Most CIOs now have at least a partial view of their shadow IT problem. Whether through SaaS discovery tools, finance audits, or network analytics, you know there are far more applications in use than your official catalogue suggests. You may even have dashboards showing who is connecting to what. The question is what you do with that insight.
If the answer is limited to “block, blacklist, and send policy reminders,” you are leaving value on the table. Shadow IT data is not just a risk register; it is a map of unmet needs, poor adoption, and broken experiences across your SaaS estate. Treated well, it becomes one of the most useful inputs into your roadmap for Salesforce, Workday, Microsoft 365, Copilot, ERP, HRIS, and the long tail of line-of-business tools.
This article looks at how to make that shift. We’ll explore how to combine shadow IT telemetry with digital adoption analytics, using a DAP like Lemon Learning to prioritise where you improve workflows, where you rationalise vendors, and where you invest in better in-app guidance. The aim is to turn a messy inventory of unsanctioned tools into a disciplined plan for higher adoption, lower support costs, and better ROI on the platforms you have already bought.
The first step is to move beyond simple counts. Knowing that “we have 300 unapproved SaaS apps” is a starting point, not a strategy. You need to understand who is using those tools, for what, and how that behaviour overlaps with your sanctioned systems.
Modern SaaS management and security vendors are clear on the scale of the issue. Employees adopt unsanctioned apps primarily to get work done faster when official tools lag. IDC and others estimate that well over 40% of SaaS in a typical enterprise runs without formal IT approval. Those numbers are alarming, but they are also rich input. Each unsanctioned app is a clue about a process where users felt blocked.
To turn that into something actionable, you need basic enrichment. Group shadow IT by business unit, function, and use case. Which apps are sales using, and do they duplicate CRM or CPQ capabilities you already own? Which tools sit in HR, and do they overlap with Workday, your LMS, or collaboration platforms? Which “shadow AI” tools are being used for drafting content that Copilot or sanctioned generative AI could handle inside Microsoft 365?
Next, overlay risk. Some of these tools will handle little or no sensitive data; others will clearly touch customer, financial, or HR information. Security and compliance teams can help you prioritise, drawing on research like Reco’s analysis of the move from shadow IT to shadow AI at which highlights how quickly unsanctioned tools can create exposure when they sit next to core systems.
At this stage, many organisations stop. They have an inventory, some heatmaps, and a list of tools to block or review. But to build a roadmap, you must take one more step: connect these external behaviours to what is happening inside your sanctioned apps. That is where digital adoption analytics come in.
Once you can see where shadow IT lives and what it does, the temptation is to react tactically: block the worst offenders, clean up contracts, tighten requests. Necessary, but not sufficient. The strategic move is to treat that visibility as the front door to an adoption roadmap that improves how people use the platforms you already have.
Start by tagging each shadow IT cluster to one or more “anchor” platforms in your official stack. A niche sales enablement tool maps to Salesforce; a rogue time-tracking app maps to Workday; a personal kanban board maps to Microsoft 365 or your project portfolio tool. Your job is not to replicate every feature; it is to understand which workflows people are trying to fix and whether your standard platforms can credibly cover them.
Then, hold up a mirror to your adoption data. For each anchor platform, examine not just logins but workflow completion, feature usage, and support load. A CRM with high login counts but low opportunity hygiene and constant “how do I update this?” tickets is not adopted; it is used under duress. A Workday tenant where managers log in only for approvals, but avoid self-service options, is a magnet for side spreadsheets and untracked HR workflows.
Lemon Learning’s analytics give you a magnifying glass on this behaviour. You can see which in-app guides people trigger in Salesforce, Workday, or Microsoft 365, where they abandon flows, and what they search for in the help panel when they’re stuck. Combined with SaaS discovery insights, this lets you answer questions like: are shadow IT tools stepping in where we never provided meaningful guidance, or where the core tool is genuinely unfit?
From here, build a quarterly “shadow IT to adoption” backlog. For each domain, define a small number of plays:
Consolidate: bring a widely used shadow app under contract and SSO if it materially outperforms your current platform and you are not ready to replace it.
Replace: deprecate redundant tools by improving adoption of the core platform with in-app guidance, automation, and better configuration.
Re-architect: if both shadow and sanctioned tools are struggling, you may need a process or platform redesign, not just more training.
Each play should ship with an adoption plan, not just a change request. That means in-app walkthroughs in the affected tools, short contextual announcements, and clear “before/after” KPIs on tickets, cycle times, or data quality. Shadow IT telemetry tells you where to invest; your DAP-led adoption model turns that investment into behaviour change.
Discovery alone is not enough; you have to bake risk thinking into how you run digital infrastructure. For CIOs, that means combining observability with adoption tooling, not choosing one over the other.