Managing SaaS Sprawl - Overbought Apps, Shadow IT, and AI

How are companies still adding 15 new apps a month and uncovering hundreds more hidden tools? Explore three forms of SaaS sprawl, including overbought licenses, unmanaged apps, and fast-rising shadow AI. Discover how continuous monitoring, automated right-sizing, and smarter approvals cut waste, reduce risk, streamline renewals, and protect data across fast-changing stacks.
In this video, John Baker and Uri Haramati, Torii’s CEO and co-founder, share fresh research and a practical response guide. See how adoption jumped from 13 to 15 apps per month, why companies end up with hundreds, and what signals reveal hidden usage across SSO logs, email signups, payments, and browser extensions. Uncover steps to eliminate waste, classify and contain shadow AI, and speed safe approvals, a must-watch for IT, finance, and security teams battling sprawl now.
This article was originally a video (YouTube link here). Below is the full transcript:
I’m John Baker, and I’m here with Uri. Today we’ll be talking about the SaaS sprawl response guide and reviewing first-party research from Torii on SaaS proliferation, AI, and shadow IT.
A few housekeeping notes: we cannot see or hear you. Please submit questions through the question box. We are simulcasting to LinkedIn, where you can ask questions in the comment section, and we will try to save time at the end to address questions.
At a high level, we will define three specific forms of SaaS sprawl identified in our research, discuss tactics and techniques that IT professionals can use to address them, and conclude with a question and answer session.
A brief introduction to Uri: he is a serial entrepreneur and co-founder of Torii, and he identified issues with SaaS management back in 2017. He brought his passion for building to Torii to help IT teams gain better visibility and control over their technology ecosystems.
We have been tracking SaaS adoption and usage since 2017. Before the pandemic, companies were adopting about 13 new apps per month on average; during the pandemic the rate increased, and it has remained higher, at roughly 15 new applications per month.
Polls and estimates vary widely because defining an app is not straightforward. Do you count monthly active use, API usage, or paid licenses that go unused? Our methodology counts apps that are identified in a company as being paid for, being used, or having an account; that is the number organizations should be paying attention to.
Many people guessed lower numbers in our poll, but our research shows companies frequently have hundreds of cloud apps. This number grows as companies scale, and even small teams can end up with dozens of applications. Apps are being adopted across the organization, not only by IT.
We categorize SaaS sprawl into three types. The first is sanctioned, overbought apps, which are known to procurement and IT but are underutilized. The second is individual unmanaged apps, often called shadow IT, which are purchased or adopted without IT or finance oversight. The third is shadow AI, the rapid rise of AI-based tools adopted from the bottom up.
Sanctioned, overbought apps are typically known to the organization, but they reflect a coordination problem. People migrate to other tools, licenses go unused, and these issues often go off radar. Overbuying impacts finance and efficiency, but it is manageable with the right processes.
To address overbought apps, start with continuous monitoring that goes beyond manually checking admin consoles. Right-sizing is critical, and it must be automated at scale. Prioritize actions, communicate with users before reclaiming licenses, and prepare data-driven strategies for renewals to maximize savings.
Unmanaged apps often have minimal friction for onboarding and can be adopted by a single user to improve productivity. They can augment workflows, but they also introduce inefficiencies when teams duplicate work across different tools, and they create spend leakage when paid apps are bypassed.
Shadow IT can be the good, the bad, and the ugly. The good is improved productivity and innovation. The bad is wasted spend and fragmented workflows. The ugly is security exposure when sensitive data is routed through unmanaged tools, or when those tools integrate with critical systems.
Blocking shadow IT entirely is unrealistic. The goal should be to bring it into the light and manage it. That means detecting usage, educating users, automating discovery and approval workflows, and setting clear expectations about which tools require legal, finance, or IT review.
We observed a significant increase in AI-based tools being adopted as shadow apps. Many of the most commonly discovered shadow apps contain AI, and a large portion of these apps are unmanaged. This creates a new vector of sprawl with distinct data security and compliance risks.
AI tools can seem harmless, such as meeting summarizers, but meetings often contain customer or confidential information. Users may not opt out of model training, and content generation tools may conflict with brand voice or legal constraints. These factors elevate the risk profile of AI tools compared with other shadow apps.
There are also managed, pure-play AI tools being adopted quickly, including general-purpose models and APIs. The pace of adoption has accelerated because these tools can be integrated easily and used in diverse workflows.
To mitigate shadow AI risk, detect whether new apps incorporate AI and classify them accordingly. Decide whether you need to control training data, restrict access to certain data types, or require opt-out settings. Develop clear policies in collaboration with legal, and establish expedited review processes for AI tools so adoption can proceed safely and quickly.
Key takeaways: SaaS sprawl is increasing, and generative AI has introduced a new bottom-up adoption vector. The most common forms of sprawl are overbought sanctioned apps, unmanaged apps, and shadow AI. Conventional discovery methods, such as surveying employees, are insufficient. Visibility is the prerequisite for effective management.
If you can only start with one action, begin with discovery: identify everything being used, who is using it, how much is being paid, and how it connects to critical systems. From there, generate insights and automate responses to reduce cost, secure data, and streamline governance.
For discovery, combine multiple data sources rather than relying on a single method. Useful signals include single sign-on logs, corporate email signups, payment and reimbursement records, integrations into collaboration platforms, API connections, and browser extension telemetry. Compiling these signals creates a more complete picture of the SaaS landscape.
Thank you for joining. We will send a link to the benchmark report to registrants, and you can view it at ToriiHQ.com/benchmark. We have additional webinars planned covering SaaS maturity, tactical processes, cyber security frameworks, and data mapping for compliance. Please check ToriiHQ.com/webinars for upcoming sessions.
Frequently Asked Questions
Start with discovery: inventory apps and who uses them. Implement continuous monitoring, automated right-sizing, and prioritized license reclamation. Add approval workflows and classify shadow AI for legal review. Repeat discovery and automate responses to cut cost, secure data, and streamline renewals.
Use multiple indicators: single sign-on logs, corporate email signups, payment and reimbursement records, API connections, collaboration integrations, and browser extension telemetry. Correlate these signals to detect accounts, unpaid subscriptions, and shadow usage across teams and devices.
Continuously monitor license utilization, automate right-sizing at scale, and prioritize reclaiming unused seats. Notify users before reclamation, consolidate duplicate tools, and use renewal data to negotiate or cancel redundant subscriptions to achieve measurable savings.
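One way to implement the monitoring and right-sizing described in this answer and in the transcript, as an added example that is not the page's or Torii's code: given constructed contract data (seats purchased, cost per seat) and a constructed identity-provider export of each assigned user's last successful login, it counts unassigned seats, flags users idle beyond a threshold, schedules the user notification ahead of reclamation, and ranks apps by recoverable monthly spend so the largest savings are worked first. The data shapes, the 60-day inactivity and 14-day notice thresholds, and all sample values are assumptions.

```python
"""Right-size SaaS licenses from seat counts and last-activity data (constructed sample data)."""
from datetime import date, timedelta

# Constructed contract data per app: seats purchased and monthly cost per seat (USD).
CONTRACTS = {
    "Slack": {"seats": 10, "cost_per_seat": 12.50},
    "Salesforce": {"seats": 5, "cost_per_seat": 75.00},
}
# Constructed identity-provider export: last successful login per assigned user.
LAST_ACTIVITY = {
    "Slack": {
        "alice@example.com": date(2024, 6, 28),
        "bob@example.com": date(2024, 4, 1),
        "carol@example.com": date(2024, 3, 15),
        "dave@example.com": date(2024, 6, 10),
    },
    "Salesforce": {
        "carol@example.com": date(2024, 6, 30),
        "erin@example.com": date(2024, 1, 20),
    },
}
TODAY = date(2024, 7, 1)  # fixed so the example is reproducible


def right_size(contracts, last_activity, today, inactive_days=60, notice_days=14):
    """For each app: unassigned seats, users idle longer than the threshold, and a
    notify-then-reclaim schedule, with the monthly spend those seats represent."""
    cutoff = today - timedelta(days=inactive_days)
    plan = {}
    for app, contract in contracts.items():
        assigned = last_activity.get(app, {})
        inactive = sorted(u for u, last in assigned.items() if last < cutoff)
        unassigned = max(contract["seats"] - len(assigned), 0)
        plan[app] = {
            "unassigned_seats": unassigned,
            "inactive_users": inactive,
            "notify_on": today,                                 # tell users first
            "reclaim_on": today + timedelta(days=notice_days),  # then reclaim the seat
            "monthly_savings": (unassigned + len(inactive)) * contract["cost_per_seat"],
        }
    return plan


def prioritize(plan):
    """Apps ordered by recoverable monthly spend, largest first."""
    return sorted(plan, key=lambda app: plan[app]["monthly_savings"], reverse=True)


def total_monthly_savings(plan):
    """Monthly spend recoverable across all apps if every flagged seat is reclaimed."""
    return sum(p["monthly_savings"] for p in plan.values())


if __name__ == "__main__":
    plan = right_size(CONTRACTS, LAST_ACTIVITY, TODAY)
    for app in prioritize(plan):
        p = plan[app]
        print(f"{app}: {p['unassigned_seats']} unassigned, {len(p['inactive_users'])} inactive "
              f"({', '.join(p['inactive_users'])}); notify {p['notify_on']}, "
              f"reclaim {p['reclaim_on']}; ${p['monthly_savings']:.2f}/month")
    print(f"total: ${total_monthly_savings(plan):.2f}/month")
```

Unassigned seats can be released immediately; assigned-but-idle seats go through the notify date first so that a user on leave or in a quiet project phase can object before the seat is reclaimed. Running the same calculation against the renewal date gives the seat count to negotiate down to.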
Detect which tools use AI and classify risk levels. Decide training-data controls, require opt-out or encryption, restrict sensitive data access, and set expedited legal and security review paths. Apply containment, monitoring, and approved-use policies to balance speed with safety.
Discovery creates visibility needed to manage cost and risk. Start by aggregating SSO logs, payment records, email signups, integrations, and extension telemetry. Map who uses each app, usage patterns, and payment ownership to prioritize remediation and automation.
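The signal correlation described in this answer, in the earlier answer on detection, and in the transcript's discovery section, as an added example that is not the page's or Torii's code: it parses constructed SSO log lines, email signup records, expense records and browser-extension hits, maps each raw name or domain to one canonical app through a constructed catalog, merges them into a single inventory of who uses what and where it was seen, and labels apps that never appear behind SSO as unmanaged (or as shadow AI when the catalog marks them as AI tools, the classification step the shadow AI answer calls for). The log line format, the CATALOG and AI_APPS tables, and all sample data are assumptions.

```python
"""Correlate SaaS discovery signals into one inventory (constructed sample data)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed inputs. Real exports differ in shape; only the correlation logic matters.
SSO_LOG = """\
2024-05-01T09:12:03Z user=alice@example.com app=Slack result=success
2024-05-01T09:15:44Z user=bob@example.com app=Slack result=success
2024-05-02T14:02:10Z user=carol@example.com app=Salesforce result=success
2024-05-02T14:05:31Z user=mallory@example.com app=Salesforce result=failure
"""
# Signup confirmations found in corporate mailboxes: (recipient, sender domain)
EMAIL_SIGNUPS = [
    ("dave@example.com", "notion.so"),
    ("erin@example.com", "otter.ai"),
    ("alice@example.com", "slack.com"),
]
# Expense and reimbursement records: (submitter, vendor name, amount in USD)
EXPENSES = [
    ("dave@example.com", "Notion Labs", 96.0),
    ("erin@example.com", "Otter.ai", 120.0),
]
# Browser-extension telemetry: (user, SaaS domain visited)
EXTENSION_HITS = [
    ("frank@example.com", "otter.ai"),
    ("carol@example.com", "salesforce.com"),
]
# Constructed catalog: every raw name or domain a source may use -> one canonical app name.
CATALOG = {
    "slack": "Slack", "slack.com": "Slack",
    "salesforce": "Salesforce", "salesforce.com": "Salesforce",
    "notion.so": "Notion", "notion labs": "Notion",
    "otter.ai": "Otter",
}
# Constructed list of catalog apps that embed AI features (in practice, from vendor review).
AI_APPS = {"Otter"}

SSO_RE = re.compile(r"user=(?P<user>\S+) app=(?P<app>\S+) result=(?P<result>\S+)")


@dataclass
class AppRecord:
    users: set = field(default_factory=set)    # everyone seen using the app
    sources: set = field(default_factory=set)  # which signals saw it
    spend: float = 0.0                         # spend reported through expenses


def canonical(name):
    """Map a raw vendor name or domain to the catalog's canonical app name."""
    return CATALOG.get(name.strip().lower(), name.strip())


def build_inventory(sso_log=SSO_LOG, signups=EMAIL_SIGNUPS,
                    expenses=EXPENSES, hits=EXTENSION_HITS):
    """Merge all four signals into one record per app."""
    inv = defaultdict(AppRecord)
    for line in sso_log.splitlines():
        m = SSO_RE.search(line)
        if not m or m["result"] != "success":   # failed logins are not evidence of use
            continue
        rec = inv[canonical(m["app"])]
        rec.users.add(m["user"])
        rec.sources.add("sso")
    for user, domain in signups:
        rec = inv[canonical(domain)]
        rec.users.add(user)
        rec.sources.add("email")
    for user, vendor, amount in expenses:
        rec = inv[canonical(vendor)]
        rec.users.add(user)
        rec.sources.add("expense")
        rec.spend += amount
    for user, domain in hits:
        rec = inv[canonical(domain)]
        rec.users.add(user)
        rec.sources.add("extension")
    return dict(inv)


def classify(inventory):
    """'sanctioned' if the app sits behind SSO; otherwise 'shadow-ai' or 'unmanaged'."""
    labels = {}
    for app, rec in inventory.items():
        if "sso" in rec.sources:
            labels[app] = "sanctioned"
        elif app in AI_APPS:
            labels[app] = "shadow-ai"
        else:
            labels[app] = "unmanaged"
    return labels


def unmanaged_spend(inventory, labels):
    """Expense-reported spend on apps that have not been brought under SSO."""
    return sum(rec.spend for app, rec in inventory.items() if labels[app] != "sanctioned")


if __name__ == "__main__":
    inv = build_inventory()
    labels = classify(inv)
    for app, rec in sorted(inv.items()):
        print(f"{app:11} {labels[app]:11} users={len(rec.users)} "
              f"sources={sorted(rec.sources)} spend=${rec.spend:.2f}")
    print(f"spend outside SSO: ${unmanaged_spend(inv, labels):.2f}")
```

The catalog is what makes the correlation work: each source names the same product differently (an IdP app label, a sender domain, a vendor string on a receipt), so without the mapping the four signals produce four disconnected lists. An app seen by the expense system or the extension but never by SSO is the practical definition of unmanaged here, and the `shadow-ai` label is what routes it to the expedited legal and security review described above.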
Adopt light-touch governance: automated discovery, clear approval criteria, fast-track review for low-risk tools, user education, and periodic audits. Use automated approvals and containment for risky apps so teams can innovate while IT, finance, and legal retain oversight.