What you'll do
You'll work through your app inventory, set approval statuses, assign technical contacts for key apps, and use filters to break the list into manageable pieces. By the end, you'll have a clear picture of what's sanctioned, what's not, and what you can safely ignore.
Before you start
Make sure you have your existing list of approved or centrally managed apps handy, whether that's a spreadsheet, a procurement tool, or a supplier register. You'll use it as your starting point.
Step 1: Mark your approved apps
Start with what you already know. Open your App Inventory (the Apps page in the left nav) and search for the apps your organization centrally manages and procures. For each one:
Click into the app record.
Set the Approval Status to Approved.
Set a Technical Contact - the person on your team who manages that app. This is who you'll reach out to for things like removing accounts when someone leaves the organization.
Do this for every app on your existing approved list. If you have fewer than 100, this shouldn't take long. If you have more, prioritize the ones with the most users first.
Why start here? Setting approved apps first removes them from the "unreviewed" pile, clears them from the Shadow Apps dashboard, and establishes your baseline. Everything else gets easier once you know what's sanctioned.
Step 2: Mark not-permitted apps (with approved alternatives)
Next, think about apps you don't want people using—especially where you already have an approved alternative. Common examples:
ChatGPT or other AI tools when you've standardized on a specific provider (like Gemini or Glean)
Competing file storage tools when you're a Google Workspace or Microsoft 365 shop
Shadow communication tools (WhatsApp, Telegram) when you have an official messaging platform
For each of these:
Search for the app in your inventory.
Set the Approval Status to Not Permitted.
Note the approved alternative - you'll use this when setting up rules in the next guide.
Step 3: Mark not-permitted apps (without alternatives)
Some apps simply shouldn't be used with a corporate email, and there's no alternative to point people toward. Think of things like:
AI tools with concerning data handling practices (e.g., DeepSeek)
Apps built/headquartered in sensitive or embargoed countries
Anything your security or compliance team has flagged
Set these to Not Permitted as well. You'll set up rules to nudge users to delete their accounts for these apps.
Step 4: Decide what to ignore
You'll inevitably find apps that aren't a security concern and aren't worth managing - shopping sites, food delivery, travel booking, and similar consumer apps that people sign up for with their work email. You have two options:
Set to Acceptable if you want to acknowledge them but not police them.
Ignore them if you don't want them cluttering your inventory at all.
Ignoring an app hides it from your inventory by default and removes its data from your dashboards and spend analysis. You can always change the filter to see ignored apps again later.
This is a judgment call. Some organizations say "don't sign up for anything personal with your corporate email, period." Others don't want to police shopping habits. Choose what's right for your culture.
How to break the list down
A thousand apps is a lot to look at. Here's how to make it manageable using the filters on your App Inventory page.
Filter by category
Click the Category filter to zero in on specific types of apps. Useful categories to review early:
Dating, Gaming, Public VPN - these are almost always worth marking as not permitted.
Lifestyle, Shopping - usually candidates for ignoring.
AI - important to review given the pace of GenAI adoption.
Developer Tools, Productivity - often where shadow IT hides in plain sight.
Filter by last activity
Not every discovered app is actively in use. Use the Last Account Activity filter to focus on what's current:
Less than 3 months shows only apps with recent activity. For most organizations, this cuts the list by 50–70%.
Less than 6 months catches seasonal or occasional use.
More than 12 months surfaces stale apps that might be candidates for cleanup.
Use the Shadow Apps dashboard
Go to Dashboards > Shadow Apps in the left nav. This dashboard shows only apps that have access to sensitive data through OAuth grants - things like access to your organization's files, email, and calendar.
This is a high-signal view. Apps on this dashboard tend to be the ones that matter most from a security standpoint. As you set approval statuses, approved apps drop off this list automatically.
The dashboard also shows:
Apps by OAuth permission type — which apps can access files, email, etc.
Apps in sensitive countries — apps headquartered in countries on the ITAR embargoes list.
Recommended approach
If you're not sure where to start, here's a practical sequence:
Mark your known approved apps and set technical contacts. (30 minutes to an hour, depending on your list size.)
Filter by category and quickly deal with the obvious ones: mark dating, gaming, and public VPN apps as not permitted, and ignore shopping apps.
Filter by last activity < 3 months and work through the remaining active apps.
Review the Shadow Apps dashboard to catch anything with sensitive OAuth grants you may have missed.
Come back to the long tail later - apps with no recent activity and no sensitive access can wait.
You don't have to do this all in one sitting. Most teams work through this over their first week or two, revisiting the inventory as they get more familiar with the data.
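As an added example, not part of this guide or of Nudge Security's own tooling, here is the recommended sequence applied mechanically to an exported inventory: a Python script that assumes a CSV export with the constructed columns app, category, users, last_activity, oauth_scopes and on_approved_list, and turns it into a prioritized worklist following the same steps (approved list first, obvious categories next, then sensitive OAuth grants, then recently active apps, with the stale long tail deferred).

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names and values are assumptions that mirror the
# fields this guide discusses; this is not the product's real export format.
SAMPLE_CSV = """app,category,users,last_activity,oauth_scopes,on_approved_list
Tinder,Dating,2,2024-05-01,,no
Steam,Gaming,5,2024-06-10,,no
Instacart,Shopping,40,2024-06-12,,no
DocuSign,Productivity,120,2024-06-14,,yes
SummarizeBot,AI,9,2024-06-13,files;email,no
OldCRM,Productivity,3,2022-01-15,,no
DropShare,Productivity,12,2024-04-30,files,no
"""

NOT_PERMITTED_CATEGORIES = {"Dating", "Gaming", "Public VPN"}
IGNORE_CATEGORIES = {"Lifestyle", "Shopping"}
SENSITIVE_SCOPES = {"files", "email", "calendar"}  # what the Shadow Apps dashboard flags

def triage(csv_text, today):
    """Apply the guide's sequence to each row; return a worklist with the apps that
    need human review first (sensitive OAuth, then most users). `today` is ISO."""
    today = datetime.strptime(today, "%Y-%m-%d").date()
    worklist = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        scopes = {s for s in row["oauth_scopes"].split(";") if s}
        sensitive = bool(scopes & SENSITIVE_SCOPES)
        age_days = (today - datetime.strptime(row["last_activity"], "%Y-%m-%d").date()).days
        if row["on_approved_list"] == "yes":
            status = "Approved"                 # step 1: already centrally managed
        elif row["category"] in NOT_PERMITTED_CATEGORIES:
            status = "Not Permitted"            # step 2: obvious categories
        elif row["category"] in IGNORE_CATEGORIES:
            status = "Ignore"                   # step 2: consumer apps not worth policing
        elif sensitive:
            status = "Review: sensitive OAuth"  # step 4: sensitive grants, review first
        elif age_days <= 90:
            status = "Review: active"           # step 3: last activity < 3 months
        else:
            status = "Defer: stale"             # step 5: the long tail can wait
        worklist.append({"app": row["app"], "status": status, "sensitive": sensitive,
                         "users": int(row["users"]), "age_days": age_days})
    worklist.sort(key=lambda r: (not r["status"].startswith("Review"),
                                 not r["sensitive"], -r["users"]))
    return worklist

if __name__ == "__main__":
    for r in triage(SAMPLE_CSV, "2024-06-15"):
        print(f'{r["status"]:26} {r["app"]:14} users={r["users"]:<4} last seen {r["age_days"]}d ago')
```

The statuses the script proposes still have to be set in the App Inventory; the point is to arrive at that screen with the order of work already decided.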
What's next
Once you've set approval statuses for your key apps, move on to Setting up rules and alerts to start automating how Nudge Security responds when people sign up for new apps or use apps you've marked as not permitted.