Shadow IT examples
Former-employee accounts, forgotten grants, personal AI tools. What shadow IT looks like in practice, layer by layer.
78% of people who use AI at work bring their own tools (Microsoft & LinkedIn, 2024)
average measured apps vs <10 believed connected to M365 (AppOmni, 2024)
83% of employees still have access to a previous employer's account (Beyond Identity, 2022)
A former employee's live login, a forgotten grant, a personal AI account: the ordinary residue of ordinary work.
what shadow IT looks like in practice
Shadow IT examples tend to be mundane. Most do not involve deliberate workarounds or security-aware decisions. They reflect how people solve problems at work: quickly, with tools that are available, without always knowing or caring about the IT implications.
The patterns below sit in three domains: identity (accounts and access), SaaS (applications and integrations), and AI (data flows through AI tools). They appear with regularity across industries, company sizes, and IT maturity levels.
why these patterns persist
Shadow IT persists because each individual instance appears small in isolation. One former employee whose account was not fully closed. One OAuth grant created during a proof-of-concept. One AI tool adopted by a team because it was faster than the approved process.
The governance gap is created by the aggregate of instances that no single review process catches, because no single process spans identity, SaaS, and AI simultaneously.
shadow IT in identity
Former employee accounts still active. The directory is closed on the departure date. The CRM, the GitHub organization, the analytics tool, the finance system: each has its own user database, and offboarding did not reach all of them. Beyond Identity finds that 83% of employees admit they still have access to at least one account from a previous employer (Beyond Identity, 2022, self-reported).
Contractor accounts that outlived the project. A contractor engaged for six months. The project ran longer, then wound down. The contractor's accounts in the project management tool, the document system, and the communication platform were never formally closed.
Admin accounts used for daily work. A member of the IT team was granted admin rights to investigate a problem and continued using the admin account for routine tasks. The account holds more access than the daily role requires, and every action taken through it is attributed to a shared or elevated credential.
Service accounts without a named owner. A developer created a service account to connect two systems. The developer has since moved to a different company. The account is still active, connected to a production system, with no owner on record.
Shared credentials to a vendor portal. Finance and procurement share a login to a supplier portal. Multiple people know the password. Nobody has changed it in a long time, and nobody is certain which team member last updated it or whether it is still the correct one.
shadow IT in SaaS
OAuth grants to forgotten tools. A developer authorized a third-party code review tool to access the company GitHub during a trial. The trial ended. The tool was never adopted. The OAuth grant, and its read access to the repository, is still active.
Free trials that became permanent. A team lead signed up for a project management tool on a free trial to assess it. The trial converted to a free tier. Months later, the team still uses it. It holds task data, internal notes, and a connection to company systems. IT has never reviewed it.
Duplicate tools in different teams. Two teams independently adopted tools that serve the same function. Both have OAuth connections to the company directory. One is on the approved list. The other was adopted by a team that did not know the approved version existed.
Integration built by an ex-employee. An internal connector pulls data from two company systems and combines it in a shared dashboard. The person who built it has left. The integration is still running, still holds OAuth access to both source systems, and nobody currently employed knows how it works or who owns it.
SaaS apps connected to the IdP for SSO without a security review. An app requested SSO setup so employees could use their company login. IT added the connection for convenience. The app was never formally assessed, and the data it stores was never classified.
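As an added example, not code from unshadowit or from any tool the page describes, here is a small reconciliation over constructed data that surfaces the identity and SaaS patterns above: app accounts the directory no longer vouches for, service accounts with no named owner, and integration grants that are idle, owned by a leaver, never reviewed, or wider in scope than what was approved. The roster, app user lists, grants, approved scopes and the 90-day idle threshold are all assumptions.

```python
from datetime import date

# Constructed sample data: the HR roster plus each SaaS app's own user list.
ROSTER = {"ana": "active", "ben": "left", "cai": "active", "dee": "left"}
APP_USERS = {
    "crm": ["ana", "ben", "cai"],
    "github": ["ana", "dee", "svc-sync"],
    "finance": ["ben", "cai"],
}
# Integration grants as an app admin console would list them (constructed).
GRANTS = [
    {"app": "github", "client": "code-review-trial", "owner": "dee",
     "scopes": {"repo:read"}, "last_used": date(2023, 11, 2)},
    {"app": "github", "client": "ci-runner", "owner": "ana",
     "scopes": {"repo:read"}, "last_used": date(2024, 6, 1)},
    {"app": "notion", "client": "ai-assistant", "owner": "cai",
     "scopes": {"pages:read", "pages:write"}, "last_used": date(2024, 6, 3)},
]
# Scopes each integration was approved for at review time (assumed baseline).
APPROVED_SCOPES = {"ci-runner": {"repo:read"}, "ai-assistant": {"pages:read"}}
TODAY = date(2024, 6, 10)  # assumed audit date for the idle check

def orphaned_accounts(roster, app_users):
    """Accounts present in an app whose holder is not an active employee."""
    findings = []
    for app, users in app_users.items():
        for user in users:
            if user.startswith("svc-"):  # naming convention assumed here
                findings.append((app, user, "service account, no owner on record"))
            elif roster.get(user) != "active":
                findings.append((app, user, "owner not an active employee"))
    return findings

def stale_or_excess_grants(grants, roster, approved, today=TODAY, max_idle=90):
    """Grants that are idle, owned by a leaver, unreviewed, or over-scoped."""
    findings = []
    for g in grants:
        if (today - g["last_used"]).days > max_idle:
            findings.append((g["client"], f"unused for more than {max_idle} days"))
        if roster.get(g["owner"]) != "active":
            findings.append((g["client"], "owner no longer active"))
        if g["client"] not in approved:
            findings.append((g["client"], "not on the approved integration list"))
        else:
            excess = g["scopes"] - approved[g["client"]]
            if excess:
                findings.append((g["client"], "scopes beyond approval: " + ", ".join(sorted(excess))))
    return findings
```

Each finding maps to one pattern above; in a real environment the roster comes from the HR system and the user lists and grants from each app's admin API or export.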
shadow IT in AI
Personal AI accounts used for work tasks. Employees use personal AI accounts to draft internal communications, summarize meeting notes, and assist with document writing. The documents and notes contain company-confidential information. No data processing agreement is in place. Consumer account data handling terms apply.
AI browser extensions with mailbox access. An email productivity extension is installed in several employees' browsers. It was granted permission to read and compose emails. It processes email content to generate summaries and suggested replies. IT was not informed when it was installed. The extension vendor's data handling has not been reviewed.
AI tools with training clauses on submitted data. A team adopted an AI writing tool that, per its terms of service, may use submitted content to improve its models. The terms were not reviewed at adoption. Internal documents submitted to the tool may be used beyond the stated purpose.
AI connectors pulling internal documents. A team connected a Notion workspace or document store to an AI assistant to enable it to answer questions about internal content. The connector has read access to the connected document store. The scope of that access was broader than intended and was not reviewed before setup.
Microsoft finds that 78% of people who use AI at work bring their own tools (Microsoft, 2024), and in most environments at least some of that usage involves data flows nobody has reviewed.
let's start with a conversation
Most first conversations start with not quite knowing what you have or where to begin. That's normal, and it's exactly where we're useful.
Tell us what prompted this. An upcoming audit, an incident, a client's security questionnaire, or just a sense that things have gotten messy.
We'll take it from there

+48 783 762 997
julian@unshadowit.com