Somewhere inside nearly every British enterprise, employees are signing up for cloud applications that nobody in IT knows about. They’re spinning up SaaS tools with a corporate email address, uploading sensitive files to platforms that haven’t been vetted, and doing it all with the best of intentions. The result is a compliance disaster hiding in plain sight.
A new report from Zylo, a SaaS management platform provider, has laid bare the scale of the problem. According to research reported by TechRadar, the average UK organization now runs approximately 898 SaaS applications. That number alone is staggering. But here’s the real problem: IT departments are aware of only a fraction of them.
The phenomenon is called Shadow IT — software adopted outside the knowledge or control of an organization’s technology team. It’s not new. But its scale has become genuinely alarming. Zylo’s 2025 SaaS Management Index found that roughly 51% of all SaaS applications in use across organizations were brought in without IT’s involvement. In practical terms, that means for every application IT has sanctioned, there’s likely another one it doesn’t know exists.
And the compliance implications are severe.
Britain’s regulatory environment has grown more demanding in recent years, not less. The UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and sector-specific rules from the Financial Conduct Authority and the Information Commissioner’s Office all impose strict requirements on how organizations handle personal data. Every unsanctioned SaaS application that touches customer data, employee records, or financial information represents a potential violation — one that the company can’t remediate because it doesn’t know the application is there.
The Zylo research highlights that organizations aren’t just losing visibility. They’re hemorrhaging money. SaaS waste — spending on unused, duplicate, or redundant applications — costs companies an average of $18 million annually, according to the report. That figure reflects a global average, but UK firms are hardly immune. With budgets under pressure and CFOs demanding efficiency, the inability to track and rationalize software spending is becoming a boardroom issue.
So how did things get this bad?
The answer lies in a structural shift that accelerated during the pandemic. Remote and hybrid work models pushed employees to find their own solutions. Need a project management tool? Sign up for one. Need a design platform? There’s a free tier. Need a file-sharing service? Pick one from a dozen options. The friction involved in procuring software through official channels — submitting requests, waiting for approvals, enduring security reviews — drove workers to simply go around the process. Speed won. Governance lost.
Eric Christopher, co-founder and CEO of Zylo, has been vocal about the disconnect between how organizations think they manage software and how they actually do. The company’s data suggests that even organizations with dedicated SaaS management programs dramatically underestimate their application count. IT teams typically estimate they run 200 to 300 applications. The real number, as Zylo’s data shows, is often three to four times higher.
This isn’t just a technology management headache. It’s a legal exposure problem.
Under UK GDPR, organizations are required to maintain records of processing activities, conduct data protection impact assessments where necessary, and ensure that any third-party processor handling personal data meets specific contractual and security standards. An application that IT doesn’t know about can’t be assessed. It can’t be included in data processing records. Its vendor can’t be evaluated for adequate security controls or data residency compliance. If that application suffers a breach, the organization is still liable — ignorance is not a defense under data protection law.
The Information Commissioner’s Office has shown increasing willingness to impose fines. In 2023, the ICO issued several notable penalties and enforcement notices, making clear that systemic failures in data governance won’t be tolerated. A company that can’t account for where its data lives because half its software stack is invisible to IT is a company sitting on a regulatory time bomb.
Recent developments underscore the urgency. The UK government has been pushing forward with reforms to its data protection framework, including the Data Use and Access Bill, which aims to modernize how data is handled while maintaining high protection standards. Organizations that already struggle to manage their known software estate will find compliance with evolving regulations even harder if Shadow IT continues unchecked.
The financial services sector faces particular scrutiny. The FCA’s operational resilience requirements, which came into full effect in March 2025, demand that firms map their important business services and identify the technology resources underpinning them. Shadow IT makes that mapping exercise fundamentally unreliable. If a trading desk is using an unsanctioned analytics tool, or a compliance team has adopted an unapproved communication platform, the firm’s operational resilience framework has a hole in it.
Not a theoretical hole. A real one.
Healthcare organizations face similar exposure under NHS Digital’s data security standards and the Caldicott principles governing patient information, as do local government bodies handling citizen data and law firms managing privileged communications. The risk profile varies by sector, but the underlying problem is universal: you can’t protect what you can’t see.
TechRadar’s reporting on the Zylo findings also pointed to a generational dimension. Younger employees, who grew up with consumer SaaS products, are far more likely to adopt tools independently. They don’t see it as circumventing policy — they see it as being resourceful. That cultural gap between how IT defines acceptable software procurement and how employees actually behave is one of the hardest aspects of Shadow IT to address. Technical controls alone won’t fix a cultural problem.
Some organizations have responded by deploying Cloud Access Security Brokers (CASBs) and SaaS management platforms that can discover applications through network traffic analysis, SSO integration data, browser extensions, and expense report mining. These tools can surface Shadow IT and give organizations a more accurate picture of their software footprint. But adoption remains uneven, particularly among mid-market firms that lack the budget or headcount for dedicated SaaS governance teams.
There’s also the question of what to do once Shadow IT is discovered. Simply blocking unsanctioned applications can backfire, driving employees to find even more creative workarounds or damaging productivity. The more effective approach, according to SaaS management practitioners, involves a combination of discovery, risk assessment, and rationalization — identifying what’s in use, evaluating whether it meets security and compliance standards, and either bringing it under management or migrating users to approved alternatives.
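One concrete form of the discovery-and-rationalization loop just described, written here as an added example and not code from Zylo, TechRadar or any product named in the article: it merges constructed SSO sign-in records and expense-report lines, compares them with an assumed sanctioned inventory and app catalogue, and proposes one action per finding (migrate users to the approved equivalent, assess the vendor and record the processing, or consolidate a sanctioned app that someone is paying for outside the existing contract).

```python
"""Shadow IT discovery and triage over constructed evidence (added example, not vendor code)."""
from collections import defaultdict

# Assumed: IT keeps a sanctioned inventory of app -> functional category.
SANCTIONED = {"Jira": "project-management", "Slack": "messaging", "Box": "file-sharing"}
# Assumed catalogue used to categorise anything discovered, sanctioned or not.
CATALOGUE = {**SANCTIONED, "Trello": "project-management",
             "WeTransfer": "file-sharing", "Notion": "notes"}
# Assumed keyword map from card-statement merchant text to catalogue names (expense mining).
MERCHANT_KEYWORDS = {"JIRA": "Jira", "TRELLO": "Trello", "WETRANSFER": "WeTransfer", "NOTION": "Notion"}
# Constructed evidence: SSO sign-ins as (user, app); expense lines as (user, merchant text).
SSO_EVENTS = [("alice", "Jira"), ("bob", "Trello"), ("carol", "Slack"), ("dave", "Trello")]
EXPENSE_LINES = [("erin", "WETRANSFER PRO MONTHLY"), ("frank", "JIRA CLOUD"), ("gina", "NOTION LABS INC")]

def discover(sso_events, expense_lines):
    """Merge both evidence sources into app -> {"users": set, "sources": set}."""
    seen = defaultdict(lambda: {"users": set(), "sources": set()})
    for user, app in sso_events:
        seen[app]["users"].add(user)
        seen[app]["sources"].add("sso")
    for user, merchant in expense_lines:
        for keyword, app in MERCHANT_KEYWORDS.items():
            if keyword in merchant.upper():
                seen[app]["users"].add(user)
                seen[app]["sources"].add("expense")
    return dict(seen)

def triage(seen, sanctioned=SANCTIONED, catalogue=CATALOGUE):
    """Propose one action per finding: migrate users to the approved equivalent,
    assess the vendor and record the processing, or consolidate a sanctioned app
    that someone is paying for outside the existing contract."""
    approved_for = {cat: app for app, cat in sanctioned.items()}
    findings = []
    for app, info in seen.items():
        if app in sanctioned:
            if "expense" not in info["sources"]:
                continue  # sanctioned and bought through the normal channel: nothing to do
            action = "consolidate licence under existing contract"
        else:
            equivalent = approved_for.get(catalogue.get(app, "unknown"))
            action = f"migrate users to {equivalent}" if equivalent else "assess vendor and record processing"
        findings.append({"app": app, "users": len(info["users"]),
                         "sources": sorted(info["sources"]), "action": action})
    # Widest-used apps first, so rationalisation effort goes where the exposure is largest.
    return sorted(findings, key=lambda f: (-f["users"], f["app"]))

if __name__ == "__main__":
    for finding in triage(discover(SSO_EVENTS, EXPENSE_LINES)):
        print(finding)
```

Real deployments would feed `discover` from an identity provider's sign-in export and the finance system's card statements rather than inline tuples; the reconciliation logic is the same.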
But that takes time, resources, and executive sponsorship. Three things in chronically short supply.
The broader technology industry has taken notice. Microsoft, which operates one of the largest SaaS portfolios through its Microsoft 365 platform, has invested heavily in tools like Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) to help organizations detect and manage Shadow IT. Google, similarly, offers admin-level visibility tools for Workspace environments. Yet even these built-in capabilities only capture part of the picture, since employees often use applications entirely outside the corporate identity infrastructure.
Industry analysts at Gartner have projected that by 2027, organizations that fail to centrally manage their SaaS portfolios will remain five times more susceptible to a cyber incident or data loss event due to misconfiguration or unmanaged access. That projection aligns with what Zylo’s data already suggests: the problem is compounding, not stabilizing.
For UK boards and C-suites, the message is increasingly clear. Shadow IT is not an IT problem. It’s a governance problem, a compliance problem, and a financial problem. The average organization is running nearly 900 SaaS applications, and the people responsible for security, privacy, and regulatory compliance can’t see half of them. That gap between visibility and reality is where breaches happen, fines accumulate, and reputations erode.
The companies that will manage this effectively are the ones treating SaaS governance as a continuous discipline rather than a one-time audit. They’re embedding software discovery into procurement workflows, tying SaaS management to compliance reporting, and creating feedback loops between IT, legal, and business units. They’re also accepting an uncomfortable truth: the era of centralized IT control over software is over. What replaces it has to be something more adaptive — a governance model that accounts for the reality of how modern employees actually work.
Anything less is a compliance blind spot waiting to be exploited.
WebProNews is an iEntry Publication