Ask most third-party risk teams for their vendor list and they will hand you a spreadsheet of a few hundred companies that went through procurement. Ask their identity or network team what SaaS applications employees are actually signing into, and the number is usually several times larger. That gap has a name. Shadow SaaS is the set of applications your people adopted on their own, with a corporate email and a credit card or just a free tier, that never touched your intake process, your security questionnaire, or your contract review.
It is easy to wave this away as a shadow IT problem for someone else to solve. It is not. Every one of those apps is a third party holding or touching company data, and not one of them has been risk assessed. Research from Productiv has found that roughly half of enterprise SaaS applications are effectively unmanaged, with no owner tracking their security or compliance, and BetterCloud's work puts the average company at around 100 SaaS applications with a growing share carrying embedded AI. The vendors you assessed are the tip. Shadow SaaS is the rest of the iceberg.
Why Shadow SaaS Is a TPRM Problem, Not Just an IT One
The instinct is to treat unsanctioned apps as a policy violation to be stamped out. That misses the point. People adopt these tools because they help them work, and blanket bans mostly push the behavior further underground. The productive response is the same one TPRM already applies to sanctioned vendors: find them, understand the data they touch, assess the risk, and make a deliberate decision to approve, restrict, or remove.
Shadow SaaS also overlaps heavily with the AI problem. Many of the apps employees bring in are AI tools, or ordinary SaaS products that quietly added AI features, which is the exact risk we covered in shadow AI in your vendor stack. An unsanctioned app that pipes documents to a large language model is both shadow SaaS and shadow AI at once. Governing the container gets you closer to governing the AI inside it.
The hard part has never been the will to assess these apps. It has been visibility. You cannot risk-assess a vendor you do not know exists, and traditional discovery methods, expense reports and casual survey, miss most of it. This is where SaaS discovery tooling and TPRM finally meet.
Discovery, Onboarding, and Enforcement in One Place
FairTPRM version 2.6.2 adds a Shadow SaaS module built around a simple idea: the same platform that manages your assessed vendors should also surface the ones you have not assessed yet, and give you a path to bring them under control. It does this by integrating with tools that already see this activity.
Grip Security and Hero Security feed SaaS discovery and identity data into FairTPRM, so unmanaged applications, and the users behind them, show up alongside your managed vendors. Zscaler integration closes the loop on enforcement: for organizations that run Zscaler, unapproved shadow SaaS can be blocked directly from within the FairTPRM framework, so a risk decision becomes an enforced control rather than a note in a report.
The screen above is the heart of the workflow. Discovered apps arrive in a Pending state with a risk score and a category, and a risk type column that does double duty by flagging both whether an app is sanctioned and whether it carries AI features. From there a TPRM analyst can triage: onboard the ones that matter into the full vendor lifecycle, deny or dismiss the ones that do not, and, where Zscaler is connected, block the ones that should not be in the environment at all. The point is that discovery, assessment, and enforcement live in a single place, rather than scattered across a SaaS management tool, a spreadsheet, and a firewall change request.
From a discovered app to a governed vendor
Onboarding is what separates this from yet another discovery dashboard. When an analyst onboards a shadow SaaS entry, it becomes a first-class vendor in FairTPRM, ready for tiering, a security questionnaire, FAIR-based risk quantification, and ongoing monitoring, the same treatment any procured vendor receives. Shadow SaaS stops being a list of unknowns and becomes part of the managed portfolio. That is the difference between knowing you have a problem and actually closing it.
Seeing the Users, and the Incidents, Behind an App
Discovery at the application level answers what. Governing risk means also answering who, and how exposed. Because the Grip integration brings in identity data, FairTPRM can drill from an application down to the specific users touching it, including how they authenticate and whether they are covered by single sign-on.
This view matters for two reasons. First, it turns an abstract risk ("employees use this app") into a concrete, scoped one ("these 24 people use it, most of them without single sign-on"). Second, when a discovery partner like Grip detects a security incident affecting an application, FairTPRM can show exactly which of your users fall inside the blast radius, which is precisely the information an incident responder needs and rarely has at hand. Accounts that authenticate with standalone credentials instead of SSO are the ones to worry about first, and here they are impossible to miss.
Fitting Shadow SaaS Into the TPRM Lifecycle
None of this replaces good third-party risk practice. It feeds it. The shadow SaaS workflow slots cleanly into the lifecycle you already run.
| Stage | What happens with shadow SaaS |
|---|---|
| Discover | Grip and Hero surface unmanaged apps and the identities using them, so unknown third parties become visible |
| Triage and tier | Each app gets a risk score, category, and user count, so analysts can prioritize by data sensitivity and reach |
| Onboard or deny | High-value apps become managed vendors with questionnaires and monitoring; the rest are denied or dismissed |
| Enforce | With Zscaler connected, unapproved apps can be blocked from within FairTPRM, turning a decision into a control |
| Monitor | Onboarded apps are reassessed on a cycle, and incident signals from discovery partners flag affected users |
The governance backbone stays the same. Assess shadow SaaS against the frameworks you already use, extend your questionnaires with the AI-specific questions that many of these apps now demand, and hold the higher-risk ones to a recognized bar like the NIST AI RMF or ISO/IEC 42001 where AI is involved. Shadow SaaS is not a new discipline. It is the part of your existing vendor population that was invisible, finally made visible and actionable.
Protect Your Organization from Third-Party Risk
Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.
Free Demo Download SourceSources & References
- Grip Security: SaaS identity risk management - Grip Security
- Hero Security - herosecurity.ai
- Zscaler: Zero Trust Exchange - Zscaler
- State of SaaS 2024: unmanaged apps and SaaS sprawl - Productiv, 2024
- State of SaaS: SaaS application and AI statistics - BetterCloud, 2025
- Cost of a Data Breach Report 2025 (shadow AI findings) - IBM, July 30, 2025