REV. MAY 2026
REGISTER 2026.04 / FRAMEWORK v1 / The shadow IT cost measurement framework
How much is shadow IT costing your organization?
You cannot fix what you cannot measure. This is a framework to estimate your exposure across four cost categories with five discovery methods. Every figure on this site is either a source-cited industry statistic or a bounded calculation with adjustable assumptions.
Iceberg figure: sanctioned apps sit above the waterline (visible), shadow apps sit below it (hidden). Illustrative shadow apps below the waterline:
- Free-tier collaboration board (free tier, no SSO)
- AI writing assistant (personal credit card)
- File transfer service (team-tier, no SSO)
- Survey tool (free tier escalated)
- Integration platform (team-tier, paid by lead)
- Analytics workspace (trial that never ended)
Illustrative pseudo-records. Average enterprise app count of 269 is reported by Productiv (vendor-published, sample is Productiv customers).
Estimate annual observable shadow SaaS spend
Three inputs / one bounded range / four assumptions exposed
- low (10th percentile): $270K
- expected (50th percentile): $661K
- high (90th percentile): $1.6M
inputs: 1,000 employees, 1.5 to 3 shadow apps per employee at partial maturity, $15 to $45 per app per month. industry modifier: general mid-market baseline.
Assumptions behind this range:
apps per employee: ranges are a composite of vendor-published SaaS management telemetry (Productiv, Zylo) adjusted by SaaS management maturity. These are indicative ranges, not a measurement of your organization. See the statistics ledger.
cost per app per month: based on the observed SaaS licence cost range for team-tier subscriptions ($15 to $45). High-tier enterprise apps would push the upper bound higher; free-tier apps push the lower bound down but are covered under compliance exposure rather than spend.
what this is not: this is the observable spend category only. Breach, compliance, and operational exposure are separate categories you can estimate at /measure-your-exposure.
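As an added worked example (not the site's own estimator code), the following reproduces the three figures above from the stated inputs. It assumes the expected value is the geometric mean of the low and high bounds; the page does not state its method, but that reading is the one that yields $661K from these inputs.

```python
from math import sqrt


def shadow_spend_range(employees, apps_per_employee, cost_per_app_month, months=12):
    """Bounded annual observable shadow SaaS spend.

    apps_per_employee and cost_per_app_month are (low, high) pairs. The low
    bound multiplies the low inputs, the high bound the high inputs. The
    expected value is assumed (not stated on the page) to be the geometric
    mean of the two bounds, which reproduces the page's $661K.
    """
    apps_lo, apps_hi = apps_per_employee
    cost_lo, cost_hi = cost_per_app_month
    low = employees * apps_lo * cost_lo * months
    high = employees * apps_hi * cost_hi * months
    expected = sqrt(low * high)
    return {"low": low, "expected": expected, "high": high}


def fmt_usd(amount):
    """Round to the page's display style: $270K, $661K, $1.6M."""
    if amount >= 1_000_000:
        return f"${amount / 1_000_000:.1f}M"
    return f"${round(amount / 1_000)}K"


# Inputs as stated on the page: 1,000 employees, 1.5 to 3 shadow apps per
# employee at partial maturity, $15 to $45 per app per month.
PAGE_INPUTS = dict(employees=1000, apps_per_employee=(1.5, 3.0), cost_per_app_month=(15, 45))


def page_figures():
    """The three displayed figures, computed rather than copied."""
    return {k: fmt_usd(v) for k, v in shadow_spend_range(**PAGE_INPUTS).items()}


if __name__ == "__main__":
    for label, value in page_figures().items():
        print(f"{label:>8}: {value}")
```

Changing any one of the four inputs and re-running shows how much of the range is driven by the apps-per-employee assumption versus the price assumption.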
/ The honest caveat
"Average shadow IT cost" is a misleading question
The most widely cited figure is Gartner's 30 to 40 percent of enterprise technology spending occurring outside IT (Gartner CIO Agenda research, analyst estimate of business-led IT spending, 2019/2022). It is an analyst estimate derived from Gartner's CIO survey panel and forecasting models, with methodology only partially disclosed, not a primary measurement of any single organization.
Exposure is bimodal. Organizations with SSO enforced across the app catalog, procurement gates on expense reports, and a SaaS management platform in place look nothing like organizations without any of the three. A single average hides that bifurcation.
Measure, do not guess. The framework below is the method. The estimator above applies it to your inputs. The statistics ledger shows every public figure with its source and methodology so you know what you are anchoring to.
- 30-40% (Gartner): Gartner CIO Agenda research, analyst estimate of business-led IT spending (2019/2022)
measures: Estimated share of enterprise technology spending occurring outside the formal IT organization in large enterprises.
methodology: Analyst estimate derived from Gartner's CIO survey panel and analyst forecasting models. Not a primary measurement of any single organization. Range commonly cited as 30 to 40 percent of large-enterprise technology spending.
trust: Analyst estimate, methodology partially disclosed
source: https://www.gartner.com/en/information-technology/insights/cio-agenda
how it is used here: Analyst estimate of large-enterprise technology spending that occurs outside the IT organization.
- 269 apps (Productiv): Productiv State of SaaS Apps Report (2024)
measures: Average and median number of SaaS applications per surveyed customer organization, departmental SaaS adoption patterns, and licence usage rates.
methodology: Vendor-published. Aggregated telemetry from the Productiv platform customer base; not a representative sample of all enterprises. Sample size and methodology self-disclosed in the report.
trust: Vendor-published, methodology self-disclosed
source: https://productiv.com/state-of-saas/
how it is used here: Average number of SaaS applications across the Productiv customer base. Vendor-published; sample is Productiv customers, not a representative enterprise sample.
- $4.88M (IBM CODB): IBM Cost of a Data Breach Report 2024, research conducted by Ponemon Institute (2024)
measures: Average total cost of a data breach across surveyed organizations globally, by industry, region, and breach attribute.
methodology: Annual study by Ponemon Institute, sponsored by IBM. Activity-based costing across roughly 600 organizations that experienced a breach in the prior year. Methodology disclosed in the report appendix.
trust: Primary research, peer-reviewed or official
source: https://www.ibm.com/reports/data-breach
how it is used here: Global average total cost of a data breach, IBM 2024 report. This is a public breach benchmark, not a claim that shadow IT causes that cost.
- Up to 4% (GDPR Art 83): EU General Data Protection Regulation, Article 83 (Penalties) (2018)
measures: Maximum administrative fines under GDPR: up to 10 million euros or 2 percent of worldwide annual turnover (lower band), up to 20 million euros or 4 percent of worldwide annual turnover (upper band), whichever is higher.
methodology: Statutory text. Penalty levels are statutory caps, not typical fine values. Actual fines vary by case and jurisdiction.
trust: Official regulatory or statutory source
source: https://gdpr-info.eu/art-83-gdpr/
how it is used here: GDPR Article 83 upper-tier administrative fine, as a percentage of worldwide annual turnover. Statutory cap; actual fines vary by case.
/ Framework, part 01
Four cost categories, each measured differently
Shadow IT cost is the sum of four distinct buckets. Conflating them destroys the credibility of any board estimate. Separating them, with a named method per category, is what makes an exposure figure defensible.
- Observable spend: Unauthorized SaaS subscriptions you can audit from expense reports, SSO gap analysis, and SaaS management platforms. The most quantifiable bucket. Method: expense audit plus SSO gap.
- Probabilistic breach exposure: Annualized loss expectancy from the shadow IT contribution to breach probability. Requires explicit assumptions and public breach cost benchmarks. Method: ALE with cited breach cost.
- Compliance fine exposure: Statutory penalty ranges under GDPR, HIPAA, SOC 2, PCI DSS, and the EU AI Act when data or access controls fail. Caps cited from official sources. Method: statutory penalty caps.
- Operational overhead: Integration rework, offboarding gaps, duplicated tools, IT ticket volume. Measured from your own organization's time audit rather than claimed benchmarks. Method: internal IT time audit.
/ Framework, part 02
Discovery methods, combined for coverage
No single method finds everything. CASB misses personal browser accounts. SSO gap misses apps not using SSO. Expense audit misses free tiers. Browser inventory misses personal devices. Combining all four gets you to most of the picture, with explicit gaps documented.
- CASB and network analysis: Network-layer visibility of SaaS traffic. Strong on managed devices, blind on personal accounts.
- SSO gap analysis: Export the full app list from your IdP and cross-reference it against the approved catalog.
- Expense audit: 12 months of expense reports and corporate card data, filtered by SaaS-relevant MCC codes.
- Browser inventory plus survey: Browser extension inventory via MDM plus an amnesty-framed employee survey.
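An added example (not the site's tooling) of two of the discovery methods above, SSO gap analysis and expense audit, run over constructed sample data and merged so that each finding records which method surfaced it. The IdP export format, catalog contents, card rows and the MCC filter set are all assumptions; the three MCC values are real codes, but your card provider's merchant coding may differ.

```python
import csv
import io

# Constructed sample inputs (not from the page): an IdP application export,
# the approved catalogue, and corporate-card rows from the expense audit.
IDP_EXPORT = """app_name,owner
Slack,it
Notion,it
Trello,marketing
"""
APPROVED_CATALOG = {"slack", "notion", "jira"}
CARD_ROWS = """merchant,mcc,amount_usd,month
TRELLO.COM,7372,12.50,2026-01
SURVEYMONKEY,7372,39.00,2026-02
AIRTABLE,5734,24.00,2026-02
STARBUCKS,5814,6.40,2026-02
ZAPIER,7372,29.99,2026-03
"""
# SaaS-relevant merchant category codes (assumption: tune to your provider's
# coding): 5734 computer software stores, 7372 computer programming / data
# processing, 4816 computer network / information services.
SAAS_MCCS = {"5734", "7372", "4816"}

def sso_gap(idp_csv, approved):
    """Apps in the IdP export that are absent from the approved catalogue."""
    rows = csv.DictReader(io.StringIO(idp_csv))
    return sorted(r["app_name"] for r in rows if r["app_name"].lower() not in approved)

def expense_saas(card_csv, mccs):
    """Spend per merchant over the audited period, SaaS-relevant MCCs only."""
    totals = {}
    for r in csv.DictReader(io.StringIO(card_csv)):
        if r["mcc"] in mccs:
            totals[r["merchant"]] = round(totals.get(r["merchant"], 0.0) + float(r["amount_usd"]), 2)
    return totals

def combined_findings(idp_csv, approved, card_csv, mccs):
    """Union both methods and record which one surfaced each app, so the
    coverage gaps stay explicit: apps never federated through the IdP
    (SurveyMonkey, Airtable, Zapier here) only appear via the card data."""
    found = {}
    for app in sso_gap(idp_csv, approved):
        found.setdefault(app.lower(), set()).add("sso_gap")
    for merchant in expense_saas(card_csv, mccs):
        found.setdefault(merchant.lower().split(".")[0], set()).add("expense_audit")
    return {app: sorted(methods) for app, methods in found.items()}

if __name__ == "__main__":
    for app, methods in combined_findings(IDP_EXPORT, APPROVED_CATALOG, CARD_ROWS, SAAS_MCCS).items():
        print(f"{app:<14} found by {', '.join(methods)}")
```

An app that appears only under expense_audit is a candidate for the free-tier and non-SSO blind spots the text describes; one that appears only under sso_gap is federated but unsanctioned and costs nothing on a card, so it belongs under compliance exposure rather than spend.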
/ Full estimator
Measure your exposure across all four categories
The homepage estimator covers the observable spend category only. The full tool models all four categories and returns a combined low, expected, and high range with a CSV export for board presentations.
Open the full estimator.
Looking for execution tools? shadowitcalculator.com has audit-score, risk-score, policy generator, and approved-alternative pickers for teams actively running a discovery sprint.