools, or file stores into which your data flows without a contract, an NDA review, or a data processing agreement.
The four real discovery channels
There is no single "shadow IT scanner" that sees everything. A credible discovery program stitches together four independent signal sources, because each one catches a different category of tool.
- Identity and SSO logs. If you run Google Workspace, Microsoft 365, or an SSO/IdP, "Sign in with Google/Microsoft" events reveal every third-party app an employee has authorised with their work identity — often the single richest, cheapest signal available.
- Expense and finance records. Small recurring SaaS charges routinely fall below whatever threshold triggers procurement review, so trawling card statements and expense reports for recurring software line items surfaces tools nobody formally approved.
- DNS and network egress logs. Corporate DNS resolver logs and firewall/proxy egress logs show which SaaS domains devices on the network are actually talking to — this catches tools that were never authorised via SSO at all (e.g., signed up with a personal email, used on a work laptop).
- Direct employee survey. A short, blame-free, anonymous survey ("what tools do you use to get your job done that IT didn't set up for you?") consistently surfaces tools the technical signals miss — especially browser-extension and mobile-app shadow IT that leaves no DNS trace on the corporate network.
Know your vulnerabilities before attackers do
Run a free VAPT scan — takes 5 minutes, no signup required.
Book Your Free ScanBuilding the app inventory: what to capture per tool
Once discovery signals are merged, the output should not just be a list of app names. For each discovered application, record enough context to make a triage decision:
| Field | Why it matters |
|---|---|
| App name and vendor | Basic identification and vendor risk lookup |
| Who uses it and how many | Determines migration effort and business impact of blocking |
| What data flows into it | The core DPDP question — is personal data involved |
| Where the vendor stores data | Cross-border transfer and data-localisation considerations |
| Authentication method | SSO-linked apps are easier to control than password-only signups |
| Whether a DPA/contract exists | No data processing agreement is itself a red flag under DPDP |
| Business justification | Distinguishes "critical workaround" from "convenience tool" |
Triage: sanction, migrate, or block
Every discovered app resolves to one of three outcomes, and the decision should be made against a written checklist rather than gut feel:
- Sanction — the tool meets your baseline security bar (SSO support, an acceptable data processing agreement, reasonable vendor security posture, no unnecessary cross-border transfer of sensitive personal data) and solves a real problem the approved stack doesn't. Bring it into the managed inventory, add it to renewal and access-review cycles, and require SSO login going forward.
- Migrate — the tool solves a real need but fails the security bar (no SSO, vendor has no visible security practices, data residency is unclear). Give the team a deadline and a comparable approved alternative, and migrate the workflow, not just the login.
- Block and offboard — the tool adds negligible business value relative to its risk, or handles sensitive personal data with no contractual protection at all. Revoke access via SSO/IdP where possible, request data deletion from the vendor, and document the offboarding for your DPDP records.
Where shadow SaaS is typically first discovered
Across discovery programs, the initial detection tends to cluster into a handful of source buckets rather than any one dominant channel — which is itself the argument for running all four discovery methods together instead of picking one. The breakdown below is illustrative rather than a cited measurement; no single channel is standardly reported to cover a majority of unsanctioned tools on its own, which is the practical reason a one-channel program under-detects.
Making discovery a lightweight, recurring program
A shadow IT program that requires a dedicated headcount will not survive contact with an SMB's actual staffing. The programs that last share three traits:
- Automated, scheduled pulls from SSO logs and DNS/egress logs rather than manual export-and-review each quarter.
- A named owner — even part-time — who reviews the merged inventory, runs triage, and tracks migrations to completion. Without an owner, "sanction vs migrate vs block" decisions never get made and the inventory just grows.
- A lightweight intake path for new tools, so the next well-meaning employee has a fast, approved way to request a tool instead of just signing up quietly. NIST's guidance on system inventory management and OWASP's guidance on third-party component risk both point to the same underlying principle: you cannot secure what you cannot see, and the fastest way to reduce shadow IT is to make the sanctioned path faster than the unsanctioned one.
Getting started this month
You do not need a dedicated tool or a large budget to begin. Start with the two cheapest signals — pull the third-party app list from your Google Workspace or Microsoft 365 admin console, and scan the last two quarters of expense reports for recurring software charges. That single pass typically surfaces the majority of shadow SaaS in a small organisation and gives you a concrete list to triage this week rather than a vague sense that "there's probably shadow IT somewhere." Add DNS/egress review and an employee survey once the first pass is triaged, and you have a repeatable, low-effort program rather than a one-off project.
If you want a broader view of where your unmanaged SaaS exposure sits alongside your external attack surface, a free VAPT scan is a fast way to see what's actually reachable from outside, and our guidance on data mapping and processor accountability lives on the DPDP compliance page. For more practical guides like this one, browse the Bachao.AI blog.