Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

What is Shadow IT?

Written by Gugu Ntsele | October 10, 2025

Shadow IT refers to information technology systems, devices, software, applications, and services that are used within an organization without explicit approval from the IT department or management. As TechTarget's definition notes, "Shadow IT is hardware or software within an enterprise that is not supported by the organization's central IT department." These are the cloud storage services, collaboration tools, messaging apps, and software subscriptions that employees adopt on their own.

These technologies operate in the shadows of official IT infrastructure, invisible to those responsible for maintaining security, compliance, and data governance across the organization. TechTarget points out that while "the label itself is neutral, the term often carries a negative connotation because it implies that the IT department has not approved the technology or doesn't even know employees are using it."

 

The rise of shadow IT

Shadow IT isn't a new concept, but its prevalence has increased in recent years. According to Gartner research cited in Mary K. Pratt's article "What are the pros and cons of shadow IT," "Forty-one percent of employees acquired, modified or created tech outside of IT's visibility in 2022... That number will climb to 75% by 2027."

Recent research in "Dealing Effectively with Shadow IT by Managing Both Cybersecurity and User Needs" reveals more figures: "A 2019 study found that most organizations across all major industries... are using nearly 2,000 cloud services, on average, with 90% of these services being adopted by employees without the approval or knowledge of the company's IT department."

A study by Mario Silic and Andrea Back, published in Computers & Security, provides evidence of Shadow IT's pervasiveness. Their analysis of a Fortune 500 company with over 10,000 employees revealed that 15% of all installed software was unapproved, representing 2,965 unique versions of illegal software applications out of 19,633 total applications scanned. The researchers found that employees had installed these unauthorized applications more than half a million times across 10,000 different endpoint devices.

Several factors have contributed to this growth. The consumerization of technology has made powerful, user-friendly tools readily available to anyone. Cloud-based software requires no complex installation or IT support, making it easier for employees to sign up and start using a new service.

According to TechTarget, the nature of shadow IT has evolved, "With the consumerization of IT and cloud computing, however, the meaning expands to cloud services that meet the unique needs of a particular business division and are supported by a third-party service provider or in-house group instead of by corporate IT."

 

Common examples of Shadow IT

Shadow IT takes many forms in modern organizations. Personal cloud storage services like Dropbox, Google Drive, or OneDrive are among the most common examples. An employee might upload sensitive company documents to their personal account to access them from home, creating potential data security risks. TechTarget highlights this exact scenario as a compliance concern "when an employee stores corporate data in their personal Dropbox account."

Communication and collaboration tools represent another category. Teams might adopt Slack, Discord, or WhatsApp for project communication without IT approval, potentially exposing confidential business conversations to security vulnerabilities. TechTarget notes that "popular shadow apps include Google Docs and instant messaging services such as Slack."

Silic and Back's research identified three primary categories of Shadow IT software that dominate organizational environments. The largest category, which they term "greynet," includes networking applications that use evasive techniques to traverse networks—instant messaging, web conferencing, and peer-to-peer file sharing tools. Their study found that 58.97% of employees were using greynet applications, with Apple products (particularly iTunes) representing over 32% of this usage, while Skype, Google Talk, and Facebook video calling were the three main communication tools employees adopted without approval.

The second major category, "content apps," includes tools for viewing and creating content. Silic and Back discovered that 48% of employees used 206 different versions of unapproved PDF tools—meaning nearly one out of every two employees had independently installed PDF creation or editing software. The third category, "utility tools," includes PC optimization software, codecs, and video converters, with 22.5% of employees using these applications to manage their computers independently of IT support.

According to "Watch out - your workers might be pasting company secrets into ChatGPT," ChatGPT and other Generative Artificial Intelligence (GenAI) tools are transforming what the "risk of Shadow IT" means. As reported in that article, 45% of enterprise employees now use generative AI in one form or another. Of those, more than three-quarters (77%) have copied and pasted data into the tool, and almost a quarter (22%) have done the same with PII/PCI, with 82% of pastes coming from unmanaged personal accounts.

Project management tools, file-sharing services, code repositories, marketing automation platforms, and even simple browser extensions can all constitute shadow IT when used without official sanction. Personal technology also falls into this category, including "personal smartphones, tablets and USB flash drives" that employees use at work, sometimes as part of a bring-your-own-device policy.

As Silic and Back note in their research, employees generally "do not have any malicious intentions" when installing unapproved software and often "believe that they are not doing anything illegal especially when installing open-source software." Instead, these behaviors are driven by genuine productivity needs that official IT systems aren't adequately meeting.

 

The risks of Shadow IT

According to "Dealing Effectively with Shadow IT by Managing Both Cybersecurity and User Needs," "Research suggests that one in five companies has faced a cybersecurity incident linked to shadow IT, imposing an average cost of over $4.88 million in 2024."

Security vulnerabilities top the list of concerns. As TechTarget explains, "Shadow IT can introduce security risks when unsupported hardware and software are not subject to the same security measures that are applied to supported technologies." Unsanctioned applications may lack proper security controls, making them attractive targets for cybercriminals. Without IT oversight, these tools may not receive regular security updates, leaving known vulnerabilities unpatched.

Silic and Back's research confirms that data integrity and information leakage represent the biggest threats from Shadow IT. Their interviews with IT executives revealed that greynet applications "have very strong roots in organisational information systems and by the same token, they produce the biggest threats for information security and privacy." 

The UK's National Cyber Security Centre (NCSC) emphasizes the visibility problem that shadow IT creates. In their blog post "Strengthening national cyber resilience through observability and threat hunting," NCSC Chief Technical Officer Ollie Whitehouse warns that "without this visibility, some areas of the system remain hidden – 'dark corners' – making it harder to spot unusual or malicious activity, or investigate suspected breaches." The NCSC specifically identifies shadow IT as one of these dangerous blind spots: "These dark corners can include user account activity, devices, networks, applications, and cloud services. They may also involve unapproved or unknown technologies or systems, or unofficially-operating 'shadow IT'."

This principle is captured in the NCSC's warning, "You can't hunt what you can't see." When organizations lack visibility into the tools their employees are using, they cannot effectively monitor for threats or investigate security incidents.

"Watch out - your workers might be pasting company secrets into ChatGPT" warns that enterprises have little to no visibility into what data is being shared, creating a blind spot for data leakage and compliance risk. The article also reveals that roughly two in five files uploaded to generative AI sites contain the same kind of sensitive data (PII/PCI), while 39% of these uploads came from non-corporate accounts.

Kayne McGladrey, field CISO at Hyperproof, warns in Mary K. Pratt's article that, "Shadow IT might make it harder for the company to even know it has been breached." This lack of visibility creates blind spots that attackers can exploit, leaving organizations vulnerable without even knowing they're at risk.

Data governance and compliance present another challenge. When employees use unauthorized tools to store or process sensitive information, organizations lose visibility into where their data resides and how it's being protected. The NCSC notes that "in many cases, organisations' access to data about their digital estate is patchy or incomplete." This is problematic for companies subject to regulatory requirements like GDPR, HIPAA, or other regulations.

TechTarget further warns that "technologies that operate without the IT department's knowledge can negatively affect the user experience of other employees by using up network bandwidth and creating situations in which network or software application protocols conflict." Unofficial tools often don't integrate with existing systems, leading to data silos and inefficient workflows. The lack of centralized management means IT cannot provide adequate support when things go wrong, and there's no consistent backup or disaster recovery strategy for data stored in these systems.

 

The hidden benefits

"Dealing Effectively with Shadow IT by Managing Both Cybersecurity and User Needs" notes that, "Shadow IT can also increase employees' effectiveness." It often signals genuine gaps in the organization's official technology stack. Employees adopt these tools because they need them to do their jobs effectively, suggesting that IT isn't fully meeting business needs.

Sue Bergamo, CIO and CISO at BTE Partners, offers a perspective in Mary K. Pratt's article, "Too many people, and CIOs in particular, put too much emphasis on the reasons why not to allow shadow IT. But if they understand how to work with their business partners to secure and control what happens, they could embrace shadow IT and see some positives."

John Annand, research director at Info-Tech Research Group, points out a practical reality in the article, "Enterprise IT has more than enough interesting work to do, and IT doesn't have the time to serve those hundreds, or even thousands, of smaller jobs anyway." This perspective suggests that shadow IT can actually free up IT resources to focus on more strategic initiatives.

Another advantage, as Annand notes in the same article, is the clarity it brings: "With shadow IT, nothing is lost in translation." When employees solve their own problems directly, there's no miscommunication between business needs and technical implementation.

TechTarget captures this debate well, stating that "Some IT administrators fear that if shadow IT is allowed, end users will create data silos and prevent information from flowing freely throughout the organization. Other administrators believe that in a fast-changing business world, the IT department must embrace shadow IT for the innovation it supplies, and create policies for overseeing and monitoring its acceptable use."

 

Understanding Shadow IT users

Research in "Dealing Effectively with Shadow IT by Managing Both Cybersecurity and User Needs" identifies two distinct user groups that organizations must understand and manage differently.

The first group, called "goal-oriented actors" (GOAs), are characterized by their tech-savviness and cybersecurity expertise. As the research explains, GOAs "are tech-savvy and cybersecurity-savvy and deliberately use shadow IT to perform their job duties more effectively. Another characteristic of GOAs is that they take special care to minimize cybersecurity risks to their employer." These employees understand the risks they're taking and actively work to mitigate them, often distinguishing between sensitive and less sensitive data in their shadow IT usage.

The second group, "followers," presents a different challenge. According to the research, "Followers simply mimic the shadow IT use of GOAs. Because followers understand cybersecurity poorly, they often are unaware that certain data or actions are not suitable for shadow IT use." These users pose a higher risk to organizations because they lack the knowledge and judgment to use shadow IT safely, even though they may have observed others using it successfully.

 

Managing Shadow IT effectively

"Dealing Effectively with Shadow IT by Managing Both Cybersecurity and User Needs" states, "There is neither a universal solution for managing shadow IT nor can IT leaders fully control or eliminate shadow IT use." Instead, organizations need a balanced approach that addresses security concerns while acknowledging legitimate business needs.

The research is clear about the consequences of ignoring user needs: "It is crucial that IT allows users to complete their work efficiently and effectively. When this does not happen, employees often attempt to use shadow IT—or leave the company altogether." Managing shadow IT is therefore not only a security matter but also one of employee satisfaction and retention.

As Sue Bergamo advises in Mary K. Pratt's article, "CIOs need to partner with the business and agree on what should be done, where IT should extend a hand and where the business needs to extend a hand back." This collaborative approach recognizes that shadow IT is a shared challenge requiring mutual understanding and compromise.

IT departments should actively work to identify shadow IT through network monitoring, cloud access security brokers, and open communication with employees. Once identified, organizations should conduct risk assessments to prioritize which shadow IT applications pose the greatest threat. Some tools might be acceptable with minor modifications, while others require immediate action.

Organizations should also consider sanctioning popular shadow IT tools that meet security standards. According to "Dealing Effectively with Shadow IT by Managing Both Cybersecurity and User Needs," "Actions that reduce the use of shadow IT are actions that acknowledge and strive to meet users' needs without compromising the firm's cybersecurity."

The research also recommends creating dedicated user experience (UX) teams focused on understanding and meeting employee IT needs, using well-designed chatbots to provide support and gather feedback, and even rewarding employees who bring valuable shadow IT solutions to light. By taking a balanced, user-centric approach to shadow IT management, organizations can reduce security risks while maintaining employee productivity and satisfaction.
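The identification, risk-assessment and sanctioning steps described in this section, as an added example that is not part of the original article: a Python script that parses constructed web-proxy log lines, ignores traffic to a hypothetical sanctioned-service list, ranks the remaining services by distinct users, data volume and a category weight, and lists the widely used ones as candidates for formal approval. The log entries, hostnames, categories and weights are all assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed web-proxy log sample (timestamp, user, destination host, bytes sent);
# the entries are made up for this example, not taken from the article.
PROXY_LOG = """\
2025-10-10T09:01:12 alice drive.google.com 15728640
2025-10-10T09:02:40 bob api.openai.com 4096
2025-10-10T09:05:03 carol wetransfer.com 73400320
2025-10-10T09:06:55 alice slack.com 2048
2025-10-10T09:07:10 dave api.openai.com 8192
2025-10-10T09:09:31 erin drive.google.com 1048576
2025-10-10T09:11:02 bob sharepoint.example.com 524288
2025-10-10T09:12:44 frank wetransfer.com 20971520
2025-10-10T09:14:08 grace upload.example-saas.net 1048576
"""

# Hypothetical sanctioned-service list; in practice it comes from the CMDB or CASB.
SANCTIONED = {"sharepoint.example.com", "slack.com"}

# Hypothetical category weights: services that carry files or prompts off the
# estate weigh 3; an unrecognised service weighs 2 until it has been assessed.
CATEGORY = {"drive.google.com": ("cloud storage", 3), "wetransfer.com": ("file transfer", 3),
            "api.openai.com": ("generative AI", 3)}
LINE_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    """Yield (user, host, bytes_sent) for each well-formed proxy line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def shadow_it_report(text, sanctioned=SANCTIONED):
    """Rank unsanctioned services by distinct users x category weight x (1 + MiB sent)."""
    users, sent = defaultdict(set), defaultdict(int)
    for user, host, nbytes in parse_log(text):
        if host not in sanctioned:          # sanctioned traffic is not shadow IT
            users[host].add(user)
            sent[host] += nbytes
    report = []
    for host, who in users.items():
        category, weight = CATEGORY.get(host, ("unknown", 2))
        mib = sent[host] / 2**20
        report.append({"host": host, "category": category, "users": len(who),
                       "mib_sent": round(mib, 2), "score": round(len(who) * weight * (1 + mib), 2)})
    return sorted(report, key=lambda r: r["score"], reverse=True)

def sanctioning_candidates(report, min_users=2):
    """Unsanctioned services with broad uptake: review for approval or a vetted alternative."""
    return [r["host"] for r in report if r["users"] >= min_users]
```

Running `shadow_it_report(PROXY_LOG)` puts the file-transfer site first because two users pushed 90 MiB to it, while the single-user unknown service lands last; `sanctioning_candidates` then returns the three services that more than one employee has adopted.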

 

FAQs

How can companies detect Shadow IT usage?

By using network monitoring tools, cloud access security brokers, and periodic IT audits.

 

Are there legal implications of using Shadow IT?

Yes, it can lead to noncompliance with regulations like HIPAA or other data protection laws.

 

How can small businesses manage Shadow IT effectively with limited resources?

They can focus on educating employees, setting clear policies, and approving safe alternatives to popular tools.

 

What’s the difference between Shadow IT and BYOD (Bring Your Own Device)?

BYOD involves approved personal devices under policy, while Shadow IT refers to unauthorized technology use.