78% of people who use AI at work bring their own tools (Microsoft & LinkedIn, 2024)

Device management governs the laptop while the personal profile in its browser carries company data elsewhere.

BYOD and shadow IT: where they overlap

BYOD refers to the practice of employees using personal devices to access company systems. The device is personal; the access is to company resources. Most companies with a BYOD program have some form of mobile device management or conditional access policy that governs how those devices connect.

Shadow IT enters through BYOD in a specific way: personal devices are where employees are most likely to use personal accounts for work tasks, install browser extensions without an IT review, and run AI tools in a personal profile that is entirely invisible to the managed environment.

The distinction matters because BYOD governance focuses on the device: encryption, remote wipe, application management on the enrolled device. Shadow IT governance focuses on the behaviour: what accounts access company data, what extensions have permission to read or modify that data, and what AI tools are processing it.

These are separate problems. A well-configured BYOD policy does not automatically address the shadow IT behaviour that happens through it.

why personal devices are a shadow IT accumulation point

Personal devices are where the friction between official tools and personal preference is highest. Employees who find the company-approved browser, productivity tool, or communication app slower or less capable than their preferred alternative will often use the personal version in their personal profile on their personal device, even when accessing company resources.

Browser extensions are a particular accumulation point. An AI writing assistant, a tab manager, an email productivity tool: each can be installed in a personal Chrome or Edge profile in seconds, without any endpoint management tool seeing it, without any IT review, and with permissions that may include reading the current page, accessing the user's mailbox, or injecting content into the browser session.

When that browser session is also accessing company email, internal documents, or business SaaS tools, the extension's permissions apply to company data. The extension was never reviewed. IT is unaware it exists.

the specific risks BYOD shadow IT creates

Data exfiltration via personal accounts. An employee who uses a personal Dropbox, Google Drive, or OneDrive account to transfer files between their personal device and work is creating a data pathway that bypasses your DLP controls, your backup policies, and your data classification. When that employee leaves, the data stays in their personal account.

Browser extension access to company data. Extensions installed in a personal profile can read and modify the content of pages the user is visiting, including company web apps. An extension that has been granted "read all page data" permission has access to whatever the user can see in the browser, including authenticated sessions in company SaaS tools.

AI tools in personal profiles. Personal AI accounts used to process work documents, summarize company emails, or assist with internal communication create data flows to external models without a DPA, without data classification, and without IT knowledge. Microsoft finds that 78% of people who use AI at work bring their own tools (Microsoft, 2024). Many of those tools run in personal profiles on personal devices.

Credential overlap. Employees who use the same password for personal and work accounts, or who store work credentials in a personal password manager, create a credential risk that does not appear in your identity posture until a personal account is compromised.

what works

The governance that holds in BYOD environments shrinks the overlap between personal behaviour and company data without trying to instrument personal profiles, an approach no policy survives. Managed browser profiles carry most of the weight. When access to company SaaS runs through a managed profile, separate from the personal one, extensions can be controlled, work and personal contexts stay apart, and the arrangement works the same on a personal laptop as on a corporate one. An extension policy follows naturally from there: a short allowlist for profiles that access company systems cuts the shadow-extension surface to a fraction of what an unmanaged browser carries.

Conditional access closes the loop from the identity side. IdP policies that grant access to company resources only under defined conditions, such as a compliant device or a managed profile, keep personal-device use possible while making the terms explicit. On the AI front, a published acceptable use policy naming which tools are approved for which data types removes most of the ambiguity that personal AI use with company data thrives in; where the sanctioned answer is known, the personal workaround loses its appeal.

None of this reaches the grants that already exist, which is why environments that govern BYOD well also run a periodic OAuth review through the IdP. Shadow grants created from personal accounts can persist after the person's employment ends, and the grant list surfaces them regardless of which device created them.
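The periodic OAuth review described above, as an added example that is not the page's or any vendor's tooling: it walks a list of delegated grants and flags those whose consenting user has left the directory and those carrying scopes broad enough to read mail or files. The record shape follows the Microsoft Graph oauth2PermissionGrants fields (clientId, consentType, principalId, scope); the grant records, the roster and the list of broad scopes are constructed for the example.

```python
"""Periodic OAuth grant review (added example, not the page's own tooling).
Record shape mirrors Graph oauth2PermissionGrants; all sample data is constructed."""
from dataclasses import dataclass

# Scopes that let a third-party app read mailbox or file content (assumed list).
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                "Files.ReadWrite.All", "Sites.Read.All"}

# Constructed directory roster: True = active account, False = departed.
ROSTER = {"u-101": True, "u-102": False, "u-103": True}

# Constructed grant records. consentType "Principal" is a single user's consent;
# "AllPrincipals" is admin consent for the whole tenant (principalId is null).
GRANTS = [
    {"id": "g1", "clientId": "app-notetaker", "consentType": "Principal",
     "principalId": "u-101", "scope": "User.Read openid"},
    {"id": "g2", "clientId": "app-ai-summarizer", "consentType": "Principal",
     "principalId": "u-102", "scope": "Mail.Read Files.Read.All"},
    {"id": "g3", "clientId": "app-tabmgr", "consentType": "Principal",
     "principalId": "u-103", "scope": "Files.ReadWrite.All"},
    {"id": "g4", "clientId": "app-hr", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read"},
]


@dataclass(frozen=True)
class Finding:
    grant_id: str
    client_id: str
    reasons: tuple


def review_grants(grants, roster, broad=BROAD_SCOPES):
    """Return one Finding per grant that needs a human decision."""
    findings = []
    for g in grants:
        reasons = []
        # Graph stores scopes as a space-separated string.
        hit = sorted(set(g["scope"].split()) & broad)
        if hit:
            reasons.append("broad scope: " + ", ".join(hit))
        if g["consentType"] == "Principal":
            pid = g.get("principalId")
            if pid not in roster:
                reasons.append("principal unknown to directory")
            elif not roster[pid]:
                reasons.append("principal no longer active")
        if reasons:
            findings.append(Finding(g["id"], g["clientId"], tuple(reasons)))
    return findings
```

Grant g2 is the case the text describes: a personal-account style consent that survives the person's departure and still reads mail and files.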
