shadowitcalculator.com / Tool 02: risk-posture self-assessment

Shadow IT Risk Score

Answer 15 questions about your IT environment. Get a 0-100 score, letter grade, and the three priority actions that will move it the most. About two minutes, no login.


APP · App governance

weight 25%

  • Q01 Do you maintain an approved app catalog?

  • Q02 Is there a procurement process for new SaaS?

  • Q03 When was your last SaaS audit?

IAM · Identity and access

weight 25%

  • Q04 Is SSO enforced for all approved apps?

  • Q05 Does offboarding cover SaaS access removal?

  • Q06 Do staff use personal accounts for work tools?

DAT · Data protection

weight 20%

  • Q07 Is DLP enabled for cloud apps?

  • Q08 Do you classify data by sensitivity?

  • Q09 Are browser extensions managed centrally?

COM · Compliance posture

weight 15%

  • Q10 Do you audit third-party data processors annually?

  • Q11 Is there a shadow IT clause in your security policy?

  • Q12 Are vendor risk reviews triggered by data sensitivity?

AI · AI governance

weight 15%

  • Q13 Do you have an approved AI tool list?

  • Q14 Is AI usage monitored?

  • Q15 Can staff use personal AI accounts for work data?

Risk score (live)

0 / 100

Grade: F

Critical gaps across the board.

Category breakdown

  • App governance: 0%
  • Identity and access: 0%
  • Data protection: 0%
  • Compliance posture: 0%
  • AI governance: 0%

Priority actions

  1. Tighten app governance: stand up a tiered approval flow and a quarterly app catalog refresh.

  2. Tighten identity and access: enforce SSO across all approved apps; automate SaaS deprovisioning at offboarding.

  3. Tighten data protection: roll DLP and classification labels out to your top 10 cloud apps; lock down browser extensions.


FAQ

Common questions

01. What is a shadow IT risk score?

A shadow IT risk score summarizes how exposed your organization is to unauthorized SaaS, AI, and cloud usage. It is computed from a structured set of questions about app governance, identity controls, data protection, compliance posture, and AI usage. The result is a 0-100 number with a letter grade you can quote in a security report or steering committee.

02. How is the score calculated?

The 15 questions are grouped into five categories with fixed weights: App governance and Identity and access at 25% each, Data protection at 20%, Compliance posture and AI governance at 15% each. Each question scores 0 to 3 based on maturity; each category's percentage rolls up into the weighted overall score; and the letter grade follows from that score: A (80+), B (60-79), C (40-59), D (20-39), F (below 20).
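The rollup described above, as an added example that is not the calculator's own code. It assumes a category's percentage is points earned over points possible (3 per question), that answers are supplied as 0-3 maturity scores already oriented so that 3 is best, and that priority actions are the lowest-percentage categories with ties broken by weight; the category names, weights, question ids and grade thresholds are the ones on this page.

```python
# Added example (not the calculator's own code): the FAQ's scoring model.
# Assumption: a category's percentage is earned points over possible points
# (3 per question), with answers already oriented so that 3 is most mature.
WEIGHTS = {  # category weights from the FAQ, sum to 1.0
    "App governance": 0.25,
    "Identity and access": 0.25,
    "Data protection": 0.20,
    "Compliance posture": 0.15,
    "AI governance": 0.15,
}
QUESTIONS = {  # question ids per category, as listed on the page
    "App governance": ["Q01", "Q02", "Q03"],
    "Identity and access": ["Q04", "Q05", "Q06"],
    "Data protection": ["Q07", "Q08", "Q09"],
    "Compliance posture": ["Q10", "Q11", "Q12"],
    "AI governance": ["Q13", "Q14", "Q15"],
}
MAX_PER_QUESTION = 3
GRADES = [(80, "A"), (60, "B"), (40, "C"), (20, "D"), (0, "F")]  # FAQ thresholds

def category_pct(answers, category):
    """Percentage for one category: earned points over possible points."""
    ids = QUESTIONS[category]
    for q in ids:
        if not 0 <= answers[q] <= MAX_PER_QUESTION:
            raise ValueError(f"{q} must be 0..{MAX_PER_QUESTION}")
    earned = sum(answers[q] for q in ids)
    return 100.0 * earned / (MAX_PER_QUESTION * len(ids))

def overall_score(answers):
    """Weighted rollup of category percentages, rounded to a whole number."""
    return round(sum(w * category_pct(answers, c) for c, w in WEIGHTS.items()))

def letter_grade(score):
    """Map a 0-100 score to the FAQ's thresholds (A 80+, B 60-79, ...)."""
    return next(g for floor, g in GRADES if score >= floor)

def priority_categories(answers, n=3):
    """Lowest-percentage categories first; ties go to the heavier weight (assumption)."""
    ranked = sorted(WEIGHTS, key=lambda c: (category_pct(answers, c), -WEIGHTS[c]))
    return ranked[:n]

# Constructed sample answers: strong app governance and IAM, weak AI governance.
SAMPLE = {"Q01": 3, "Q02": 3, "Q03": 2, "Q04": 3, "Q05": 3, "Q06": 3,
          "Q07": 1, "Q08": 2, "Q09": 0, "Q10": 2, "Q11": 1, "Q12": 1,
          "Q13": 0, "Q14": 0, "Q15": 1}
# overall_score(SAMPLE) -> 62, which letter_grade maps to "B"
```

With every answer at 0 the function returns the same three categories, in the same order, as the live panel above shows before any question is answered.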

03. What counts as a good score?

A and B grades indicate mature SaaS governance: catalog discipline, SSO enforcement, classified data, vendor reviews, and an AI usage policy. C and D grades mean material gaps; you can usually point to one or two missing controls (no SSO enforcement, no AI policy, no offboarding deprovisioning). F means foundational work is needed before discovery makes sense.

04. How do I improve my score?

Lift the lowest-scoring category first; the score weighting rewards uniform progress. The most common quick wins are SSO enforcement across all approved apps, an automated SaaS deprovisioning step in offboarding, and a published approved AI tool list with monitoring. The deeper editorial walkthrough lives at shadowitcost.com/risks.
