The Shadow Supply Chain

Your official vendor list is a record of intent—what you bought. But your operational reality is now built on a record of behavior—what your employees actually use—and that record is quietly expanding every day.

This is our conclusion after analyzing anonymized telemetry data from 20 organizations. Across these teams, over 70% of the applications employees are using, what we describe as “active vendors,” go completely unmonitored by security. Not for lack of effort; they are simply becoming harder to track.

These "hidden vendors" are slowly (but surely) forming a shadow supply chain that increasingly handles corporate data, processes credentials, and integrates with production workflows—all without a single risk assessment. 

The reality of modern vendor discovery has shifted. Effective Shadow IT discovery is no longer optional; it is a forensic necessity for the modern enterprise:

  • The 73% blind spot: The average security team is blind to 72.9% of its active vendor supply chain, leaving nearly 100 vendors per organization operating in the shadows.
  • The Shadow AI accelerator: AI is the fastest-growing, least monitored category of risk, acting as a critical accelerator that is rapidly widening the inventory gap.
  • The invisible employee: AI Meeting Assistants have a 93.8% monitoring gap, acting as silent actors that record and transcribe sensitive strategic discussions on unvetted servers.
  • The SSO mirage: 31.4% of all vendor interactions bypass the identity perimeter entirely, occurring via direct browser logins that SSO never sees.
  • The user-driven risk: Unmonitored vendors are 3x more likely to have "poor" security scores because they enter through employee adoption rather than a formal security review.

Stop managing what you bought. Start monitoring what you use.

Download the full report to see the forensic reality of the shadow supply chain and learn how to regain control with usage-based discovery.

From an administrative burden to true governance.

Traditional vendor risk management is an administrative process that, while necessary, struggles to keep pace with the modern threat environment, where users can onboard vendors with a single click. Attempting to take control means first gaining visibility into this hidden network of vendors, as you cannot secure or govern what you cannot see.

UpGuard User Risk addresses this by moving beyond the purchase order to follow the user.

User Risk uses browser telemetry and OAuth logs to illuminate the 73% of your vendor footprint hidden in the shadows. From shadow AI to direct browser logins, get the forensic visibility needed to close the inventory gap and regain true governance.
