How do I keep records under control when employees keep spinning up new cloud and SaaS apps?
When employees adopt cloud and SaaS tools on their own, the records those tools create rarely disappear. They simply land outside your governance program. This is often called “shadow IT,” and the core problem is not the technology itself but the fact that record-bearing content is being created in places your retention schedules, search capabilities, and security controls do not reach.
The good news is that the same records principles you already apply to email and shared drives apply to cloud apps. You do not need a separate program for every tool. You need to extend your existing one.
Start with policy and partnership
Records control begins before the app is adopted, not after. Work with IT, security, procurement, and legal so that any new system has to clear a basic review. A short, well-publicized policy that explains what a record is, that records can live in any system, and that unsanctioned tools create real legal exposure does more than after-the-fact cleanup.
Frame this as enablement, not prohibition. Employees turn to new apps because approved tools are missing something. Give them a fast, predictable path to request and onboard a tool so the answer is “let’s review it,” not a silent workaround.
Apply records requirements to every system
For any cloud or SaaS app that holds records, confirm it can support the basics:
- Apply your retention and disposition schedules.
- Export records in a usable, complete format (content plus metadata).
- Search, place legal holds, and respond to FOIA, Privacy Act, or discovery requests.
- Protect access and produce audit trails.
If a tool cannot meet these needs, that is a signal to choose a different one or to designate a system of record where the official copy is captured.
Inventory, then bring it under control
Discover what is already in use through network and spend data, and survey staff without blame. Map each tool to a records owner, decide which is the authoritative system, and either onboard the rest into your program or retire them and migrate the records.
Treating cloud sprawl as an ongoing inventory-and-governance cycle, rather than a one-time cleanup, keeps electronic records defensible as tools come and go. For related guidance, see the electronic records hub.
Sources & further reading
Authoritative government and non-profit references.
- Records management (NARA) — National Archives (NARA)
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). How do I keep records under control when employees keep spinning up new cloud and SaaS apps?. Records Management University. https://www.recordsmgmt.org/questions/how-to-control-records-when-employees-spin-up-new-cloud-saas-apps/
MLA
RM University Editorial. "How do I keep records under control when employees keep spinning up new cloud and SaaS apps?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-to-control-records-when-employees-spin-up-new-cloud-saas-apps/.
Related questions
- Are digital signatures legally valid on records?
- Are spreadsheets and database entries considered records I need to retain?
- Can a company be sanctioned for not preserving electronic records when it should have anticipated litigation?
- Can I just save a file as a PDF and call it a permanent electronic record?
- Can I store official records in the cloud?