July 10, 2026 By Tim Rice Strategy

Ask most third-party risk teams for their vendor list and they will hand you a spreadsheet of a few hundred companies that went through procurement. Ask their identity or network team what SaaS applications employees are actually signing into, and the number is usually several times larger. That gap has a name. Shadow SaaS is the set of applications your people adopted on their own, with a corporate email and a credit card or just a free tier, that never touched your intake process, your security questionnaire, or your contract review.

It is easy to wave this away as a shadow IT problem for someone else to solve. It is not. Every one of those apps is a third party holding or touching company data, and not one of them has been risk assessed. Research from Productiv has found that roughly half of enterprise SaaS applications are effectively unmanaged, with no owner tracking their security or compliance, and BetterCloud's work puts the average company at around 100 SaaS applications with a growing share carrying embedded AI. The vendors you assessed are the tip. Shadow SaaS is the rest of the iceberg.

Why Shadow SaaS Is a TPRM Problem, Not Just an IT One

The instinct is to treat unsanctioned apps as a policy violation to be stamped out. That misses the point. People adopt these tools because they help them work, and blanket bans mostly push the behavior further underground. The productive response is the same one TPRM already applies to sanctioned vendors: find them, understand the data they touch, assess the risk, and make a deliberate decision to approve, restrict, or remove.

Shadow SaaS also overlaps heavily with the AI problem. Many of the apps employees bring in are AI tools, or ordinary SaaS products that quietly added AI features, which is the exact risk we covered in shadow AI in your vendor stack. An unsanctioned app that pipes documents to a large language model is both shadow SaaS and shadow AI at once. Governing the container gets you closer to governing the AI inside it.

The hard part has never been the will to assess these apps. It has been visibility. You cannot risk-assess a vendor you do not know exists, and traditional discovery methods, expense reports and casual survey, miss most of it. This is where SaaS discovery tooling and TPRM finally meet.

Discovery, Onboarding, and Enforcement in One Place

FairTPRM version 2.6.2 adds a Shadow SaaS module built around a simple idea: the same platform that manages your assessed vendors should also surface the ones you have not assessed yet, and give you a path to bring them under control. It does this by integrating with tools that already see this activity.

Grip Security and Hero Security feed SaaS discovery and identity data into FairTPRM, so unmanaged applications, and the users behind them, show up alongside your managed vendors. Zscaler integration closes the loop on enforcement: for organizations that run Zscaler, unapproved shadow SaaS can be blocked directly from within the FairTPRM framework, so a risk decision becomes an enforced control rather than a note in a report.

FairTPRM Shadow SaaS discovery screen showing 235 discovered applications, 229 pending review, and a table of unmanaged SaaS apps with risk scores, categories, user counts, and onboard, deny, and dismiss actions.
The Shadow SaaS module in FairTPRM v2.6.2. Discovered applications appear with a risk score, category, user count, and a risk type that flags whether an app is sanctioned and whether it uses AI. Each entry can be onboarded as a vendor, denied, or dismissed, and the Zscaler action pushes enforcement to the network. Click to enlarge.

The screen above is the heart of the workflow. Discovered apps arrive in a Pending state with a risk score and a category, and a risk type column that does double duty by flagging both whether an app is sanctioned and whether it carries AI features. From there a TPRM analyst can triage: onboard the ones that matter into the full vendor lifecycle, deny or dismiss the ones that do not, and, where Zscaler is connected, block the ones that should not be in the environment at all. The point is that discovery, assessment, and enforcement live in a single place, rather than scattered across a SaaS management tool, a spreadsheet, and a firewall change request.

From a discovered app to a governed vendor

Onboarding is what separates this from yet another discovery dashboard. When an analyst onboards a shadow SaaS entry, it becomes a first-class vendor in FairTPRM, ready for tiering, a security questionnaire, FAIR-based risk quantification, and ongoing monitoring, the same treatment any procured vendor receives. Shadow SaaS stops being a list of unknowns and becomes part of the managed portfolio. That is the difference between knowing you have a problem and actually closing it.

Seeing the Users, and the Incidents, Behind an App

Discovery at the application level answers what. Governing risk means also answering who, and how exposed. Because the Grip integration brings in identity data, FairTPRM can drill from an application down to the specific users touching it, including how they authenticate and whether they are covered by single sign-on.

FairTPRM detail view for the app Indeed showing 24 users observed by Grip who may be affected by a Grip-detected security incident, with each user's org unit, manager, authentication method, single sign-on status, event dates, and platform.
Drilling into a discovered app. Here Grip has flagged 24 users potentially affected by a security incident involving the application, with each user's authentication method and single sign-on status. Users signing in with standalone credentials rather than SSO stand out immediately as higher risk. Click to enlarge.

This view matters for two reasons. First, it turns an abstract risk ("employees use this app") into a concrete, scoped one ("these 24 people use it, most of them without single sign-on"). Second, when a discovery partner like Grip detects a security incident affecting an application, FairTPRM can show exactly which of your users fall inside the blast radius, which is precisely the information an incident responder needs and rarely has at hand. Accounts that authenticate with standalone credentials instead of SSO are the ones to worry about first, and here they are impossible to miss.

Fitting Shadow SaaS Into the TPRM Lifecycle

None of this replaces good third-party risk practice. It feeds it. The shadow SaaS workflow slots cleanly into the lifecycle you already run.

Stage What happens with shadow SaaS
Discover Grip and Hero surface unmanaged apps and the identities using them, so unknown third parties become visible
Triage and tier Each app gets a risk score, category, and user count, so analysts can prioritize by data sensitivity and reach
Onboard or deny High-value apps become managed vendors with questionnaires and monitoring; the rest are denied or dismissed
Enforce With Zscaler connected, unapproved apps can be blocked from within FairTPRM, turning a decision into a control
Monitor Onboarded apps are reassessed on a cycle, and incident signals from discovery partners flag affected users

The governance backbone stays the same. Assess shadow SaaS against the frameworks you already use, extend your questionnaires with the AI-specific questions that many of these apps now demand, and hold the higher-risk ones to a recognized bar like the NIST AI RMF or ISO/IEC 42001 where AI is involved. Shadow SaaS is not a new discipline. It is the part of your existing vendor population that was invisible, finally made visible and actionable.

TPRM Lesson Learned: Shadow SaaS is third-party risk you already own but have never assessed. The barrier was never willingness, it was visibility, and the fix is to connect discovery, assessment, and enforcement in one workflow. FairTPRM v2.6.2 does this by pulling SaaS and identity discovery from Grip and Hero into the same platform that runs your vendor assessments, letting teams onboard the apps that matter into the full vendor lifecycle, and, for organizations on Zscaler, block the ones that should not be there at all. The result is fewer unknowns, faster incident scoping down to the affected users, and a vendor portfolio that reflects what your organization actually runs rather than only what went through procurement.

Protect Your Organization from Third-Party Risk

Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.

Free Demo Download Source

Sources & References

  1. Grip Security: SaaS identity risk management - Grip Security
  2. Hero Security - herosecurity.ai
  3. Zscaler: Zero Trust Exchange - Zscaler
  4. State of SaaS 2024: unmanaged apps and SaaS sprawl - Productiv, 2024
  5. State of SaaS: SaaS application and AI statistics - BetterCloud, 2025
  6. Cost of a Data Breach Report 2025 (shadow AI findings) - IBM, July 30, 2025