March 5, 2026

You don’t have 6,000 Apps. You have 60

Nanda Vijadev
CASB and network discovery tools often report hundreds or thousands of “applications” in an enterprise environment. While technically accurate, these numbers are misleading because they include every service detected in network activity, not just the tools employees actually use for work. The list typically contains infrastructure services, CDNs like Cloudflare and Akamai, authentication endpoints such as accounts.google.com, browser extensions, APIs, and backend platform components. When these are treated the same as real applications, Shadow IT detection and license optimization become unreliable.

In part three of our series "Closing the IT Data Trust Gap: From Raw Records to Decision‑Grade Intelligence" we address how application intelligence separates the tools your team actually uses from the noise in your logs.

Run a CASB discovery in any mid-size enterprise and you’ll get a number that makes no sense. 600 apps. 1,800 apps. 4,000 apps. The number is technically accurate — your CASB detected that many services touching your network — but it has almost no relationship to the number of applications your employees actually use for work.

And somewhere in that list, Cloudflare, Akamai, and accounts.google.com are flagged as Shadow IT. Which they obviously aren’t.

This is the application version of the identity inflation problem we covered in the previous post. And it’s arguably more damaging, because it directly undermines the two workflows enterprises care most about: Shadow IT detection and license optimization.

What Your CASB Actually Discovers

CASB and network discovery tools detect every service touching your environment. That includes:

  • User-facing apps that employees use directly for work (Slack, Zoom, Figma, Notion)
  • Admin consoles for configuring services (Azure Portal, AWS Console)
  • Infrastructure and cloud services (AWS, Azure, GCP)
  • Platform components with no user interface (AWS Lambda, Azure Functions)
  • Browser extensions running inside the browser (LastPass, Grammarly)
  • CDNs and caching layers that appear in logs (Cloudflare CDN, Akamai Edge)
  • Auth endpoints that handle login flows, not applications (accounts.google.com)
  • SDK/API clients, connectors, system services, and mobile app variants

Without a curated knowledge base that understands what each of these services actually is, every platform is forced to treat them equally — or worse, flag them all as potential Shadow IT.

The Application Funnel

The same progressive funnel concept that works for identity works for applications:

All Discovered Apps → User-Facing Apps → Paid Apps

All Discovered Apps includes everything seen across CASB, IAM, network logs, and endpoint data. User-Facing Apps filters to applications humans interact with, removing infrastructure, CDNs, auth endpoints, and system services. Paid Apps narrows to applications with active entitlements — the set most relevant for license optimization and spend management.

This isn’t about hiding data. It’s about classifying it so the default view answers the question IT leaders actually ask: “What software are my people using, and what am I paying for?”

Shadow IT That’s Actually Actionable

Shadow IT detection should surface genuine risk: user-facing applications that employees are actively using without approved entitlements. When you classify applications by type, you can exclude infrastructure services, CDN providers, auth endpoints, and apps already licensed through bundles. What remains is a focused, actionable list.

The difference is dramatic. Instead of a 400-item list that nobody reviews, you get a 15-item list of genuinely unapproved apps that your security team can actually act on.
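The funnel and the Shadow IT filter described above, as an added sketch that is not code from the original post or from any vendor's product. The knowledge-base entries, type labels, sample rows, and the `entitled`/`bundled` sets are constructed assumptions; hosts are matched on whole DNS labels so look-alike domains are not misclassified, and unmatched hosts go to a separate `unknown` bucket instead of being flagged as Shadow IT.

```python
# Constructed knowledge base: domain suffix -> (app name, service type).
KB = {
    "slack.com": ("Slack", "user_facing"),
    "zoom.us": ("Zoom", "user_facing"),
    "figma.com": ("Figma", "user_facing"),
    "notion.so": ("Notion", "user_facing"),
    "portal.azure.com": ("Azure Portal", "admin_console"),
    "cloudflare.com": ("Cloudflare CDN", "cdn"),
    "akamaiedge.net": ("Akamai Edge", "cdn"),
    "accounts.google.com": ("Google Accounts", "auth_endpoint"),
}

def classify(host):
    """Longest-suffix match on whole labels; unmatched hosts stay 'unknown'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        hit = KB.get(".".join(labels[i:]))
        if hit:
            return hit
    return (host.lower(), "unknown")

def funnel(records, entitled, bundled):
    """records: (user, host) pairs. Returns each funnel stage as a sorted list."""
    seen = {}
    for _user, host in records:
        name, kind = classify(host)
        seen[name] = kind
    user_facing = {n for n, k in seen.items() if k == "user_facing"}
    return {
        "discovered": sorted(seen),
        "user_facing": sorted(user_facing),
        "paid": sorted(user_facing & entitled),
        # Shadow IT: user-facing, in use, with no entitlement and no bundle licence.
        "shadow_it": sorted(user_facing - entitled - bundled),
        "unknown": sorted(n for n, k in seen.items() if k == "unknown"),
    }

# Constructed sample of CASB discovery rows (user, destination host).
SAMPLE = [
    ("ana", "files.slack.com"), ("ana", "accounts.google.com"),
    ("raj", "cdnjs.cloudflare.com"), ("raj", "www.figma.com"),
    ("raj", "us02web.zoom.us"), ("li", "www.notion.so"),
    ("li", "e1234.a.akamaiedge.net"), ("li", "portal.azure.com"),
    ("ana", "notslack.com"), ("li", "app.example-tool.test"),
]

if __name__ == "__main__":
    for stage, apps in funnel(SAMPLE, entitled={"Slack"}, bundled={"Zoom"}).items():
        print(f"{stage:12} {len(apps):2}  {apps}")
```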

Business Function Classification

For user-facing and paid apps, classification goes one level deeper: business function. Is this a Collaboration tool, an Engineering tool, an IT & Security tool, a Business System? This layer enables portfolio analysis — understanding not just what you’re spending, but where the spending concentrates across organizational functions.

None of this is possible without a knowledge graph that understands the global SaaS landscape. Your CASB doesn’t know that Cloudflare is a CDN, not a productivity app. Your procurement system doesn’t know that “Jira Service Management” is an Atlassian product in the Engineering & DevOps category. That knowledge has to come from somewhere.

Without curated knowledge of what Cloudflare, Akamai, and accounts.google.com actually are, every platform is forced to flag them as unknown, or worse, as Shadow IT.