IT OPS

Catch shadow SaaS signups from welcome emails and triage them

Monitors a shared IT inbox for SaaS welcome and verification emails sent to company addresses, uses an LLM to identify the vendor and the employee.

CategoryIT Ops

Enginesim

Difficultyintermediate

Triggerevent

Steps5

Setup~15 min

How it runs

The automated pipeline, trigger to output.

TriggerNew email in monitored IT inboxGmail
ActionExtract vendor and employee with OpenAIOpenAI
LogicKeep only genuine new-account signups
ActionOpen Zendesk triage ticketZendesk
OutputPost alert with ticket link to SlackSlack

What it does

When an employee signs up for a new tool with their work email, the welcome email is the earliest possible signal. This workflow watches a forwarded IT mailbox, uses an LLM to read each message and extract the vendor, the recipient, and whether it's a genuine new-account signup, then files a Zendesk ticket and alerts security so the tool can be vetted before it spreads.

When to use it

Use it when you can route a copy of inbound mail (via a Gmail filter or alias) to a monitored address. Ideal for catching free-tier and self-serve signups that never touch SSO or a corporate card and would otherwise stay invisible.

How it works

1A new message arriving in the monitored Gmail inbox triggers the run.
2An OpenAI step classifies the email and extracts vendor name, the employee, and signup intent.
3A logic step drops anything that isn't a real new-account signup.
4A Zendesk ticket is opened for the security triage queue with the extracted details.
5Slack posts an alert linking the ticket so the team can act quickly.

Set it up

What you configure once, before turning it on.

1
Connect GmailRead, draft, send, label.
2
Connect OpenAIModels, embeddings, files.
3
Connect ZendeskTickets, queues, knowledge base.
4
Connect SlackChannels, DMs, threads, mentions.
5
Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
6
Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
7
Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.

More IT Ops workflows

Recurring Sensor Fault Root-Cause Investigator

On a schedule, an agent reviews recent Monday work orders and BigQuery telemetry to identify equipment with repeating faults, drafts a root-cause hypothesis with a recommended fix.

Daily Building Anomaly Digest to MS Teams

Each morning queries BigQuery for the prior day's flagged sensor anomalies, summarizes them by site and system into a ranked briefing.

Agentic Inactive-Seat Reclamation Review

An agent investigates each idle SaaS seat by correlating SSO login gaps with HR status and ticket history, classifies it as reclaim, hold, or escalate, and drafts a reasoned…

Reconcile SSO logins against expense spend to find unmanaged tools

Joins SSO usage data with expense/payment records in Snowflake to surface tools that are being used but not paid for, or paid for but never logged.

Approved-Seat Deprovision Execution

Fires when an IT approver confirms a seat for removal, then executes deprovisioning via the IdP API and logs the action to an audit table and a Linear cleanup ticket.

HVAC Anomaly Detection to Severity-Routed Work Orders

Ingests building HVAC telemetry via webhook, flags out-of-band temperature, pressure, or runtime readings.

Browse all IT Ops →

Run it inside a business

This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

Sales

Real Estate Sales Desk

Prospecting, outreach, follow-up, and closing assist.

Support

Customer Support Hub

Tier-1, tier-2, refunds, and escalations — same-hour.

Operations

Recruiting Agency

Source, screen, schedule — without the inbox grind.

Browse all business templates →Solutions by industry →

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.

Join the Waitlist Browse all workflows →