Somewhere in your organisation right now, an employee is uploading a client spreadsheet to their personal Google Drive. Another is managing a project in an unapproved task management app. A third has signed up for an AI writing tool using their work email address. None of these actions are malicious — in fact, each employee is simply trying to get their work done more efficiently. But collectively, these unapproved tools and services constitute shadow IT, and they represent one of the most pervasive and underestimated security threats facing businesses today.
TL;DR — Key Takeaways
- What shadow IT is and why it matters for your security posture
- Why employees turn to unapproved tools and why shadow IT flourishes
- The security risks shadow IT creates, and practical strategies to discover and manage it
Visual Overview
```mermaid
flowchart TD
A["Employee Needs Tool"] --> B["Uses Unapproved SaaS"]
B --> C["Company Data Uploaded"]
C --> D["No IT Visibility"]
D --> E["Data Leak Risk"]
D --> F["Compliance Violation"]
E --> G["Discovery & Governance"]
F --> G
```
In this article we explore what shadow IT is, why it flourishes, the specific risks it creates, how to discover it within your organisation, and practical policy approaches that balance security with productivity.
What Is Shadow IT?
Shadow IT refers to any technology — hardware, software, cloud services, or applications — used within an organisation without the knowledge, approval, or oversight of the IT department or security team. It exists in the shadows, outside the visibility and governance structures that protect the rest of your technology environment.
Shadow IT is not limited to tech-savvy employees going rogue. It encompasses a wide range of everyday behaviours:
- Personal cloud storage: Employees using Dropbox, Google Drive, iCloud, or OneDrive personal accounts to store or share work files.
- Unapproved SaaS applications: Teams signing up for project management, design, communication, or productivity tools without IT approval.
- Messaging platforms: Using WhatsApp, Telegram, or other personal messaging apps for work communication.
- AI tools: Employees pasting sensitive data into AI chatbots, writing assistants, or code generators.
- Browser extensions: Installing extensions that can access browsing data and potentially intercept credentials.
- Personal devices: Using personal laptops, phones, or tablets for work tasks without BYOD policy controls in place.
- USB devices: Transferring data via personal USB drives or external hard drives.
- Unauthorised integrations: Connecting third-party apps to corporate email or cloud platforms using OAuth tokens.
Why Shadow IT Flourishes
Understanding why employees turn to unapproved tools is essential for addressing shadow IT effectively. In most cases, the root cause is not malice — it is frustration with officially sanctioned alternatives.
Slow Procurement Processes
When an employee needs a tool to meet a deadline and the official approval process takes weeks, they will find a workaround. The faster it is to sign up for a free SaaS tool compared to submitting an IT request, the more likely shadow IT becomes.
Inadequate Approved Tools
If the officially sanctioned tools are clunky, outdated, or poorly suited to the task, employees will seek better alternatives. Shadow IT often reveals genuine gaps in your technology stack.
Remote and Hybrid Work
The shift to remote work has dramatically accelerated shadow IT. Employees working from home are more likely to blur the lines between personal and professional technology, using home networks, personal devices, and familiar consumer tools for work tasks.
Lack of Awareness
Many employees simply do not realise that using an unapproved tool poses any risk. They see no difference between using a free file-sharing service and the company's official platform. Without security awareness training that specifically addresses shadow IT, employees remain unaware of the implications.
Departmental Autonomy
In many organisations, individual departments have their own budgets and the authority to purchase software independently. Marketing might adopt one analytics platform while sales uses another, and neither informs IT.
The Security Risks of Shadow IT
Shadow IT creates security risks precisely because it operates outside your organisation's governance, monitoring, and protective controls. Here are the most significant threats.
Data Leakage and Loss
When employees store company data in unapproved services, that data falls outside your data classification and protection controls. You cannot apply encryption policies, access controls, or data loss prevention (DLP) rules to systems you do not know about. If an employee leaves the organisation, data stored in their personal cloud accounts goes with them.
Research consistently shows that the average organisation uses three to four times more cloud services than IT is aware of. Each unknown service is a potential data leakage point that exists entirely outside your security perimeter.
Compliance Violations
Regulations such as GDPR, HIPAA, and PCI DSS impose strict requirements on how and where data is stored, processed, and transmitted. Shadow IT frequently violates these requirements. Personal cloud storage may host data in jurisdictions that breach data residency rules. Unapproved tools may lack the encryption or access controls required by regulation. Your organisation remains liable for these violations regardless of whether IT knew about the tools.
Expanded Attack Surface
Every unapproved application represents an additional entry point for attackers. These tools are not subject to your patch management processes, security assessments, or monitoring. If a shadow IT service is compromised, attackers may gain access to company data or credentials that grant access to your core systems.
Credential Exposure
Employees frequently reuse passwords across services. When they sign up for unapproved tools using their work email and a familiar password, a breach of that third-party service can expose credentials that work on your corporate systems. This is particularly dangerous when combined with credential stuffing attacks.
Lack of Visibility
You cannot protect what you cannot see. Shadow IT creates blind spots in your security monitoring. If data is exfiltrated through an unapproved cloud service, your security tools may never detect it. If an insider threat uses shadow IT to move data out of the organisation, traditional monitoring approaches will miss it entirely.
Integration Risks
When employees connect unapproved applications to corporate platforms using OAuth authorisation, they often grant broad permissions — read email, access files, send messages — to third-party services that have not been vetted. These integrations persist even after the employee stops using the tool, creating long-lived access points that are difficult to discover and manage.
Discovering Shadow IT in Your Organisation
Before you can manage shadow IT, you need to find it. Several techniques can help illuminate what is lurking in the shadows.
Network Traffic Analysis
Review firewall and proxy logs to identify outbound connections to cloud services. Cloud access security brokers (CASBs) are specifically designed to discover and catalogue cloud service usage across your organisation, providing visibility into both sanctioned and unsanctioned applications.
SSO and Identity Provider Logs
If you use single sign-on (SSO) or a corporate identity provider, review authentication logs for OAuth grants and third-party application authorisations. This reveals which external applications employees have connected to your corporate identity.
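As an added example (not part of the original article), the script below reviews a constructed JSON-lines export of OAuth grants of the kind an identity provider's audit log produces. The record format, the scope names, the vetted-app allow-list and the 90-day staleness threshold are all assumptions to adapt to your provider. It flags unvetted applications that hold broad scopes and grants nobody has used recently, which is how the long-lived integrations described under Integration Risks surface during a review, and it is the kind of check a quarterly audit can re-run.

```python
"""OAuth grant audit over IdP log records: an added example (not from the
article), with a constructed JSON-lines log and assumed scope names."""
import json
from datetime import datetime, timedelta, timezone

# Assumption: scope names are illustrative; map them to your provider's own.
BROAD_SCOPES = {"mail.read", "mail.send", "files.readwrite.all", "offline_access"}

# Hypothetical allow-list of applications that passed vetting.
VETTED_APPS = {"Approved Calendar Sync"}

# A grant not used for this long is treated as stale (a policy choice).
STALE_AFTER = timedelta(days=90)

# Fixed review date so the example is deterministic.
REVIEW_DATE = datetime(2024, 5, 1, tzinfo=timezone.utc)

# Constructed IdP audit records, one JSON object per line.
GRANT_LOG = """\
{"user": "alice", "app": "PDF Magic Converter", "scopes": ["files.readwrite.all", "offline_access"], "granted": "2023-11-02T10:00:00Z", "last_used": "2023-12-15T08:30:00Z"}
{"user": "bob", "app": "Approved Calendar Sync", "scopes": ["calendars.read"], "granted": "2024-01-10T09:00:00Z", "last_used": "2024-04-29T07:45:00Z"}
{"user": "carol", "app": "Email Productivity Bot", "scopes": ["mail.read", "mail.send"], "granted": "2024-03-01T12:00:00Z", "last_used": "2024-04-30T16:20:00Z"}
{"user": "dave", "app": "Survey Widget", "scopes": ["profile"], "granted": "2024-02-20T11:00:00Z", "last_used": "2024-04-25T10:00:00Z"}
"""

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_ts(value):
    """Parse the log's UTC timestamps into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_grants(log_text, now=REVIEW_DATE):
    """Flag unvetted apps holding broad scopes and/or grants nobody has used recently.

    broad + stale  -> high   (long-lived, privileged, forgotten)
    broad only     -> medium (privileged but in active use: vet or restrict)
    stale only     -> low    (narrow scope, but still worth revoking)
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["app"] in VETTED_APPS:
            continue
        broad = sorted(set(rec["scopes"]) & BROAD_SCOPES)
        idle_days = (now - parse_ts(rec["last_used"])).days
        stale = idle_days > STALE_AFTER.days
        if not broad and not stale:
            continue
        severity = "high" if broad and stale else "medium" if broad else "low"
        findings.append({
            "user": rec["user"],
            "app": rec["app"],
            "broad_scopes": broad,
            "idle_days": idle_days,
            "severity": severity,
            "action": "revoke" if stale else "review",
        })
    # Highest severity first so the review queue starts with the riskiest grants.
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["user"]))


if __name__ == "__main__":
    for f in audit_grants(GRANT_LOG):
        print(f"[{f['severity']:<6}] {f['user']:<6} {f['app']:<24} "
              f"broad={f['broad_scopes']} idle={f['idle_days']}d -> {f['action']}")
```

On the sample data the vetted calendar app and the narrow, recently used survey widget produce no finding, while the forgotten file-converter grant with full file access is ranked above the mail bot that is still in use. Separating "revoke" from "review" matters in practice: a stale grant can be removed without consulting anyone, whereas an active one needs the owner's input before you break a workflow.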
Expense Reports and Credit Card Statements
SaaS subscriptions often appear on corporate credit cards or expense reports. Regular review of these financial records can reveal tools that were purchased outside of IT procurement processes.
Employee Surveys
Sometimes the simplest approach is the most effective: ask. Conduct anonymous surveys asking employees what tools they use to accomplish their work. Frame the survey positively — the goal is to understand their needs, not to punish them — and you will be surprised by what emerges.
Endpoint Monitoring
Endpoint detection and response tools can identify applications installed on company devices, browser extensions in use, and connections to unapproved services. This provides device-level visibility that complements network-level discovery.
DNS Analysis
Monitoring DNS queries from your network reveals which domains your users are accessing. Categorising these domains can identify cloud services, SaaS applications, and other tools that fall outside your approved inventory.
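Bringing the network-traffic and DNS checks together with an approved-tools catalogue, here is an added example in Python; it is not the article's own tooling. The proxy log lines, the DNS query lines, the approved domains and the category map are all constructed for illustration. In production the categories would come from a CASB or web-categorisation feed and the approved list from your catalogue, but the matching and prioritisation logic is the same: anything not sanctioned is a finding, ranked by how much data has already left the network towards it.

```python
"""Discovery from proxy and DNS logs: an added example (not from the article),
using constructed log lines and a hypothetical approved-tools catalogue."""
from dataclasses import dataclass, field

# Assumption: these domains are on the organisation's approved-tools catalogue.
APPROVED_DOMAINS = {"sharepoint.example.com", "slack.com", "github.com"}

# Constructed category map. In practice a CASB or web-categorisation feed
# supplies this; the entries here only illustrate the matching logic.
SAAS_CATEGORIES = {
    "drive.google.com": "personal cloud storage",
    "dropbox.com": "personal cloud storage",
    "trello.com": "project management",
    "chat.openai.com": "AI assistant",
    "web.whatsapp.com": "messaging",
}

# Constructed proxy log: timestamp user method host bytes_out bytes_in
PROXY_LOG = """\
2024-05-01T09:12:03Z alice GET slack.com 512 20480
2024-05-01T09:14:40Z alice POST drive.google.com 7340032 1024
2024-05-01T10:02:11Z bob POST dropbox.com 2097152 512
2024-05-01T10:05:55Z bob GET trello.com 800 45000
2024-05-01T11:30:00Z carol POST chat.openai.com 15000 9000
2024-05-01T11:31:10Z carol GET github.com 400 120000
"""

# Constructed DNS query log: timestamp client_ip qname
DNS_LOG = """\
2024-05-01T09:14:39Z 10.0.1.15 drive.google.com
2024-05-01T10:02:10Z 10.0.1.22 dropbox.com
2024-05-01T12:45:00Z 10.0.1.31 web.whatsapp.com
2024-05-01T12:46:00Z 10.0.1.31 slack.com
"""


def parent_domains(host):
    """Yield the host and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def is_approved(host):
    """A host is sanctioned if it or any parent domain is in the catalogue."""
    return any(d in APPROVED_DOMAINS for d in parent_domains(host))


def classify(host):
    """Map a host to a service category, falling back to 'uncategorised'."""
    for d in parent_domains(host):
        if d in SAAS_CATEGORIES:
            return SAAS_CATEGORIES[d]
    return "uncategorised"


@dataclass
class Finding:
    host: str
    category: str
    users: set = field(default_factory=set)        # identities seen in proxy logs
    bytes_uploaded: int = 0                        # outbound volume (potential leakage)
    dns_clients: set = field(default_factory=set)  # clients seen only at DNS level


def discover(proxy_log, dns_log):
    """Return {host: Finding} for every non-approved service seen in either log."""
    findings = {}
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        _ts, user, _method, host, bytes_out, _bytes_in = line.split()
        if is_approved(host):
            continue
        f = findings.setdefault(host, Finding(host, classify(host)))
        f.users.add(user)
        f.bytes_uploaded += int(bytes_out)
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        if is_approved(qname):
            continue
        f = findings.setdefault(qname, Finding(qname, classify(qname)))
        f.dns_clients.add(client)
    return findings


def prioritised(findings):
    """Largest upload volume first: those are the likeliest data-leakage points."""
    return sorted(findings.values(), key=lambda f: (-f.bytes_uploaded, f.host))


if __name__ == "__main__":
    for f in prioritised(discover(PROXY_LOG, DNS_LOG)):
        print(f"{f.host:<20} {f.category:<24} users={sorted(f.users)} "
              f"uploaded={f.bytes_uploaded}B dns_clients={sorted(f.dns_clients)}")
```

Two design points are worth noting. Matching on parent domains means `api.slack.com` is approved when `slack.com` is, but a look-alike such as `slack.com.evil.test` is not, because the check walks up the hostname rather than searching for a substring. And the DNS pass catches the messaging service that never appears in the proxy log at all, which is exactly the gap DNS analysis is meant to close when traffic bypasses the proxy.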
Policy Approaches: Balancing Security and Productivity
The worst response to shadow IT is a blanket ban on all unapproved tools. This approach fails because it ignores the legitimate productivity needs that drove employees to shadow IT in the first place. They will simply find ways around the restrictions, driving the behaviour further underground and making it harder to discover.
Instead, adopt a balanced approach that acknowledges employee needs while maintaining appropriate security controls.
1. Create a Streamlined Approval Process
Make it easy and fast for employees to request new tools. Establish a lightweight vetting process that can assess security, privacy, and compliance implications within days rather than weeks. The easier it is to get tools approved, the less incentive employees have to go rogue.
2. Develop an Acceptable Use Policy
Publish a clear acceptable use policy that defines what types of tools are permitted, what types require approval, and what types are prohibited. Ensure the policy is practical and explains the reasoning behind restrictions — employees are more likely to comply when they understand why rules exist.
3. Maintain an Approved Tools Catalogue
Create and publicise a catalogue of pre-approved tools for common needs: file sharing, project management, communication, design, and other frequent use cases. When employees can quickly find an approved tool that meets their needs, they are far less likely to seek alternatives.
4. Implement Technical Controls
Deploy appropriate technical controls to complement your policies:
- Cloud access security brokers (CASBs): Monitor and control cloud service usage.
- Data loss prevention (DLP): Prevent sensitive data from being uploaded to unapproved services.
- OAuth application controls: Review and restrict which third-party applications can integrate with your corporate platforms.
- Browser management: Control which extensions can be installed on corporate browsers.
- Network segmentation: Limit access to sensitive resources from unmanaged devices.
5. Educate, Do Not Punish
Incorporate shadow IT awareness into your security training programme. Help employees understand the specific risks — data leakage, compliance violations, credential exposure — through practical examples relevant to their roles. When employees understand the "why," they become allies rather than adversaries.
6. Listen to Employee Feedback
Shadow IT is often a symptom of unmet needs. Use discovery findings as a feedback mechanism: if multiple departments have adopted the same unapproved tool, investigate whether it should become an officially supported solution. The goal is to channel innovation through secure pathways rather than suppressing it entirely.
7. Conduct Regular Audits
Shadow IT discovery is not a one-time exercise. Schedule quarterly audits to identify new unapproved tools, review OAuth grants, and assess the effectiveness of your policies and controls. As your organisation evolves, so will its shadow IT landscape.
Shadow IT and Third-Party Risk
Shadow IT is closely related to third-party risk management. Every unapproved tool is an unvetted third party with potential access to your data. Integrating shadow IT discovery into your broader vendor risk management programme ensures that all third-party relationships — whether officially sanctioned or not — receive appropriate security scrutiny.
Pay particular attention to shadow IT tools that process sensitive data categories such as customer personal information, financial records, health data, or intellectual property. These represent the highest-risk instances and should be prioritised for remediation or formal approval.
The Special Challenge of AI Tools
The rapid proliferation of AI tools has created a new wave of shadow IT that deserves special attention. Employees are increasingly pasting sensitive information — customer data, financial figures, proprietary code, strategic documents — into AI chatbots and writing assistants without considering the data handling implications.
Develop specific policies for AI tool usage that address data input restrictions, approved AI platforms, and acceptable use cases. As AI tools become more prevalent, organisations that proactively manage their adoption will be far better positioned than those that discover misuse after a data incident.
Key Takeaways
Shadow IT is not going away. In an era of abundant cloud services, easy self-service sign-ups, and distributed workforces, employees will always find ways to adopt tools that help them work more effectively. The question is whether your organisation manages this reality proactively or discovers it only after a breach.
The most effective approach combines visibility (discover what shadow IT exists), governance (clear policies and approval processes), technical controls (CASB, DLP, endpoint monitoring), and education (security awareness training that specifically addresses shadow IT risks). By treating shadow IT as a management challenge rather than a disciplinary one, you can reduce risk while preserving the innovation and productivity that employees are ultimately seeking.
Start with a discovery exercise this quarter. You may be surprised — and slightly alarmed — by what you find. But knowledge is the first step towards control, and control is the foundation of security.