Shadow IT vs sanctioned IT
Most tools sit between fully managed and fully invisible. Where the line actually runs, and why the grey zone holds the risk.
average measured apps vs <10 believed connected to M365 (AppOmni, 2024)
of SaaS applications sit outside IT's management (Productiv, 2024)
SaaS applications in the average organization (Zylo, 2026)
Between managed and invisible sits the grey zone: tools IT knows exist and has never once reviewed.
defining both ends of the spectrum
Sanctioned IT is technology that IT manages, monitors, and is responsible for. It has been reviewed before adoption, operates under a data processing agreement where required, is included in the offboarding process, and has an internal owner. When something goes wrong with a sanctioned tool, someone is accountable and the response process is defined.
Shadow IT is technology that none of the above applies to. It may be in active daily use. It may process sensitive data. It may hold OAuth access to your directory. From an IT governance perspective, it does not exist.
Most companies have both, and most tools do not sit cleanly at either end. Between full governance and complete invisibility there is a wide middle ground that includes tools that are tolerated without being reviewed, apps that were once approved and have since drifted out of compliance, and integrations that were built by people who no longer work at the company.
the grey zone is where accumulation happens
The most risk-significant category is often the tools IT is vaguely aware of but has never formally reviewed, rather than the tools it has never heard of. These tools exist in a grey zone: not shadow IT in the sense of being entirely hidden, not sanctioned IT in the sense of being governed.
This category includes tools that were approved informally by a manager without IT involvement, tools that cleared a security review two or three years ago and have not been re-reviewed since, free trials that became permanent without ever going through procurement, and integrations that were built with IT awareness but without a formal review of the access they required.
Grey-zone tools are harder to manage than fully shadow tools because they generate a false sense of coverage. If IT is aware of a tool, there is an assumption it has been reviewed, even if it has not.
why the spectrum matters for risk and compliance
The position of a tool on the spectrum directly affects the risk it represents.
A fully sanctioned tool has a defined owner, a known access model, and a process for changing or revoking access. Its risks are bounded and manageable.
A fully shadow tool has none of that. Its access model is unknown. Its data handling may contradict your policies. When the employee who adopted it leaves, nobody knows the offboarding task exists.
Grey-zone tools carry a specific compliance risk: they are present in your environment but absent from your records. An auditor asking for evidence of access control will not accept "we knew about it informally" as a documented control. GDPR data processing registers, NIS2 supply chain assessments, and DORA ICT third-party registers all require formal documentation. Informal awareness does not satisfy these requirements.
what works
Many shadow tools turn out to be appropriate, useful, and worth keeping. What changes is their position on the spectrum: across the threshold into formal governance, where consistent controls apply. The movement starts with a complete list, and in cloud environments the most efficient source is an OAuth grant audit through the IdP; decisions made from a partial inventory tend to recreate the grey zone they were meant to close.
Assessment then runs on what each tool handles and holds. Personal data without a DPA marks the urgent tier, while tools with limited scope and no personal data can wait for a scheduled review. Every tool that stays gets a named internal owner who carries the review, the offboarding hook, and future decisions about the tool, because grey-zone tools are precisely the ones nobody owned. The review itself ends in one of three places: tools that pass enter the sanctioned list, tools that cannot meet the criteria are retired, and tools nobody actively uses are simply removed.
What prevents the spectrum from repopulating is an approval process faster than the workaround. Governance that loses a speed contest with a free-trial signup will keep losing it, so the practical benchmark for the review is the five minutes the signup takes.
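The inventory, assessment, ownership and outcome steps described above, carried through as an added worked example; this is not the page's or unshadowit's own tooling. It assumes an OAuth-grant inventory has already been exported from the IdP and normalised into the Grant shape below. The field names, the scope names used to flag directory-level access, the 730-day review age and the 90-day unused threshold are all assumptions, and the sample grants are constructed.

```python
"""Spectrum placement and review triage over a constructed OAuth-grant inventory.

Added example, not the page's own code. Field names below are assumptions, not
any vendor's export schema; the grants at the bottom are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed thresholds: a review older than this has drifted out of governance;
# a grant unused for longer than this is treated as abandoned.
REVIEW_MAX_AGE = timedelta(days=730)
UNUSED_MAX_AGE = timedelta(days=90)

# Constructed placeholder scope names that imply directory-level access.
BROAD_SCOPES = {"directory.read", "directory.write", "users.read.all"}


@dataclass
class Grant:
    app: str
    scopes: set[str] = field(default_factory=set)
    owner: str | None = None          # named internal owner, or None
    last_review: date | None = None   # date of the last security review
    has_dpa: bool = False
    personal_data: bool = False
    last_used: date | None = None
    active_users: int = 0


def position(g: Grant, today: date) -> str:
    """Place a grant on the sanctioned / grey zone / shadow spectrum.

    Sanctioned needs all three controls: an owner, a recent review, and a DPA
    where personal data is involved. Grey zone means IT knows of the tool in
    some way (an owner or an old review) but the controls are incomplete.
    """
    reviewed_recently = (
        g.last_review is not None and today - g.last_review <= REVIEW_MAX_AGE
    )
    dpa_ok = g.has_dpa or not g.personal_data
    if g.owner is not None and reviewed_recently and dpa_ok:
        return "sanctioned"
    if g.owner is not None or g.last_review is not None:
        return "grey zone"
    return "shadow"


def triage(g: Grant, today: date) -> str:
    """Decide the review tier: remove, urgent review, or scheduled review."""
    unused = g.last_used is not None and today - g.last_used > UNUSED_MAX_AGE
    if g.active_users == 0 or unused:
        return "remove"            # nobody actively uses it
    if g.personal_data and not g.has_dpa:
        return "urgent review"     # personal data without a DPA: urgent tier
    if g.scopes & BROAD_SCOPES:
        return "urgent review"     # assumption: directory access goes first
    return "scheduled review"      # limited scope, no personal data can wait


def summarize(grants: list[Grant], today: date) -> dict[str, int]:
    """Count grants per spectrum position, the figure an auditor asks for first."""
    counts = {"sanctioned": 0, "grey zone": 0, "shadow": 0}
    for g in grants:
        counts[position(g, today)] += 1
    return counts


# Constructed sample inventory (not real apps or real grants).
TODAY = date(2026, 1, 15)
SAMPLE_GRANTS = [
    Grant("crm-sync", {"contacts.read"}, "alice", date(2025, 6, 1),
          has_dpa=True, personal_data=True,
          last_used=date(2026, 1, 10), active_users=12),
    Grant("free-trial-whiteboard", {"profile.read"},
          last_used=date(2026, 1, 12), active_users=3),
    Grant("legacy-hr-export", {"directory.read", "users.read.all"},
          last_review=date(2022, 3, 1), personal_data=True,
          last_used=date(2026, 1, 2), active_users=2),
    Grant("old-survey-tool", set(), "carol", date(2024, 1, 1),
          has_dpa=True, personal_data=True,
          last_used=date(2025, 6, 1), active_users=0),
]

if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        owner = g.owner or "NO OWNER"
        print(f"{g.app:24} {position(g, TODAY):10} {triage(g, TODAY):16} {owner}")
    print(summarize(SAMPLE_GRANTS, TODAY))
```

Run as a script it prints one line per grant with its spectrum position, review tier and owner, then the per-position counts. The "NO OWNER" marker is the list to act on first: every grant that stays needs a named owner before it can reach the sanctioned column, and the grey-zone count is the compliance gap an auditor will find.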
let's start with a conversation
Most first conversations start with not quite knowing what you have or where to begin. That's normal, and it's exactly where we're useful.
Tell us what prompted this. An upcoming audit, an incident, a client's security questionnaire, or just a sense that things have gotten messy.
We'll take it from there

+48 783 762 997
julian@unshadowit.com