Businesses think they know what software their teams are using, but most don't have the full picture.
If your organization runs on Google Workspace, employees can connect third-party apps to their Google accounts in a few clicks without IT approval. Project management tools, AI assistants, file converters, browser extensions, automation platforms. Each one gets granted access to your data, your calendar, your Drive, and your email, and in most organizations, nobody is keeping track.
Shadow IT is a real and growing problem in 2026, and most organizations are further behind than they realize.
Shadow IT refers to any software, app, or service employees use without formal IT authorization. In a Google Workspace environment, it usually starts the same way: an employee signs into a new tool using "Sign in with Google," grants that app OAuth access to their email, calendar, or Drive, and moves on with their day. IT has no record of it.
Data from BetterTracker puts the average company's SaaS count at over 100 applications. Nearly half of those apps are shadow IT, meaning tools IT did not approve, procure, or monitor.
The problem grows over time without anyone noticing. Employees leave, but their app connections stay active. Old tools with full Drive access sit dormant for months or years. Nobody notices until something goes wrong, or until someone audits the SaaS bill.
Google Workspace is designed for openness and collaboration, which is part of what makes it valuable. It also means the barrier to connecting a third-party app is low. Any user can authorize an app via OAuth in seconds, grant broad permissions including access to email, contacts, and files, and do it repeatedly across departments with no centralized visibility.
Google's native Admin Console gives admins some control. You can navigate to Security > Access and Data Control > API Controls to review OAuth-connected apps. But the review is manual. It does not flag risk levels, track usage patterns, or surface which apps are costing money. For IT teams managing dozens or hundreds of users, that process falls apart quickly.
Shadow IT isn't just a security concern. It has a direct impact on SaaS spending, and the two problems are closely connected.
When employees connect apps on their own, organizations accumulate costs that are easy to miss.
Duplicate tools. Multiple teams end up paying for different project management or file-sharing tools that do the same job.
Unused licenses. According to Gartner, roughly 30% of SaaS spend goes to unused licenses and features. Google Workspace seats are one of the most common culprits, and the waste builds when nobody is tracking which users still need access.
Forgotten renewals. Apps connected during a free trial auto-upgrade and attach to a corporate card nobody monitors.
Offboarding gaps. An employee leaves, their accounts are deactivated, but their app connections remain active, sometimes with admin-level permissions.
The spend problem and the security problem are the same problem: nobody has a complete picture of what's connected.
For managed service providers, Google Workspace app visibility is not just an internal concern. It is a concrete service offering that changes how clients perceive your value.
Clients rarely know what apps their employees are using, what those apps can access, or what those apps are costing them. MSPs who walk into a client meeting with a full inventory of connected apps, flagged risks, and identified savings change the nature of that conversation. Instead of reacting to problems, you are surfacing them before the client knows they exist, and that is what separates an IT vendor from an advisor clients rely on and refer to others.
The questions you should be able to answer for every client:
Not all tools solve this problem equally. Here is what matters when evaluating options.
Complete app discovery. The tool should surface every OAuth-connected app across your entire domain, not just the ones IT already knows about. If it only shows sanctioned apps, it is not solving the problem.
User-level detail. Domain-level summaries are not actionable. You need to know which user authorized each app, what permissions were granted, and when the connection was made.
Spend tracking. App visibility and spend visibility need to be connected. Knowing an app exists is not useful if you cannot see what it is costing.
Multi-tenant support for MSPs. If you manage multiple clients, the tool needs to handle multiple Google Workspace environments from a single interface. Logging in client by client does not scale.
Output you can act on. Discovery only matters if it leads somewhere. The tool should make it easy to flag apps for review, identify redundancies, and build a case for consolidation.
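The user-level review described above (who authorized which app, with what permissions, and whether the grant outlived the account) can be sketched as follows. This is an added example, not BetterTracker's or Google's code. It assumes grant records with the `clientId`, `displayText` and `scopes` fields that the Admin SDK Directory API returns for a user's tokens, plus a `user` email added by whatever collects them. The list of "broad" scopes and all sample data are assumptions made for the illustration.

```python
from collections import defaultdict

# Assumption: which scopes count as "broad" is a local policy choice.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail",
    "https://www.googleapis.com/auth/drive": "full Drive",
    "https://www.googleapis.com/auth/calendar": "full Calendar",
    "https://www.googleapis.com/auth/contacts": "full Contacts",
}

# Constructed sample records (app names, client IDs and users are made up).
GRANTS = [
    {"user": "ana@example.com", "clientId": "app-1", "displayText": "PDF Converter",
     "scopes": ["https://www.googleapis.com/auth/drive", "openid"]},
    {"user": "bob@example.com", "clientId": "app-2", "displayText": "Mail Assistant",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "bob@example.com", "clientId": "app-3", "displayText": "Task Board",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"user": "cy@example.com", "clientId": "app-3", "displayText": "Task Board",
     "scopes": ["openid"]},
]
SUSPENDED = {"bob@example.com"}  # constructed: accounts already offboarded


def review_grants(grants, suspended):
    """Return one finding per grant that is broad or belongs to a suspended user."""
    findings = []
    for g in grants:
        broad = sorted(BROAD_SCOPES[s] for s in g["scopes"] if s in BROAD_SCOPES)
        orphaned = g["user"] in suspended
        if broad or orphaned:
            findings.append({"user": g["user"], "app": g["displayText"],
                             "broad_access": broad, "orphaned": orphaned})
    # Orphaned grants first, then the grants with the most broad scopes.
    return sorted(findings, key=lambda f: (not f["orphaned"], -len(f["broad_access"]), f["user"]))


def users_per_app(grants):
    """Map each client ID to the set of users who authorized it."""
    reach = defaultdict(set)
    for g in grants:
        reach[g["clientId"]].add(g["user"])
    return dict(reach)


if __name__ == "__main__":
    for finding in review_grants(GRANTS, SUSPENDED):
        print(finding)
```

Grants that only request sign-in scopes such as `openid` are left out of the findings unless the account is suspended, which keeps the review list focused on data access and offboarding gaps.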
Google Scout is BetterTracker's Google Workspace discovery tool. It connects directly to your Google Workspace environment and surfaces every third-party app connected to your domain, along with usage data, permission levels, and spend visibility.
For SMBs, it answers a question most businesses cannot currently answer: what software is actually running inside our organization?
For MSPs, it creates a repeatable process for discovering hidden costs and security gaps across every client account and presenting that data in client-facing conversations.
Google Scout is part of BetterTracker's broader SaaS management platform, which also includes ContractTracker, ExpenseTracker, and CustomerTracker. Together, they give you a unified view of what you are using, what you are spending, and where you are exposed.
Start a free trial at bettertracker.com.