Independent and vendor-neutral. Every figure on this site is either a source-cited published statistic or a reader-controlled bounded calculation. No vendor averages presented as fact.

ShadowITCost

Last verified April 2026

Interactive estimator

Estimate your organization's shadow IT exposure

Adjust the inputs, watch the four-category exposure range update, export the result to CSV. Every assumption is visible and adjustable. Every output is a range, not a point estimate.

How the tool works

You supply organizational inputs (employees, industry, SaaS management maturity, in-scope compliance frameworks) and assumption inputs (breach probability, shadow IT attribution, enforcement probability, IT team size, shadow time share). The tool computes a low, expected, and high estimate for each of the four cost categories and a combined range. Every default has a source on the statistics ledger or in the framework.

The output is bounded, not predictive. It tells you what your exposure looks like if your inputs are correct. Refining the inputs through actual measurement (expense audit, SSO gap, IT time audit) is the next step.

Your inputs

Organization
Observable spend assumptions
Breach exposure assumptions

Use your cyber insurer's rate or your threat model. Typical range: 5 to 25 percent.

Share of breach probability you attribute to shadow IT. Explicit assumption, typical range 10 to 30 percent.

Compliance enforcement assumption

Your subjective annual probability of a material enforcement action across your in-scope frameworks. Typical defensible range: 1 to 10 percent depending on sector and history.

Operational overhead

Your exposure range

Four-category combined estimate

Low

$534K

Expected

$1.20M

High

$3.37M

1. Observable spend

Expense audit + SSO gap

Low $270K / Expected $661K / High $1.62M

1,000 employees x 1.5 to 3 apps x $15 to $45 per month

2. Probabilistic breach

ALE with IBM benchmark

Low $174K / Expected $91K / High $281K

Financial services (IBM 2024) x 10% annual breach prob x 15% shadow attribution

3. Compliance fine

Statutory caps x enforcement prob

Low $180 / Expected $308K / High $1.23M

GDPR, SOC2 at 3% subjective enforcement

4. Operational overhead

IT time audit

Low $90K / Expected $144K / High $234K

12 FTE x $150,000 x 8% shadow time share

Methodological honesty

The combined range is the sum of the four category ranges, not an independently derived number. The range spans roughly an order of magnitude by design: it communicates the underlying uncertainty rather than hiding it in a false-precision point estimate.

All inputs are adjustable assumptions that you supply, not measurements. The defensibility of the output depends on the defensibility of the inputs. Use this tool as a bounded first pass, then refine each input using the measurement method described on the corresponding category page.

Three worked scenarios

Reference outputs for three illustrative organizations. The point is to show how the variance behaves across organization size, industry, and maturity. Apply the same method to your own inputs.

Small healthcare

200 employees, healthcare, no SaaS management, GDPR + HIPAA

  • Spend: $110K - $470K
  • Breach: $50K - $290K
  • Compliance: $10K - $1.0M
  • Operational: $60K - $230K
  • Combined: $230K - $2.0M

Combined range driven by HIPAA cap and limited spend visibility. SSO rollout is the highest-leverage next step.

Mid financial services

1,000 employees, financial, partial maturity, GDPR + SOC 2

  • Spend: $540K - $2.2M
  • Breach: $120K - $1.1M
  • Compliance: $25K - $0.5M
  • Operational: $180K - $520K
  • Combined: $865K - $4.3M

Observable spend dominates the central estimate. Expense audit + SSO gap will refine quickly.

Large enterprise SaaS

5,000 employees, tech, mature SaaS management, GDPR + EU AI Act + SOC 2

  • Spend: $1.3M - $5.0M
  • Breach: $500K - $2.5M
  • Compliance: $120K - $7.0M
  • Operational: $420K - $1.4M
  • Combined: $2.3M - $15.9M

EU AI Act high-end cap dominates the upper bound. Governance posture on AI tools drives variance.

From estimate to measurement

The estimator's output is a starting point. Refining the inputs by running actual discovery is the path to a defensible measurement. The five discovery methods, in priority order:

Frequently asked questions

Why does the estimator return a range rather than a single number?
Because shadow IT cost is the sum of four categories with very different certainty levels. Observable spend has a financial trail and is reasonably tight. Probabilistic breach exposure depends on assumptions about breach probability and shadow attribution that have wide reasonable ranges. Compliance fine exposure depends on statutory caps multiplied by your subjective enforcement probability. Operational overhead is internal to your organization. A single number would hide that variation; a range communicates it.
What does 'expected' mean statistically here?
It is the geometric mean of the low and high for the spend category, the breach-probability-times-cost-times-attribution product for the breach category, and the framework-cap-times-enforcement-probability product for the compliance category. The combined expected is the sum of category expecteds. It is a central estimate, not a guarantee or a forecast. Treat it as the most defensible single number to lead with on a board deck while keeping the low and high visible.
How do I source the inputs the tool asks for?
Employees and industry are obvious. SaaS management maturity is your honest read on whether SSO is enforced and whether procurement has gates. Breach probability comes from your cyber insurance carrier, threat model, or industry baseline (5 to 25 percent is typical). Shadow IT attribution is an explicit assumption (10 to 30 percent typical). Enforcement probability is your subjective annual probability of a material enforcement action under your in-scope frameworks (1 to 10 percent typical, higher in regulated sectors). IT team size, FTE cost, and shadow time share are internal HR data.
What is the CSV export for?
It produces a five-row CSV (one row per category plus combined) with the inputs and the resulting low, expected, and high values. The intent is that you paste it into a board deck appendix, a SOC 2 risk register entry, or an internal exposure assessment document. Every cell traces back to inputs you supplied, so the auditor or board member can follow the calculation and challenge any assumption.
Can the estimator return a guarantee or a forecasted reduction?
No. It returns a bounded estimate of current exposure based on the inputs you provide. The forecasted reduction from a governance program is a separate calculation handled on the /governance-roi page. There are no guarantees on either side; the value of the tool is in disclosing the assumptions, not in producing a confident-sounding number.
How often should I re-run the estimator?
Quarterly for the observable spend category (the app portfolio shifts continuously). Annually for breach exposure (when IBM publishes the Cost of a Data Breach refresh, your insurance carrier renews, or your threat model is reviewed). When in-scope compliance frameworks change (for example, expanding into a GDPR jurisdiction, picking up a HIPAA-covered customer, scoping the EU AI Act). Whenever your IT team structure changes for the operational overhead category.
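The four-category calculation described under "How the tool works", the definition of "expected" in the FAQ above, and the five-row CSV export, worked through as an added example. This is not the ShadowITCost site's own code. It follows the formulas the page states: observable spend is employees x apps per employee x monthly price x 12 with the geometric mean as the expected value; breach is benchmark cost x breach probability x shadow attribution; compliance is statutory caps x enforcement probability; operational overhead is IT FTEs x FTE cost x shadow time share; the combined range is the sum of the category ranges. Everything else is an assumption of this example: the page does not say how the breach, compliance and operational low/high bounds are derived, so here they come from explicitly supplied input ranges; the $6.08M breach cost is the IBM 2024 financial services figure the page refers to but does not print; the compliance caps are constructed placeholders. The spend and expected-value figures for the page's default run ($270K / $661K / $1.62M, $91K breach, $144K operational) are reproduced; the other bounds are not.

```python
"""Four-category shadow IT exposure estimator with CSV export (added example)."""
import csv
import io
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    category: str
    low: float
    expected: float
    high: float


def observable_spend(employees, apps_low, apps_high, price_low, price_high):
    """employees x apps per employee x $/app/month x 12 months."""
    low = employees * apps_low * price_low * 12
    high = employees * apps_high * price_high * 12
    # The page defines 'expected' for this category as the geometric mean of low and high.
    return Estimate("Observable spend", low, math.sqrt(low * high), high)


def probabilistic_breach(breach_cost, prob_low, prob, prob_high, attr_low, attr, attr_high):
    """ALE-style product: benchmark breach cost x annual breach probability x shadow attribution.
    The bounds apply the supplied low/high probability and attribution (an assumption here)."""
    return Estimate("Probabilistic breach",
                    breach_cost * prob_low * attr_low,
                    breach_cost * prob * attr,
                    breach_cost * prob_high * attr_high)


def compliance_fine(caps, enf_low, enf, enf_high):
    """Sum of framework statutory caps x subjective enforcement probability.
    A framework with no statutory fine (SOC 2 here) contributes a cap of 0."""
    total_cap = sum(caps.values())
    return Estimate("Compliance fine", total_cap * enf_low, total_cap * enf, total_cap * enf_high)


def operational_overhead(it_fte, fte_cost, share_low, share, share_high):
    """IT FTEs x fully loaded FTE cost x share of IT time spent on shadow IT."""
    base = it_fte * fte_cost
    return Estimate("Operational overhead", base * share_low, base * share, base * share_high)


def combine(estimates):
    """Combined range = sum of the category ranges (not independently derived)."""
    return Estimate("Combined",
                    sum(e.low for e in estimates),
                    sum(e.expected for e in estimates),
                    sum(e.high for e in estimates))


def to_csv(estimates, inputs):
    """Five rows (four categories + combined), each carrying the inputs used so
    every cell traces back to an assumption the reader supplied."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["category", "low", "expected", "high", "inputs"])
    writer.writeheader()
    inputs_text = "; ".join(f"{k}={v}" for k, v in inputs.items())
    for e in estimates + [combine(estimates)]:
        writer.writerow({"category": e.category, "low": round(e.low),
                         "expected": round(e.expected), "high": round(e.high),
                         "inputs": inputs_text})
    return buf.getvalue()


# Constructed from the page's default run. Values marked 'assumed' are not printed on the page.
PAGE_INPUTS = {
    "employees": 1000, "apps_low": 1.5, "apps_high": 3.0, "price_low": 15.0, "price_high": 45.0,
    "breach_cost": 6_080_000,          # assumed: IBM 2024 financial services average
    "prob_low": 0.05, "prob": 0.10, "prob_high": 0.25,   # bounds assumed from the page's typical range
    "attr_low": 0.10, "attr": 0.15, "attr_high": 0.30,   # bounds assumed from the page's typical range
    "caps": {"GDPR": 20_000_000, "SOC2": 0},             # placeholder caps in USD, constructed
    "enf_low": 0.01, "enf": 0.03, "enf_high": 0.10,      # bounds assumed from the page's typical range
    "it_fte": 12, "fte_cost": 150_000,
    "share_low": 0.05, "share": 0.08, "share_high": 0.13,  # bounds assumed, not from the page
}


def estimate(i):
    """Run all four categories from one inputs dict."""
    return [
        observable_spend(i["employees"], i["apps_low"], i["apps_high"], i["price_low"], i["price_high"]),
        probabilistic_breach(i["breach_cost"], i["prob_low"], i["prob"], i["prob_high"],
                             i["attr_low"], i["attr"], i["attr_high"]),
        compliance_fine(i["caps"], i["enf_low"], i["enf"], i["enf_high"]),
        operational_overhead(i["it_fte"], i["fte_cost"], i["share_low"], i["share"], i["share_high"]),
    ]


if __name__ == "__main__":
    print(to_csv(estimate(PAGE_INPUTS), PAGE_INPUTS))
```

Every bound is a function of an input the caller named, which is the property the page asks for: an auditor can change one assumption in `PAGE_INPUTS` and watch exactly which cells move.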