Shadow IT in a carve-out is every application, account, and data store the divested business runs on that never made it into the service catalog, and at exit it is the most reliable source of nasty surprises. While the seller pays the bills these dependencies stay invisible, then break the day a subscription is cancelled or an account switched off. Treat the hunt for them as a defined workstream in the TSA exit strategy.
Every business runs on more software than its IT department knows about. A finance team buys a reporting tool on a card. An operations lead wires up an integration to move data between two systems. A spreadsheet with a decade of macros quietly runs a pricing process. None of it is in the asset register, and in normal life that is a manageable mess. In a carve-out it becomes a liability, because the divestiture only protects what is written down.
The service catalog and the TSA cover the services the seller agreed to provide and the buyer agreed to pay for. Anything that did not make the list is invisible to the agreement. While the TSA runs that is fine, because the seller keeps paying the bills and the access stays live, so nothing breaks. The danger is purely a timing one: the day the seller stops paying, every undocumented dependency is exposed at once.
That is why discovery cannot wait for exit. A subscription billed on the seller's name disappears when the seller cancels it. An account on a seller managed platform dies when identities are deprovisioned. A server hosting a quiet but load bearing process goes dark at decommissioning. Find these dependencies while the seller is still paying and you have time to act. Find them at the cut and you have an outage.
The hiding places are predictable once you know to look. Departmental SaaS is the largest category: tools bought by a function, paid on expense or a corporate card, never routed through procurement. Marketing, finance, HR, and sales operations all tend to run a small constellation of subscriptions that IT has never inventoried, and any one of them can be holding data the business needs.
Then there is the integration layer. Scripts, scheduled jobs, and point to point connections that move data between systems are rarely documented and almost never owned. They sit on a server somewhere, often built by someone who has since left, and they keep two systems in sync without anyone thinking about them. When the underlying credentials or hosting belong to the seller, that connection is shadow IT with a deadline.
The last category is the human one. Personal accounts used for business, files held in someone's individual cloud storage, automations built in a no code tool by a power user, and the workbook that one analyst maintains as the real system of record. These are invisible to any technical scan that only looks at managed estate, and they often carry the most operational risk because the knowledge lives in one head.
No single method finds everything, so discovery has to be triangulated. The technical view comes from network traffic analysis and SaaS discovery tools that watch which applications the business actually connects to, and from identity logs that show which accounts touch which systems. This surfaces the live, in use estate regardless of whether anyone documented it, and it is the fastest way to a first list.
The financial view is just as important and often catches what the technical scan misses. The seller's accounts payable ledger and the expense and card data show every subscription being billed, including ones that run quietly in the background. Cross referencing what is being paid for against what the technical tools see in use produces a far more complete picture than either source alone, and the gaps between the two lists are exactly where shadow IT lives.
The third view is human, and it is the one teams skip because it is slow. Structured interviews with the people who run each function, asking what they actually use to do their jobs day to day, surface the spreadsheets, personal accounts, and undocumented workarounds that no tool will ever catch. Combine all three and you get a dependency map you can trust. Rely on any one and you will miss the item that hurts.
A discovery list is only useful if every item gets a decision. The mistake is treating the inventory as the deliverable. The deliverable is a disposition for each dependency, made deliberately, before the TSA ends. Three outcomes cover almost everything you will find, and assigning one to each item turns a frightening list into a finite plan.
Retire the redundant. A surprising share of shadow IT is duplicate or abandoned: two tools doing the same job, a subscription nobody has opened in a year, an integration feeding a report no one reads. These get switched off, which both removes risk and stops a cost. Replace the risky but needed. Where a dependency matters but cannot or should not continue as it is, stand up a sanctioned alternative in your own name with enough runway to migrate before the cut.
Formalize the load bearing. Where a tool is genuinely doing important work and is fit to continue, the task is to move it from the shadows into a contract in your own name, with a named owner, a funded subscription, and a documented place in the estate. The point of the exercise is that nothing the business depends on exits the TSA still running silently on the seller's account, waiting to fail.
Discovery and triage create the plan. Execution is sequencing each disposition against the dates the seller's coverage actually ends. A subscription you intend to keep needs to be re contracted in your own name before the seller cancels it. A process running on a seller account needs its replacement live before identities are deprovisioned. Each item carries its own deadline, and the deadlines are set by the exit calendar, not by your convenience.
That makes shadow IT remediation a tracked stream alongside the rest of the exit, not a side task. Every dependency gets an owner, a target date, and a status, and the work is reviewed at the same governance cadence as the formal services. The few items that genuinely cannot be resolved in time become deliberate, scoped extensions on a single service, not an accidental reliance on systems the seller is about to switch off.
Done well, this turns an invisible risk into a closed list. A buyer that discovers early, triages honestly, and sequences the fixes against the cut exits the TSA knowing what it runs on and owning all of it. Building that discovery and remediation into the separation plan is part of our TSA Exit Acceleration work, because the systems nobody wrote down are exactly the ones that decide whether an exit is clean.
Any application, account, subscription, or data store the carved-out business depends on that does not appear in the formal service catalog or the seller's documented IT estate. It is the spreadsheet that runs a process, the departmental SaaS bought on a credit card, and the integration nobody listed. In a carve-out it matters because anything undocumented is unfunded by the TSA and at risk of vanishing at exit.
Because while the TSA runs the seller keeps paying the bills and the access stays live, so nothing breaks and nobody notices. The dependency only becomes visible when a seller subscription is cancelled, an account is deprovisioned, or a server is switched off at exit and a process the business relied on stops working. Discovery before the cut is what prevents that surprise.
Combine the technical and the financial views. Network and SaaS discovery tools surface applications in use, identity logs show which accounts touch which systems, and the seller's accounts payable and expense data reveal subscriptions billed on the seller's name. Each source catches what the others miss, and the overlap between them is where the real estate sits.
Triage each item: retire what is redundant, replace what is risky but needed, or formalize what is genuinely load bearing into a contract in your own name. The goal is that every dependency the business actually relies on exits the TSA with a clear owner, a funded subscription, and a controlled path, with nothing left running on the seller's account by accident.
Reconciling entitlements so you neither lose access nor pay twice.
Read the article →Removing every seller identity and access path at the cut.
Read the article →Shutting down seller infrastructure cleanly once you are off it.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Senior operators on day one. Fixed-fee engagements. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
Stand up standalone IT before the TSA meter and the seller's dependencies compound against you.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →