REV. MAY 2026
Shadow IT Statistics: A Source-Cited Reference
Every figure on this page has a number, a source name, a year, a URL, and a methodology note. Figures we cannot trace to a primary source are listed in their own section with honest annotation rather than quoted as fact.
How this page is built
Each statistic has a number, a source name, a year, a source URL, what was actually measured, and a trust flag: primary (peer-reviewed or official measurement), analyst (analyst estimate with methodology disclosed), vendor (vendor-published, based on telemetry from the vendor's customer base), official (statutory or regulatory text), or weak (widely repeated but untraceable). Each entry carries its full methodology note and source URL.
Spending and adoption
30 to 40%
Gartner
Gartner CIO Agenda research, analyst estimate of business-led IT spending (2019/2022)
measures: Estimated share of enterprise technology spending occurring outside the formal IT organization in large enterprises.
methodology: Analyst estimate derived from Gartner's CIO survey panel and analyst forecasting models. Not a primary measurement of any single organization. Range commonly cited as 30 to 40 percent of large-enterprise technology spending.
trust: Analyst estimate, methodology partially disclosed
https://www.gartner.com/en/information-technology/insights/cio-agenda
Share of enterprise tech spend that occurs outside the IT organization
Analyst estimate. Applies to large enterprises; do not extrapolate to mid-market without adjustment.
269 apps
Productiv
Productiv State of SaaS Apps Report (2024)
measures: Average and median number of SaaS applications per surveyed customer organization, departmental SaaS adoption patterns, and licence usage rates.
methodology: Vendor-published. Aggregated telemetry from Productiv platform customer base; not a representative sample of all enterprises. Sample size and methodology self-disclosed in the report.
trust: Vendor-published, methodology self-disclosed
https://productiv.com/state-of-saas/
Average SaaS apps per Productiv customer organization
Vendor-published. Productiv customer telemetry is not a random sample of enterprises.
Zylo
Zylo Annual SaaS Management Index (2024)
measures: SaaS spending and application portfolio benchmarks across Zylo customer base, including spend by employee band and by category.
methodology: Vendor-published. Aggregated Zylo platform telemetry from a self-selecting customer set. Sample size and methodology self-disclosed.
trust: Vendor-published, methodology self-disclosed
https://zylo.com/saas-management-index/
Zylo SaaS spend benchmarks by employee band and category
Vendor-published. Customer telemetry, self-selected sample.
BetterCloud
BetterCloud State of SaaSOps (2024)
measures: SaaS adoption growth, IT versus non-IT app procurement, and SaaSOps practices.
methodology: Vendor-published. Practitioner survey conducted by BetterCloud. Sample size and respondent profile self-disclosed.
trust: Vendor-published, methodology self-disclosed
https://www.bettercloud.com/state-of-saasops/
BetterCloud SaaSOps practitioner survey findings
Vendor-published practitioner survey; respondent profile self-disclosed.
Security and breach
$4.88M
IBM CODB
IBM Cost of a Data Breach Report 2024 (research conducted by Ponemon Institute) (2024)
measures: Average total cost of a data breach across surveyed organizations globally, by industry, region, and breach attribute.
methodology: Annual study by Ponemon Institute, sponsored by IBM. Activity-based costing across roughly 600 organizations that experienced a breach in the prior year. Methodology disclosed in the report appendix.
trust: Primary research, peer-reviewed or official
https://www.ibm.com/reports/data-breach
Global average total cost of a data breach (IBM 2024)
Primary-source Ponemon/IBM activity-based costing across ~600 breached organizations. Industry splits in the report.
Annual
Verizon DBIR
Verizon Data Breach Investigations Report 2024 (2024)
measures: Confirmed data breaches and security incidents analysed across thousands of organizations, with breach pattern, action, and asset breakdowns.
methodology: Aggregated incident data from Verizon and 80-plus contributing organizations including law enforcement and CSIRTs. Methodology disclosed in the report. Counts incidents and breaches; not a cost study.
trust: Primary research, peer-reviewed or official
https://www.verizon.com/business/resources/reports/dbir/
Verizon DBIR incident pattern data (thousands of confirmed breaches)
Primary-source aggregated incident data from Verizon plus 80+ contributing organizations. Counts, not costs.
Compliance: statutory penalty caps
EUR 20M or 4%
GDPR Art 83
EU General Data Protection Regulation, Article 83 (Penalties) (2018)
measures: Maximum administrative fines under GDPR: up to 10 million euros or 2 percent of worldwide annual turnover (lower band), up to 20 million euros or 4 percent of worldwide annual turnover (upper band), whichever is higher.
methodology: Statutory text. Penalty levels are statutory caps, not typical fine values. Actual fines vary by case and jurisdiction.
trust: Official regulatory or statutory source
https://gdpr-info.eu/art-83-gdpr/
GDPR Article 83 upper-tier administrative fine cap
Statutory cap: EUR 20M or 4% of worldwide annual turnover, whichever is higher. Actual fines vary by case.
