The Exit Ready Series · Post R.25
View the full series →The App Nobody Approved
The buyer's IT consultant asks for the application inventory. Kevin names five systems. The audit finds twelve more — none of them his.
The buyer's IT consultant asks Kevin Downer for the company's application inventory.
Kevin opens the network diagram he drew two years ago. The company email system. The accounting platform. The dispatch system. The shared network drive with Janet's fourteen workbooks. The phone system. That is the stack.
The consultant asks about the other tools. The ones employees signed up for on their own.
Kevin does not know what he means.
"Project management software. File-sharing accounts. Messaging platforms. Scheduling tools. Any application an employee is using for work that was not purchased or approved by you or the company."
Kevin thinks about it. He knows Diane uses Dropbox to share files with customers because the company email has a 10MB attachment limit. He knows the dispatchers use a free scheduling app on their phones because the dispatch system does not have a mobile view. He thinks one of the sales reps built a pipeline tracker in a tool he has never heard of.
He does not know what else is out there. He has never asked.
The junk drawer
Every house has one. The drawer in the kitchen that starts with a few batteries and a screwdriver. Nobody decides to fill it. Nobody inventories it. Things accumulate because someone needed something, could not find the right tool, and grabbed whatever was closest. Five years later the drawer is full of items nobody remembers putting there, half of which still work, and none of which anyone would choose if they were starting fresh.
That is The App Nobody Approved — the pattern where employees adopt tools on their own because the company's systems do not do what they need, and nobody in management knows the full inventory of what is running.
The buyer's IT team is not concerned about the tools themselves. Free scheduling apps and personal Dropbox accounts are not expensive. What concerns them is what lives inside those tools. Customer data in an account the company does not control. Pricing files shared through a platform with no access management. Job notes in an app that belongs to an employee, not the business.
Shadow IT is not a technology problem. It is a data governance problem. The buyer is asking: where is your data, who controls it, and what happens to it when an employee leaves?
The account Diane forgot
The IT consultant runs a network scan and a SaaS audit. The scan surfaces twelve applications in active use that are not on Kevin's list. Two file-sharing platforms. A scheduling tool. A messaging app with three years of customer communication history. A quoting tool one sales rep uses because the company has no formal quoting process. An expense tracker. A survey tool Diane used for a customer satisfaction project two years ago — still active, still holding response data from 140 customers.
Diane's survey account is the artifact the consultant spends the most time on. The account is registered to Diane's personal email. The company has no access. The data includes customer contact information, satisfaction scores, and open-text responses identifying service failures and competitor mentions. Diane ran the survey, presented the results to Ed, and never thought about the account again.
The consultant's note: Customer data residing in twelve unsanctioned applications. No centralized inventory. No access controls. No offboarding process for application-level accounts. Data recovery from departing employees is not guaranteed.
That note is what turns a $15-per-month scheduling app into a diligence finding.
What the buyer prices
The buyer prices shadow IT as two costs. First, the audit and remediation — identifying every unsanctioned tool, determining what data lives in each one, migrating recoverable data into company-controlled systems, and closing the accounts. Second, the governance gap — building the policy, the onboarding checklist, and the offboarding process that ensures it does not happen again.
The first cost is labor. The second is a process the company should have built years ago.
Neither cost is large. Shadow IT is the smallest finding in the IT arc. But the finding confirms the pattern the consultant has documented across four days of site visits: a business where critical information lives in places the company does not own, maintained by people the company cannot replace, with no process for what happens when those people leave.
Twenty-one findings. Each one individually reasonable. The smallest is $80K. The mechanism is the accumulation.
What Ready Looks Like
Maintain an application inventory. Every tool employees use for work — sanctioned or not — is documented, reviewed annually, and either approved or retired.
Business data lives in company-controlled accounts. No customer data in personal Dropbox accounts. No project files in tools registered to personal email addresses. If an employee uses a tool for work, the company owns the account.
Offboarding includes application access. When an employee leaves, their access to every sanctioned tool is revoked and any data in unsanctioned tools is recovered before their last day.
For Meridian, none of these were true.
Kevin finds Diane's survey account during the remediation. He asks her for the login. She tries three passwords before the right one works. She has not opened it in two years.
He exports the data — 140 customer records, satisfaction scores, open-text responses — and moves it to the company's shared drive. Then he closes the account.
The data had been sitting in a free tool, registered to a personal email, protected by a password Diane almost forgot. If Diane had left Meridian before the deal, the data would have left with her. Not because she intended to take it. Because nobody knew it was there.
What this cost Ed: $80K.
The buyer funded the shadow IT audit and remediation post-close — inventorying twelve unsanctioned applications, migrating recoverable data, establishing an application governance policy, and building offboarding procedures for application-level access. The $80K is the direct cost of cataloging and closing the gaps. The deeper cost is the pattern it confirms: a business where data lives in places nobody tracks, controlled by people rather than systems.
Don't be Ed.