
Shadow IT in M&A: The Licensing Liability Nobody Priced

The average acquisition inherits 40-60 undocumented SaaS applications, 23% of which have expired or shared credentials. Here's where shadow IT hides, what it costs, and how to find it before it becomes a liability.

ACQI Team
Tags: shadow-it, saas, licensing, discovery, cost-reduction, security

The standard M&A IT questionnaire asks: “List your major software applications.”

The standard answer is a list of 40-80 applications — the ones IT knows about, the ones in the software asset register, the ones that appear on the annual budget.

The actual answer, discovered by ACQI during post-acquisition discovery in a 2024 financial services acquisition: 340 applications, of which 142 were not on the disclosed list.

That’s a 3x multiplier on the disclosed application count. Here’s where the gap comes from, what it costs, and how to find it before you sign.

Where Shadow IT Comes From

1. Business unit purchasing

The marketing team subscribes to a CRM tool on a corporate card. The operations team uses a file sync service that was set up by an employee who left three years ago. The finance team built a reporting tool in Power Platform that nobody told IT about.

These applications exist on company-issued credentials, use company data, and fall outside IT’s visibility. They’re not malicious — they’re just undiscovered.

2. Proof-of-concept deployments

Cloud infrastructure is cheap to spin up. A developer creates an Azure resource group to test something. The test becomes a development environment. The development environment becomes production for a small team. It runs for two years before anyone asks whether it should still exist.

3. Acquired entity portfolios

When you acquire a company, you inherit their shadow IT along with their disclosed IT. The acquired company may have had a 6-month shadow IT problem, but you inherit it on Day 1 — along with the licensing liability, the security exposure, and the undocumented dependencies.

4. Employee-installed tools

Browser extensions, desktop applications, mobile apps connected to corporate M365 accounts — these represent a category of shadow IT that most discovery tools miss entirely.

The Three Shadow IT Problems in M&A

Problem 1: Licensing liability

Every undisclosed SaaS subscription is a licensing liability. The company is paying for something nobody tracked. Often it’s a per-user license, which means you’re paying for users who have left, for users who never activated, or for duplicate functionality that another application already covers.

In a typical 5,000-user acquisition:

  • 12-18% of per-user SaaS licenses are assigned to inactive or departed users
  • 8-12% are duplicates of other applications already licensed
  • 5-7% are unused applications still running on auto-renewal

For a company spending £2M/year on SaaS, that’s £500K-£740K in recoverable waste — per year.

Problem 2: Security exposure

Undisclosed SaaS applications connected to corporate credentials represent an uncontrolled attack surface:

  • Credential reuse: Users reuse passwords across applications. If Shadow SaaS App #47 is breached, the corporate credentials used there are now exposed.
  • Data residency: Corporate data exists in undisclosed SaaS applications outside your DLP and data residency controls.
  • OAuth token exposure: Third-party applications with M365 API access can read email, files, and contacts without IT’s knowledge.
  • Segregation of duties: A shadow application with a service account that has privileged Entra ID access creates an invisible escalation path.

Problem 3: Migration complexity

You can’t migrate what you can’t see. Every undisclosed application is a potential:

  • Data dependency in a migration wave plan
  • Authentication path that will break post-consolidation
  • Compliance risk if it touches regulated data
  • Integration that will require rework if the service is decommissioned post-close

How to Find Shadow IT in Due Diligence

Method 1: M365 OAuth audit

Every application that has M365 API access — reading email, files, SharePoint, Teams — leaves an OAuth grant in Entra ID. These are enumerated through ACQI’s M365 discovery modules.

What to extract:

  • All application registrations (first-party and third-party)
  • All delegated permissions (what the app can access on behalf of a user)
  • All application permissions (what the app can access with its own credentials)
  • All service principals with high-privilege roles
  • All Microsoft first-party apps (should match your own M365 license)

Anything in the third-party list that isn’t on the disclosed application register is shadow IT.
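The reconciliation this method describes, as an added example that is not ACQI's code or output from its modules. It assumes you have already exported three Microsoft Graph collections (servicePrincipals, oauth2PermissionGrants, appRoleAssignments) to JSON and hold the disclosed application list; the records, tenant IDs for third parties, and the high-exposure permission set are constructed sample data and assumptions to tune to your own policy. The well-known Microsoft Services tenant ID and the Microsoft Graph appId are real values.

```python
"""Reconcile exported Entra ID OAuth data against the disclosed application
register. Added example, not ACQI code; sample records are constructed."""

# Well-known tenant that owns Microsoft first-party service principals.
MICROSOFT_SERVICES_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph

# Permissions that expose mail, files or the directory (assumption: tune to policy).
HIGH_EXPOSURE = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Contacts.Read", "Directory.Read.All", "Directory.ReadWrite.All",
}

# Constructed sample export: servicePrincipal objects (Graph field names).
SERVICE_PRINCIPALS = [
    {"id": "sp-graph", "appId": GRAPH_APP_ID, "displayName": "Microsoft Graph",
     "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT},
    {"id": "sp-1", "appId": "app-1", "displayName": "Microsoft Teams",
     "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT},
    {"id": "sp-2", "appId": "app-2", "displayName": "Salesforce",
     "appOwnerOrganizationId": "11111111-aaaa-0000-0000-000000000001"},
    {"id": "sp-3", "appId": "app-3", "displayName": "MailMerge Pro",
     "appOwnerOrganizationId": "22222222-bbbb-0000-0000-000000000002"},
    {"id": "sp-4", "appId": "app-4", "displayName": "BU Reporting Connector",
     "appOwnerOrganizationId": "33333333-cccc-0000-0000-000000000003"},
]

# Constructed sample export: oauth2PermissionGrant objects (delegated permissions).
OAUTH_GRANTS = [
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-a",
     "resourceId": "sp-graph", "scope": "openid profile User.Read"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "Mail.ReadWrite Files.ReadWrite.All"},
]

# Constructed sample export: appRoleAssignment objects (application permissions).
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-4", "resourceId": "sp-graph", "appRoleId": "role-0001"},
]
# appRoleAssignment carries only the role id; in a real export resolve it against
# the resource service principal's appRoles list. Constructed mapping here:
APP_ROLE_NAMES = {"role-0001": "Mail.Read"}

DISCLOSED_REGISTER = ["Microsoft Teams", "Salesforce"]


def _norm(name):
    return " ".join(name.lower().split())


def audit_oauth(service_principals, oauth_grants, app_role_assignments,
                app_role_names, disclosed_register):
    """Return one finding per third-party service principal, keyed by its id."""
    disclosed = {_norm(n) for n in disclosed_register}
    findings = {}
    for sp in service_principals:
        # First-party Microsoft apps belong to the M365 licence, not shadow IT.
        if sp.get("appOwnerOrganizationId") == MICROSOFT_SERVICES_TENANT:
            continue
        findings[sp["id"]] = {
            "name": sp["displayName"], "appId": sp["appId"],
            "disclosed": _norm(sp["displayName"]) in disclosed,
            "delegated": set(), "application": set(),
            "tenant_wide_consent": False,
        }
    for grant in oauth_grants:
        finding = findings.get(grant["clientId"])
        if finding is None:
            continue
        finding["delegated"].update(grant["scope"].split())
        # AllPrincipals means an admin consented on behalf of every user.
        if grant["consentType"] == "AllPrincipals":
            finding["tenant_wide_consent"] = True
    for assignment in app_role_assignments:
        finding = findings.get(assignment["principalId"])
        if finding is None:
            continue
        role = app_role_names.get(assignment["appRoleId"], assignment["appRoleId"])
        finding["application"].add(role)
    for finding in findings.values():
        granted = finding["delegated"] | finding["application"]
        finding["high_exposure"] = bool(granted & HIGH_EXPOSURE)
    return findings


def shadow_apps(findings):
    """Third-party apps with Graph access that are not on the disclosed register."""
    return sorted(f["name"] for f in findings.values() if not f["disclosed"])


def triage(findings):
    """Shadow apps ordered for remediation: application permissions (no user in
    the loop) and tenant-wide consent outrank one user's delegated grant."""
    def rank(f):
        return (bool(f["application"]), f["tenant_wide_consent"], f["high_exposure"])
    return [f["name"] for f in sorted(findings.values(), key=rank, reverse=True)
            if not f["disclosed"]]


if __name__ == "__main__":
    result = audit_oauth(SERVICE_PRINCIPALS, OAUTH_GRANTS, APP_ROLE_ASSIGNMENTS,
                         APP_ROLE_NAMES, DISCLOSED_REGISTER)
    for name in triage(result):
        f = next(v for v in result.values() if v["name"] == name)
        print(name, sorted(f["delegated"] | f["application"]),
              "tenant-wide" if f["tenant_wide_consent"] else "per-user")
```

Matching on display name is the weakest link: a register that records appIds lets you match on those instead and avoids false negatives from renamed apps.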

Method 2: Azure subscription and resource audit

For each Azure subscription in scope:

  • List all resources: VMs, storage accounts, databases, serverless functions, SaaS connectors
  • Identify resources created by users (creator metadata), not by automation
  • Flag resources without proper tagging or in unexpected regions
  • Identify resources with public endpoints and no conditional access policy
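A hygiene pass over an exported resource inventory, as an added example rather than ACQI's code. It assumes records shaped like `az resource list -o json` entries, each joined with a `createdBy` field taken from the subscription's Activity Log write events (that join is an assumption; the CLI output alone carries no creator), and covers the tagging, region, creator and public-endpoint checks above. The tagging standard, region allow-list, automation identities and resource records are constructed for the example; it does not evaluate conditional access policy.

```python
"""Tag, region, creator and public-endpoint checks over an Azure resource
export. Added example, not ACQI code; inputs are constructed."""

REQUIRED_TAGS = {"owner", "cost-centre", "environment"}   # assumption: your tagging standard
ALLOWED_REGIONS = {"uksouth", "ukwest"}                   # assumption: approved regions
AUTOMATION_PRINCIPALS = {"deploy-pipeline-sp"}            # assumption: known IaC identities

# Constructed sample inventory (az resource list shape plus an Activity Log createdBy join).
RESOURCES = [
    {"id": "/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/app01",
     "name": "app01", "type": "Microsoft.Compute/virtualMachines", "location": "uksouth",
     "tags": {"owner": "platform", "cost-centre": "CC100", "environment": "prod"},
     "createdBy": "deploy-pipeline-sp", "properties": {}},
    {"id": "/subscriptions/sub-1/resourceGroups/rg-test/providers/Microsoft.Storage/storageAccounts/pocdata01",
     "name": "pocdata01", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "tags": {}, "createdBy": "dev.user@example.com",
     "properties": {"publicNetworkAccess": "Enabled"}},
    {"id": "/subscriptions/sub-1/resourceGroups/rg-bu/providers/Microsoft.Web/sites/reporting-func",
     "name": "reporting-func", "type": "Microsoft.Web/sites", "location": "uksouth",
     "tags": {"owner": "finance"}, "createdBy": "analyst@example.com",
     "properties": {"publicNetworkAccess": "Disabled"}},
]


def audit_resource(resource, required_tags=REQUIRED_TAGS,
                   allowed_regions=ALLOWED_REGIONS, automation=AUTOMATION_PRINCIPALS):
    """Return the list of hygiene issues for one resource (empty list = clean)."""
    issues = []
    missing = sorted(required_tags - set((resource.get("tags") or {}).keys()))
    if missing:
        issues.append("missing-tags:" + ",".join(missing))
    if resource["location"].lower() not in allowed_regions:
        issues.append("unexpected-region:" + resource["location"])
    # Created by a human identity rather than a known pipeline: candidate shadow IT.
    if resource.get("createdBy") and resource["createdBy"] not in automation:
        issues.append("user-created:" + resource["createdBy"])
    # publicNetworkAccess is the common ARM property for data-plane exposure.
    if resource.get("properties", {}).get("publicNetworkAccess", "").lower() == "enabled":
        issues.append("public-endpoint")
    return issues


def audit_inventory(resources, **policy):
    """Map resource id -> issues, only for resources with at least one issue."""
    report = {}
    for resource in resources:
        issues = audit_resource(resource, **policy)
        if issues:
            report[resource["id"]] = issues
    return report


def proof_of_concept_candidates(report):
    """Resources both user-created and untagged: the test environment that
    quietly became production."""
    return sorted(rid for rid, issues in report.items()
                  if any(i.startswith("user-created") for i in issues)
                  and any(i.startswith("missing-tags") for i in issues))


if __name__ == "__main__":
    report = audit_inventory(RESOURCES)
    for rid, issues in report.items():
        print(rid.rsplit("/", 1)[-1], issues)
    print("PoC candidates:", proof_of_concept_candidates(report))
```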

Method 3: Network-based application discovery

Passive network monitoring can identify applications communicating with corporate infrastructure that don’t appear in any asset register. This catches:

  • Legacy on-premises applications still in use
  • Undocumented API integrations
  • File transfer services (FTP, SFTP, cloud storage) used outside IT visibility
  • Monitoring and observability tools deployed without IT approval

Method 4: Active Directory application enumeration

Service account usage, SPN registrations, and IIS application mappings in Active Directory surface applications that are integrated into the identity infrastructure but not in the application register.

Method 5: License inventory reconciliation

Every paid application has a license record — either in the vendor’s portal, in an enterprise agreement, or on a credit card statement. Cross-reference:

  • Actual license assignments (from vendor portals) against license entitlements (from contracts)
  • Credit card transaction records against application registrations
  • Enterprise agreement line items against application usage
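The three cross-references above carried out over constructed exports, as an added example that is not ACQI's code. It assumes you hold a vendor-portal seat list, an HR roster, contract entitlements and seat costs, a corporate card statement, and the disclosed register; all values and column shapes are sample data and assumptions. It also quantifies the first Problem 1 bucket (seats held by departed users) as annual recoverable spend.

```python
"""Licence reconciliation: portal seats vs HR roster, seats vs contracts,
card charges vs register. Added example, not ACQI code; inputs constructed."""
from collections import defaultdict

# Vendor-portal seat assignments: (application, user).
ASSIGNMENTS = [
    ("Salesforce", "alice"), ("Salesforce", "bob"), ("Salesforce", "carol"),
    ("DocuSign", "dave"), ("DocuSign", "erin"), ("DocuSign", "frank"),
]
# HR roster of current employees (carol, erin and frank have left).
ACTIVE_USERS = {"alice", "bob", "dave"}
# Contract entitlements: seats purchased per application.
ENTITLEMENTS = {"Salesforce": 2, "DocuSign": 10}
# Annual cost per seat, from the contracts.
SEAT_COST_GBP = {"Salesforce": 1200, "DocuSign": 300}
# Corporate card statement lines: (merchant descriptor, monthly amount).
CARD_TRANSACTIONS = [
    ("ZOOM.US 888-799-9666", 150.0),
    ("MAILMERGE PRO LTD", 49.0),
    ("DOCUSIGN INC", 99.0),
]
# Disclosed application register.
REGISTER = {"Salesforce", "DocuSign", "Zoom"}


def inactive_assignments(assignments, active_users):
    """Seats assigned to users who are no longer on the HR roster."""
    out = defaultdict(list)
    for app, user in assignments:
        if user not in active_users:
            out[app].append(user)
    return dict(out)


def entitlement_gaps(assignments, entitlements):
    """Per app: (assigned, entitled). assigned > entitled is a true-up exposure;
    assigned < entitled is idle spend."""
    assigned = defaultdict(int)
    for app, _ in assignments:
        assigned[app] += 1
    return {app: (assigned.get(app, 0), seats) for app, seats in entitlements.items()}


def _compact(text):
    return "".join(ch for ch in text.lower() if ch.isalnum())


def unregistered_charges(transactions, register):
    """Card lines whose merchant descriptor matches nothing on the register:
    candidate business-unit subscriptions IT has never seen."""
    keys = {_compact(app) for app in register}
    return [(merchant, amount) for merchant, amount in transactions
            if not any(key in _compact(merchant) for key in keys)]


def recoverable_annual_gbp(assignments, active_users, seat_cost):
    """Annual spend tied to departed users' seats."""
    return sum(seat_cost[app] * len(users)
               for app, users in inactive_assignments(assignments, active_users).items())


if __name__ == "__main__":
    print("departed-user seats:", inactive_assignments(ASSIGNMENTS, ACTIVE_USERS))
    print("assigned vs entitled:", entitlement_gaps(ASSIGNMENTS, ENTITLEMENTS))
    print("unregistered card charges:", unregistered_charges(CARD_TRANSACTIONS, REGISTER))
    print("recoverable per year: £", recoverable_annual_gbp(ASSIGNMENTS, ACTIVE_USERS, SEAT_COST_GBP))
```

Merchant descriptors are noisy, so the substring match is deliberately loose; review the unregistered list by hand rather than auto-cancelling from it.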

The Real Cost of Shadow IT in M&A

A 2024 manufacturing acquisition illustrates the pattern:

  • Disclosed applications: 67
  • Actual applications discovered: 231
  • Shadow IT count: 164 (71% of total)

Of the 164 shadow applications:

  • 43 were redundant with already-licensed applications (duplicate functionality)
  • 28 had expired or been superseded but were still being paid for on auto-renewal
  • 19 had shared or expired credentials creating security risk
  • 11 were storing regulated data outside approved data residency controls
  • 6 had dependencies on infrastructure being decommissioned as part of the migration

Financial impact at discovery:

  • £840K in identified SaaS waste (immediate cancellation opportunity)
  • £210K in security remediation required (credential reset, access revocation, data migration)
  • 3 applications flagged as migration-critical that would have caused P1 incidents if missed

Lesson: The shadow IT discovery paid for the entire ACQI deployment in the first week.

What to Do With Shadow IT Once You Find It

Categorize by business criticality

Not all shadow IT should be migrated. Some of it should be decommissioned. Some of it should be formalized (bring IT visibility, standardize licensing, enforce security policies).

The decision framework:

  1. Critical and replaceable: Migrate to a standardized platform and decommission the shadow tool
  2. Critical and irreplaceable: Formalize, secure, and bring under IT management
  3. Non-critical and redundant: Decommission immediately
  4. Non-critical and useful: Evaluate for standardization or individual team adoption

Address credential hygiene as a priority

Any shadow application with shared credentials, expired credentials, or service accounts with privileged access should be treated as a security incident. Prioritize:

  • Credential rotation for all shadow application accounts
  • Audit of OAuth grants for applications with M365 API access
  • Review of service principal permissions for cross-tenant access

Build a shadow IT register for future acquisitions

The applications you find in this acquisition will inform your discovery checklist for the next one. Build your shadow IT detection into your standard post-close discovery sprint.


ACQI’s application discovery modules surface shadow IT across M365, Azure, AWS, and on-premises infrastructure.
