Shadow IT Risk Score
Answer 15 questions about your IT environment. Get a risk score in 2 minutes.
Do you maintain an approved application catalog?
Do you have a procurement process for new SaaS tools?
When was your last SaaS audit?
Is SSO enforced for all approved cloud apps?
Does your offboarding checklist include SaaS account revocation?
Do employees use personal accounts for work tools?
Is data loss prevention (DLP) enabled for cloud services?
Do you classify data by sensitivity tier?
Are browser extensions managed centrally?
Which compliance frameworks apply to your organization?
Do you audit third-party data processors annually?
Is there a shadow IT clause in your security policy?
Do you have an approved AI tool list?
Is AI usage monitored across the organization?
Do employees use personal ChatGPT or Claude accounts for work data?
Frequently Asked Questions
What is a shadow IT risk score?
A shadow IT risk score is a 0-100 metric that quantifies how exposed your organization is to risks from unauthorized applications and services. It evaluates five categories: app governance, identity and access management, data protection controls, compliance posture, and AI governance. A higher score indicates better protection against shadow IT risks.
How is the shadow IT risk score calculated?
The score is calculated from 15 questions across five weighted categories: App Governance (25%), Identity and Access (25%), Data Protection (20%), Compliance Posture (15%), and AI Governance (15%). Each question is scored 0-3 based on your answer. The weighted category scores combine into an overall 0-100 score with a corresponding letter grade from A (80-100) to F (0-19).
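As an added worked example (not the calculator's own code), the Python below applies the category weights and grade bands from the answer above to a set of answers. It assumes each category holds three of the fifteen questions, that a category's raw points are scaled to 0-100 before weighting, and that answers have already been mapped to the 0-3 points the FAQ describes; the sample answers are constructed.

```python
from typing import Dict, List

# Category weights from the FAQ; they sum to 1.0.
WEIGHTS: Dict[str, float] = {
    "app_governance": 0.25,
    "identity_access": 0.25,
    "data_protection": 0.20,
    "compliance": 0.15,
    "ai_governance": 0.15,
}

MAX_POINTS_PER_QUESTION = 3  # each question is scored 0-3

# Letter grade floors from the FAQ, checked from the top band down.
GRADE_BANDS = [(80, "A"), (60, "B"), (40, "C"), (20, "D"), (0, "F")]


def category_score(points: List[int]) -> float:
    """Scale a category's 0-3 answers to a 0-100 percentage (assumed normalization)."""
    if not points:
        raise ValueError("category has no answers")
    for p in points:
        if not 0 <= p <= MAX_POINTS_PER_QUESTION:
            raise ValueError(f"answer score {p} outside 0-{MAX_POINTS_PER_QUESTION}")
    return 100.0 * sum(points) / (MAX_POINTS_PER_QUESTION * len(points))


def overall_score(answers: Dict[str, List[int]]) -> float:
    """Weighted 0-100 score; every category in WEIGHTS must be answered."""
    missing = set(WEIGHTS) - set(answers)
    if missing:
        raise ValueError(f"unanswered categories: {sorted(missing)}")
    return round(sum(WEIGHTS[c] * category_score(answers[c]) for c in WEIGHTS), 1)


def letter_grade(score: float) -> str:
    """Map a 0-100 score to the FAQ's A-F grade."""
    for floor, grade in GRADE_BANDS:
        if score >= floor:
            return grade
    return "F"


def weakest_categories(answers: Dict[str, List[int]], n: int = 2) -> List[str]:
    """Lowest-scoring categories first, i.e. where to start improving."""
    return sorted(WEIGHTS, key=lambda c: category_score(answers[c]))[:n]


# Constructed sample: strong app governance and SSO, no AI governance at all.
SAMPLE_ANSWERS: Dict[str, List[int]] = {
    "app_governance": [3, 3, 2],   # catalog, procurement, recent audit
    "identity_access": [3, 2, 1],  # SSO, offboarding, personal accounts
    "data_protection": [1, 2, 0],  # DLP, classification, extensions
    "compliance": [2, 1, 1],       # frameworks, processor audits, clause
    "ai_governance": [0, 0, 0],    # no AI list, monitoring, or controls
}
```

With the sample answers the weighted score is 52.2 (grade C), and AI governance and data protection are the categories to address first.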
What is a good shadow IT risk score?
An A grade (80-100) indicates mature shadow IT governance with strong controls across all categories. B (60-79) is good but has gaps worth addressing. C (40-59) indicates moderate risk with several uncontrolled areas. D (20-39) suggests significant exposure requiring urgent attention. F (0-19) indicates minimal governance and high risk. Organizations scoring below 40 typically face 2-3 times higher breach probability from unauthorized applications.
How can I improve my shadow IT risk score?
Focus on your lowest-scoring categories first. Common quick wins include enforcing SSO for all approved apps, maintaining an approved application catalog, establishing an AI tool policy, enabling browser extension management, and running a SaaS audit. Use the policy generator at shadowitcalculator.com/policy-generator to create a formal shadow IT policy, and the audit readiness tool at /audit-score to prepare for a comprehensive audit.