Shadow IT in 2026: Why I Stopped Fighting It
I had a moment last quarter that crystallised something for me. Our marketing team had been quietly running an entire campaign workflow through three SaaS tools I’d never heard of, plus a Claude Projects workspace they’d set up on personal accounts. When I found out, my first instinct was the usual one: shut it down, file an incident, send a polite-but-firm email about procurement policy.
Instead, I asked them to walk me through it. Took about 40 minutes. By the end I realised they’d built something better than what our sanctioned stack would have allowed, and faster too. So we paid for proper licences, put SSO on it, added it to the asset register, and moved on.
That’s roughly where I’ve landed on shadow IT in 2026. The fight isn’t worth it the way we used to wage it. But that doesn’t mean surrender either.
What changed
A few things converged. First, the SaaS landscape exploded again in 2024-25 once GenAI features became table stakes. Every team has tools they need that didn’t exist 18 months ago. Second, procurement cycles in most mid-sized Australian businesses still take 6-12 weeks for anything new, which is comically slow compared to how quickly teams can sign up to a free trial and start producing real work.
Third, and this is the uncomfortable one - a lot of the shadow IT I’ve seen in the last year has been better chosen than what central IT would have picked. Teams closer to the work make sharper tooling decisions. We need to stop pretending otherwise.
The ACS ran a piece earlier this year suggesting that on average, Australian enterprises now have 3-4x more SaaS in use than IT thinks. That tracks with what I see when I run discovery audits. The visible part of the iceberg is small.
The new model: discover, don’t police
What I do now, and what I’m seeing other Melbourne CTOs do, is run quarterly discovery exercises rather than try to gate everything upfront. We use a combination of:
- Browser telemetry (already there if you have a managed device fleet)
- Expense card analysis - finance pulls every card transaction whose merchant category code (MCC) looks like SaaS
- Casual conversations with team leads (“what are you using that I don’t know about?”)
- SSO logs to see what’s been bolted on quietly
The output is a tiered list. Tier 1 is “this is now critical, let’s bring it under management”. Tier 2 is “fine, but watch it”. Tier 3 is “this overlaps with something we already pay for, let’s consolidate”. Tier 4 is “this is a genuine risk and needs to stop today”.
Most things land in Tier 1 or 2. Maybe 10% are Tier 4. That’s a much better ratio than the rhetoric suggests.
What still needs hard lines
I’m not romantic about this. Some shadow IT genuinely puts the company at risk and has to be dealt with firmly. The non-negotiables for me:
- Anything touching customer PII without a DPA in place
- AI tools where prompts and outputs aren’t guaranteed to be excluded from training
- Code repositories outside our managed Git infrastructure
- Anything with payments or financial data
- Tools that don’t support SSO once we exceed 5 users
For those, the response is immediate. But the response is paired with “here’s what you can use instead, available today”. If I can’t offer the alternative on the spot, I’ve already lost.
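What the discovery pass and the tiering above look like as code, as an added example that is not the post's own tooling: two of the feeds (SSO sign-in logs and a finance card-spend export) are merged into one inventory, the asset register is subtracted, and each leftover app is placed in Tier 1-4, with the hard-line list applied first. Every log line, merchant, app name and walkthrough answer is constructed; the MCCs treated as SaaS-like, the user count that makes an app "critical", and the `walkthrough` answer format are assumptions rather than anything the post specifies.

```python
"""Shadow IT discovery triage (added example; not the post's own tooling).
Merges SSO sign-in logs and a finance card-spend export into one inventory,
then applies the post's Tier 1-4 rules and hard-line list. Every input is
constructed and every app name is fictional."""
import csv
import json
from collections import defaultdict

# Constructed SSO log (JSON lines): only apps someone already federated appear.
SSO_LOG = """\
{"app": "NoteHub", "user": "alice@example.com.au"}
{"app": "NoteHub", "user": "bob@example.com.au"}
{"app": "DesignBoard", "user": "alice@example.com.au"}
{"app": "DesignBoard", "user": "carol@example.com.au"}
{"app": "DesignBoard", "user": "dave@example.com.au"}
{"app": "Microsoft 365", "user": "alice@example.com.au"}
"""
# Constructed finance export. Assumption: MCC 5734 (software stores) and
# 7372 (programming/data processing) are the codes that "look like SaaS".
SAAS_MCCS = {"5734", "7372"}
EXPENSES = """\
merchant,mcc,amount_aud,cardholder
NOTEHUB INC,5734,16.00,alice@example.com.au
SCRIBELY LTD,7372,25.00,frank@example.com.au
TRANSCRIBO PTY,7372,30.00,grace@example.com.au
REPOPERSONAL,5734,4.00,heidi@example.com.au
PAYFLOW,7372,90.00,ivan@example.com.au
SKETCHLY,5734,12.00,judy@example.com.au
OFFICEWORKS,5943,52.00,bob@example.com.au
"""
MERCHANT_TO_APP = {"NOTEHUB INC": "NoteHub", "SCRIBELY LTD": "Scribely",
                   "TRANSCRIBO PTY": "Transcribo", "REPOPERSONAL": "RepoPersonal",
                   "PAYFLOW": "PayFlow", "SKETCHLY": "Sketchly"}
# Asset register: sanctioned app -> the capability it already covers.
REGISTER = {"Microsoft 365": "productivity", "MeetNotes": "transcription"}
CRITICAL_USERS = 3      # assumption: this many distinct users = "now critical"
SSO_REQUIRED_ABOVE = 5  # from the post: SSO is mandatory once users exceed 5

def walkthrough(category, **answers):
    """What the team told us in the walkthrough; None means not yet established."""
    base = dict(category=category, pii=False, dpa=False, ai=False,
                training_excluded=None, sso=True, code_repo=False, payments=False)
    return {**base, **answers}

# Apps missing from this dict have not had a walkthrough yet.
APP_FACTS = {
    "NoteHub": walkthrough("docs"),
    "DesignBoard": walkthrough("design", ai=True, training_excluded=True),
    "Transcribo": walkthrough("transcription", pii=True, dpa=True, ai=True, training_excluded=True),
    "Scribely": walkthrough("transcription", pii=True, ai=True, training_excluded=False, sso=False),
    "RepoPersonal": walkthrough("scm", code_repo=True, sso=False),
    "PayFlow": walkthrough("billing", pii=True, dpa=True, payments=True),
}

HARD_LINES = [  # (predicate over facts and user count, reason): the post's non-negotiables
    (lambda f, n: f["pii"] and not f["dpa"], "customer PII without a DPA"),
    (lambda f, n: f["ai"] and f["training_excluded"] is not True, "AI tool without a training-exclusion guarantee"),
    (lambda f, n: f["code_repo"], "code repository outside managed Git"),
    (lambda f, n: f["payments"], "payments or financial data"),
    (lambda f, n: not f["sso"] and n > SSO_REQUIRED_ABOVE, f"no SSO with more than {SSO_REQUIRED_ABOVE} users"),
]

def parse_sso_log(text):
    """{app: set of users} from a JSON-lines SSO log."""
    users = defaultdict(set)
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        users[rec["app"]].add(rec["user"])
    return users

def parse_expenses(text, saas_mccs=SAAS_MCCS):
    """{app: set of cardholders} for merchants whose MCC looks like SaaS."""
    users = defaultdict(set)
    for row in csv.DictReader(text.splitlines()):
        if row["mcc"] in saas_mccs:
            users[MERCHANT_TO_APP.get(row["merchant"], row["merchant"])].add(row["cardholder"])
    return users

def tier_app(user_count, f, register=REGISTER):
    """(tier, reasons) per the post's tiers; tier is None until a walkthrough happens."""
    if f is None:
        return None, ["seen only in spend data; no walkthrough yet"]
    breaches = [why for rule, why in HARD_LINES if rule(f, user_count)]
    if breaches:
        return 4, breaches                       # stop today, offer the alternative
    if f["category"] in register.values():
        return 3, [f"overlaps the sanctioned {f['category']} tool; consolidate"]
    if user_count >= CRITICAL_USERS:
        return 1, [f"{user_count} users; bring under management"]
    return 2, [f"{user_count} users; fine, but watch it"]

def triage(sso_text=SSO_LOG, expense_text=EXPENSES, register=REGISTER, facts=APP_FACTS):
    """Quarterly pass: union the feeds, drop what is on the register, tier the rest."""
    inventory = defaultdict(set)
    for feed in (parse_sso_log(sso_text), parse_expenses(expense_text)):
        for app, people in feed.items():
            inventory[app] |= people
    return {app: tier_app(len(inventory[app]), facts.get(app), register)
            for app in sorted(inventory) if app not in register}

if __name__ == "__main__":
    print(json.dumps(triage(), indent=1))
```

Two design points worth noting. The hard lines run before the overlap and criticality checks, so an app that is both redundant and a PII leak lands in Tier 4, not Tier 3, and the reasons list carries every breach rather than just the first, which is what you want on the "here's what you can use instead" conversation. Anything that shows up only in the finance export with no walkthrough on file gets no tier at all (`None`) instead of a guessed one; that is the queue for next quarter's conversations, and it is where an unknown merchant string like SKETCHLY would sit until someone identifies it.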
Budget implications
This shift has changed how I plan budgets. I now hold roughly 8-10% of the SaaS line as a “discover and adopt” reserve. When something legitimate surfaces in a discovery cycle, I can absorb it without a separate business case. That single change cut friction with business units more than any policy update I’ve ever written.
I do still negotiate hard at consolidation points. If three teams are using three different transcription tools, we pick one and migrate. The savings from consolidation usually fund the new things we discover. Net SaaS spend has stayed roughly flat for me over two years despite the ecosystem doubling in size.
The AI angle
GenAI is where this conversation gets sharpest. Teams are using ChatGPT, Claude, Copilot, Gemini, and a long tail of niche tools - often three or four at once. Trying to ban this is a fool’s errand and frankly bad for productivity.
My approach: provide a sanctioned default with proper data handling guarantees (we’re on Copilot for Microsoft 365 plus a managed Anthropic enterprise tenancy), make it free at point of use for any employee, and write a one-page policy that spells out what’s never okay. Then let people self-serve from there. When new AI tools surface in discovery, we evaluate them on the same Tier 1-4 framework.
For teams wanting to go further with custom AI work, I push them through a lightweight intake process rather than full architecture review. The point is to keep the friction low enough that they don’t go around us.
What I’d tell my 2022 self
If I could send a note back to myself three years ago, it would say: spend less energy on prevention, more on rapid legitimisation. The teams aren’t trying to undermine you. They’re trying to do their jobs. Make it easy for them to do that within sensible guardrails and the shadow shrinks naturally.
Shadow IT in 2026 is mostly a signal that your sanctioned stack and procurement cadence aren’t keeping up. Fix those, and the rest gets a lot easier.