Here's the uncomfortable truth: according to Gartner, roughly 40% of IT spending in most organisations happens outside of IT's view. The spreadsheet that runs billing. The personal Dropbox folder with customer contracts. The server in the broom cupboard that nobody mentioned during diligence. This is shadow IT, and in a post-acquisition environment it's not just an annoyance; it's a material risk.
The pattern is remarkably consistent. You inherit what's documented: the accounting software, the CRM, the phone system. But beneath that visible layer sits an invisible infrastructure of personal workarounds, forgotten subscriptions, and business-critical processes running on tools nobody approved. The billing manager has been using a 15-year-old Access database "just until the new system comes in." The warehouse foreman syncs delivery schedules via WhatsApp. The operations lead uploads sensitive client data to a personal Google Drive because the corporate file server is "too slow."
These aren't accidents. They're rational responses to friction, complexity, or gaps in official systems. But they create hidden costs: duplicated SaaS licences, fragmented data, security holes, and workflows that break the moment someone leaves. And in the first 90 days post-close, when you're trying to unify systems and get clean consolidated reporting, shadow IT is where integration plans go to die.
This article lays out a practical framework for discovering shadow IT after acquisition, understanding what you're dealing with, and bringing it under control without alienating the team you just bought.
Why Shadow IT Is the Invisible Value Leak in M&A
Let's be direct: shadow IT leaks value in three ways: security exposure, hidden costs, and integration delay.
First, security. Every unmanaged device, unsanctioned SaaS app, or personal cloud account is a potential breach point. It's common to find acquired companies with customer payment data stored in an employee's personal OneDrive, HR records on an unlicensed Dropbox account, and sales pipelines in a shared Gmail inbox. None of this appears on an IT asset list. None of it has proper access controls or audit trails. And the moment you consolidate systems, you're liable for data that you didn't even know existed.
Second, duplicated spend. Shadow IT often means paying for the same capability multiple times. Three project management tools, four file storage subscriptions, two CRMs (one official, one built by the sales team in Airtable because "Salesforce was too complicated"). When you're rolling up five companies, this compounds quickly. You inherit not just systems, but the licensing chaos beneath them.
Third, integration friction. The most painful discovery comes when you try to consolidate reporting or migrate data. You assume customer records live in the CRM. Then you find out half the sales team maintains "their version" in Excel because they don't trust the CRM data quality. Or the finance director has rebuilt the entire chart of accounts in Google Sheets because the legacy ERP couldn't produce the reports the board wanted. Shadow IT doesn't just add technical work; it undermines your entire integration timeline because nobody told you what actually runs the business.
Shadow IT is a symptom. It signals gaps, friction, or mistrust in official systems. Ignoring it won't make it disappear. It'll just resurface later, usually at the worst possible moment.
What Shadow IT Looks Like in Acquired Companies
Shadow IT isn't one thing. It's a spectrum, from the innocuous (browser extensions) to the existential (business-critical databases nobody documented). Knowing what to look for is half the battle.
The Usual Suspects: Spreadsheets, SaaS, and Workarounds
The most common form of shadow IT in service-industry roll-ups: spreadsheets. Not just any spreadsheets: business-critical ones. The Excel file that tracks job completion, calculates margins, allocates technician schedules, or manages recurring maintenance contracts. These files are often shared via email, stored on personal drives, and maintained by one person who's been there for 12 years. They're undocumented, unversioned, and utterly essential.
SaaS subscriptions are the second category. Employees adopt tools that solve immediate problems: Slack for team chat when email's too slow, Trello for project tracking when the official PM tool is overkill, Dropbox for file sharing when the VPN's unreliable. These apps bypass procurement, get paid on personal credit cards (then expensed), and proliferate. By the time you acquire the company, you might have 30-40 active subscriptions that IT has never heard of.
Then there's physical infrastructure. The closet server test is real. Common discoveries include:
- On-premise servers in storage cupboards, running legacy line-of-business apps or acting as local file servers.
- USB drives with customer data, used as backup or transfer mechanisms.
- Personal laptops and tablets used for work, containing company email, files, and credentials.
- Old network-attached storage (NAS) devices set up years ago and never decommissioned.
Finally, workflow workarounds. These are the hardest to spot because they're not tech; they're behaviour. The sales rep who screenshots CRM records and shares them via WhatsApp. The finance clerk who prints reports, annotates them by hand, scans them, and emails PDFs. The operations manager who maintains a shadow org chart in PowerPoint because the HR system doesn't reflect reality. These patterns don't show up in network scans, but they define how work actually gets done.
The Hidden Cost of Invisible Systems
Shadow IT costs more than the subscription fees. The real cost is fragmentation.
Data silos kill productivity. When customer information lives in three places (CRM, spreadsheet, and someone's email), every query becomes a scavenger hunt. Reporting takes longer. Errors multiply. New hires struggle to figure out which version is "truth."
Compliance risk escalates. GDPR, data protection, industry-specific regulations: shadow IT makes compliance nearly impossible. You can't protect, audit, or delete data you don't know exists. In litigation or regulatory review, undiscovered data becomes a liability. eDiscovery processes miss shadow repositories, leaving you exposed.
Integration drag is the M&A-specific cost. You build a migration plan based on documented systems. Then, three weeks into execution, you discover the "real" customer database is a FileMaker app on someone's desktop. Your timeline slips. Your costs increase. Worst case: the acquired team loses trust because the new system doesn't support the workflows they relied on.
When to Conduct Your Shadow IT Audit
Timing matters. Conduct your shadow IT discovery immediately post-close, as part of your broader integration audit process. Waiting three months means three months of unmanaged risk, and three months for shadow systems to become even more entrenched.
Ideal window: the first 2-4 weeks after acquisition. You're already interviewing department heads, mapping workflows, and inventorying systems. Shadow IT discovery slots naturally into that process. The acquired team is still adjusting, so they're more open about "how things really work" before they learn what the new owners want to hear.
Two forcing functions make early discovery critical:
- Security baseline: You need to know what's touching your network, holding your data, and accessing your systems, immediately. Every day of delay is a day of unmanaged exposure.
- Integration planning: You can't build a credible migration roadmap if you don't know what you're migrating from. Shadow IT discoveries mid-execution derail timelines and budgets.
That said, shadow IT isn't a one-time audit. It's an ongoing discipline. Tools proliferate. Workarounds evolve. Plan for periodic re-scans: quarterly in high-change environments, annually as a minimum.
A Practical Framework for Shadow IT Discovery
Discovery is both technical and human. You need tools to scan networks and logs, and you need conversations to understand why those tools exist. Here's a practical framework that works.
Start With the People, Not the Tech
The fastest way to uncover shadow IT: ask the people doing the work.
Structured interviews with department heads and key operators will surface 70% of shadow IT in the first week. Questions to ask:
- "Walk me through your Monday morning routine. What systems do you open?"
- "If I turned off [official system], what would break?"
- "What tools did you adopt because the official system couldn't do X?"
- "Which spreadsheets or files would cause chaos if they disappeared?"
This isn't an interrogation. Frame it as process understanding, not compliance enforcement. People will tell you about workarounds if they believe you're trying to support them, not punish them. The warehouse manager who built the delivery tracker in Excel isn't a rogue actor; he's someone who solved a problem when IT couldn't.
Also interview IT, or the person acting as IT. In small acquisitions, "IT" might be the office manager, the bookkeeper's nephew, or an external MSP who comes in twice a month. They'll know where the bodies are buried: the forgotten server, the app that "just works" so nobody touches it, the licences paid on the founder's personal credit card.
Map Data Flows and Dependencies
Once you've surfaced the obvious tools, map how data moves between them.
Trace the flow of key business objects: customer records, job tickets, invoices, employee information. Where does data originate? Where does it get copied, transformed, or aggregated? What breaks if one link in the chain disappears?
Common patterns include:
- CRM → Spreadsheet → Accounting system: Sales entered in CRM, exported weekly to Excel for margin calculations, then manually keyed into the accounting system.
- Email → File share → Local desktop: Customer contracts arrive via email, saved to a shared drive, then copied to the finance director's laptop for "safekeeping."
- Paper → Scan → Personal cloud: Field technicians complete job sheets on paper, office staff scan them, then upload PDFs to a personal Google Drive because the company file server is "too complicated."
These dependency maps reveal two things: what's business-critical (high usage, many downstream dependencies), and what's redundant (parallel workflows that duplicate effort).
Technical tools help here. Network traffic analysis and firewall logs show which cloud services are being accessed. Endpoint agents can inventory installed software. SaaS discovery platforms (like BetterCloud, Torii, or Zylo) scan SSO logs, browser traffic, and expense data to surface subscriptions. But tools alone miss context, which is why you start with people.
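To make the log-based side of discovery concrete, here is an added example (not code from the article or from any of the platforms named above) that scans proxy or firewall log lines for known SaaS domains and reports which unsanctioned services are in use, by how many users and with how much traffic. The log line format, the domain catalogue and the sanctioned list are all constructed assumptions; a real run would use the acquired company's own proxy export and the acquirer's approved-app list.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (timestamp user destination-host bytes);
# the format is an assumption, not any real product's export.
SAMPLE_LOG = """\
2024-03-04T09:01:12Z alice sharepoint.example-corp.com 10234
2024-03-04T09:02:40Z bob dropbox.com 884211
2024-03-04T09:03:05Z carol drive.google.com 55120
2024-03-04T09:05:18Z bob api.trello.com 2048
2024-03-04T09:07:51Z dave www.dropbox.com 132000
2024-03-04T09:09:00Z erin web.whatsapp.com 9011
"""

# Assumed catalogue of SaaS domains, and the set the acquirer has approved.
SAAS_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "trello.com": "Trello",
    "whatsapp.com": "WhatsApp Web",
}
SANCTIONED = {"Google Drive"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Yield (user, host, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).lower(), int(m.group(4))

def match_service(host):
    """Map a host to a catalogue name, walking up parent domains."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        name = SAAS_CATALOGUE.get(".".join(parts[i:]))
        if name:
            return name
    return None

def discover_unsanctioned(log_text):
    """Return {service: {"users": set, "bytes": int}} for unapproved SaaS."""
    found = defaultdict(lambda: {"users": set(), "bytes": 0})
    for user, host, nbytes in parse_log(log_text):
        service = match_service(host)
        if service and service not in SANCTIONED:
            found[service]["users"].add(user)
            found[service]["bytes"] += nbytes
    return dict(found)

if __name__ == "__main__":
    for svc, info in sorted(discover_unsanctioned(SAMPLE_LOG).items()):
        print(f"{svc}: {len(info['users'])} users, {info['bytes']} bytes")
```

The user count and traffic volume per service feed straight into the "who uses it" and "risk level" fields of the inventory described in the next section.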
Catalogue, Classify, and Decide
Finally, build a structured inventory. For every shadow IT asset, document:
- What it is: Tool name, version, hosting (cloud/on-prem/desktop).
- Who uses it: Individual, team, department, or company-wide.
- What it does: Business process or workflow it supports.
- Data sensitivity: What data it holds (PII, financial, operational, none).
- Risk level: Security posture, compliance gaps, business continuity risk.
Then classify each asset:
- High risk: Holds sensitive data, lacks security controls, or is business-critical but unsupported. Immediate action required.
- Medium risk: Redundant or overlapping with approved tools, or low-security apps with moderate usage. Plan migration or formalisation.
- Low risk: Personal productivity tools with no sensitive data and minimal business impact. Monitor or tolerate.
This classification drives prioritisation. You can't fix everything at once. Focus on high-risk shadow IT first: migrate, secure, or decommission. Medium-risk items go into your 90-day integration roadmap. Low-risk tools can often be left alone or addressed opportunistically.
What to Do With What You Find
Discovery is only half the job. Now you need to decide what stays, what goes, and how to manage the transition without causing rebellion.
Migrate, Tolerate, or Sunset
Three options for every shadow IT asset:
1. Migrate to approved alternatives.
If the shadow tool solves a real need and there's an enterprise equivalent, migrate the data and users. Personal Dropbox becomes corporate Google Drive or SharePoint. The Excel-based job tracker becomes a module in your ERP or a lightweight workflow tool. The key: make the new system better than the workaround, or at least equally convenient. If the approved tool is slower, harder, or missing features, adoption will fail and shadow IT will reappear.
2. Tolerate with oversight.
Some shadow IT isn't worth fighting. The marketing manager's Canva subscription, the sales rep's personal CRM plugin, the operations lead's preferred note-taking app: if they're low-risk and low-cost, let them continue but bring them under governance. Formalise the subscription (move payment to corporate), ensure data export capability, and document the dependency. This pragmatic tolerance signals that you're not interested in control for its own sake.
3. Sunset and replace.
High-risk or redundant shadow IT must be decommissioned. The unsecured file server, the compliance-violating cloud storage, the overlapping SaaS subscriptions: plan a clear migration path, set a sunset date, and communicate it early. This is where the Sunset Policy becomes essential: define the criteria for shutdown (e.g., "all file shares must meet encryption and access control standards by day 90"), communicate timelines, and enforce them. Without a deadline, "temporary" dual-running becomes permanent.
The decision framework:
- Business-critical + high-risk = migrate or secure urgently.
- Business-critical + low-risk = tolerate with governance.
- Redundant or high-risk + low-usage = sunset.
Document Everything Before You Turn Anything Off
Before you decommission any shadow IT asset (server, app, or spreadsheet), document it thoroughly.
Capture:
- What it does and who depends on it (process description, user list).
- Data it contains (export a full backup, even if you think it's redundant).
- Access credentials and configuration (admin logins, API keys, integration points).
- Migration or replacement plan (what system takes over, when, and who's responsible).
Why? Because you'll be wrong about something. The "unused" server will turn out to host a critical report. The "personal" spreadsheet will be the only record of a customer contract term. The decommissioned app will be the only place a particular dataset lives. Documentation and backups are your insurance policy.
Also, communicate the change to affected users before you flip the switch. Explain why the change is happening, what the new process is, and who to contact for help. The worst integration failures aren't technical; they're cultural. Teams that feel blindsided, ignored, or punished for "doing something wrong" become hostile to all future changes. A two-minute conversation and a one-week notice period can prevent months of resentment.
Shadow IT Is a Signal, Not a Crime
Shadow IT is not a rogue actor problem. It's a signal. When people adopt unsanctioned tools, they're telling you that official systems aren't meeting their needs, whether that's speed, simplicity, functionality, or reliability. Treating shadow IT discovery as a compliance crackdown misses the point and alienates the very people you need onside for integration to succeed.
The goal isn't control for its own sake. It's visibility, risk management, and operational coherence. You need to know what's running the business so you can protect it, integrate it, and improve it. That requires both technical discovery tools and human conversations, and the judgment to distinguish between must-fix risks and pragmatic tolerances.
In the first 90 days post-acquisition, shadow IT discovery should sit alongside your broader integration audit: system inventory, data quality assessment, and workflow mapping. The earlier you surface these hidden dependencies, the fewer surprises derail your integration timeline.
Shadow IT will never fully disappear. As long as official systems have friction, people will find workarounds. The question isn't whether shadow IT exists; it's whether you know about it, whether it's managed, and whether it's creating unacceptable risk. That's the difference between integration debt and integration discipline.
Frequently Asked Questions
What is shadow IT and why is it a risk after acquisition?
Shadow IT refers to unauthorised systems, apps, and tools used outside of IT's oversight, such as personal spreadsheets, unsanctioned SaaS subscriptions, or undocumented servers. Post-acquisition, it creates security vulnerabilities, hidden costs, and delays integration by hiding business-critical processes that aren't documented during due diligence.
When should you conduct shadow IT discovery after acquiring a company?
Shadow IT discovery should begin immediately post-close, ideally within the first 2–4 weeks of acquisition. Early detection is crucial for establishing a security baseline, identifying hidden systems before integration planning, and preventing unmanaged exposure whilst the acquired team is still open about actual workflows.
How can you effectively discover shadow IT in an acquired company?
Start with structured interviews with department heads and key operators, asking how work actually gets done. Then map data flows and dependencies between systems. Supplement conversations with technical tools like network traffic analysis, endpoint software inventory scans, and SaaS discovery platforms to identify unsanctioned applications and subscriptions.
What are the most common types of shadow IT found in acquisitions?
The most common shadow IT includes business-critical spreadsheets for tracking operations, unsanctioned SaaS subscriptions like Dropbox or Trello, undocumented on-premise servers in storage cupboards, personal devices used for work, and informal workflow workarounds such as WhatsApp for sharing sensitive data instead of approved systems.
Should all shadow IT be eliminated after acquisition?
No. Shadow IT should be classified as migrate, tolerate, or sunset based on risk and business value. Low-risk personal productivity tools can be tolerated with oversight. Business-critical tools should migrate to approved alternatives. Only high-risk or redundant systems need immediate decommissioning with clear communication and replacement plans.
How does shadow IT impact M&A integration timelines and costs?
Shadow IT undermines integration by hiding the systems that actually run the business. When undocumented databases, spreadsheets, or workflows are discovered mid-migration, project timelines slip, costs increase, and data consolidation becomes more complex. Integration plans built on incomplete information frequently fail or require expensive rework.