~$2.13M
HIPAA CMP
HHS HIPAA Civil Money Penalty tiers (45 CFR 160.404, as adjusted annually) (2024)
measures: Civil money penalty tiers for HIPAA violations, ranging from approximately 137 dollars per violation (no-knowledge tier, minimum) to an annual cap of over 2 million dollars (wilful neglect, not corrected).
methodology: Statutory penalty tiers adjusted annually for inflation by HHS. Penalty per violation cap and annual cap are statutory; actual fines depend on Office for Civil Rights enforcement decisions.
trust: Official regulatory or statutory source
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html
HIPAA annual cap at wilful-neglect tier (2024 inflation-adjusted)
Statutory cap per violation category per year. Adjusted annually; check current figures with HHS.
~$5K to $100K/mo
PCI SSC
PCI Security Standards Council, PCI DSS v4.0 (2022/2024)
measures: Payment card industry data security standard. Penalty exposure flows from card brand contracts, not from the standard itself.
methodology: Industry standard published by the PCI Security Standards Council. Card brand fines (Visa, Mastercard, etc.) typically reported in trade press as ranging from approximately 5,000 to 100,000 dollars per month for non-compliance, with higher post-breach assessments. Specific values are contractual and not published officially.
trust: Official regulatory or statutory source
https://www.pcisecuritystandards.org/
PCI non-compliance monthly assessments (trade press reported)
Contractual between card brands and acquirers; cascades to merchants. Exact values not published officially.
EUR 35M or 7%
EU AI Act
EU Artificial Intelligence Act (Regulation (EU) 2024/1689), penalty articles (2024)
measures: Statutory penalty caps for AI Act violations: up to 35 million euros or 7 percent of worldwide annual turnover for prohibited AI practices, lower bands for other violations.
methodology: Statutory text published in the Official Journal of the EU. Caps are statutory maxima, not typical fines.
trust: Official regulatory or statutory source
https://eur-lex.europa.eu/eli/reg/2024/1689/oj
EU AI Act prohibited-practice penalty cap
Statutory cap: EUR 35M or 7% of worldwide annual turnover, whichever is higher. Phased enforcement.
No statutory fine
AICPA TSC
AICPA Trust Services Criteria (SOC 2) (2017/2022)
measures: Trust Services Criteria covering security, availability, processing integrity, confidentiality, and privacy. SOC 2 is an attestation, not a regulatory regime, so there are no statutory fines.
methodology: Attestation framework. Cost exposure flows from auditor findings, customer contract impact, and remediation cost rather than statutory fines.
trust: Official regulatory or statutory source
https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2
SOC 2 and ISO 27001 penalty exposure
Exposure is contractual and reputational, not statutory.
Figures you will see quoted that we cannot verify
Honesty section
Each of the following figures circulates across vendor content and general shadow IT coverage, but we have not been able to trace it to a primary public source. We list them here as indicative, not authoritative. If you use them, label them accordingly.
~33%
vendor blogs
Various vendor blogs: roughly one third of SaaS spend is unmanaged (various)
measures: Often-quoted claim that approximately one third of SaaS spending in surveyed organizations is unmanaged or outside formal IT procurement.
methodology: We have not been able to trace this figure to a single primary public source. It appears across vendor blog content with partial or chained attribution. Treat as indicative, not authoritative.
trust: Widely repeated, primary source unverified
SaaS spend that is unmanaged / outside formal IT procurement (vendor blogs)
Widely repeated across vendor content without primary source. Treat as indicative, not authoritative.
~90%
vendor blogs
Various vendor blogs: roughly 90 percent of AI tools used outside IT awareness (various)
measures: Claim circulating in vendor content that approximately 90 percent of AI tool use occurs without IT visibility.
methodology: We have not been able to trace this figure to a peer-reviewed or analyst-published primary source as of April 2026. The figure appears in vendor marketing without disclosed methodology. Treat as indicative only.
trust: Widely repeated, primary source unverified
AI tools used outside IT awareness (vendor blogs)
Appears in vendor marketing without a peer-reviewed or analyst-published primary source. Do not cite as fact.
60 to 70%
vendor cases
Various vendor case studies: governance reduces shadow SaaS spend by 60 to 70 percent (various)
measures: Range of reduction claims published in SaaS management vendor case studies.
methodology: Self-selected customer success stories. Sample is not representative; baselines vary widely. We treat this as a marketing range, not a forecasted reduction. For an internal business case, applying a conservative 20 to 40 percent expected reduction range with sensitivity analysis is more defensible.
trust: Widely repeated, primary source unverified
Reduction in shadow SaaS spend after governance deployment (vendor case studies)
Vendor case studies; self-selected successes. For business case planning, use 20 to 40% as conservative.
The shadow AI caveat
Shadow AI is an emerging category. Primary public data on AI tool adoption outside IT awareness is thin as of this freshness date. Numbers that circulate (for example that 90-percent figure) are typically vendor marketing without disclosed methodology. McKinsey and similar analyst firms publish AI usage surveys; those are more defensible but measure general AI adoption rather than shadow-specific use.
Our recommendation: treat shadow AI as a subset of shadow IT with the same measurement framework and the same discovery methods. Do not cite shadow-AI-specific statistics unless you can trace them to a primary source and confirm the methodology. Your own OAuth consent grant report is more useful evidence than a circulated percentage.