Detecting Missing Systems and Shadow IT
1 Purpose
A beautiful graph with missing nodes is a beautiful lie.
Coverage assurance ensures that EA 2.0’s “digital twin” truly mirrors the enterprise — every capability, every app, every risk.
Ghost-app discovery exposes the unregistered, unsanctioned, and ungoverned systems that silently drain security, budget, and compliance.
The goal: no blind spots, no surprises.
2 The Problem with Visibility
Most organizations think their CMDB is complete.
In practice:
- 10 – 30 % of running workloads aren’t catalogued.
- Business units deploy SaaS tools without IT approval.
- Cloud resources spin up faster than governance updates.
- Finance renews contracts no one remembers owning.
EA 2.0 treats this not as negligence but as signal — data waiting to be correlated.
3 Philosophy: Detect → Validate → Govern
- Detect: use telemetry and external signals to find anomalies.
- Validate: confirm legitimacy through owners or policies.
- Govern: onboard, retire, or monitor permanently.
This continuous loop keeps the architecture current without manual audits.
4 Coverage Metrics
| Metric | Definition | Target |
|---|---|---|
| Capability Coverage % | % of business capabilities linked to ≥ 1 application | ≥ 95 % |
| Application Coverage % | % of running apps represented in CMDB/Graph | ≥ 98 % |
| Data Asset Coverage % | % of datasets tagged with owner + sensitivity | ≥ 90 % |
| Ghost-App Rate | % of active systems not in inventory | ≤ 2 % |
| Coverage Freshness SLA | Age of last cross-check | ≤ 30 days |
These KPIs drive quarterly architecture maturity scoring.
5 Detection Signals & Sources
EA 2.0 cross-correlates multiple telemetry streams to expose gaps:
| Signal Source | Detection Logic | Example Outcome |
|---|---|---|
| Cloud Billing Accounts | Compare billed SKUs vs. CMDB assets | VM ID not found → ghost compute instance |
| Network Traffic Logs | Identify outbound SaaS domains | Repeated traffic to “asana.com” → unsanctioned SaaS |
| Endpoint Agents | List running executables not in CMDB | New process “PayrollLite.exe” on 20 machines |
| Finance Ledger / Procurement | Vendor payments not tied to asset record | Subscription renewal for “SurveyMonkey” |
| IAM Logs | Active service accounts with no app mapping | Unused client ID → potential ghost API |
| Data Catalog vs. Storage Scan | Files without catalog entry | 200 GB data bucket unclassified |
| Email Domain Analysis | External MX records | Shadow marketing tool detected |
Each anomaly feeds the Coverage Dashboard as a “suspect node.”
6 Graph-Based Reconciliation
- Ingest all known apps and infra nodes.
- Load secondary sources (billing, logs, sensors).
- Run matching algorithm on keys (name, host, IP, owner).
- Nodes with no match → flag as “orphan” or “ghost.”
- Score confidence (0–1) and rank for review.
Example Cypher pattern:
```cypher
MATCH (i:Infrastructure)
WHERE NOT (i)<-[:hosts]-(:Application)
RETURN i.name AS Unlinked, i.region, i.last_seen_at;
```
This simple query finds infrastructure running with no app mapping — the classic ghost signal.
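The reconciliation steps above can be sketched outside the graph as well. The following is an added example, not EA 2.0's own code: the field names, source weights, sample records and the noisy-OR combination of sources into a 0–1 confidence are all assumptions of this sketch, and it matches on name, host and IP only, leaving owner for routing the review.

```python
from collections import defaultdict
from math import prod

# Constructed sample data; field names, sources and weights are assumptions.
CMDB = [
    {"name": "Payroll-Core", "host": "pay01.corp.example", "ip": "10.0.4.11", "owner": "finance"},
    {"name": "CRM", "host": "crm01.corp.example", "ip": "10.0.5.20", "owner": "sales"},
]
OBSERVATIONS = [
    {"source": "billing", "name": "payroll-core", "host": "PAY01.corp.example.", "ip": "10.0.4.11"},
    {"source": "billing", "host": "vm-7f3a.corp.example", "ip": "10.0.9.77"},
    {"source": "network", "host": "vm-7f3a.corp.example", "ip": "10.0.9.77"},
    {"source": "iam", "name": "svc-surveytool", "owner": "marketing"},
]
SOURCE_WEIGHT = {"billing": 0.6, "network": 0.5, "iam": 0.4}
DEFAULT_WEIGHT = 0.3  # used for a source with no assigned weight

def norm(value):
    """Canonical form so 'PAY01.corp.example.' and 'pay01.corp.example' match."""
    return value.strip().rstrip(".").lower()

def keys_of(record, fields=("host", "ip", "name")):
    """Set of (field, normalized value) pairs usable as match keys."""
    return {(f, norm(record[f])) for f in fields if record.get(f)}

def reconcile(cmdb, observations):
    """Return [(identity, confidence, sources)] for unmatched nodes, highest first."""
    known = set().union(*(keys_of(r) for r in cmdb))
    seen_by = defaultdict(set)  # identity -> sources that reported it
    for obs in observations:
        obs_keys = keys_of(obs)
        if not obs_keys or obs_keys & known:
            continue  # no usable key, or matched to an inventory record
        identity = min(obs_keys)  # tuple order prefers host, then ip, then name
        seen_by[identity].add(obs["source"])
    ranked = []
    for identity, sources in seen_by.items():
        # Noisy-OR: each independent source leaves (1 - weight) residual doubt.
        doubt = prod(1 - SOURCE_WEIGHT.get(s, DEFAULT_WEIGHT) for s in sources)
        ranked.append((identity, round(1 - doubt, 2), sorted(sources)))
    return sorted(ranked, key=lambda r: -r[1])

if __name__ == "__main__":
    for identity, confidence, sources in reconcile(CMDB, OBSERVATIONS):
        print(identity, confidence, sources)
```

Observations that share no key (one with only an IP, another with only a hostname) are not merged here; a production matcher would need an alias table for that.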
7 Human-in-the-Loop Validation
Ghost detection is AI-assisted, not AI-decided.
EA 2.0 auto-assigns validation tasks in ServiceNow:
- Owner confirmation (“Is this your system?”)
- Classification (Critical / Non-Critical)
- Action (Retire / Onboard / Ignore)
Responses update the graph automatically and train the predictive model.
8 Predictive Coverage Model
EA 2.0 learns over time what “complete” looks like:
- Patterns of expected app density per capability
- Frequency of new resource types
- Historical owner accuracy
Using these, it predicts where coverage will decay next — before it does.
Example insight:
“Finance capabilities show 25 % higher ghost-app probability next quarter due to new SaaS adoption trend.”
9 Automated Remediation Paths
| Type | Trigger | Action |
|---|---|---|
| Infra Ghost | VM not in CMDB > 7 days | Create ServiceNow task “Register Infrastructure Asset” |
| SaaS Ghost | Detected domain not in approved list | Send notification to Security Ops |
| Data Ghost | Unclassified blob container | Apply default label “Restricted” + alert Data Steward |
| User Ghost | Orphan service account | Disable after approval period |
This closes the loop — detection → action → governance.
10 Coverage Assurance Dashboard
Key views in Power BI / Grafana:
- Coverage % by domain & trend line
- Ghost nodes by risk level and business unit
- Time-to-closure of ghost incidents
- Map of unlinked infrastructure regions
- Confidence score heatmap
Each metric feeds EA 2.0’s Governance Layer for executive visibility.
11 Sovereign Cloud & Privacy Controls
- Ghost-app scanning restricted to metadata only (no payloads).
- Data residency preserved — analysis runs inside tenant boundaries.
- Detection algorithms use hashed identifiers (IP, hostnames).
- Exception list for classified systems excluded from scan.
These safeguards satisfy government and regulatory constraints while retaining full detection coverage.
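The page does not say how identifiers are hashed, and the choice matters: an unkeyed hash of an IPv4 address can be recovered by enumerating the address range. The following added example (not EA 2.0's code) contrasts that with a keyed digest; HMAC-SHA-256, the key handling, the sample identifiers and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data. In practice the key would come from a tenant-held
# secret store (assumption) and never leave the tenant boundary.
KEY = b"constructed-demo-key-not-for-production"
INVENTORY = [("host", "pay01.corp.example"), ("ip", "10.0.4.11")]
OBSERVED = [("host", "PAY01.corp.example."), ("ip", "10.0.9.77"), ("ip", "10.0.8.5")]
EXCEPTIONS = [("ip", "10.0.8.5")]  # classified system, excluded from the scan

def normalize(kind, value):
    """Canonicalize first; digests only match on byte-identical input."""
    if kind == "ip":
        return str(ipaddress.ip_address(value.strip()))
    return value.strip().rstrip(".").lower()

def pseudonym(key, kind, value):
    """Keyed digest; the kind prefix keeps IPs and hostnames in separate spaces."""
    msg = f"{kind}:{normalize(kind, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def unkeyed_sha256(value):
    """The weak variant: a plain hash with no secret."""
    return hashlib.sha256(value.encode()).hexdigest()

def recover_ipv4(digest, network):
    """Check whether a digest falls to enumeration of a known address range."""
    for addr in ipaddress.ip_network(network):
        if unkeyed_sha256(str(addr)) == digest:
            return str(addr)
    return None

def ghost_digests(key, inventory, observed, exceptions=()):
    """Digests seen in telemetry but absent from inventory, minus exceptions."""
    skip = {(k, normalize(k, v)) for k, v in exceptions}
    known = {pseudonym(key, k, v) for k, v in inventory}
    return sorted(
        pseudonym(key, k, v) for k, v in observed
        if (k, normalize(k, v)) not in skip and pseudonym(key, k, v) not in known
    )

if __name__ == "__main__":
    print("unkeyed digest recovered:", recover_ipv4(unkeyed_sha256("10.0.9.77"), "10.0.9.0/24"))
    print("keyed digest recovered:", recover_ipv4(pseudonym(KEY, "ip", "10.0.9.77"), "10.0.9.0/24"))
    print("ghost digests:", ghost_digests(KEY, INVENTORY, OBSERVED, EXCEPTIONS))
```

Both sides of the comparison must use the same key and the same normalization, so rotating the key means re-deriving every stored digest.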
12 KPIs for Visibility Maturity
| KPI | Target | Insight |
|---|---|---|
| Ghost-App Rate ↓ | < 2 % | Visibility improving |
| Validation Closure Time | < 5 days | Response discipline |
| Coverage Trend Slope | Positive month-over-month | Architecture currency |
| Automated Detection Recall | > 85 % | AI efficiency |
| Manual Audit Reduction | > 50 % YoY | Governance automation ROI |
13 Common Pitfalls
| Mistake | Consequence | Remedy |
|---|---|---|
| Treating ghost apps as IT problem only | Misses business-owned SaaS | Include finance and procurement feeds |
| Over-aggressive scanning | False positives, alert fatigue | Weight signals by confidence score |
| Ignoring temporary sandbox systems | Inflated ghost rate | Exclude TTL ≤ 7 days |
| Lack of owner data | Unresolved incidents | Enrich with HR role graph |
14 Organizational Value
- Risk Reduction: Eliminates unmonitored attack surface.
- Financial Efficiency: Identifies redundant licenses and contracts.
- Governance Credibility: Improves audit confidence.
- Cultural Change: Encourages responsible ownership of technology sprawl.
15 Takeaway
Visibility is a governance function, not a network scan.
When EA 2.0 knows what’s missing and acts on it, the enterprise stops operating in the dark and starts evolving by illumination.