The Cloud Apps You Don’t Know About Are the Ones That Will Hurt You

Research consistently puts the number at around 80% — the share of employees who use cloud applications their employer hasn’t sanctioned. For a small business, that number isn’t an abstraction. It’s specific: the paralegal using a personal Dropbox to share large document sets with clients. The associate using a free online PDF converter to process confidential filings. The office manager using a consumer-grade project management app that stores client billing information.

None of those people are trying to create a security problem. They’re trying to do their jobs efficiently. But each one represents data leaving your environment through a channel you didn’t review, don’t monitor, and have no contractual protections around.

Shadow IT used to be a problem for large enterprises. In 2026, the tooling to address it is accessible to businesses of any size — and the exposure is no longer hypothetical for small firms.

The Discover Phase: Finding What’s Running

The first challenge is visibility. You can’t manage what you don’t know about.

DNS filtering with cloud application intelligence is the most practical starting point. When an employee visits Dropbox, Notion, Airtable, or any of hundreds of other cloud services, that request starts with a DNS lookup. An Advanced DNS Security platform can log those queries and categorize them against a cloud application database — giving you a map of what your employees are actually using, not what you assume they’re using.
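To make the discovery step concrete, here is a small script that does what that paragraph describes: it reads DNS query logs, matches each queried name against a cloud application catalogue, and produces an inventory of which clients talked to which apps, plus a list of names nobody has categorised yet. This is an added example, not code from the article or from any DNS security product. The log lines and the catalogue are constructed for illustration; a real deployment would read the filter's own export format and use its application database.

```python
"""Categorise DNS query logs against a small cloud-application catalogue.

Added example, not from the original article or any product it mentions.
The log lines and the catalogue below are constructed; a real deployment
would use the DNS filter's export format and its application database.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed catalogue: domain suffix -> (application, category).
APP_CATALOG = {
    "dropbox.com": ("Dropbox", "file-sharing"),
    "dropboxapi.com": ("Dropbox", "file-sharing"),
    "notion.so": ("Notion", "collaboration"),
    "airtable.com": ("Airtable", "collaboration"),
    "sharepoint.com": ("SharePoint", "file-sharing"),
    "office.com": ("Microsoft 365", "productivity"),
    "ilovepdf.com": ("iLovePDF", "document-conversion"),
}

# Constructed log lines in a common "timestamp client qname" shape.
SAMPLE_LOG = """\
2026-03-02T09:14:03Z 10.0.5.21 www.dropbox.com
2026-03-02T09:14:05Z 10.0.5.21 content.dropboxapi.com
2026-03-02T09:15:40Z 10.0.5.33 www.notion.so
2026-03-02T09:16:12Z 10.0.5.33 api.airtable.com
2026-03-02T09:17:01Z 10.0.5.40 firm-tenant.sharepoint.com
2026-03-02T09:18:30Z 10.0.5.21 www.ilovepdf.com
2026-03-02T09:19:55Z 10.0.5.52 totally-new-sync-service.example
"""


@dataclass(frozen=True)
class Query:
    ts: str
    client: str
    qname: str


def parse_log(text: str) -> list:
    """Parse whitespace-separated 'timestamp client qname' lines."""
    queries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        queries.append(Query(ts, client, qname.rstrip(".").lower()))
    return queries


def lookup_app(qname: str):
    """Match a query name against catalogue entries by domain suffix.

    The most specific suffix is tried first, so 'content.dropboxapi.com'
    maps to the 'dropboxapi.com' entry. Returns None when uncategorised.
    """
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in APP_CATALOG:
            return APP_CATALOG[suffix]
    return None


def build_inventory(text: str) -> dict:
    """Return per-app client sets and query counts, plus uncategorised names."""
    apps = defaultdict(lambda: {"category": None, "clients": set(), "queries": 0})
    uncategorised = Counter()
    for q in parse_log(text):
        hit = lookup_app(q.qname)
        if hit is None:
            uncategorised[q.qname] += 1
            continue
        app, category = hit
        apps[app]["category"] = category
        apps[app]["clients"].add(q.client)
        apps[app]["queries"] += 1
    return {"apps": dict(apps), "uncategorised": dict(uncategorised)}


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    for app, info in sorted(inv["apps"].items()):
        print(f"{app:15} {info['category']:20} clients={len(info['clients'])} "
              f"queries={info['queries']}")
    for name, n in inv["uncategorised"].items():
        print(f"UNCATEGORISED   {name} ({n} queries): review before allowing")
```

The uncategorised list is the part worth reading most carefully: a name that is neither in the catalogue nor obviously benign is exactly the "newly registered domain" case the enforcement phase later flags.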

Your M365 admin center is a second source: the OAuth-connected applications section shows every third-party app that a user has authorized with their Microsoft credentials. A firm that has never audited this list typically finds dozens of entries, including applications that were authorized by employees who no longer work there.
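The OAuth audit that paragraph recommends is mostly a join between three lists: the consent grants, the applications they point at, and the users who made them. The script below, an added example rather than the article's own or Microsoft's code, runs that join over a constructed tenant snapshot and reports grants that outlived the employee, grants whose user object no longer exists, tenant-wide admin consents, and grants carrying sensitive scopes. The field names follow the shape of Microsoft Graph's oauth2PermissionGrant, servicePrincipal and user resources, but every record here is constructed; a real audit would pull the live objects with the Graph API or the Graph PowerShell SDK.

```python
"""Audit OAuth consent grants for orphaned or over-broad third-party access.

Added example, not from the original article or from Microsoft. The records
are constructed; their field names follow Microsoft Graph's
oauth2PermissionGrant, servicePrincipal and user resources, but a real
audit would pull live data from the Graph API or PowerShell SDK.
"""
from dataclasses import dataclass, field

# Constructed tenant snapshot.
USERS = [
    {"id": "u-001", "displayName": "A. Paralegal", "accountEnabled": True},
    {"id": "u-002", "displayName": "B. Associate", "accountEnabled": True},
    {"id": "u-003", "displayName": "C. Former Clerk", "accountEnabled": False},
]
SERVICE_PRINCIPALS = [
    {"id": "sp-100", "displayName": "PDF Convert Online"},
    {"id": "sp-101", "displayName": "Calendar Sync Helper"},
    {"id": "sp-102", "displayName": "Doc Signing Vendor"},
]
GRANTS = [
    {"clientId": "sp-100", "consentType": "Principal", "principalId": "u-003",
     "scope": "Files.ReadWrite.All offline_access"},
    {"clientId": "sp-101", "consentType": "Principal", "principalId": "u-001",
     "scope": "Calendars.Read"},
    {"clientId": "sp-102", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.Read Files.Read.All"},
    {"clientId": "sp-101", "consentType": "Principal", "principalId": "u-999",
     "scope": "Calendars.Read"},  # constructed: user object no longer exists
]

# Assumption: scopes a small firm treats as sensitive whoever granted them.
SENSITIVE_SCOPES = {"Files.ReadWrite.All", "Files.Read.All", "Mail.Read",
                    "Mail.ReadWrite", "Directory.ReadWrite.All"}


@dataclass
class Finding:
    app: str
    grantor: str
    reasons: list = field(default_factory=list)


def audit_grants(users, service_principals, grants) -> list:
    """Return one Finding per grant that needs a human decision."""
    users_by_id = {u["id"]: u for u in users}
    sp_names = {sp["id"]: sp["displayName"] for sp in service_principals}
    findings = []
    for g in grants:
        reasons = []
        scopes = set(g["scope"].split())
        if g["consentType"] == "AllPrincipals":
            grantor = "tenant-wide (admin consent)"
            reasons.append("tenant-wide consent: confirm data-processing terms are in place")
        else:
            user = users_by_id.get(g["principalId"])
            if user is None:
                grantor = g["principalId"]
                reasons.append("granting user no longer exists: orphaned consent")
            elif not user["accountEnabled"]:
                grantor = user["displayName"]
                reasons.append("granting account is disabled: consent outlived the employee")
            else:
                grantor = user["displayName"]
        risky = sorted(scopes & SENSITIVE_SCOPES)
        if risky:
            reasons.append("sensitive scopes: " + ", ".join(risky))
        if "offline_access" in scopes:
            reasons.append("offline_access: app holds refresh tokens and keeps access between sign-ins")
        if reasons:
            findings.append(Finding(sp_names.get(g["clientId"], g["clientId"]), grantor, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_grants(USERS, SERVICE_PRINCIPALS, GRANTS):
        print(f"{f.app} (granted by {f.grantor})")
        for r in f.reasons:
            print(f"  - {r}")
```

Note that the harmless grant (an active user allowing calendar read access) produces no finding at all; the point of the audit is to shrink the list to what actually needs a decision, not to re-list every app.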

The Decide Phase: Which Apps to Allow, Which to Block

The list that comes out of discovery will be longer than most firms expect. The goal isn’t to block everything employees are using — that approach fails because the productivity needs behind those apps are real. The goal is to make an informed decision about each category of tool.

A practical framework sorts apps into three buckets. First, sanctioned applications: tools the firm has formally approved, where you understand the data handling practices and have appropriate agreements in place. For law firms, the key question is whether the service offers a Business Associate Agreement (if HIPAA-adjacent) or data processing terms that are compatible with your confidentiality obligations under Florida Bar Rule 4-1.6.

Second, tolerated but limited: apps that are acceptable for non-sensitive use but shouldn’t touch client data or privileged communications. A free design tool used to create social media graphics is different from the same tool used to process client documents.

Third, blocked: services with unclear or unacceptable data handling practices, services that offer no enterprise privacy controls, and services where the risk of sensitive data exposure outweighs any productivity benefit.

The Enforce Phase: Making Policy Real

Deciding what’s allowed is straightforward. Enforcing it without making life difficult for legitimate users requires the right tools in place.

DNS filtering can enforce application category blocks at the network level — preventing access to file-sharing services not on your approved list, blocking consumer cloud storage from company devices, and flagging attempts to access newly registered domains that haven’t been categorized yet. This operates transparently for employees accessing approved services and stops access to blocked ones before data can be transferred.
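The three-bucket decisions from the previous section and the DNS enforcement rules described in this paragraph fit together as one small policy engine, shown below as an added example (not the article's own or any vendor's product logic). It takes a DNS request that the categorisation step has already resolved to an app and category, applies the bucket decision, blocks file-sharing and consumer storage on managed devices unless the service is sanctioned, and refuses to silently pass uncategorised names, blocking them outright when the domain is newly registered. The policy table, the request records, the 30-day "newly registered" threshold and the managed-device rule are all constructed assumptions for illustration.

```python
"""Evaluate DNS requests against a three-bucket cloud-app policy.

Added example, not the article's own or any vendor's product logic. The
policy table, categories and requests are constructed; the 'newly
registered' threshold and the managed-device rule are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Bucket(Enum):
    SANCTIONED = "sanctioned"   # approved, agreements in place
    LIMITED = "limited"         # fine for non-sensitive use only
    BLOCKED = "blocked"         # unacceptable data handling


# Constructed output of the 'decide' phase: app -> (bucket, category).
POLICY = {
    "SharePoint": (Bucket.SANCTIONED, "file-sharing"),
    "Dropbox": (Bucket.BLOCKED, "consumer-storage"),
    "WeTransfer": (Bucket.BLOCKED, "file-sharing"),
    "Google Drive": (Bucket.LIMITED, "consumer-storage"),
    "Canva": (Bucket.LIMITED, "design"),
    "Notion": (Bucket.LIMITED, "collaboration"),
}
NEW_DOMAIN_DAYS = 30  # assumption: treat domains younger than 30 days as suspect
STORAGE_CATEGORIES = {"file-sharing", "consumer-storage"}


@dataclass(frozen=True)
class Request:
    domain: str
    app: Optional[str]            # resolved by the categorisation step, or None
    category: Optional[str]       # app category, or None if uncategorised
    managed_device: bool          # request came from a company-managed endpoint
    domain_age_days: Optional[int]  # None when the registration date is unknown


@dataclass(frozen=True)
class Decision:
    action: str   # "allow", "block", or "allow+alert"
    reason: str


def evaluate(req: Request) -> Decision:
    # 1. Uncategorised names never pass silently; brand-new ones are blocked.
    if req.app is None:
        if req.domain_age_days is not None and req.domain_age_days < NEW_DOMAIN_DAYS:
            return Decision("block", f"uncategorised domain registered {req.domain_age_days}d ago")
        return Decision("allow+alert", "uncategorised domain: added to review queue")
    entry = POLICY.get(req.app)
    # 2. A known app with no decision yet stays visible rather than invisible.
    if entry is None:
        return Decision("allow+alert", f"{req.app} is categorised but has no bucket decision yet")
    bucket, category = entry
    # 3. Explicit blocks win regardless of device or context.
    if bucket is Bucket.BLOCKED:
        return Decision("block", f"{req.app} is in the blocked bucket ({category})")
    # 4. Only sanctioned storage may be used from company devices.
    if bucket is not Bucket.SANCTIONED and req.managed_device and category in STORAGE_CATEGORIES:
        return Decision("block", f"{req.app}: storage outside the approved list on a managed device")
    # 5. Limited apps are allowed but logged, since DNS cannot see what data they carry.
    if bucket is Bucket.LIMITED:
        return Decision("allow+alert", f"{req.app} tolerated for non-sensitive use only; logged")
    return Decision("allow", f"{req.app} is sanctioned")


# Constructed requests covering each branch of the policy.
SAMPLE_REQUESTS = [
    Request("firm.sharepoint.com", "SharePoint", "file-sharing", True, 5000),
    Request("www.dropbox.com", "Dropbox", "consumer-storage", True, 6000),
    Request("drive.google.com", "Google Drive", "consumer-storage", True, 7000),
    Request("drive.google.com", "Google Drive", "consumer-storage", False, 7000),
    Request("www.canva.com", "Canva", "design", True, 4000),
    Request("app.slack.com", "Slack", "collaboration", True, 5000),
    Request("fresh-sync-tool.example", None, None, True, 4),
    Request("old-unknown.example", None, None, True, 900),
]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        d = evaluate(r)
        print(f"{d.action:12} {r.domain:28} {d.reason}")
```

Rule 5 is the honest limit of DNS-based enforcement: a filter can see that a tolerated app was contacted, not whether client documents went into it, so the "limited" bucket is enforced by logging plus policy and training rather than by the resolver alone.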

For M365 environments, Entra ID Conditional Access can restrict which applications users can authorize with their Microsoft credentials, and Microsoft Defender for Cloud Apps (formerly MCAS) provides cloud application discovery and control integrated with your M365 tenant. This is particularly useful for firms that have already invested in E3 or E5 licensing — many of these capabilities are included and simply haven’t been configured.

The goal of enforcement isn’t to lock everything down. It’s to make the approved paths easy and the unapproved paths visible, so deviations get caught before data leaves through a channel nobody reviewed.

A Word on Timing

This is a worthwhile project to run before onboarding new AI tools rather than after. AI applications have a particularly acute version of the shadow IT problem: employees are highly motivated to use them, the productivity benefits are real, and the data handling practices vary significantly between consumer and enterprise versions of the same tool.

Running an unsanctioned cloud audit now gives you a current baseline, helps you understand what your employees actually need from AI tools, and puts you in a position to adopt AI productively rather than reactively.

If you want help running the discovery phase — DNS analysis, M365 OAuth audit, or building the decision framework for your specific environment — that’s something we do as part of our managed services engagement and on request for prospective clients.