Shadow stack: the SaaS subscriptions your CFO doesn't know you're paying for
Large enterprises run hundreds of SaaS subscriptions, and a meaningful share never passes through IT or procurement. Most CFOs know the number on the software budget line, but almost none of them know what is actually inside it. This article is the audit that surfaces the gap.
How the shadow stack builds
Nobody sets out to build a shadow stack. It assembles itself through a series of rational decisions made by different people with different budgets and no shared visibility.
A marketing team needs a project management tool and the one IT approved is slow to provision, so they sign up for a free trial on a business credit card. The trial converts to a paid plan, the person who signed up moves to a different role, and the subscription keeps billing because nobody remembers it exists.
Product teams often evaluate three analytics platforms during a sprint. When two don’t advance, their subscriptions rarely get cancelled immediately, because the engineer who set them up is deep in a different project. A quarter later, they’re still billing.
The department-head discovery is harder to catch: an AI writing tool gets rolled out to a team of eight, expensed quarterly on a departmental card, and categorized by finance under “software” alongside the ERP renewal. It never appears in the IT software inventory.
Multiply these patterns across every department over three to five years and you have a shadow stack: a predictable output of decentralized purchasing at scale, rather than a failure of governance.
The numbers that should concern every CFO
The scale of the problem is consistent across the research: 53% of all SaaS licenses go unused in any average 30-day period (Zylo, 2025 SaaS Management Index), and the average organization wastes about $21 million annually on unused licenses (Zylo, 2025). 70% of SaaS spending is now controlled by business units; IT retains oversight of just 26% (Zylo, 2025). Flexera’s State of the Cloud 2025 puts average cloud spend waste at 27%, which on a $5 million SaaS budget comes to $1.35 million annually lost to unused licenses, redundant tools, and unmanaged subscriptions. Organizations underestimate their total SaaS spend by more than 300% (Zylo, 2025).
All of this traces back to good decisions made without a shared view of the whole. The marketing team that adopted the analytics tool was solving a real problem, and the finance team that approved the budget line was approving a real business need. The shadow stack is what happens when every local decision is correct and the aggregate is nobody’s responsibility.
The four places shadow spend hides
Departmental credit cards and expense reports
Departmental credit cards are the most invisible procurement channel: a department head can sign up for a $300/month SaaS tool, expense it quarterly, and it will appear in finance as a travel or miscellaneous line item rather than a software subscription. Finance doesn’t flag it, IT never sees it, and it renews automatically.
Audit procedure: Pull expense reports for the past 12 months and filter for recurring charges from software vendors. Look for charges from known SaaS categories: productivity, analytics, design, project management, communication, AI tools. Any recurring charge that does not appear in the IT software inventory is shadow spend.
Free trials that converted to paid
Free trials convert automatically, and the team that started the trial is usually no longer watching the billing cycle when that happens. The tool was useful enough that nobody cancelled it, but it never went through formal procurement, so it never appeared in the software inventory.
These subscriptions tend to be small individually ($50 to $300 per month) and numerous collectively. A company with 200 employees that averages two trial-to-paid conversions per department per year is carrying 20 to 30 active subscriptions that nobody formally approved and nobody is tracking.
Audit procedure: Cross-reference credit card statements and expense reports against IT’s software inventory. Any subscription below $500/month is worth specific scrutiny, since that price range is where trial conversions concentrate.
Former employee accounts
When an employee leaves, their SaaS subscriptions do not automatically terminate. A sales rep who used a data enrichment tool, a designer who licensed a font subscription, an analyst who signed up for a market intelligence platform: each continues billing after the employee departs unless someone specifically cancels it. In organizations without a rigorous offboarding process that includes software deprovisioning, these accounts accumulate.
In Zylo’s 2026 SaaS Management Index, 78% of IT leaders reported unexpected charges from consumption-based or AI pricing models in the last 12 months. Former employee accounts compound this: they may be generating usage-based charges on tools the company does not know it still has access to.
Audit procedure: Pull the list of active SaaS account holders from any tool with admin access. Cross-reference against current employee records. Accounts belonging to former employees are termination candidates regardless of subscription size.
Overlapping functionality across approved tools
This is the most expensive category and the hardest to surface, because every subscription in it was formally approved. The problem is that different teams, at different times, approved tools that do essentially the same thing for slightly different reasons.
A company running Asana for the product team, Monday for marketing, Jira for engineering, and Notion for documentation is paying for four tools that all include project tracking functionality. Salesforce alongside HubSpot and a customer data platform creates similar redundancy across CRM capability. Each purchase was justified at the time; the aggregate is a redundancy cost that nobody has been tasked with eliminating.
Audit procedure: For each functional category (project management, analytics, CRM, communication, document creation, design, AI tools), list every tool the company is paying for that touches that category. Any category with more than two tools has a redundancy to name and cost.
The shadow stack audit
The procedure takes three to four weeks to run properly and produces a prioritized list of eliminations and consolidations.
Week 1: inventory
Pull three data sources simultaneously:
- IT’s existing software inventory (every tool IT knows about, with contract value and renewal date)
- Finance’s expense categorization (every recurring charge categorized as software, SaaS, or technology for the past 12 months)
- Departmental budget line items tagged as software or tooling
Consolidate into a single spreadsheet and cross-reference finance’s data against IT’s inventory: items in finance’s data that do not appear in IT’s inventory are shadow spend; items in IT’s inventory that do not appear in finance’s data are a different kind of visibility gap. Both directions matter.
Week 2: usage verification
For every tool in the inventory, verify actual usage. Most SaaS platforms provide usage dashboards or last-login data accessible to administrators. For tools without usage dashboards, survey the department head who owns the subscription: how many people on your team used this in the last 30 days?
Zero active users in the last 30 days makes a tool a decommission candidate regardless of contract status. Fewer than 30% of licensed seats active makes it a rightsizing candidate at next renewal.
Week 3: overlap mapping
For each functional category, list every tool the company is paying for that touches it. For each category with more than two tools, identify which tool is the designated standard and which are redundant.
Redundancy elimination typically requires a decision about consolidation timing rather than immediate cancellation, because teams have built workflows around what they use. The audit names the redundancy and estimates its annual cost; the business decision about timing follows.
Week 4: prioritization
Rank the identified shadow spend in three tiers:
- Terminate immediately: tools with zero active users, former employee accounts, trials that converted without anyone’s knowledge
- Eliminate at next renewal: redundant tools in categories where a standard exists, tools the owning team agrees to migrate off
- Rightsize at next renewal: tools where the licensed seat count significantly exceeds active usage
The output is a prioritized action list with estimated annual savings per line item. In our experience, a first pass at a mid-market company surfaces six figures of recoverable annual spend. For enterprises above 1,000 employees, the number is typically higher.
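The inventory, usage and prioritization steps can be sketched as a script. This is an added example, not tooling from the article or from WAYF; the sample rows are constructed, and the field names, the three-month recurrence cut-off and the "register" label for in-use shadow tools are assumptions. Overlap mapping (week 3) is left out because it needs a per-tool category that these inputs do not carry.

```python
from collections import defaultdict

# Constructed sample data; every vendor, owner and field name is an assumption.
IT_INVENTORY = {"asana": {"seats": 40}, "jira": {"seats": 100},
                "figma": {"seats": 20}, "legacy-crm": {"seats": 10}}
# Finance export rows: (vendor, month, amount_usd, account_owner)
CHARGES = ([("asana", m, 400.0, "it-procurement") for m in range(1, 13)]
           + [("jira", m, 700.0, "it-procurement") for m in range(1, 13)]
           + [("figma", m, 300.0, "it-procurement") for m in range(1, 13)]
           + [("ai-writer", m, 160.0, "dana") for m in range(4, 13)]
           + [("enrichco", m, 250.0, "sam") for m in range(1, 13)]
           + [("conference-hotel", 6, 900.0, "dana")])  # one-off, not recurring
ACTIVE_30D = {"asana": 0, "jira": 85, "figma": 4, "ai-writer": 8, "enrichco": 1}
CURRENT_EMPLOYEES = {"dana", "it-procurement"}  # "sam" has left the company
TIER_ORDER = {"terminate": 0, "rightsize": 1, "register": 2, "keep": 3}

def recurring_vendors(charges, min_months=3):
    """Vendors billed in at least min_months distinct months (assumed cut-off)."""
    months, total, owner = defaultdict(set), defaultdict(float), {}
    for vendor, month, amount, holder in charges:
        months[vendor].add(month)
        total[vendor] += amount
        owner[vendor] = holder
    return {v: {"annual": total[v], "owner": owner[v]}
            for v in months if len(months[v]) >= min_months}

def classify(vendor, info, inventory, active, employees):
    users = active.get(vendor)                       # None = no usage data yet
    seats = inventory.get(vendor, {}).get("seats")
    if info["owner"] not in employees or users == 0:
        return "terminate"   # former-employee account or zero active users
    if seats and users is not None and users / seats < 0.30:
        return "rightsize"   # fewer than 30% of licensed seats active
    return "keep" if vendor in inventory else "register"  # in use, unknown to IT

def audit(charges, inventory, active, employees):
    rec = recurring_vendors(charges)
    rows = [{"vendor": v, "shadow": v not in inventory, "annual": i["annual"],
             "tier": classify(v, i, inventory, active, employees)}
            for v, i in rec.items()]
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], -r["annual"]))
    unbilled = sorted(set(inventory) - set(rec))  # IT knows it, finance does not
    return rows, unbilled

if __name__ == "__main__":
    rows, unbilled = audit(CHARGES, IT_INVENTORY, ACTIVE_30D, CURRENT_EMPLOYEES)
    for r in rows:
        print(f'{r["tier"]:<10}{r["vendor"]:<12}shadow={r["shadow"]!s:<6}${r["annual"]:,.0f}/yr')
    print("in IT inventory but absent from finance data:", unbilled)
```

A vendor with no usage figure is never placed in the terminate or rightsize tier by this logic; those are the tools to follow up with the department-head survey.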
What AI is doing to the shadow stack
The average large enterprise is now operating 2,191 applications, and more than 61% of discovered applications are not formally approved or overseen by IT teams.
AI tools are the fastest-growing category of shadow spend, with spending on AI-native SaaS increasing 108% year over year (Zylo, 2026). Most of that growth is happening outside IT’s purview: employees are adding AI writing tools, research assistants, coding tools, and productivity tools on personal or departmental cards faster than procurement processes can accommodate.
The shadow stack problem that took three years to build through general SaaS adoption is being recreated in twelve months through AI tool adoption. The audit procedure above captures it, but only if it is run now. Every month of delay adds more trial conversions, former employee accounts, and overlapping tools that become harder to consolidate.
The governance change that prevents recurrence
Running the audit solves the current problem; preventing the next one requires one structural change: any recurring software expenditure above a defined threshold (typically $100 to $200 per month) requires IT registration before the first billing cycle.
Departments can still buy the tools they need. The requirement is registration: before the first billing cycle, the tool goes into IT’s software inventory, a renewal alert is set, and the subscription is added to the next contract review cycle. The shadow stack stops forming because there is no purchasing path that bypasses the inventory.
The threshold needs calibration before rollout. Too low and you create unnecessary friction for small tools; too high and the most expensive shadow spend continues to accumulate below it. Most organizations that implement this policy successfully set the initial threshold at $100 to $150 per month and adjust based on what the first year’s audit data reveals.
WAYF surfaces shadow stack problems as part of the estate mapping process that precedes every transformation engagement. If your organization has not run a software audit in the past 12 months, the shadow stack is almost certainly larger than you think.
FAQ
- What is shadow IT?
Shadow IT refers to software, tools, and services used by employees without the knowledge or approval of the IT department. In the SaaS era, shadow IT is overwhelmingly cloud-based: subscriptions purchased on department cards, free trials that converted to paid plans, and tools adopted by individuals or teams without formal procurement. Shadow IT creates financial waste, security blind spots, and compliance risk.
- How much does shadow IT cost the average company?
In our experience, a mid-market organization typically carries six figures of recoverable annual SaaS spend. Larger organizations waste an average of $21 million per year (Zylo, 2025). Flexera's 2025 State of the Cloud report puts average cloud spend waste at 27% of total cloud budget. For a company spending $5 million annually on software, that is approximately $1.35 million in waste, most of which is in tools that are unused, redundant, or forgotten.
- How do you find shadow IT in your organization?
The most reliable method is cross-referencing three data sources: IT's software inventory, finance's expense categorization for recurring software charges, and departmental budget line items. Items appearing in finance data but not in IT's inventory are shadow spend. Items in IT's inventory with no active usage in the past 30 days are waste candidates. The gap between these sources is the shadow stack.
- What is the difference between shadow IT and SaaS sprawl?
Shadow IT refers specifically to tools used without IT's knowledge or approval. SaaS sprawl is the broader problem of uncontrolled SaaS growth, including both approved tools that are no longer used and shadow tools that were never approved. Shadow IT is a subset of SaaS sprawl. Both contribute to wasted spend; shadow IT adds security and compliance risk on top of the financial cost.
- Why do organizations underestimate their SaaS spend?
Because 70% of SaaS purchasing happens outside IT's purview, in departmental budgets, on expense reports, and through individual credit cards. Finance sees the total spend but not the breakdown. IT sees the approved inventory but not the shadow spend. Neither has a complete picture without combining their data sources. The 300% underestimation figure reflects the gap between what organizations believe they're spending on SaaS and what they're actually spending when all channels are consolidated.
WAYF includes software inventory auditing in every technology estate assessment.