56% of higher education staff are using SaaS and AI tools their institution has not approved. That is not just a productivity issue — it is a FERPA exposure risk. Here is how IT leaders are closing the gap.
You already know the number of SaaS applications running across your campus has grown faster than your team can track. What you may not know is how many of those are AI-powered tools your faculty, staff and graduate researchers adopted quietly — through a personal credit card or a free tier that never touched procurement.
Research from Gartner found that a significant share of enterprise employees use AI tools their organizations have not sanctioned. In higher education, where departments operate with high autonomy and IT visibility into shadow tools is often limited, that exposure is amplified. One recent survey found that 56% of higher education staff report using AI tools not approved by their institution. Every one of those tools is a potential FERPA liability. FERPA is the Family Educational Rights and Privacy Act, a U.S. federal law enacted in 1974 that protects the privacy of students’ education records.
FERPA does not care whether the tool was free. It does not care whether the faculty member thought it was harmless. If student data touches an unsanctioned platform — even incidentally — the institution carries the exposure. And without a centralized view of every active SaaS application on campus, you have no way to know which tools are running, who is using them or what data they are accessing.
Enterprise SaaS governance is hard enough in a stable headcount environment. Higher education is not that. Every semester, hundreds or thousands of accounts — students, adjuncts, visiting researchers, part-time staff — need to be provisioned, and then deprovisioned again. In most institutions, that process is manual, inconsistent and slow.
The result is predictable: orphaned accounts that remain active well past the end of the semester. Former students with live access to collaboration platforms. Departed adjuncts still on productivity software licenses. Those inactive accounts are not just wasted spend — they are open access points. And in an environment where departments are buying SaaS independently, IT has no reliable way to know what those accounts can reach.
This is not a theoretical problem. It is the operational reality at most institutions right now.
At a well-resourced enterprise, this problem gets solved with ServiceNow or a mature SAM infrastructure. Most higher education institutions are not there yet. License tracking lives in spreadsheets. SaaS discovery is reactive, not automated. And when a department head buys a new tool without going through IT, there is no process to catch it until it shows up in an audit or a breach.
The gap between what your institution actually has deployed and what IT knows about is almost certainly larger than your team estimates. Research consistently shows that 30 to 40% of SaaS usage in complex organizations qualifies as shadow IT. On a campus with multiple colleges, research centers and administrative units all buying independently, that number does not get smaller.
The case for SaaS management in higher education is not abstract. It is operational. Here is what changes when IT has a complete, real-time view of every application running across campus:
The instinct in higher education is often to resist centralization — and that instinct is not wrong. Faculty and department heads need flexibility. The goal of SaaS governance is not to take that away. It is to give IT the visibility to protect the institution without slowing down the people doing the work.
A well-implemented SaaS management platform runs in the background. It does not require faculty to change how they work. It gives IT the data it needs to make informed decisions — about risk, about spend, about what to approve and what to flag for review. The governance question shifts from 'did anyone check this?' to 'we already know.'
That is the practical case for SaaS visibility in higher education. Not compliance theater. Operational control in an environment that was never designed to be easy to govern.