The 90% Problem: Why Most of Your SaaS is Invisible to IT

Roughly 90% of the SaaS applications in use at any given organization are invisible to that organization's IT team. This isn't a typo. It's not a marketing exaggeration. It's the consistent finding of multiple independent industry surveys over the past three years.

If your IT team's vendor list has 30 SaaS tools on it, your actual SaaS footprint is probably closer to 200. If you think you have 50, you probably have 300. The exact ratio varies, but the pattern doesn't.

Here's where that 90% comes from, why traditional security tools don't see it, and what you can actually do about it.

Where the 90% Comes From

There are four main paths SaaS takes to get into your company without IT noticing:

1. Free tier signups with work email

This is the largest single category. Every Calendly, Loom, Notion, Trello, Figma, and ChatGPT account a team member opens with their work address creates a vendor relationship. No invoice. No ticket. No record. Just a confirmation email.

2. OAuth grants and Sign in with Google buttons

When an employee clicks "Sign in with Google" or "Sign in with Microsoft" on a new app, two things happen. They authenticate, and they grant that app a set of permissions on your tenant. Those permissions can include reading email, accessing files, modifying the calendar, or pulling contacts. The app shows up in the OAuth log, but unless someone is reviewing that log, it stays invisible.

3. App marketplace installs inside Microsoft 365 and Google Workspace

Both platforms have add-on marketplaces. Employees can install Slack apps, Teams apps, Drive apps, and Outlook apps directly from those marketplaces, often through admin-consent loopholes that let third-party tools pull data without IT knowing.

4. Personal accounts shared with the team

A team lead opens a personal Asana board to organize a side project. They invite five colleagues. The board has customer information. There is no enterprise contract, no audit trail, and no IT relationship.

Each path looks small in isolation. Together, they account for 90% of your environment.

Why Traditional Security Tools Miss It

Companies often assume their existing security stack will catch Shadow SaaS. It usually doesn't, because each tool was built for a different problem.

CASBs (Cloud Access Security Brokers)

Designed for enterprise environments where every device routes traffic through a corporate network. SMBs rarely have the network architecture or budget to deploy them. Even when deployed, they miss apps that bypass the corporate network (which is most of them, post-pandemic).

MDM (Mobile Device Management)

Sees what's installed on managed devices. Doesn't see browser-based SaaS, doesn't see OAuth grants, and doesn't see what runs on personal devices logged into work accounts.

Endpoint security and antivirus

Built for malware. SaaS apps are not malware. They are legitimate businesses with valid TLS certs and clean reputations. Endpoint tools have no reason to flag them.

Network monitoring

Can see traffic to known SaaS domains. But the data inside that traffic is encrypted, and the question of whether the SaaS is sanctioned isn't visible from the network alone.

Manual vendor lists

Whatever someone wrote in a spreadsheet six months ago. Out of date the moment it was saved.

The result: tools designed to protect your environment can't find half of the surface area they're supposed to be protecting.

What the 90% Actually Costs

The 90% problem creates four downstream costs:

1. Security exposure

Every unmanaged SaaS vendor is a potential breach vector. The 2024 Snowflake incident affected hundreds of companies through a single compromised credential at a third-party tool that most of them didn't formally track. That pattern repeats every quarter.

2. Compliance failure

SOC 2, ISO 27001, HIPAA, and PCI all require complete vendor inventories. Auditors find what's in your tenant log even when it's not in your written list. The gap is what fails the audit.

3. Wasted spend

Industry data consistently shows 20 to 35% of SMB SaaS budgets are tied up in duplicate, redundant, or unused tools. The average company we see has 4 to 6 different note-taking apps, 2 to 3 video conferencing platforms, and at least one set of paid licenses that nobody uses.

4. Offboarding gaps

When an employee leaves, IT can disable their email. They cannot revoke OAuth grants they didn't know existed, transfer ownership of personal Trello boards they were never told about, or cancel subscriptions paid on personal cards but used for work.

The cost compounds with time. The longer the 90% goes undetected, the more vendor relationships, the more data exposure, and the more dependencies you've quietly accumulated.

How to Actually Find What's There

The good news: most of the 90% is already documented in systems you control. Microsoft 365 and Google Workspace log every OAuth grant, every app marketplace install, every email signup confirmation, and every identity event. The data is there. It just isn't aggregated.

A continuous discovery scan does the aggregation:

No agents on user devices. No traffic interception. No employees who need to fill out a form. The visibility is built into your existing platforms; it just has to be surfaced.

What You Should Do This Week

Three concrete steps, in order:

1. Run a discovery scan

You can't fix what you can't see. The first scan typically finds 3 to 5 times more SaaS than the company expected.

2. Sort by risk, not by alphabet

Most discovery tools dump a flat list of 200 apps. That's noise. The signal is which ones have privileged OAuth scopes, which ones haven't been used in 90 days, and which ones touch regulated data.

3. Fix the offboarding gap first

Every ex-employee with active OAuth grants is a security incident waiting to happen. Closing that window is the highest-leverage 30 minutes you'll spend this quarter.
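As an added example (not FailSafe's code, and not real tenant data), the triage described in "How to Actually Find What's There" and in steps 2 and 3 above, applied to constructed OAuth grant records: each grant is scored on privileged scopes, 90-day inactivity, regulated-data tags and, weighted above everything else, whether its holder is still an active user. The scope names, the weights and the sample records are assumptions.

```python
from datetime import datetime, timedelta

# Assumed, illustrative privileged-scope list; a real tenant uses the scope
# strings its identity provider reports in the consent/OAuth log.
PRIVILEGED_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                     "Calendars.ReadWrite", "Contacts.Read", "Directory.Read.All"}
REGULATED_KEYWORDS = ("customer", "patient", "billing")
NOW = datetime(2025, 1, 15)  # fixed "now" so results are reproducible

def score_grant(grant, active_users, now=NOW):
    """Return (score, reasons) for one grant record.
    grant keys: app, user, scopes (list), last_used (datetime), data_tags (list)."""
    score, reasons = 0, []
    if grant["user"] not in active_users:          # offboarding gap: ex-employee grant
        score += 100
        reasons.append("grant held by a deprovisioned user")
    priv = PRIVILEGED_SCOPES & set(grant["scopes"])
    if priv:                                        # privileged OAuth scopes
        score += 10 * len(priv)
        reasons.append("privileged scopes: " + ", ".join(sorted(priv)))
    if now - grant["last_used"] > timedelta(days=90):  # stale grant
        score += 20
        reasons.append("unused for 90+ days")
    if any(k in t.lower() for t in grant["data_tags"] for k in REGULATED_KEYWORDS):
        score += 30                                 # touches regulated data
        reasons.append("touches regulated data")
    return score, reasons

def rank_grants(grants, active_users, now=NOW):
    """Return [(grant, score, reasons)] sorted by descending risk; stable on ties."""
    scored = [(g, *score_grant(g, active_users, now)) for g in grants]
    return sorted(scored, key=lambda t: -t[1])

# Constructed sample records (not real tenant data); bob has left the company.
SAMPLE_GRANTS = [
    {"app": "NoteTakerX", "user": "alice@example.com", "scopes": ["openid", "email"],
     "last_used": NOW - timedelta(days=3), "data_tags": []},
    {"app": "CalendarSync", "user": "bob@example.com",
     "scopes": ["Calendars.ReadWrite", "Mail.Read"],
     "last_used": NOW - timedelta(days=120), "data_tags": ["customer-calendar"]},
    {"app": "BoardTool", "user": "carol@example.com", "scopes": ["Files.ReadWrite.All"],
     "last_used": NOW - timedelta(days=10), "data_tags": []},
]
ACTIVE_USERS = {"alice@example.com", "carol@example.com"}

if __name__ == "__main__":
    for g, score, reasons in rank_grants(SAMPLE_GRANTS, ACTIVE_USERS):
        print(f"{score:4d} {g['app']:14s} {g['user']:20s} {'; '.join(reasons)}")
```

The ex-employee's grant lands at the top regardless of its other attributes, which is the ordering step 3 asks for; the active-user list would come from your directory's current-user export.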

Why This Matters for Your Business

You don't need to eliminate Shadow IT or Shadow AI. You need to know what's there. Once you have visibility, the rest of the work (sanctioning vendors, consolidating duplicates, closing offboarding gaps) becomes straightforward.

Without visibility, your security posture, your compliance program, and your IT spend are all running on a vendor list that's missing 9 out of every 10 entries.

Your Next Step


See the 90 percent of your SaaS that IT cannot.

FailSafe runs a complete discovery scan of your Microsoft 365 or Google Workspace tenant. You will see every connected SaaS app, every OAuth grant, every AI tool, and every offboarding gap, mapped to NIST CSF, CIS v8, SOC 2, and ISO 27001:2025.
