You've spent millions on your security stack—SIEM, EDR, zero trust, the works. But according to Grip Security's latest report, 90% of your SaaS applications and 91% of AI tools are completely unmanaged. They're not integrated with your IDP and are invisible to your security controls.
One CISO we spoke with called these "identity islands"—apps that sit outside your IDP:
“We acquire a lot of smaller affiliates, and they have business applications that come from smaller vendors who have never played in the enterprise space. So they don't have the architecture for all the enterprise-class IDP processes in place. We end up leaving them alone, and then they become islands of information and identity management.”
And very quickly, they become blind spots where your security stack simply doesn't reach. The result? Your million-dollar investment has gaping holes you didn't budget for.
This guide walks you through how unmanaged SaaS breaks your security posture, then shows you exactly how to discover these shadow applications, audit their risk, and bring them under governance before they become your next breach headline.
TL;DR
- Most companies unknowingly run hundreds of SaaS apps outside IT oversight—tools not connected to their IDP or security stack—creating invisible “identity islands” that weaken even the best security posture.
- The risks of unmanaged SaaS usage include orphaned accounts becoming breach vectors, redundant licenses draining budgets, and untracked data storage breaking compliance with SOC 2, ISO, and GDPR.
- Traditional IAM tools like Okta and BetterCloud can’t detect these apps because they only manage what’s explicitly integrated—leaving everything else invisible to access controls and audits.
- The only way to regain control is through continuous discovery and SaaS governance: centralizing your software inventory, automating offboarding, enforcing access policies, and monitoring for new signups.
- Stitchflow closes this identity blind spot by combining multi-source discovery with browser-based automation—uncovering every app, auditing access in real time, and automating cleanup across 100% of your SaaS stack.
What are unmanaged SaaS apps?
Unmanaged SaaS apps are any cloud applications your employees use that aren't connected to your identity provider or governed by IT policies. They're not in your software asset inventory, not integrated with your IDP, and often not even on your radar until something breaks. This includes non-SSO/SCIM disconnected apps, shadow IT, inactive user accounts, and more.
One IT director explained the problem this way:
"We have a lot of applications that are not tied to Okta either because they don't have that connection, or they're in Okta but don't support offboarding. So when it gets to us offboarding leavers, we have a lot of tools that we need to go into the back end, make sure they're removed, and it just becomes a little bit of a pain."
The most common culprits: file sharing tools, AI applications, survey platforms, and scheduling software.
These are apps employees spin up for ad hoc or one-time needs—a marketer running a single customer survey, a salesperson grabbing a meeting scheduler, a product manager trying out the latest AI tool. They sign up with their work email, start using it immediately, and IT never hears about it.
❗Managed vs. unmanaged SaaS apps: What’s the difference?
Managed SaaS apps are integrated with your identity provider—platforms like Okta, Azure AD, or Google Workspace—which means they're governed by centralized IT access policies, visible across your security stack, and support automated user lifecycle management.
Unmanaged SaaS apps, on the other hand, are adopted independently by employees without IT involvement. They lack single sign-on integration, operate outside your security controls, and require manual oversight—if they're discovered at all. This can create shadow IT risks and leave gaps in your data governance and compliance frameworks.
The real risks of unmanaged SaaS apps
Unmanaged SaaS apps don't just sit quietly in the background—they create active vulnerabilities across your organization. Here's what you're actually dealing with:
Identity and access risks
The most immediate threat from unmanaged SaaS apps is that you can't control access to systems you don't know exist.
Consider what happened to a U.S. state government organization. A threat actor obtained leaked credentials from a former employee and used them to breach the network through the organization's VPN. All because the ex-employee's account was never deprovisioned.
One IT leader at an insurance firm put it bluntly:
"We really don't have a fully functioning IDP across the enterprise. Some applications may have their own Active Directory. Somebody has the keys, hopefully, and knows what's going on inside and manages it—hopefully. That's not always the case, and we know it."
That "hopefully" should terrify you. Unmanaged access means unmanaged data exposure. Every orphaned account is a potential entry point. Every untracked login is a gap in your audit trail. And every former employee with lingering access is a breach waiting to happen.
📚Also read: 10 user access review mistakes and how to avoid them
Financial risks
Unmanaged SaaS doesn't just create security holes—it also bleeds money. SaaS sprawl means you're paying for tools you don't know about, can't track, and often don't need.
First, there’s license duplication. Without centralized visibility, different teams buy the same functionality multiple times. Marketing has one project management tool, engineering has another, and operations just signed up for a third. You're paying three vendors to do the same job.
Then there's the SSO tax—vendors charging extra for basic security features like single sign-on integration. The SSO Wall of Shame documents hundreds of companies doing exactly this, forcing you to choose between security and budget.
A snippet from the SSO Wall of Shame
When apps are adopted in the shadows, teams skip SSO to avoid the upcharge, leaving you with both a security gap and wasted spend on redundant licenses. Shadow purchases also kill your negotiation leverage. No volume discounts. No enterprise agreements. Just individuals paying list price on corporate cards, renewal after renewal.
The result: SaaS auto-renewals on forgotten contracts, wasted licenses sitting idle, and teams unknowingly breaching usage caps and triggering overage fees.
Compliance risks
Unmanaged SaaS apps create compliance gaps you can't afford. SOC 2, ISO 27001, GDPR, and HIPAA all require you to know where your data lives, who has access to it, and how it's protected. Unmanaged apps make that impossible.
When sensitive customer data ends up in an unapproved survey tool or file-sharing service, you're non-compliant. When auditors ask for your data inventory and access logs, you can't produce them because half your SaaS apps aren't tracked.
As one CISO says, "It becomes a lot trickier to know the source of truth. So there can be a series of audits we have to go through to find out if those users even need that app anymore."
That's what compliance looks like with unmanaged SaaS—weeks spent reconstructing where data lives and who has access, hunting down apps that may or may not still be in use. And the cost shows up as delayed certifications, failed audits, regulatory fines—and most importantly, deals that stall because you can't prove compliance.
📚Also read: A complete guide to IT compliance audits
Operational risks
When different teams use different tools for the same function, you get inconsistent processes and fragmented data. Marketing's analytics don't match sales' numbers. Engineering's project tracker doesn't sync with the product team’s roadmap.
Then there are the missed renewals that happen because no one owns the vendor relationship. Tools go offline mid-project when a credit card expires or the employee who signed up has left.
Here’s how a Lead Systems Administrator puts it: "We have applications here that were just set up vanilla out of the box, and they're not really providing a good use case for us." This means they have to spend days, if not weeks, “to vet everything, get rid of the waste or tech debt."
‼️How unmanaged SaaS creates supply chain vulnerabilities
Unmanaged SaaS apps are supply chain weak links. One poorly secured app can compromise your entire infrastructure because these tools connect to your systems, access your data, and integrate with your vendors, partners, and clients.
When a vendor's security fails, the breach doesn't stay contained. It cascades. An unmanaged scheduling tool with access to employee calendars connects to your CRM. A file-sharing app used by your finance team syncs with external accounting firms.
And because these apps are unmanaged, you don't know which vendors are in your supply chain, what security standards they follow, or how they handle your data. You only find out during the breach disclosure.
Why traditional IAM tools can’t see unmanaged SaaS apps
Your IAM stack—Okta, Azure AD, OneLogin—was built to manage applications it knows about. That's the problem. Most unmanaged SaaS apps never make it into your identity provider, and your IAM tools have no way to find them.
Here's what they miss:
- No discovery mechanism: IAM tools only track apps manually added to their catalog and configured with SAML, OIDC, or SCIM. If it's not onboarded, it doesn't exist.
- Blind to bypassed logins: Users sign in with email and password, magic links, or native Google/Microsoft auth. These bypass SSO entirely, leaving accounts invisible to your IDP.
- Can't verify SSO enforcement: Apps may support SAML or OIDC, but aren't actually integrated. IAM tools can't tell which apps could be connected, who has shadow accounts, or whether SSO is being used consistently.
- No usage data: IAMs authenticate logins but don't track active versus inactive accounts, permission changes, admin actions, or sharing activity. They're access gates, not usage monitors.
- Provisioning isn't inventory: Even with SCIM, IAMs manage a defined set of apps and users, not the full ecosystem of tools employees actually use.
The result: more than 40% of your SaaS apps operate outside your IDP. Not because your IAM tools are poorly configured, but because they were never designed to manage apps that don't integrate with them.
So, how do you discover unmanaged SaaS apps?
Because unmanaged SaaS apps come from different places, you need to combine multiple complementary data sources to find them. We call this the multi-method discovery approach. Here are some ways to get user and app data—beyond your IDP:
- Network/Proxy/CASB/SWG Logs: Identify SaaS traffic patterns and domains in use.
- Managed browser signals: Detect logins and app usage directly from browser activity.
- OAuth token and API permission scans: Enumerate all “Sign in with Google/Microsoft” and connected third-party integrations.
- Expense, billing, and procurement data: Correlate spend and vendor data with discovered SaaS usage.
- CSV uploads: Import user or app lists from existing spreadsheets or exports.
- Self-reporting: Let departments or app owners declare the tools they use.
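The multi-method approach above, as an added example (not Stitchflow's code): each source contributes partial evidence, and correlating them by registrable domain yields one inventory in which apps absent from the IDP catalog are the "identity islands". The IDP catalog, proxy log lines, OAuth grants and expense lines are all constructed sample data.

```python
"""Correlate several discovery sources into one SaaS inventory and flag apps outside the IDP."""
from dataclasses import dataclass, field

# Constructed: apps already onboarded to the IDP (SAML/OIDC/SCIM), keyed by domain.
IDP_APPS = {"slack.com", "salesforce.com"}

# Constructed proxy/SWG log lines: "timestamp user destination_host".
PROXY_LOG = """\
2024-05-01T09:12:03Z alice@example.com app.slack.com
2024-05-01T09:15:41Z bob@example.com surveymonkey.com
2024-05-01T10:02:17Z carol@example.com calendly.com
2024-05-01T10:30:55Z bob@example.com www.surveymonkey.com
"""

# Constructed "Sign in with Google/Microsoft" grants: (user, third-party app domain).
OAUTH_GRANTS = [("dave@example.com", "calendly.com"), ("erin@example.com", "notion.so")]

# Constructed corporate-card expense lines: (cardholder, vendor domain, monthly USD).
EXPENSES = [("bob@example.com", "surveymonkey.com", 99.0), ("frank@example.com", "notion.so", 40.0)]


def registrable_domain(host):
    """Collapse subdomains (app.slack.com -> slack.com). Assumes two-label TLDs only."""
    return ".".join(host.lower().split(".")[-2:])


@dataclass
class AppRecord:
    domain: str
    in_idp: bool = False
    users: set = field(default_factory=set)
    sources: set = field(default_factory=set)  # which discovery methods saw this app
    monthly_spend: float = 0.0


def build_inventory(idp_apps=IDP_APPS, proxy_log=PROXY_LOG, oauth=OAUTH_GRANTS, expenses=EXPENSES):
    """Merge every source into one record per app domain."""
    inventory = {}

    def record(host):
        domain = registrable_domain(host)
        return inventory.setdefault(domain, AppRecord(domain, in_idp=domain in idp_apps))

    for line in proxy_log.splitlines():
        _ts, user, host = line.split()
        rec = record(host); rec.users.add(user); rec.sources.add("proxy")
    for user, host in oauth:
        rec = record(host); rec.users.add(user); rec.sources.add("oauth")
    for user, host, usd in expenses:
        rec = record(host); rec.users.add(user); rec.sources.add("expense"); rec.monthly_spend += usd
    return inventory


def unmanaged_apps(inventory):
    """Apps seen by any source but never onboarded to the IDP: the identity islands."""
    return sorted(d for d, rec in inventory.items() if not rec.in_idp)
```

Each record keeps the set of sources that observed the app, so an app seen only in expense data (paid for, never logged into through the proxy) stands out from one seen everywhere.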
Different SaaS management tools specialize in different data sources.
- CASB-style platforms rely heavily on network or proxy traffic logs.
- SSPM and expense-based tools focus on invoice and financial data.
- OAuth scanners surface connected integrations from major identity or productivity platforms.
Modern platforms like Stitchflow combine all these inputs along with one more—browser-based automation.
Instead of depending solely on APIs or network logs, Stitchflow actually logs into each web app’s admin UI in a secure, headless browser. It extracts live user, role, and access data—even for apps without APIs or SCIM support. This turns previously invisible, unmanaged SaaS apps into verifiable, trackable, and automatable assets.
Stitchflow and SpotOn: A case study in managing unmanaged SaaS apps
SpotOn is a fast-growing payments and retail technology company with a complex SaaS environment spanning over 100 tools—many of which were manually managed or disconnected apps.
They integrated Stitchflow as a SCIM/API bridge into their existing identity workflows. Using Stitchflow’s browser-based automation, the team was able to map and manage every app—even those without APIs—directly through secure, automated admin logins.
The results:
Within months, SpotOn discovered and cleaned up 1,000+ unmanaged SaaS accounts, resolved 449 compliance gaps, and recovered $90K in unused licenses.
Strategies to manage unmanaged SaaS apps
Finding unmanaged SaaS apps is only step one. The real goal is to govern them—to bring every account under consistent identity and access control, and ensure new shadow apps don’t appear unchecked.
Here’s how to solve the problem and keep it from coming back:
1. Implement SaaS governance processes
Discovery alone doesn’t solve risk—it just exposes it. Once you know what’s in use, you need governance.
- Assign ownership for every app.
- Classify each as approved, conditional, or restricted.
- Define who can request access and how it’s approved.
Establishing ownership turns a list of shadow tools into a manageable portfolio.
2. Enforce access policies
Create and enforce access control policies that define how users authenticate and when they can maintain access.
- Require SSO or MFA where possible.
- Disallow direct email/password sign-ups using corporate domains.
- Implement least-privilege principles: grant access by role, not by exception.
- Reassess permissions when roles change or projects end.
Policies should be enforced automatically wherever tools allow, and audited regularly elsewhere.
👉Use the free Stitchflow App Access Matrix to create role-based access control policies for your organization.
3. Centralize your SaaS inventory
Consolidate all app and user data into a single source of truth—a shared system that IT, Security, and Finance can all use.
Pull data from identity providers, expense systems, and discovery tools. And make sure to track who owns each app, how many users it has, and what data it touches. A central repository makes it possible to spot redundancy, waste, or compliance gaps early.
4. Automate remediation
Manual cleanup doesn't scale—you need systems that enforce governance without constant human intervention.
Start by automating user deactivation immediately after offboarding so accounts don't linger. And schedule regular access reviews to identify permission drift before it becomes a security issue. The more you automate these processes, the less shadow IT can take root.
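An access review that implements the policy checks from step 2 and the automated offboarding from step 4, as an added example (not Stitchflow's code): one app's exported user list is compared against the HR roster to find orphaned leaver accounts, inactive accounts, and corporate-domain users still signing in with a local password instead of SSO. The roster, the app export, the 90-day inactivity threshold and the review date are constructed.

```python
"""Review one app's user export and emit remediation actions with an evidence trail."""
from datetime import date

CORP_DOMAIN = "example.com"
INACTIVE_AFTER_DAYS = 90          # constructed policy threshold
TODAY = date(2024, 6, 1)          # constructed review date

# Constructed HR roster: people currently employed.
ACTIVE_STAFF = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed export from an app's admin console: (email, role, auth method, last login).
APP_USERS = [
    ("alice@example.com", "admin", "sso", date(2024, 5, 30)),
    ("bob@example.com", "member", "password", date(2024, 5, 29)),
    ("carol@example.com", "member", "sso", date(2024, 1, 15)),
    ("dave@example.com", "admin", "password", date(2024, 3, 2)),  # left the company
    ("vendor@partner.org", "guest", "password", date(2024, 5, 20)),
]


def review_app(app, users, staff=ACTIVE_STAFF, today=TODAY):
    """Return findings as (app, email, issue, action) tuples for one app export."""
    findings = []
    for email, role, auth, last_login in users:
        email = email.lower()
        is_corp = email.endswith("@" + CORP_DOMAIN)
        if is_corp and email not in staff:
            # Orphaned account: the person has left but the login still works.
            findings.append((app, email, "orphaned", "deactivate"))
            continue
        if (today - last_login).days > INACTIVE_AFTER_DAYS:
            # Idle seat: reclaim the license and confirm the access is still needed.
            findings.append((app, email, "inactive", "reclaim_license"))
        if is_corp and auth == "password":
            # Policy: corporate-domain users must authenticate through SSO.
            findings.append((app, email, "non_sso_login", "enforce_sso"))
    return findings


def evidence_log(findings, today=TODAY):
    """Timestamped, one-line-per-action records suitable for an audit package."""
    return [f"{today.isoformat()} {app} {email} {issue} -> {action}"
            for app, email, issue, action in findings]


def actions_by_type(findings):
    """Group emails by remediation action so each can be batched (e.g. one ITSM ticket)."""
    grouped = {}
    for _app, email, _issue, action in findings:
        grouped.setdefault(action, []).append(email)
    return grouped
```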
How Stitchflow closes the identity blind spot for unmanaged SaaS apps
By combining browser-based automation with continuous discovery, Stitchflow extends governance, provisioning, and compliance visibility to every app—even those without APIs, SCIM, or SSO.
100% app coverage
Traditional identity tools stop at SSO and SCIM-connected apps—Stitchflow goes further. It works across legacy systems, AI tools, regional logins, and disconnected web apps, providing identity-level visibility and lifecycle control everywhere.
Multi-domain environments and contractor accounts are handled natively, ensuring every login, regardless of ownership, IDP, or domain, is auditable and actionable.
Continuous auditing and automated remediation
Stitchflow runs continuous, browser-driven audits across all connected and disconnected apps to surface orphaned, inactive, or non-SSO accounts in real time. When issues are found, IT teams can trigger 1-click remediation—deactivate a user, reassign ownership, or automatically open an ITSM ticket for review.
Every action is also logged, timestamped, and evidence-backed for compliance and audit readiness.
AI and shadow IT discovery
Stitchflow’s discovery engine detects new (and shadow) apps the moment users start connecting to them. It correlates browser activity, OAuth authorizations, and network signals to spot unfamiliar domains or “Sign in with Google/Microsoft” flows.
When something new appears, Stitchflow spins up a secure headless browser session to log in, confirm the workspace or domain, and verify whether an organizational account exists. Once confirmed, each app is AI-classified and risk-scored based on its authentication model, data access, and compliance posture.
👉Worried about Shadow IT? Use Stitchflow’s free Shadow IT discovery tool to find and manage them.
Cost recovery and license optimization
Stitchflow identifies duplicate, idle, or overlapping licenses across your stack, runs lightweight Slack-based license surveys, and delivers renewal insights to help right-size spend.
By extending control beyond the IDP tier, Stitchflow effectively removes the “SSO tax”—unlocking identity-level automation and visibility without needing every vendor’s premium integration.
Stitchflow Slack survey UI
In short, Stitchflow unifies SaaS discovery, access control, cost optimization, and compliance—giving organizations true end-to-end identity visibility across 100% of their SaaS landscape.
👉Book a demo to see how Stitchflow closes your identity blind spot and keeps unmanaged SaaS under control.
Frequently asked questions
Unmanaged SaaS apps are cloud tools used by employees outside IT’s control—not linked to SSO, provisioning, or monitoring. They create compliance, data exposure, and offboarding risks because no one tracks who has access or what data is shared.
Jay has been serving modern IT teams for more than a decade. Prior to Stitchflow, he was the product lead for Okta IGA after Okta acquired his previous ITSM company, atSpoke.