What is shadow IT
Every app, device, and integration outside formal IT management. The definition, the scale, and why it grows everywhere.
[figure missing] average measured apps vs <10 believed connected to M365 (AppOmni, 2024)
[figure missing] of SaaS applications sit outside IT's management (Productiv, 2024)
Shadow IT is every tool doing real work outside the inventory, adopted by people solving real problems.
shadow IT, in plain language
Shadow IT is the portion of your technology environment that operates outside formal IT management. That includes any application an employee signed up for without going through IT or procurement, any device connected to company systems without enrollment, any OAuth integration authorized without a security review, and any AI tool handling business data without a data processing agreement in place.
The word "shadow" describes a visibility gap rather than intent. An employee who signed up for a project tool to solve a real problem did not intend to create a security risk. They solved a problem. The IT consequence is that the tool, its access, and its data flows are now invisible to the people responsible for keeping the environment secure.
Shadow IT goes well beyond consumer apps. It includes trial SaaS subscriptions a team forgot to cancel, integrations built between tools by a developer who has since left, shared credentials to a vendor portal, and browser-based AI extensions installed on managed devices without a policy review.
shadow IT is a growth problem
Shadow IT is most accurately understood as a structural outcome of organizational growth. The faster a company scales, the wider the gap between what IT governs and what the business uses.
Small teams manage tooling informally. One person knows every app, can run offboarding in an afternoon, and keeps the full picture in their head. That model breaks at a threshold that is different for every company, but breaks for all of them.
As headcount increases, buying decisions decentralize. Teams adopt tools to solve their own problems. Procurement can happen on a company card without an IT review. A tool can go from "someone's idea" to "the whole team's workflow" in days. This is how growing businesses operate, and none of it is reckless.
The problem is what accumulates invisibly: accounts that outlive the people who opened them, OAuth grants that hold access to sensitive systems, AI tools processing data nobody classified. The gap between what IT manages and what the business uses does not close on its own.
what shadow IT actually costs
The cost of shadow IT settles in three places: security exposure, compliance liability, and operational drag.
Security. Every unsanctioned app is a potential breach path. OAuth grants give third-party tools access to your directory, mailboxes, and documents. When an employee authorizes a grant, accepts loose data handling terms, or uses a personal account for work, the exposure is invisible until something goes wrong. IBM data puts the average time to identify and contain a breach at 241 days.
Compliance. GDPR requires you to know where personal data is processed and by whom. NIS2 and DORA extend those requirements to supply chain and third-party access. Shadow IT creates data flows you cannot audit, third-party relationships you did not agree to, and access you cannot account for.
Operational. Duplicate tools, redundant licenses, and shadow subscriptions add direct cost. More significantly, they create an environment that is hard to harden. You cannot enforce a consistent security policy across tools you don't know about.
what works
No single method catches everything, so discovery that holds up layers several views of the same environment. The highest-signal starting point in cloud-first companies is the OAuth grant list: a read-only look at the IdP enumerates every third-party application granted access, with the scopes it holds and the person who authorized it. Companies running this for the first time routinely find dozens of apps nobody reviewed, some still carrying scopes granted years ago.
Web traffic adds the layer the directory cannot see. Outbound DNS and proxy logs show the domains employees visit consistently, and anything off the approved list is a candidate for investigation; this is where browser-based tools and personal AI accounts surface. The money leaves a third trail: expense claims and company card statements reconciled against the approved software list turn unrecognized line items into direct evidence of unsanctioned spend.
The tools that leave no technical or financial trace still answer to one method. An anonymized employee survey, positioned as support rather than audit, asks which tools each team relies on and cannot work without, and the answers regularly include software IT has never seen. Companies that keep the picture current treat discovery as a recurring cycle rather than a one-off project, because the inventory starts aging the day it is finished.
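As an added example (not code from the original page), the OAuth-grant layer described above as a triage pass: a constructed grant export is scored against a hypothetical sanctioned-client register and an HR departed-user list, so unsanctioned, broad-scope, stale and orphaned grants rise to the top of the review queue.

```python
from datetime import date

# Constructed sample of third-party OAuth grants as an IdP export might list them.
# Scope names follow Microsoft Graph naming because the page talks about M365;
# the apps, client ids, users and dates are invented for this example.
GRANTS = [
    {"app": "TeamChat", "client_id": "app-1001", "user": "ana@example.com",
     "scopes": ["openid", "email", "profile"], "granted": date(2024, 9, 1)},
    {"app": "NoteSync", "client_id": "app-2002", "user": "bob@example.com",
     "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"],
     "granted": date(2021, 5, 10)},
    {"app": "CalendarBot", "client_id": "app-3003", "user": "cara@example.com",
     "scopes": ["Calendars.Read"], "granted": date(2023, 11, 20)},
    {"app": "DirSyncer", "client_id": "app-4004", "user": "dan@example.com",
     "scopes": ["Directory.ReadWrite.All"], "granted": date(2025, 1, 15)},
]
APPROVED_CLIENTS = {"app-1001", "app-4004"}   # hypothetical sanctioned-app register
DEPARTED_USERS = {"bob@example.com"}          # constructed HR offboarding list
# Scopes that reach mailboxes, files or the directory, or keep a refresh token:
# standing access that outlives the session that granted it.
BROAD_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All",
                "Directory.ReadWrite.All", "offline_access"}

def triage(grants, approved, departed, today, stale_days=365):
    """Return one finding per risky grant, most signals first."""
    findings = []
    for g in grants:
        reasons = []
        if g["client_id"] not in approved:
            reasons.append("unsanctioned")            # never went through review
        broad = sorted(set(g["scopes"]) & BROAD_SCOPES)
        if broad:
            reasons.append("broad-scope:" + ",".join(broad))
        if (today - g["granted"]).days > stale_days:
            reasons.append("stale")                   # granted long ago, never re-reviewed
        if g["user"] in departed:
            reasons.append("orphaned")                # authorizer has left the company
        if reasons:
            findings.append({"app": g["app"], "client_id": g["client_id"],
                             "user": g["user"], "reasons": reasons})
    return sorted(findings, key=lambda f: len(f["reasons"]), reverse=True)

if __name__ == "__main__":
    for f in triage(GRANTS, APPROVED_CLIENTS, DEPARTED_USERS, date(2025, 6, 1)):
        print(f"{f['app']:<12} {f['client_id']:<9} {f['user']:<18} "
              + "; ".join(f["reasons"]))
```

A clean, approved, narrow-scope grant such as TeamChat produces no finding, which is the point: the list that comes out is the review queue, not the whole inventory.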