Shadow IT Report 2026: The Top 10 Tools Creating the Most Unmanaged Spend

Shadow IT isn't just rogue developers spinning up AWS accounts anymore. In 2026, the biggest sources of unmanaged software spend were the tools you already use; they're just scaling outside your visibility and control.

We analyzed shadow spend patterns across Tropic's $18B+ spend intelligence platform to identify which vendors are creating the most unmanaged spend and why it's happening.

TL;DR

• Google dominates: ~45% of shadow IT transactions are Google services (Cloud, Workspace, Ads)
• Top 3 control 70%+: Google, Microsoft (~25%), and OpenAI (~20%) account for the majority of high-frequency shadow spend
• Two distinct patterns: High-dollar infrastructure that scales beyond contracts (Google Cloud, New Relic, Snowflake) vs. high-frequency small purchases that bypass procurement (OpenAI, Atlassian, Twilio)
• Top 10 by dollars: Google, Circle CI, New Relic, Rippling, Snowflake, SAP Concur, HubSpot, Deel, Airtable, ZoomInfo

The Top 10 Tools Creating the Most Shadow IT Problems

By Dollar Amount (Highest Exposure)

Our analysis reveals which vendors create the largest unmanaged spend by total dollars:

1. Google (Cloud Platform, Workspace add-ons, Google Ads)
2. Circle CI
3. New Relic
4. Rippling
5. Snowflake
6. SAP Concur
7. HubSpot
8. Deel
9. Airtable
10. ZoomInfo

By Frequency (Most Transactions)

Which vendors show up most often as shadow IT purchases:

1. Google (approximately 45% of shadow IT frequency)
2. Microsoft (approximately 25%)
3. OpenAI (approximately 20%)
4. Atlassian
5. Twilio
6. GitHub
7. Adobe
8. HubSpot
9. Figma
10. Slack

What Causes Shadow IT?

Frictionless Self-Service (Google, Microsoft, OpenAI, Atlassian)

Teams start with freemium tiers that deliver immediate value. When they need more capacity, a credit card instantly unlocks the upgrade. Auto-scaling usage means there's no approval checkpoint between "we're trying this" and "we're spending $15K/month." By the time the bill arrives 30 days later, the spend has already happened and the tool has become essential to workflows.

Consider a typical scenario: An engineering team starts with Google Cloud's free trial to prototype a feature. They add a managed database for persistence, enable load balancing for reliability, and suddenly they're spending $15,000 monthly before anyone in finance knows the project exists.

Embedded in Existing Workflows (OpenAI, GitHub Copilot)

AI features launch as "add-ons" to tools teams already use, positioned as productivity enhancers rather than new software purchases. Individual users opt in without realizing they're creating recurring charges. Procurement never sees these because technically they're upgrades to existing approved vendors.

A developer enables GitHub Copilot for $10 per month because it appears to be just another GitHub feature. Six months later, finance discovers that 200 engineers have been auto-billed, totaling $12,000—spend that would have required procurement approval if positioned as new software.

Departmental Budget Hiding (HubSpot, Adobe, ZoomInfo)

Marketing and sales tools get purchased on departmental credit cards, categorized as "marketing campaigns" or "lead generation" rather than software subscriptions. They're expensed rather than capitalized and renew annually without procurement review because they're buried in departmental spend.

Marketing buys ZoomInfo on the team budget as "lead data," initially spending $15,000. Over 18 months, the spend grows to $85,000 through user additions and feature upgrades. IT and procurement discover the tool only during a vendor consolidation effort.

Auto-Scaling Infrastructure (AWS, Google Cloud, New Relic, Snowflake)

The initial purchase happens through proper channels with full approval. But usage-based pricing means bills can double or triple without any new purchase decision. Teams lack alerts when spend exceeds budget by 2x or 3x, and finance sees the variance but can't explain or control it without technical context.

You contract for $50,000 annually of Snowflake based on projected data volumes. Actual spend hits $120,000 because data retention policies weren't optimized and query patterns proved more expensive than estimated. This isn't shadow IT in the traditional sense—procurement approved the vendor—but it's functionally unmanaged spend.

The Two Types of Shadow IT

Shadow IT manifests in two distinct ways, each requiring different discovery and management approaches.

Type 1: High-Dollar Operational Infrastructure

Vendors: Google Cloud, New Relic, Rippling, Circle CI, Snowflake

How it happens: Core business systems start small and scale rapidly, often with initial approval that becomes outdated as usage grows. Finance knows these vendors exist but has lost visibility into actual spend versus budget.

