06.03.2026

7 min Reading Time

On average, a mid-sized company uses 275 SaaS applications. Large enterprises deploy over 2,000. The problem? One-third of those apps are unknown to the IT department – and 70 percent of software spending is now controlled by business units. SaaS sprawl isn’t an IT hygiene issue – it’s a governance failure that belongs squarely on the strategic agenda.

TL;DR

  • 275 SaaS apps on average: One-third operate as shadow IT – deployed without IT approval (Zylo SaaS Management Index 2025).
  • 70% business spend: Business units control the majority of SaaS expenditures; IT retains oversight of just 26 percent.
  • 27% cloud waste: More than a quarter of cloud spending vanishes into unused licenses and redundant tools (Flexera State of the Cloud 2025).
  • AI intensifies the problem: In 25 percent of companies, employees use private AI tools for work (Bitkom, 2025).
  • NIS2 makes governance mandatory: Executive leadership faces personal liability – not only for direct cybersecurity failures but also for uncontrolled software supply chains.

The Invisible Explosion: 275 Apps – and IT Doesn’t Know One-Third of Them

The Zylo SaaS Management Index 2025 paints a sobering picture: The average enterprise runs 275 SaaS applications. According to the Torii SaaS Benchmark Report 2026, large enterprises average 2,191. And every month, an average of eight new apps join the stack – often without IT’s knowledge or approval.

What is SaaS sprawl? SaaS sprawl describes the uncontrolled proliferation of cloud-based software across an organization. Business units procure tools independently – without central tracking, security vetting, compliance review, or redundancy analysis. The result: overlapping functionality, dormant licenses, and critical blind spots in IT governance.

Per Zylo, more than one-third of all corporate applications constitute shadow IT. Sixty-seven percent of IT leaders cite uncontrolled procurement by business units as their top SaaS challenge. This isn’t a matter of IT discipline – it’s a structural governance deficit rooted at the C-suite.

The pattern repeats itself: A business unit needs a new tool. Formal procurement takes weeks; a corporate credit card works instantly. Within a quarter, 30 employees use the app, upload customer data, and integrate it into core workflows. IT learns about it – if at all – during the next budget audit.

70 Percent of Spending Bypasses IT Entirely

The power shift in software procurement is complete. Business units now own 70 percent of SaaS spending. IT controls only 26 percent. The remainder falls under Shared Services and Procurement. That shift isn’t inherently problematic – business units understand their needs best. It becomes problematic without centralized visibility.

Key figures at a glance:
  • Average: 275 SaaS apps per company
  • Business spend: 70 % of SaaS spending outside IT
  • Cloud waste: 27 % of spending wasted on unused capacity

Sources: Zylo SaaS Management Index 2025, Flexera State of the Cloud 2025

The consequence? Between 51 and 53 percent of all SaaS licenses go unused within 30 days of purchase (Zylo, 2025). Meanwhile, spending on AI-native SaaS applications has surged 108 percent year-on-year. Companies are spending more on software they can’t see, don’t fully use, and can’t centrally manage.

For the CFO, that means one-quarter of cloud spend delivers no measurable return. For the CIO, it means the attack surface expands with every unauthorized app. For the executive leadership team, it means both issues fall squarely under their accountability.

AI Accelerates the Wild Growth

The rise of generative AI tools has pushed the shadow-IT problem into a new dimension. A Bitkom study from October 2025 (n = 604 companies with ≥20 employees) reveals: In 8 percent of companies, private AI tools are widely used at work – double the share from 2024. Another 17 percent report isolated cases. And 17 percent simply don’t know – but suspect it’s happening.

Meanwhile, only 26 percent of companies officially provide access to generative AI tools. The gap between demand and official supply is filled by shadow IT. ChatGPT, Google Gemini, Claude – the tools are one browser tab away. Employees upload customer data, draft contracts, and internal strategy documents into external AI services – without IT’s awareness. Each action represents a potential data leak.

Uri Haramati, co-founder of SaaS management provider Torii, sums up the dynamic: “AI didn’t invent shadow IT – but it massively accelerated its speed and scale” (CIO Dive, March 2026). What once involved isolated marketing or project management tools now involves AI assistants processing corporate data – without IT knowing which data flows where.

NIS2 and DORA Make SaaS Governance Mandatory

The regulatory landscape shifted fundamentally in 2025 and 2026. With the implementation of the EU AI Act and the enforcement of DORA and NIS2, executive leadership bears personal liability for their organization’s cybersecurity governance – including explicitly the software supply chain.

Specifically: NIS2 obliges governing bodies to approve and oversee cybersecurity risk management measures. Gross negligence triggers personal fines and even temporary professional bans. A board member who doesn’t know which 275 SaaS applications run in their company – and which have access to sensitive data – has a problem no CIO can solve for them.

DORA further tightens requirements for financial institutions: Every ICT third-party provider must be registered, assessed, and continuously monitored. A SaaS tool used by the compliance department for contract management falls under this mandate just as much as the core ERP platform. Without a complete SaaS inventory, DORA compliance is impossible.

“Companies should avoid AI wild growth and proactively prevent shadow AI. To do so, they must establish clear rules for AI usage and provide employees with approved AI technologies.”
Dr. Ralf Wintergerst, President of Bitkom (Bitkom Press Release, October 2025)

What Wintergerst demands for AI applies equally to SaaS overall: If you don’t equip your employees with approved, secure tools, don’t be surprised when they build their own. Responsibility lies not with the IT department – it rests with the C-suite, which owns the governance architecture.

What the Board Must Decide – Now

SaaS governance is not an IT initiative the CIO can execute alone. It requires decisions at the board level:

1. Establish transparency: Without full visibility, there is no governance. The board must commission a comprehensive SaaS inventory – one that captures all applications, including those no one ordered. Tools like Zylo, Torii, or Productiv automate discovery. The “Capacity Tax” – the share of IT capacity consumed by administration rather than innovation – typically sits between 25 and 40 percent. That metric persuades the CFO.

2. Define procurement rules: The board must decide who may buy software – and under what conditions. This doesn’t mean centralizing every approval. It means setting clear thresholds: At what spend level does central review kick in? Which data categories require mandatory security assessment? Which compliance standards are non-negotiable?

3. Provide official AI access: That 26-percent gap in official AI provisioning is an open invitation to shadow IT. Offering employees pre-vetted, privacy-compliant AI tools reduces the incentive to seek alternatives. This isn’t a technology decision – it’s a risk management decision.

4. Clarify accountability: Who at the C-level holds ultimate responsibility for SaaS governance? Experience shows: Without a clearly designated owner, every initiative stalls. A cross-functional SaaS Board – with representatives from IT, Finance, and major business units – creates the necessary accountability.

A counterargument is valid: Overly rigid governance stifles innovation. Business units that wait months for IT approvals will find workarounds. The solution isn’t control – it’s steering: a governance framework that enables rapid procurement while guaranteeing visibility and compliance.

Conclusion

SaaS sprawl is the silent erosion of IT governance. 275 apps. 70 percent business spend. 27 percent waste. And a board held personally liable for everything it doesn’t know. NIS2 changed the rules: Ignorance is no longer a shield against liability. The first step isn’t a technology project – it’s a board resolution: Which software runs in this company? Who ordered it? And who owns it? Anyone unable to answer those questions faces a strategic problem.

Frequently Asked Questions

What does SaaS sprawl cost an average company?

According to Flexera State of the Cloud 2025, companies waste an average of 27 percent of their cloud spend. On a €5 million SaaS budget, that’s €1.35 million annually lost to unused licenses, redundant tools, and unmanaged subscriptions. Indirect costs – including security incidents and compliance violations – add significantly to that figure.

How does SaaS sprawl differ from traditional shadow IT?

Traditional shadow IT mainly involved local software installations and private hardware. SaaS sprawl is harder to detect because cloud applications require no local installation. A marketing team can book a project management tool via corporate credit card – without IT ever learning about it. Scaling is instantaneous, costs grow automatically, and data resides in a cloud infrastructure no one has audited.

What role does NIS2 play in SaaS governance?

NIS2 obliges governing bodies to approve and oversee cybersecurity risk management – including the software supply chain. Uncontrolled SaaS applications with access to corporate data represent a compliance risk. In cases of gross negligence, executives face personal liability, fines of up to €10 million or 2 percent of global annual turnover, and temporary professional bans.

How quickly can a SaaS inventory be built?

SaaS management platforms like Zylo, Torii, or Productiv can generate an initial inventory within two to four weeks. They analyze Single Sign-On logs, financial transactions, and network traffic to automatically identify active applications. Building a full SaaS governance framework typically takes three to six months.
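As an added illustration of the discovery approach this answer describes (example code written for this page, not code from the article or from any of the platforms it names), the following Python correlates constructed SSO sign-in events and corporate-card transactions against an assumed approved-app inventory, flags apps outside that inventory, flags paid apps with no sign-in within 30 days, and computes the share of spend booked outside IT. All app names, merchants, cost centers, dates and amounts are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed approved inventory: app -> owning department (constructed)
APPROVED = {"salesforce": "Sales", "jira": "IT"}
# Assumed merchant-to-app mapping a finance feed would need (constructed)
MERCHANT_APP = {"Notion Labs": "notion", "Salesforce": "salesforce",
                "Miro": "miro", "Atlassian": "jira"}
REPORT_DATE = date(2026, 2, 10)  # day the inventory is compiled (constructed)
# Constructed SSO audit events: (date, user, app)
SSO_EVENTS = [
    (date(2026, 2, 1), "a.mueller", "salesforce"),
    (date(2026, 2, 3), "b.schmidt", "notion"),
    (date(2026, 2, 5), "c.weber", "notion"),
    (date(2026, 1, 2), "d.fischer", "jira"),
]
# Constructed corporate-card transactions: (date, merchant, cost center, EUR)
CARD_TXNS = [
    (date(2026, 2, 2), "Notion Labs", "Marketing", 480.0),
    (date(2026, 2, 4), "Salesforce", "Sales", 12000.0),
    (date(2026, 2, 6), "Miro", "Product", 300.0),
    (date(2026, 2, 7), "Atlassian", "IT", 2500.0),
]

def discover(sso_events, card_txns):
    """Merge both feeds into one record per app: users, last sign-in, spend."""
    apps = defaultdict(lambda: {"users": set(), "last_seen": None,
                                "spend": 0.0, "cost_centers": set()})
    for day, user, app in sso_events:
        rec = apps[app]
        rec["users"].add(user)
        if rec["last_seen"] is None or day > rec["last_seen"]:
            rec["last_seen"] = day
    for day, merchant, cost_center, amount in card_txns:
        rec = apps[MERCHANT_APP.get(merchant, merchant.lower())]
        rec["spend"] += amount
        rec["cost_centers"].add(cost_center)
    return dict(apps)

def governance_report(apps, approved, today, dormant_days=30):
    """Flag shadow apps, paid-but-dormant apps, and the share of spend outside IT."""
    cutoff = today - timedelta(days=dormant_days)
    shadow = sorted(a for a in apps if a not in approved)
    dormant = sorted(a for a, r in apps.items() if r["spend"] > 0 and
                     (r["last_seen"] is None or r["last_seen"] < cutoff))
    total = sum(r["spend"] for r in apps.values())
    outside_it = sum(r["spend"] for r in apps.values()
                     if "IT" not in r["cost_centers"])
    return {"shadow": shadow, "dormant": dormant,
            "outside_it_share": outside_it / total if total else 0.0}
```

Calling `governance_report(discover(SSO_EVENTS, CARD_TXNS), APPROVED, REPORT_DATE)` on the sample data flags notion and miro as shadow apps, jira and miro as paid but dormant, and about 84 percent of the sampled spend as booked outside IT.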

Should the CIO or the CFO own SaaS governance?

Both. The CIO owns technical governance: security assessments, data protection compliance, and system integration. The CFO owns financial governance: spend transparency, license optimization, and budget control. In practice, a joint SaaS Board – comprising IT, Finance, and key business unit representatives – works best. But the strategic decision on the governance framework itself belongs on the executive agenda.

Header Image Source: Pexels / Kampus Production (px:8171188)

A magazine by Evernine Media GmbH