Shadow IT Is Already In Your Org
The Flexibility Trap
Good morning, Salesforce Nerds! The pitch was simple: empower your business users.
Give them tools to build without waiting on IT. Drag-and-drop automation. AppExchange apps a click away. OAuth integrations that take minutes to configure.
Salesforce delivered on these promises. And in doing so, built the most capable Shadow IT incubator in your enterprise stack.
Shadow IT has a long history in enterprise environments. But Salesforce is different.
It doesn't just tolerate Shadow IT; it practically hands it a badge and a desk.
The very features that make the platform powerful are the same ones that make governance a nightmare.
You don't have a rogue user problem.
You have a platform-design-meets-organizational-gap problem.
And the gap is wider than you think.

NOT YOUR GRANDPA'S SHADOW IT
SHADOW IT LOOKS OFFICIAL
In traditional enterprises, Shadow IT looks like Dropbox on a corporate laptop or a team running its own Trello instance.
Obvious. Detectable. Bannable.
In Salesforce, it looks like a Connected App your Sales Ops team installed eighteen months ago to sync data to a Google Sheet.
It has a polished name, a real OAuth handshake, and read/write access to your Opportunity object.
Nobody remembers approving it.
It looks like the unmanaged package a well-meaning admin installed from AppExchange to solve a reporting gap.
The vendor's trial expired. The package stayed. The callouts it makes to an external endpoint still fire on every Account save.
It looks like thirty-seven active Flows built by five different people across three business units: none documented, two updating the same field in conflicting order.
This is Shadow IT in Salesforce: it wears a suit, runs in production, and has no owner.
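One way to surface the "two Flows updating the same field" case from a metadata export, added here as an example and not code from the newsletter. It parses Flow metadata XML in the shape the Metadata API retrieves: the start element's object, the status, the optional triggerOrder, and the two ways a record-triggered flow writes the triggering record (before-save Assignment items targeting $Record.<Field>, and after-save Update Records elements whose inputReference is $Record). The flows below are constructed, trimmed sketches of that XML; the flow names and fields are hypothetical.

```python
"""Find active record-triggered Flows that write the same field on the same
object (added example, not the newsletter's code). Input is Flow metadata XML
as retrieved by the Metadata API; the samples are constructed, trimmed
sketches of that format with hypothetical names.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}


def sample_flow(status, obj, order=None, assigned=(), updated=()):
    """Build a minimal record-triggered Flow definition (constructed sample).

    `assigned` fields are written through before-save Assignment elements,
    `updated` fields through an after-save Update Records element on $Record.
    """
    order_xml = f"<triggerOrder>{order}</triggerOrder>" if order is not None else ""
    assign_xml = "".join(
        f"<assignments><name>A_{f}</name><assignmentItems>"
        f"<assignToReference>$Record.{f}</assignToReference><operator>Assign</operator>"
        f"<value><stringValue>x</stringValue></value></assignmentItems></assignments>"
        for f in assigned
    )
    update_xml = "".join(
        f"<recordUpdates><name>U_{f}</name><inputAssignments><field>{f}</field>"
        f"<value><stringValue>x</stringValue></value></inputAssignments>"
        f"<inputReference>$Record</inputReference></recordUpdates>"
        for f in updated
    )
    return (
        '<Flow xmlns="http://soap.sforce.com/2006/04/metadata">'
        f"<status>{status}</status><processType>AutoLaunchedFlow</processType>"
        f"<start><object>{obj}</object><recordTriggerType>Update</recordTriggerType>"
        f"<triggerType>RecordAfterSave</triggerType>{order_xml}</start>"
        f"{assign_xml}{update_xml}</Flow>"
    )


def fields_written(xml_text):
    """Return (object, status, trigger_order, fields written on the triggering record)."""
    root = ET.fromstring(xml_text)
    obj = root.findtext("m:start/m:object", namespaces=NS)
    status = root.findtext("m:status", namespaces=NS)
    order = root.findtext("m:start/m:triggerOrder", namespaces=NS)
    fields = set()
    # Before-save pattern: Assignment items that target $Record.<Field>
    for item in root.findall("m:assignments/m:assignmentItems", NS):
        ref = item.findtext("m:assignToReference", default="", namespaces=NS)
        if ref.startswith("$Record."):
            fields.add(ref.split(".", 1)[1])
    # After-save pattern: Update Records elements that update $Record itself
    for upd in root.findall("m:recordUpdates", NS):
        if upd.findtext("m:inputReference", namespaces=NS) != "$Record":
            continue  # writes some other record, not the triggering one
        for ia in upd.findall("m:inputAssignments", NS):
            field = ia.findtext("m:field", namespaces=NS)
            if field:
                fields.add(field)
    return obj, status, (int(order) if order else None), fields


def find_conflicts(flows):
    """flows: {developer_name: xml}. One entry per (object, field) with more than one active writer."""
    writers = defaultdict(list)
    for name, xml_text in flows.items():
        obj, status, order, fields = fields_written(xml_text)
        if status != "Active" or obj is None:
            continue  # drafts and obsolete versions do not fire
        for field in fields:
            writers[(obj, field)].append((name, order))
    conflicts = []
    for (obj, field), ws in sorted(writers.items()):
        if len(ws) < 2:
            continue
        # Flows with an explicit triggerOrder run first, lowest first; flows
        # without one run afterwards in an order their authors never chose.
        ws.sort(key=lambda w: (w[1] is None, w[1] or 0, w[0]))
        conflicts.append({"object": obj, "field": field, "flows": ws,
                          "fully_ordered": all(o is not None for _, o in ws)})
    return conflicts


# Constructed inventory: four flows, three active, two fighting over StageName.
SAMPLE_FLOWS = {
    "Opp_Stage_Cleanup": sample_flow("Active", "Opportunity", order=10, assigned=["StageName", "Probability"]),
    "Opp_Forecast_Sync": sample_flow("Active", "Opportunity", updated=["StageName", "ForecastCategoryName"]),
    "Opp_Legacy_Stage": sample_flow("Obsolete", "Opportunity", assigned=["StageName"]),
    "Account_Scoring": sample_flow("Active", "Account", updated=["Rating"]),
}

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_FLOWS):
        names = ", ".join(f"{n} (order={o})" for n, o in c["flows"])
        print(f'{c["object"]}.{c["field"]}: {names}; fully ordered: {c["fully_ordered"]}')
```

Pointed at a real retrieve of the `flows/` directory, the only change is reading each `.flow-meta.xml` into the dictionary; a conflict entry whose `fully_ordered` flag is false is the case the newsletter describes, where the winner depends on something nobody reviewed.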
THE ATTACK SURFACE IS BUILT-IN
OAUTH, PACKAGES, AND FLOWS
Connected Apps are the most underestimated Shadow IT vector on the platform.
Any user with the "Manage Connected Apps" permission can create an OAuth session that persists indefinitely, grants broad object access, and generates almost no audit trail in the standard Setup UI. Tokens don't expire unless you force them to.
Unmanaged packages install raw metadata directly into your org: no namespace, no upgrade path, no mechanism for the vendor to push a patch.
You can't know what an unmanaged package does without reading every class, trigger, and custom setting it deposited.
Nothing in your security team's software inventory will ever show it.
Rogue automation is the quietest vector.
Flows built outside any change management process accumulate fast in high-autonomy admin environments. They run in system context, fire on objects their creator could access at build time, and carry no built-in expiration date.
A Flow from 2021 is still modifying records in 2025 while the admin who built it works somewhere else entirely.
Named Credentials used in Apex callouts sit in Setup, largely invisible to anyone not specifically hunting for them.
If an endpoint rotates credentials or changes behavior, your org has no native mechanism to detect the drift.
GOOD INTENTIONS, BAD OUTCOMES
HOW THE WORKAROUND STARTS
Shadow IT doesn't start with malice. It starts with a business user who needs something in two days that the IT ticket queue won't touch for six weeks.
Salesforce's low-code surface makes that workaround accessible to more people than any other enterprise platform.
A motivated admin, a business analyst with Flow Builder access, or a RevOps manager who just finished three Trailhead modules can build something that technically works and push it to production before anyone reviews it.
The organizational gap is the space between what IT governs and what Salesforce permits. That space is enormous.
Salesforce was designed to be configured by business users. Most governance models were designed for traditional software procurement.
Those two realities have never fully reconciled.
When business pressure is high and governance friction is high, users route around governance.
Every time. No exception, no matter how many policies you've posted on Confluence.
IT'S ALREADY IN YOUR ORG
CAN'T GOVERN WHAT YOU CAN'T SEE
The standard enterprise approach to Shadow IT detection doesn't translate to Salesforce: no network traffic to scan, no software inventory to check, no procurement record to audit.
Your Connected Apps list in Setup is the closest thing to an authorization log.
It only shows currently active apps. Revoked grants disappear. Sessions tied to departed users may leave ghost authorizations that nobody has reviewed or cleaned up.
Unmanaged packages don't surface in any centralized software register.
You have to know to look in Setup > Installed Packages, then actually read what each one contains.
Most orgs never do.
Active Flows have no built-in ownership model. Salesforce records who created a Flow, but nothing about who reviewed it, who approved it, or whether it's still needed.
The process list in your org is almost certainly longer than anyone on your team can account for.
The audit surface exists. It's scattered, manual, and rarely owned by someone with enough context to interpret what they're looking at.
That's not a platform limitation. That's a governance gap.
STOP IT BEFORE IT STARTS
BUILD THE GOVERNANCE GATE
Detection is reactive. Prevention requires building governance into the platform before the next connected app gets authorized or the next unmanaged package lands in production.
Start with permissions.
Remove "Manage Connected Apps" from any profile or permission set that doesn't explicitly require it.
Restrict package installation to system administrators only.
Treat Flow Builder access in production as a privileged capability, not a default for anyone holding the System Administrator profile.
Establish a lightweight approval process for new integrations, installed packages, and automation built outside your standard development workflow.
It doesn't have to be bureaucratic. It just has to exist.
A Slack message, a Jira ticket, a shared log. Whatever creates a record that a human reviewed and sanctioned the addition before it touched production.
Run a quarterly audit: Connected Apps, Installed Packages, Named Credentials, and active Flows checked against your approved inventory.
Anything that can't be traced to an approval is a candidate for removal.
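The quarterly reconciliation as a script, added here as an example and not code from the newsletter. It assumes the four inventories and the OAuth grants have already been exported from the org (the objects I would query for this are ConnectedApplication, InstalledSubscriberPackage through the Tooling API, NamedCredential, FlowDefinitionView, OauthToken, and User for IsActive); the records below are constructed sample data in a flattened version of that shape, and the approved inventory is a hypothetical team list. It also covers the ghost-authorization problem from the earlier section, flagging grants whose user is no longer active and grants that have sat idle past a cutoff.

```python
"""Quarterly Shadow IT reconciliation for a Salesforce org (added example,
not the newsletter's code).

Inputs are assumed to be exports from the org: ConnectedApplication,
InstalledSubscriberPackage (Tooling API), NamedCredential, FlowDefinitionView,
OauthToken, and User.IsActive. Everything below is constructed sample data in
a flattened version of that shape; no live org is contacted.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Finding:
    kind: str    # connected_app | package | named_credential | flow | oauth_grant
    name: str
    reason: str


# Hypothetical approved inventory: what a human actually sanctioned.
APPROVED = {
    "connected_app": {"Okta SSO", "Data Loader"},
    "package": {"Approved Reporting Pack"},
    "named_credential": {"ERP_Prod"},
    "flow": {"Lead_Assignment", "Account_Scoring"},
}

# Constructed quarterly export. User 005C has left the company (IsActive=false).
SNAPSHOT = {
    "users": {"005A": True, "005B": True, "005C": False},
    "connected_apps": [
        {"Name": "Okta SSO", "CreatedById": "005A"},
        {"Name": "SheetSync", "CreatedById": "005B"},   # nobody remembers approving it
    ],
    "packages": [
        {"Name": "Approved Reporting Pack"},
        {"Name": "QuickReports Trial"},                  # trial expired, package stayed
    ],
    "named_credentials": [
        {"DeveloperName": "ERP_Prod", "CreatedById": "005A"},
        {"DeveloperName": "Legacy_Webhook", "CreatedById": "005C"},
    ],
    "flows": [
        {"DeveloperName": "Lead_Assignment", "Status": "Active", "CreatedById": "005A"},
        {"DeveloperName": "Account_Scoring", "Status": "Active", "CreatedById": "005C"},
        {"DeveloperName": "Opp_Stage_Cleanup", "Status": "Active", "CreatedById": "005C"},
        {"DeveloperName": "Old_Idea", "Status": "Draft", "CreatedById": "005B"},
    ],
    "oauth_grants": [
        {"AppName": "Okta SSO", "UserId": "005A", "LastUsedDate": "2025-06-20T08:00:00Z"},
        {"AppName": "SheetSync", "UserId": "005C", "LastUsedDate": "2024-01-15T11:30:00Z"},
        {"AppName": "Okta SSO", "UserId": "005B", "LastUsedDate": "2024-09-01T16:45:00Z"},
    ],
}


def _parse_ts(value):
    """Parse the ISO-8601 UTC timestamps Salesforce returns for datetime fields."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(snapshot, approved, now, stale_days=90):
    """Return every item that cannot be traced to an approval or an active owner."""
    findings = []
    active = snapshot["users"]
    stale_before = now - timedelta(days=stale_days)

    def check(kind, records, name_key):
        for rec in records:
            name = rec[name_key]
            if name not in approved[kind]:
                findings.append(Finding(kind, name, "not in approved inventory"))
            creator = rec.get("CreatedById")
            if creator is not None and not active.get(creator, False):
                findings.append(Finding(kind, name, "orphaned: creating user is inactive"))

    check("connected_app", snapshot["connected_apps"], "Name")
    check("package", snapshot["packages"], "Name")
    check("named_credential", snapshot["named_credentials"], "DeveloperName")
    # Only active flows modify records; drafts are noise for this pass.
    check("flow", [f for f in snapshot["flows"] if f["Status"] == "Active"], "DeveloperName")

    # OAuth grants outlive people: flag departed users and long-idle tokens.
    for grant in snapshot["oauth_grants"]:
        label = f'{grant["AppName"]} / {grant["UserId"]}'
        if not active.get(grant["UserId"], False):
            findings.append(Finding("oauth_grant", label, "ghost authorization: user is inactive"))
        if _parse_ts(grant["LastUsedDate"]) < stale_before:
            findings.append(Finding("oauth_grant", label, f"not used in {stale_days} days"))
    return findings


def run_sample(now=datetime(2025, 7, 1, tzinfo=timezone.utc)):
    """Reconcile the constructed snapshot against the hypothetical approved list."""
    return reconcile(SNAPSHOT, APPROVED, now)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.kind}] {f.name}: {f.reason}")
```

The approved list is the piece the newsletter says most orgs lack; once it exists, every item the script reports is either a removal candidate or a missing approval record, and the orphan and idle-grant checks give the reviewer a reason to look even at items that were approved once.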
Shadow IT grows in the gap between what the platform allows and what your organization governs.
The platform won't close that gap for you.
SOUL FOOD
Today's Principle
"Every system is perfectly designed to get the results it gets."