Impact:

• Large budget variance (contracted $100K, actual $140K)
• Difficult to forecast because usage-based pricing is unpredictable
• Can't consolidate or renegotiate because business depends on it

Type 2: High-Frequency Smaller Purchases

Vendors: OpenAI, Microsoft 365 add-ons, Atlassian, GitHub, Adobe, Twilio

How it happens: Individual teams or users purchase directly through credit cards under approval thresholds. Self-service upgrades from free to paid tiers happen without IT involvement. Lots of small transactions add up.

Impact:

• Death by a thousand cuts ($50 here, $200 there = $50K annually)
• Security/compliance risk from unvetted software
• Duplicate purchases (3 teams buy the same tool independently)
• No negotiation leverage (paying list price on everything)

Shadow Spend by Category

Based on our analysis across Tropic customers, shadow spend appears most frequently in these categories:

Infrastructure & DevOps: Google Cloud Platform auto-scaling, Circle CI overages, New Relic consumption growth, GitHub seat sprawl

GTM & Sales Tools: ZoomInfo seat additions, HubSpot feature upgrades, Apollo.io team purchases, Outreach expansions

AI & Productivity: OpenAI API usage, Microsoft Copilot subscriptions, Anthropic/Claude API calls, GitHub Copilot seats

HR & Operations: Rippling module additions, Deel contractor payments, SAP Concur travel overages

Design & Collaboration: Adobe Creative Cloud seats, Figma organization upgrades, Slack paid features

Which Vendors Cause The Most Shadow Spend?

These three vendors account for approximately 70% of shadow IT by frequency, each through distinct mechanisms.

Google (45% of Shadow IT Frequency)

Google's dominance isn't accidental—it reflects how Google's products are designed for ease of adoption. Teams can spin up Cloud projects with credit cards instantly. Workspace add-ons get purchased departmentally. Google Ads spending often gets categorized as "marketing" rather than software. Auto-scaling infrastructure means budget variance is constant.

The challenge with Google is that services are often simultaneously approved and shadow. You might have an enterprise Workspace agreement that procurement negotiated, but individual teams are spinning up Cloud projects, purchasing Ads campaigns, and adding Workspace add-ons—all using Google, all arguably "approved," but none within the scope of the managed contract.

Microsoft (25% of Shadow IT Frequency)

Microsoft's shadow spend comes through upgrades that don't feel like new purchases. Teams upgrade from E3 to E5 licenses to get Copilot access without realizing this requires procurement approval. Azure auto-scales like AWS. Power Platform apps proliferate across departments as citizen developers build workflow automation without IT governance.

Microsoft's bundling strategy makes shadow spend particularly hard to track. When teams "upgrade" their Microsoft 365 licenses, it appears as a change to an existing vendor relationship rather than a new purchase. The shadow spend hides within an approved vendor, making it invisible to traditional procurement controls that focus on new vendor additions.

OpenAI (20% of Shadow IT Frequency)

OpenAI demonstrates how quickly AI tools can scale from experimentation to production without procurement involvement. Individual users subscribe to ChatGPT Plus for $20 monthly. Developers add API keys to projects for prototyping, then those prototypes become production features without the API usage ever going through procurement review.

Consumption grows exponentially as AI features launch and user adoption increases. A project starts with $200 monthly in API costs during development, scales to $2,000 as the feature launches internally, then hits $15,000 monthly when rolled out to customers. Each growth phase happens automatically through consumption, with no purchase order or approval process.

The Hidden Costs Beyond Direct Spend

Shadow IT creates costs beyond the invoice amounts:

Security & Compliance Risk: Unvetted software may not meet company requirements. Data flows to unapproved systems without security reviews. Compliance violations occur when tools handling sensitive data haven't been assessed for GDPR, SOC 2, or HIPAA requirements.

Duplicate Spend: Multiple teams independently purchase the same tool. One team pays for Airtable, another subscribes separately, a third uses it through departmental budgets. The company pays three times for software that could have been consolidated under a single enterprise agreement with volume discounts.

Lost Negotiation Leverage: Shadow IT means paying list price instead of negotiated rates. You have no consolidated vendor relationships that could unlock better terms. The difference between list price and negotiated enterprise pricing typically ranges from 20-30%, meaning shadow IT isn't just unmanaged—it's systematically overpaying.

