
The Shadow IT Detection Playbook (Step-by-Step Workflow)


The InvoiceAgent.ai Team

May 23, 2026 | 3 min read

This is the operational workflow for detecting shadow IT — the unapproved tools your company is using or paying for without finance, IT, or leadership knowing. For the why and the strategy, see the shadow IT guide. This is the runbook: the exact steps, in order, to surface what's hidden.

Run it end to end the first time, then re-run the detection steps quarterly.


Stage 1 — Establish your "known" baseline

You can't find the unknown without a list of the known.

  1. Build the approved-tools list. Every tool finance/IT knows about and intends to pay for. If this doesn't exist, this is your first deliverable.
  2. Note the official owner and payment method for each known tool.

Everything you discover in the next stages that isn't on this list is a shadow IT candidate.


Stage 2 — Detect via the billing trail

  1. Search every company inbox for signup signals: welcome to, your account is ready, you've been invited, confirm your email, your trial has started. Welcome emails mark the birth of a shadow tool.
  2. Search for billing signals: receipt, invoice, subscription confirmed, payment, renews.
  3. List every vendor found. Cross-reference against the approved list. Flag anything not on it.
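The three Stage 2 steps reduce to one pass over message headers: classify each subject by the signup and billing phrases above, derive a vendor from the sender, and drop anything already on the Stage 1 list. The script below is an added example, not InvoiceAgent's code; the mailbox contents and the approved list are constructed, and the vendor-from-sender heuristic is a hypothetical simplification (real vendors send from many domains).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Signal phrases are the ones listed in Stage 2 of the playbook.
SIGNUP_SIGNALS = ["welcome to", "your account is ready", "you've been invited",
                  "confirm your email", "your trial has started"]
BILLING_SIGNALS = ["receipt", "invoice", "subscription confirmed", "payment", "renews"]

# Constructed sample mailbox: (sender, subject) pairs standing in for real headers.
SAMPLE_MESSAGES = [
    ("welcome@notion.so", "Welcome to Notion!"),
    ("billing@mail.acmecrm.example", "Your ACME CRM invoice for May"),
    ("team@slack.com", "Your invoice is ready"),
    ("no-reply@figma.com", "Confirm your email address"),
    ("alerts@zoom.us", "Your subscription renews on June 1"),
    ("newsletter@techblog.example", "10 tips for remote teams"),
    ("receipts@figma.com", "Receipt for your Figma Professional plan"),
]

# Constructed Stage 1 baseline: tools finance/IT already knows about.
APPROVED_TOOLS = ["Slack", "Zoom", "Google Workspace"]


@dataclass
class Candidate:
    vendor: str
    signal: str    # "signup" or "billing"
    subject: str   # first subject line that surfaced the vendor


def vendor_from_sender(sender: str) -> str:
    """Hypothetical heuristic: take the label just before the top-level domain,
    so 'billing@mail.acmecrm.example' becomes 'acmecrm'."""
    m = re.search(r"@([\w.-]+)", sender)
    if not m:
        return sender.lower()
    labels = m.group(1).lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(subject: str) -> Optional[str]:
    """Return 'signup', 'billing', or None. Signup phrases are checked first
    because a welcome email marks the tool's creation."""
    s = subject.lower()
    if any(p in s for p in SIGNUP_SIGNALS):
        return "signup"
    if any(p in s for p in BILLING_SIGNALS):
        return "billing"
    return None


def find_candidates(messages: Sequence[Tuple[str, str]],
                    approved: Sequence[str]) -> List[Candidate]:
    """Stage 2 in one pass: classify each message, derive the vendor, drop anything
    on the approved list, and keep one record per remaining vendor."""
    approved_lc = {a.lower() for a in approved}
    found = {}
    for sender, subject in messages:
        signal = classify(subject)
        if signal is None:
            continue
        vendor = vendor_from_sender(sender)
        if vendor in approved_lc:
            continue
        # Prefer the signup sighting over a later billing one for the same vendor.
        if vendor not in found or (signal == "signup" and found[vendor].signal != "signup"):
            found[vendor] = Candidate(vendor, signal, subject)
    return sorted(found.values(), key=lambda c: c.vendor)


if __name__ == "__main__":
    for c in find_candidates(SAMPLE_MESSAGES, APPROVED_TOOLS):
        print(f"{c.vendor:10} {c.signal:8} {c.subject}")
```

On the sample data this flags acmecrm (billing), figma (signup) and notion (signup) while Slack and Zoom, which are on the approved list, are skipped. Matching on the approved list by the domain-derived name is deliberately strict: a vendor that bills from an unfamiliar domain will show up as a new candidate, which is the safer failure.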

Stage 3 — Detect via payment methods

  1. Pull recurring charges from every card — company cards, founder's personal card, employee cards.
  2. Scan expense reports for recurring software reimbursements — shadow IT often lives here, bought on personal cards.
  3. Check PayPal and app store billing — mobile and alternative-billing tools bypass card tracking.
  4. Flag every recurring software charge not tied to an approved tool.
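Stage 3 is a recurrence test over charges pulled from every payment source. The example below is added here and is not InvoiceAgent's code: it merges constructed charges from a company card, an expense report, PayPal and an app store, infers a monthly, quarterly or annual cadence from the gaps between charges, normalises the spend to a monthly figure for the Stage 5 table, and flags every recurring merchant not on the approved list. The cadence windows are an assumption chosen for the example.

```python
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample: (source, merchant, charge date, amount). The sources mirror
# Stage 3: company card, personal card reimbursed via expense report, PayPal, app store.
SAMPLE_CHARGES = [
    ("company_card", "ACME CRM", date(2026, 2, 3), 49.00),
    ("company_card", "ACME CRM", date(2026, 3, 3), 49.00),
    ("company_card", "ACME CRM", date(2026, 4, 3), 49.00),
    ("company_card", "Slack", date(2026, 2, 15), 320.00),
    ("company_card", "Slack", date(2026, 3, 15), 320.00),
    ("company_card", "Slack", date(2026, 4, 15), 320.00),
    ("expense_report", "Loom", date(2026, 3, 1), 12.99),
    ("expense_report", "Loom", date(2026, 4, 1), 12.99),
    ("paypal", "Grammarly", date(2026, 1, 20), 30.00),
    ("paypal", "Grammarly", date(2026, 4, 20), 30.00),   # quarterly plan
    ("company_card", "Staples", date(2026, 3, 9), 87.40),  # one-off purchase
    ("app_store", "Fantastical", date(2026, 4, 11), 4.99), # only one charge so far
]

# Assumed day-gap windows per cadence; months are 28-31 days, quarters ~90, years ~365.
CADENCES = {"monthly": (27, 32), "quarterly": (88, 93), "annual": (363, 367)}
MONTHS_PER_CYCLE = {"monthly": 1, "quarterly": 3, "annual": 12}

Charge = Tuple[str, str, date, float]


def detect_cadence(dates: Sequence[date]) -> Optional[str]:
    """Return the cadence whose window fits every gap between consecutive charges,
    or None when there are fewer than two charges or the gaps are irregular."""
    ds = sorted(dates)
    if len(ds) < 2:
        return None
    gaps = [(b - a).days for a, b in zip(ds, ds[1:])]
    for name, (lo, hi) in CADENCES.items():
        if all(lo <= g <= hi for g in gaps):
            return name
    return None


def flag_recurring(charges: Sequence[Charge], approved: Sequence[str]) -> List[Dict]:
    """Stage 3, step 4: every recurring software charge not tied to an approved tool."""
    approved_lc = {a.lower() for a in approved}
    by_merchant: Dict[str, List[Tuple[str, date, float]]] = defaultdict(list)
    for source, merchant, when, amount in charges:
        by_merchant[merchant].append((source, when, amount))

    flagged = []
    for merchant, rows in by_merchant.items():
        cadence = detect_cadence([when for _, when, _ in rows])
        if cadence is None or merchant.lower() in approved_lc:
            continue
        latest_amount = max(rows, key=lambda r: r[1])[2]
        flagged.append({
            "merchant": merchant,
            "cadence": cadence,
            "amount": latest_amount,
            # Normalised figure for the "Monthly cost" column of the triage table.
            "monthly_cost": round(latest_amount / MONTHS_PER_CYCLE[cadence], 2),
            "sources": sorted({source for source, _, _ in rows}),
        })
    return sorted(flagged, key=lambda f: f["merchant"])


if __name__ == "__main__":
    for f in flag_recurring(SAMPLE_CHARGES, ["Slack"]):
        print(f"{f['merchant']:10} {f['cadence']:9} ${f['monthly_cost']:7.2f}/mo  via {', '.join(f['sources'])}")
```

With Slack as the only approved tool, the run flags ACME CRM (monthly, company card), Grammarly (quarterly via PayPal, $10/month normalised) and Loom (monthly, reimbursed through expense reports); Staples and Fantastical have a single charge each and stay unflagged until a second one establishes a cadence. Keeping the source column is what makes the "bought on a personal card" cases visible in the next stage.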

Stage 4 — Detect via access & identity

  1. List apps connected to SSO (Google Workspace / Okta).
  2. Compare to your paid-tools list. Tools you pay for that aren't in SSO are prime shadow IT — bought outside the official process.
  3. Check OAuth grants — apps employees granted access to your Google/Microsoft accounts. Revoke unknown or unused grants.

Stage 5 — Triage what you found

For each shadow IT candidate, capture:

Field               Why
Vendor              The tool
Likely user/buyer   Who to talk to
Monthly cost        Spend impact
Data access         Security risk — the column most audits skip
Still needed?       Keep/cut decision

Prioritize by risk, not just cost. A free tool holding customer data outranks a $50/month tool that touches nothing sensitive.
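The Stage 4 comparisons and the Stage 5 triage fit in a single small script. The following is an added example, not the playbook's or InvoiceAgent's own code: it computes the paid-but-not-in-SSO gap and the unknown OAuth grants from Stage 4, records each candidate with the five triage fields, and orders the list by data access first and cost second so that the free tool holding customer data lands above the $50/month tool that touches nothing sensitive. The data-access scale, the sample tools and the resolution labels are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Constructed ordering for the "Data access" column: higher means more sensitive.
DATA_ACCESS_RANK = {"none": 0, "internal": 1, "customer": 2}


@dataclass
class Candidate:
    vendor: str
    likely_user: str      # who to talk to
    monthly_cost: float   # spend impact
    data_access: str      # "none" | "internal" | "customer"
    still_needed: bool    # keep/cut decision
    in_sso: bool = False  # filled in from Stage 4


def tools_outside_sso(paid_tools: Sequence[str], sso_apps: Sequence[str]) -> List[str]:
    """Stage 4, step 2: tools you pay for that have no SSO app were bought outside
    the official process."""
    return sorted({t.lower() for t in paid_tools} - {a.lower() for a in sso_apps})


def unknown_oauth_grants(grants: Sequence[Tuple[str, str]],
                         approved: Sequence[str]) -> List[Tuple[str, str]]:
    """Stage 4, step 3: OAuth grants (app, scope) whose app is not on the approved list."""
    approved_lc = {a.lower() for a in approved}
    return [(app, scope) for app, scope in grants if app.lower() not in approved_lc]


def prioritize(candidates: Sequence[Candidate]) -> List[Candidate]:
    """Stage 5: rank by data access first and cost second, never by cost alone."""
    return sorted(candidates,
                  key=lambda c: (DATA_ACCESS_RANK[c.data_access], c.monthly_cost),
                  reverse=True)


def resolution(c: Candidate) -> str:
    """Stage 6 outcome for one candidate, as a short label."""
    if not c.still_needed:
        return "cancel (export data first)"
    if not c.in_sso:
        return "keep: move behind SSO, review permissions, add to offboarding"
    return "keep: review permissions, add to offboarding"


# Constructed data: what Stages 1-4 might have produced.
APPROVED_TOOLS = ["Slack", "Zoom"]
SSO_APPS = ["Slack", "Zoom", "ACME CRM"]
PAID_TOOLS = ["Slack", "Zoom", "ACME CRM", "Loom"]
OAUTH_GRANTS = [("Slack", "calendar.readonly"), ("MeetingNotesBot", "drive"),
                ("FreeForms", "contacts")]
SAMPLE_CANDIDATES = [
    Candidate("Loom", "Priya (sales)", 12.99, "customer", True),
    Candidate("ACME CRM", "Marco (ops)", 49.00, "customer", True, in_sso=True),
    Candidate("Grammarly", "Ana (marketing)", 10.00, "internal", False),
    Candidate("Whiteboard Pro", "Jon (eng)", 50.00, "none", True),
    Candidate("FreeForms", "Sam (support)", 0.00, "customer", True),
]

if __name__ == "__main__":
    print("paid but outside SSO:", tools_outside_sso(PAID_TOOLS, SSO_APPS))
    print("unknown OAuth grants:", unknown_oauth_grants(OAUTH_GRANTS, APPROVED_TOOLS))
    for c in prioritize(SAMPLE_CANDIDATES):
        print(f"{c.vendor:15} {c.data_access:9} ${c.monthly_cost:6.2f}  {resolution(c)}")
```

The ranked output places ACME CRM, Loom and FreeForms (all holding customer data) ahead of Grammarly and the $50/month Whiteboard Pro, and the OAuth check is what surfaces FreeForms at all, since it never appears on a bill.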


Stage 6 — Resolve (don't punish)

  1. Bring each tool into daylight: assign an owner, document its purpose.
  2. Cancel clear waste (unused or duplicate tools) — export data first.
  3. Secure the keepers: move behind SSO, review permissions, add to the offboarding checklist.
  4. Fix the root cause: make requesting a tool fast and easy. Shadow IT mostly exists because the official path was slow.

Stage 7 — Prevent recurrence

  1. Stand up a billing inbox so new signups become visible automatically.
  2. Require company email for company tools — personal-email purchases are invisible.
  3. Add "list and transfer all tools" to offboarding so departures don't orphan accounts.
  4. Schedule the detection stages (2–4) quarterly.

Automating the detection stages

Stages 2 and 3 — the billing-trail and payment detection — are exactly what InvoiceAgent automates. It scans your connected billing inbox for signup confirmations, receipts, and trial notices, surfacing the tools your company pays for (including the welcome emails that mark a shadow tool's creation) so you're not running manual searches every quarter. It turns recurring detection from a manual sweep into a continuous signal. The triage, resolution, and prevention stages stay human — but they start from a complete list instead of guesswork.

Run the full playbook once. After that, the detection should be running quietly in the background, so shadow IT surfaces as it appears instead of accumulating until the next audit.
