The 47 AI Tools You're Paying For (And Don't Know About)

Zylo's 2026 SaaS Management Index reports that AI-native application spend grew 108% year-over-year. The average company now manages 291 SaaS applications. IT directly owns 15% of total SaaS spend. The remaining 85% is owned by lines of business and individual employees, often through expensed personal subscriptions.

The implication: if your IT and finance teams are operating from a list that originated in IT, that list is wrong by an order of magnitude. The AI tools are not on it. The expensed monthly subscriptions are not on it. The browser extensions that bill annually to personal cards and reimburse through expense reports are not on it.

Traditional SaaS adoption follows a pattern that IT can see: a vendor sells to a department head, the department head requests procurement support, IT runs a security review, the tool gets SSO and a contract. AI tools skip every step. An engineer signs up at $20 per month with a personal card. A marketing analyst expenses a $40-per-month research tool. A product manager pays $50 for a meeting note-taker. None of these touch IT.

The price points are deliberate. Most AI tools are designed to be procurable on personal authority, under the threshold that triggers expense approval, under the threshold that requires IT review. Multiply that by hundreds of employees and you have a procurement layer that no one in finance, IT, or ops can currently see.

There are five common hiding places. Expense reports are the largest: employees pay personally and reimburse, so the spend never touches a vendor management system. Corporate cards are next: individual employees with cards bypass procurement for anything under their limit. Department budgets account for another large slice: a marketing team head signs up for an AI tool from their own budget.

The smaller but still meaningful sources are browser extensions billed annually (often invisible because they bill once a year and look like a personal subscription), and free-tier creep where a tool starts free, gets adopted broadly, and then converts to a paid plan one team at a time.

Pick a 90-minute block and look in five places. First, pull 12 months of corporate card statements and search for any vendor name that includes AI, GPT, Copilot, Cursor, Notion AI, ChatGPT, Claude, Perplexity, Anthropic, OpenAI, or any tool you recognise as AI-related. Second, search your expense reimbursement system for the same keywords. Third, ask your SSO admin for a list of applications with active sessions in the last 30 days. Fourth, ask three or four department heads what their team is paying for that you might not know about. Fifth, check your accounts payable system for any vendor that has billed under $200 in the last 12 months.

You will find more than you expect. The point is not to confiscate anything, it is to make the invisible visible. Once you have the list, you can decide what to consolidate, what to formalise, and what to ignore.

For each AI tool you discover, ask three questions: Is more than one person using it? Is the total spend across the company more than a single team could justify on its own? Does the vendor handle sensitive data?

Two or more 'yes' answers means the tool should be formalised: brought under contract, given proper procurement review, and ideally consolidated into a centrally managed account. A single 'yes' usually means leave it alone, but track it. Zero yes answers means it is a personal productivity tool, not a company concern.

The wrong move is to ban individual AI tool subscriptions. The right move is to make formal procurement faster than the workaround. If an employee can get an AI tool approved through your formal process in less than a week, they will use the process. If it takes a month, they will keep using their personal card.

Pair faster procurement with a simple monthly reconciliation: anyone expensing an AI tool gets flagged automatically, given the option to roll it into a managed subscription, and ignored if the spend is below a threshold. The goal is visibility, not control.