Negotiation Implications

Understanding shadow spend patterns changes how you approach renewals:

For high-frequency shadow vendors (Google, Microsoft, OpenAI): Consolidate all discovered instances before renewal. Use the total spend—managed plus shadow—as leverage for enterprise agreements. Negotiate governance controls as part of the contract, including automated spend alerts and approval workflows.

For high-dollar infrastructure vendors (New Relic, Snowflake, Circle CI): Focus on consumption monitoring and spend caps. Negotiate quarterly true-ups based on actual usage. Build in price protection clauses that limit increases even when usage grows.

For departmental tools (HubSpot, ZoomInfo, Adobe): Discover all instances across teams before engaging the vendor. Consolidate to single enterprise agreement with central billing and departmental charge-back so teams maintain ownership while finance gets visibility.

How Tropic Can Help

Tropic's procurement platform addresses shadow IT through automated discovery and continuous monitoring:

• Automated vendor identification across credit cards, expenses, and accounting systems
• Real-time alerts when new software purchases occur
• Integration with SSO/identity providers to catch shadow tools
• Consumption monitoring for usage-based vendors
• Spend intelligence showing where shadow IT is most common based on $18B+ in data

Frequently Asked Questions

What is shadow IT spend?

Shadow IT spend refers to software purchases made outside formal IT or procurement approval processes. In 2025, this increasingly means tools that teams adopt through credit cards, self-service upgrades, or consumption that scales beyond contracted amounts.

Why does Google create so much shadow IT?

Google accounts for approximately 45% of shadow IT frequency because its products are designed for frictionless adoption. Teams can instantly spin up Cloud projects with credit cards, purchase Workspace add-ons departmentally, and scale infrastructure automatically—all without procurement checkpoints.

Is shadow IT always unauthorized?

No. Modern shadow IT often involves approved vendors where usage or specific features scale beyond the managed contract scope. For example, you might have an enterprise Google Workspace agreement while teams independently spin up Cloud projects—technically using an approved vendor, but outside procurement visibility.

How is AI changing shadow IT patterns?

AI tools like OpenAI and GitHub Copilot create shadow spend through embedded features that feel like productivity enhancements rather than software purchases. Individual users opt in without realizing they're creating recurring charges, and consumption scales from experimentation to production without procurement involvement.

What's the difference between Type 1 and Type 2 shadow IT?

Type 1 is high-dollar operational infrastructure (Google Cloud, Snowflake, New Relic) that starts with approval but scales beyond budget through consumption-based pricing. Type 2 is high-frequency smaller purchases (OpenAI, Atlassian, Twilio) where individual teams buy tools directly, creating many small transactions that add up.

How much does shadow IT typically cost companies?

While specific amounts vary by company size, shadow IT commonly represents 8-18% of total software budgets. The hidden costs—security risks, duplicate purchases, and lost negotiation leverage—often exceed the direct spend.

Can shadow IT be completely eliminated?

No, and that's not the goal. The objective is creating visibility and control without blocking legitimate purchases that help teams work effectively. Modern shadow IT governance focuses on automated discovery, appropriate approval thresholds, and consumption monitoring rather than trying to prevent all unmanaged purchasing.

How does shadow IT affect vendor negotiations?

Shadow IT typically means paying list price on unmanaged purchases. Consolidating shadow spend during renewals can unlock 20-30% savings through enterprise pricing. It also provides negotiation leverage—vendors want to keep your total business, including spend they didn't know about.

What tools create the most shadow IT by dollars vs. frequency?

By dollars: Google, Circle CI, New Relic, Rippling, Snowflake lead—these are operational infrastructure tools that scale expensively. By frequency: Google (45%), Microsoft (25%), and OpenAI (20%) dominate through many smaller transactions and embedded adoption patterns.

Methodology

This analysis is based on shadow IT patterns identified across Tropic's $18B+ spend intelligence platform, representing data from thousands of companies ranging from 1 to 10,000+ employees. Shadow IT is defined as software purchases made outside of IT/procurement approval processes, including credit card purchases under approval thresholds, consumption growth on approved vendors exceeding contracted amounts, and departmental tool purchases not tracked in vendor management systems. Data includes shadow IT discovered and managed between January 2024 and January 2025.

About Tropic: Tropic is an intelligent procurement platform that combines AI agents and expert services to help finance and procurement teams save time and money on software purchases. Our spend intelligence database includes $18B+ in software contracts, giving customers unmatched visibility into managed and unmanaged spend. Learn more at tropicapp.io.

Last updated: February 2025 | Data reflects shadow IT analysis through January 2025

‍