Independent and vendor-neutral. Every figure on this site is either a source-cited published statistic or a reader-controlled bounded calculation. No vendor averages presented as fact.

ShadowITCost

Last verified April 2026

Method 4 of 4

Browser Extensions and Employee Survey: Closing the Last-Mile Gap

Two methods on one page because both target the same category: tools that leave no financial or SSO trail. Browser extension inventory via MDM plus an amnesty-framed survey closes most of what the other three methods miss.

The blind spot both methods target

SSO gap analysis sees what is connected to your IdP. Expense audit sees what leaves a financial trail. CASB sees what transits your managed network. None of them sees free-tier SaaS accessed from a browser with no account, meeting bots that record via personal accounts on personal devices, AI tools paid for by individual employees out of pocket, or browser extensions that interact with corporate data locally.

That gap is typically 20 to 50 percent of the app portfolio depending on the organization. Browser inventory and employee survey close most of it.

Browser extension inventory: the technical method

On managed devices, deploy browser extension inventory through Chrome Browser Cloud Management (for Google Chrome), Microsoft Edge Management Service, or the browser extension reporting capability of your MDM (Intune, Jamf, Kandji, Mosyle). Scope the data collection clearly to the extension list: extension ID, extension name, version, install date per device. Do not collect browsing history or page content.

The output is a per-device list of installed extensions. Aggregate by extension name. Map each extension to the SaaS vendor or tool category behind it. Flag categories that typically involve corporate data: AI writing assistants (Grammarly, ChatGPT extensions, Claude extensions), note-taking (Notion Web Clipper, Evernote Web Clipper), screen capture (Loom, Vidyard), meeting recording bots (Otter.ai browser, Fireflies, Fathom), scraping and data export, password managers, VPN extensions.

Prioritize extensions that interact with sensitive page content (AI assistants injecting into every page, scrapers, DOM readers) for review. These are the categories where a browser extension becomes a material data pathway.

Employee survey: the subjective method

Run a short amnesty-framed survey, ideally co-signed by a senior leader (CIO, CISO, head of division). Four anchor questions work well:

  1. What tools do you use for work that you think IT does not know about? (free text)
  2. What AI tools are you using at work? (checklist plus free text)
  3. What tools did you pay for personally that helped you do your job? (free text plus optional amount)
  4. What tool do you wish IT supported officially? (free text)

Frame it explicitly: there is no disciplinary consequence for any disclosure, and the goal is to get the tools officially supported. Visible follow-through within a month is critical; if the survey surfaces useful tools and IT then takes three months to respond, the amnesty is broken and you will not get responses next time.

Response rates and honesty

Response rate is the leading indicator of survey quality. Short, amnesty-framed, leader-endorsed surveys typically hit 30 to 50 percent response in mid-market organizations. Below 15 percent the sample is not useful. The honesty of responses depends on whether the amnesty framing is credible, which depends on visible follow-through from earlier rounds.

Response bias is real: self-selecting responders tend to be power users and early adopters, which means the survey over-weights productivity and AI tools. That bias is actually useful for shadow IT purposes because those categories are where the governance exposure is highest.

Output

Apps uniquely discovered via browser inventory or survey, not already detected by SSO or expense methods, get added to the consolidated registry with the method flagged in the 'detected by' column. Annual spend is often zero (free tier) or unknown (personal-card), which shifts the cost emphasis for these apps toward compliance exposure and breach risk rather than observable spend.

Sample survey text

"We are building a better supported set of work tools for the whole company. The first step is to know what tools teams are actually using, including tools bought outside of IT. There is no disciplinary consequence for sharing honestly. If you list a tool that is useful for your work, our goal is to get it officially supported so you don't have to expense it, hide it, or keep your data in an account that disappears if you change roles. Three short questions..."

Frequently asked questions

Why combine browser inventory and survey into one method?

Both target the same blind spot: apps that leave no financial trail and no SSO record. Browser extensions and local tools are often free, installed without IT review, and are functionally invisible to the three other methods. A survey captures the subjective layer (what employees consciously use), while browser inventory captures the objective layer (what is actually installed). Together they close most of the remaining gap after SSO and expense methods.

How do I deploy browser inventory without invading privacy?

On managed devices, use Chrome Browser Cloud Management, Microsoft Edge Management Service, or your MDM's browser extension policy. These tools report the list of installed extensions by managed device, not the user's browsing activity. Scope clearly: extension list, extension ID, version, install date. Do not collect URL history or page content. Communicate the scope to employees before deployment.

What do browser extensions tell me about shadow IT?

A lot. AI writing extensions, note-taking plugins, screen capture and recording tools, productivity add-ins, password managers, VPN extensions, meeting bots that require a browser extension to record calls, scraping tools, and data export tools are all common shadow IT categories that show up here. The extension name usually maps directly to a SaaS vendor, giving you both the 'what tool' and 'how many users' answers.

How do I run an amnesty-framed employee survey well?

Four rules: (1) state clearly that honest disclosure has no disciplinary consequence and the goal is to get useful tools officially supported; (2) keep it short (under 10 questions) with open-ended 'list any tools you use for work that you think IT does not know about' as the core question; (3) have a leader (CISO, CIO, or divisional leader) co-sign the communication so employees believe the amnesty is genuine; (4) follow through. Visibly onboard a handful of disclosed tools within a month of the survey to prove the amnesty was real.

How many responses do I need for the survey to be useful?

Response rate matters more than absolute count for this purpose. Above a 30 percent response rate, you typically get enough signal to identify the most-used hidden tools. Below 15 percent, you are measuring the bias of the responders more than the app portfolio. Short, amnesty-framed, leader-endorsed surveys typically hit 30 to 50 percent in mid-market organizations; a survey that reads as a compliance checklist often hits under 10 percent.

What is the typical incremental coverage from this method?

Practitioner experience: 20 to 50 percent of apps discovered are uniquely surfaced by browser inventory or survey and not detected by SSO gap, expense audit, or CASB. The split between browser inventory and survey varies: organizations with strong browser extension management surface more through inventory; organizations without MDM rely more heavily on survey. Either way this method is not replaceable by the other three.