Who is responsible for managing records created in SaaS apps the records team didn't approve?
When an employee spins up a cloud or SaaS application without the records team’s sign-off, a common assumption follows: because the tool was never approved, no one “owns” the records inside it. That assumption is wrong, and it creates real legal exposure.
The short answer: the agency still owns the records
A record’s status depends on its content and function, not on where it lives or whether the platform was sanctioned. If information documents the organization’s business, decisions, or transactions, it is a record subject to the same retention, access, and disposition rules as anything in an approved system. Using an unapproved app does not remove the obligation to manage what it holds. In practice, responsibility is shared:
- The agency or organization remains legally accountable for capturing, retaining, and producing those records for audits, litigation, and public-records or FOIA requests.
- The records or information governance (IG) officer is responsible for the program that identifies these systems, brings their content under control, and applies the correct schedule.
- The individual employee who created the records is responsible for not letting them live solely in an unmanaged tool, and for surfacing them to the records program.
Why “shadow IT” doesn’t shift the burden
Records created in unsanctioned SaaS apps are often called shadow IT or unmanaged records. The risk is that they sit outside backup, retention, and legal-hold controls, so they can be lost, prematurely deleted, or made undiscoverable. None of that excuses the organization from its recordkeeping duties; if anything, courts and oversight bodies expect agencies to know where their records reside.
What to do about it
- Find and inventory the app and the records it contains.
- Assess whether those records can stay or must be migrated into a managed repository.
- Apply the schedule and any legal holds, then dispose only as authorized.
- Close the gap with policy, training, and an intake path so future tools are reviewed before use, not after.
The guiding principle: approval governs the tool, but the law governs the record. For more, see the federal records hub.
Sources & further reading
Authoritative government and non-profit references.
- Records management (NARA) — National Archives (NARA)
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). Who is responsible for managing records created in SaaS apps the records team didn't approve?. Records Management University. https://www.recordsmgmt.org/questions/who-manages-records-in-unapproved-saas-apps/
MLA
RM University Editorial. "Who is responsible for managing records created in SaaS apps the records team didn't approve?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/who-manages-records-in-unapproved-saas-apps/.
Related questions
- Are records created by federal contractors considered federal records?
- Big-bucket vs item-level retention schedules: how do I decide which approach to use?
- Can a federal employee be personally fined or jailed for deleting government records?
- Can federal employees conduct official business on personal devices or apps?
- Can I delete old federal records to free up storage space when our shared drive gets full?