
Shadow IT in M&A: The Licensing Liability Nobody Priced

In every acquisition, there's a layer of IT spending nobody in the deal team knew existed — until the integration bills arrived. Here's how shadow IT silently creates post-close liability.

ACQI Research

The Number on the Invoice That Wasn’t in the Model

Q3 2025. A PE-backed healthcare platform acquires a regional clinic network for £85M. Finance models the synergy case: £12M in procurement savings from license consolidation.

Six months post-close, the integration team finds:

  • £3.1M in SaaS contracts the target had purchased outside IT procurement
  • £800K in duplicate software suites
  • £400K in annual spend on tools that were being trialed and auto-renewed without anyone making a renewal decision
  • £1.2M in software where the named user licenses had been allocated to contractors and part-time staff who had left the organization

The procurement synergy case reversed: not £12M in savings, but a £5.4M liability to unwind and restructure.


What Shadow IT Actually Is

1. Contractual liability: Contracts signed by business units without legal review, often with auto-renew clauses and penalties for early termination.

2. Seat allocation inaccuracy: The license count reflects current seats, not actual users. Contractors who left 6 months ago. Deactivated accounts that still appear in the license count.

3. Duplicate functionality: Two departments running Jira and Asana. Marketing running HubSpot and Marketo and an instance they stood up in 2021 that nobody remembers.

4. Forgotten renewals: Trials that auto-converted. Annual commitments signed by someone who left the company.


Why Due Diligence Doesn’t Find Shadow IT

Standard IT due diligence asks: “What SaaS contracts do you have?” The target answers from their vendor management system or finance records.

The problem is that shadow IT by definition isn’t in those systems. It’s in:

  • Credit card statements
  • Department head P&Ls
  • The personal email inbox of someone who signed up for a SaaS trial two years ago

To find shadow IT, you need to look at signals that aren’t in the IT questionnaire: API integration logs showing which SaaS apps are authenticating against the directory, browser extension telemetry, and license assignment data from directory systems.
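As an added illustration (not ACQI's tooling and not code from this article), the sketch below cross-checks three constructed exports: directory sign-in events, directory account status, and license assignments. The column names, sample users, costs and the `DISCLOSED` set are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports; column names and values are assumptions.
DISCLOSED = {"jira", "hubspot"}  # apps the target listed in diligence
DIRECTORY = """user,status
alice@target.example,active
bob@target.example,disabled
carol@target.example,active
"""
SIGNINS = """user,app
alice@target.example,Jira
alice@target.example,Asana
carol@target.example,Marketo
"""
LICENSES = """user,app,annual_cost_gbp
alice@target.example,Jira,120
bob@target.example,Jira,120
carol@target.example,Jira,120
dave@contractor.example,HubSpot,900
"""

def load(text):
    """Parse a CSV export; lower-case values so 'Jira' and 'jira' match."""
    return [{k: v.strip().lower() for k, v in r.items()} for r in csv.DictReader(io.StringIO(text))]

def undisclosed_apps(signins, disclosed):
    """Apps authenticating against the directory but absent from the disclosed list."""
    users = defaultdict(set)
    for r in signins:
        users[r["app"]].add(r["user"])
    return {app: sorted(u) for app, u in users.items() if app not in disclosed}

def seat_findings(licenses, directory, signins):
    """Split paid seats into orphaned (holder not active) and idle (no sign-in seen)."""
    active = {r["user"] for r in directory if r["status"] == "active"}
    used = {(r["user"], r["app"]) for r in signins}
    orphaned, idle = [], []
    for r in licenses:
        seat = (r["user"], r["app"], int(r["annual_cost_gbp"]))
        if r["user"] not in active:
            orphaned.append(seat)
        elif (r["user"], r["app"]) not in used:
            idle.append(seat)
    return orphaned, idle

if __name__ == "__main__":
    print(undisclosed_apps(load(SIGNINS), DISCLOSED))
    print(seat_findings(load(LICENSES), load(DIRECTORY), load(SIGNINS)))
```

A seat held by an account that is missing from the directory altogether (here the contractor address) is counted as orphaned, the same as a disabled account.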


The Shadow IT Risk Register

| Category | Risk | Typical Finding |
|---|---|---|
| Auto-renew contracts past notice window | Financial | £40K-500K in uncancellable commitments |
| Duplicate SaaS platforms | Operational | 20-40% licensing waste |
| Contracts without IT governance | Security | Unpatched SaaS with company data |
| Personal account credentials for work tools | Compliance | GDPR/CCPA exposure |
