Publish date: April 22, 2026
We’ve established the new forensic reality: a 72.9% inventory gap separates the vendors you monitor from those that are invisible to your security team. We have also seen the shortcomings of SSO, which cannot by itself account for every vendor application your users engage with, and a Shadow AI explosion that compounds both problems.

The era of procurement-only discovery is over. To secure the modern cyber workforce, we must pivot from "buying-based" to usage-based discovery. This method still follows the purchase order and monitors SSO, but it supplements the gaps they leave by tracking browser telemetry to see what your users actually engage with day to day.

With all three mechanisms working together (procurement for the vendor list you approve, SSO for the front door of the applications users sign in to, and browser-based usage discovery for what users actually use daily), you can build and maintain a record of your true vendor inventory.

The 3 principles of usage-based discovery

Usage-based discovery features, such as those in UpGuard’s User Risk, serve as a discovery engine built on the recognition that usage, not a contract, is the true indication of your vendor footprint. In practice, User Risk applies three core principles to give your team accurate data on both the vendors you approve and those lurking in the shadows.

1. Follow the user, not the money.

Traditional discovery relies on purchase orders, but modern risk follows employee behavior. To close the inventory gap, organizations must deploy a dual-signal discovery model that combines identity logs with browser telemetry.

This is how you catch the 31.4% of vendor interactions that occur via direct browser access and therefore never appear in OAuth or SAML logs. By following the user's digital footprint rather than the procurement trail, you close the blind spot where direct logins previously went unnoticed.

2. Monitor the "trusted."

A common mistake in vendor risk management (VRM) is assuming that a corporate contract equals total visibility. Reputable vendors can still become "shadow tenants" that leak data through unmanaged, personal, or departmental instances. Consider that 90% of AI meeting assistants currently operate unmonitored, even within organizations that have established vendor governance.

We see this pattern frequently: Zoom, for example, boasts an "Excellent" security score, yet our research found it was monitored in only 2 of the 13 organizations using it, leaving over 1,000 users unchecked on unmonitored instances. High-scoring vendors must be audited for shadow usage to ensure they aren't processing sensitive data on unvetted instances.

3. Tier by usage, not just scores.

Security teams must stop tiering risk based on purchase orders and start tiering by real-world usage intensity. A "green" security score is a mirage if the vendor is being used in ways that bypass your security controls. True risk management requires a formula that incorporates both posture and the visibility gap:

Risk = Security Posture x Exposure x Visibility Gap

This approach allows teams to prioritize risk based on actual employee behavior and the scale of unmonitored data exchange rather than static, trailing indicators like a signed contract.
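As an added example (not UpGuard's code and not the report's own method), the Python below runs a dual-signal discovery pass and then tiers the result. It covers principle 1 (join SSO logs with browser telemetry to surface direct logins that identity logs never record), the shadow-tenant pattern from principle 2 (a high-scoring vendor with users outside SSO), and principle 3 (rank by the formula above). Every log line, domain and score is constructed, and the formula's terms are interpreted as assumptions: posture risk is 1 minus a 0-100 security score (an unscored, unvetted vendor counts as 1.0), exposure is the number of distinct users, and the visibility gap is the share of those users with no SSO event for that vendor.

```python
"""
Added example (not UpGuard's code): dual-signal discovery that joins SSO logs
with browser telemetry to find vendor interactions SSO never saw, then tiers
vendors by Risk = Security Posture x Exposure x Visibility Gap.
All log lines, domains and scores below are constructed for illustration.
"""
from collections import defaultdict

# Constructed identity-provider (SAML/OIDC) events: (user, application domain).
SSO_LOG = [
    ("alice", "zoom.us"),
    ("bob", "zoom.us"),
    ("carol", "docs-suite.example"),
    ("dave", "legacy-crm.example"),
]

# Constructed browser telemetry: (user, SaaS domain the browser signed in to).
BROWSER_LOG = [
    ("alice", "zoom.us"),
    ("bob", "zoom.us"),
    ("erin", "zoom.us"),                # direct login, no SSO event
    ("frank", "zoom.us"),               # direct login, no SSO event
    ("carol", "docs-suite.example"),
    ("dave", "legacy-crm.example"),
    ("frank", "notetaker-ai.example"),  # AI meeting assistant, never procured
    ("grace", "notetaker-ai.example"),
    ("erin", "notetaker-ai.example"),
]

# Constructed security-posture scores (0-100) from an external scan. An
# unvetted vendor has no score at all, which the scoring treats as worst case.
POSTURE_SCORE = {"zoom.us": 92, "docs-suite.example": 88, "legacy-crm.example": 41}


def discover(sso_log, browser_log):
    """Return {domain: {"users": set, "unmonitored": set}}.

    A (user, domain) pair seen in the browser but absent from the SSO log is a
    direct login that identity logs alone would never surface.
    """
    sso_pairs = set(sso_log)
    inventory = defaultdict(lambda: {"users": set(), "unmonitored": set()})
    for user, domain in browser_log:
        inventory[domain]["users"].add(user)
        if (user, domain) not in sso_pairs:
            inventory[domain]["unmonitored"].add(user)
    # Keep anything SSO saw that the browser feed missed (e.g. API-only apps).
    for user, domain in sso_log:
        inventory[domain]["users"].add(user)
    return dict(inventory)


def risk_score(domain, entry, posture_scores):
    """Risk = posture risk x exposure x visibility gap (assumed term definitions)."""
    score = posture_scores.get(domain)
    posture_risk = 1.0 if score is None else (100 - score) / 100  # unvetted = 1.0
    exposure = len(entry["users"])                                 # distinct users
    gap = len(entry["unmonitored"]) / exposure                     # share outside SSO
    return posture_risk * exposure * gap


def tier_vendors(sso_log, browser_log, posture_scores):
    """Return vendors ordered by risk, most urgent first, with their inputs."""
    inventory = discover(sso_log, browser_log)
    rows = []
    for domain, entry in inventory.items():
        rows.append({
            "domain": domain,
            "score": posture_scores.get(domain),
            "users": len(entry["users"]),
            "unmonitored": len(entry["unmonitored"]),
            "risk": round(risk_score(domain, entry, posture_scores), 3),
        })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for row in tier_vendors(SSO_LOG, BROWSER_LOG, POSTURE_SCORE):
        print(row)
```

Two things are worth noticing in the output. The vendor with a "green" score of 92 ranks second, above the vendor scoring 41, because half of its users never touched SSO; that is the mirage the third principle warns about. And because the formula is a pure product, a fully monitored vendor scores zero no matter how poor its posture, so the 41-score vendor drops to the bottom. That is what the formula as written implies; a practitioner who wants posture to keep contributing would floor the gap term at a small positive value rather than let it zero the product.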

These three principles directly address the structural failures of traditional VRM in the modern user-led environment by replacing "assumed control" with forensic reality. Together, they transform your strategy from a reactive search for "Shadow IT" into a proactive, usage-based governance model.

The path to true vendor governance with User Risk

By shifting to real-time usage data, you move beyond static spreadsheets. You can finally see the "Document Laundromats," "Invisible Employees" (AI bots), and all the smaller niche vendors operating in your environment. Once you have the true, unified visibility you need, you can predict risk factors more accurately, govern application and tool usage across high-risk areas, and report with confidence.

UpGuard User Risk provides this unified visibility by consolidating disparate signals into a single view. This isn't just about finding more problems; it's about prioritization and action. By using our AI Analyst to synthesize thousands of signals into a Unified Risk Score, you can focus your team on the individuals and apps that pose the highest risk to the business.

Beyond visibility, usage-based discovery can also shape your overall security culture. When a user attempts to upload sensitive data to an unvetted AI tool, User Risk provides a real-time contextual nudge. We don’t just block them; we coach them in the moment of risk, building a security-first culture that scales.

This makes usage-based discovery the engine for both vendor risk operations and individual employee security, meeting the demands of governance and of the users you need to protect and guide in one motion.

The future of user-centric risk management

Ultimately, the 72.9% gap is a choice. You can continue to govern the 27.1% you can see, or you can embrace the reality of how your employees actually work. With usage-based discovery, you gain a true path to illuminate the shadows in your vendor inventory, empower your employees to make safe and responsible security decisions, and strengthen your overall cybersecurity posture.

Read the full Shadow Supply Chain report here to get the complete picture.

Or, if you’re ready to see usage-based discovery in action, book a tour of UpGuard User Risk today.