Shadow IT is an unavoidable feature of the modern workplace.
As teams adopt tools outside IT’s oversight, organisations lose visibility, introduce avoidable risk and spend money they can’t properly track.
What begins as a seemingly harmless shortcut of “we just needed something quickly” grows into a blind spot hiding security, compliance and financial issues.
This article explains why Shadow IT takes hold so easily, what it costs and how organisations can regain control without slowing the business down.
What is Shadow IT?
Shadow IT is any hardware, software, cloud service or SaaS application used without IT’s knowledge or approval.
Sometimes it’s minor. A team signs up for a free project tool to avoid waiting for a formal request so they can test it.
Sometimes it’s more serious. A department moves customer data into an unapproved database (or an AI tool) to meet a deadline.
However small the initial decision, the moment a tool sits outside your governance framework, no one can confirm who has access to it, where the data is stored, or whether the service meets your security and compliance requirements.
The growing scale of Shadow IT in numbers
Shadow IT is now common across most organisations:
- 80% of workers use SaaS tools not approved by IT
- 30–40% of enterprise IT spend sits in Shadow IT
- 69% of tech executives view Shadow IT as a top security concern, with 59% struggling with SaaS sprawl
Some studies go further.
One analysis found the average enterprise uses 108 approved cloud services, and 975 unapproved ones.
In practice, IT might believe the business uses a controlled set of 40 applications.
Finance data may reveal three times that number.
Much of the technology environment remains effectively invisible.
The hidden costs of Shadow IT
1. Financial waste
When teams purchase tools independently, spending loses structure. Duplicate subscriptions, unused licences and silent renewals accumulate unnoticed.
A common example: a marketing team pays for a reporting platform, product teams adopt similar tools of their own, IT already runs an enterprise analytics suite, and finance sees all three renewals with no explanation of what each one is for.
According to one Gartner study, the average organisation wastes up to 30% of its SaaS spend on improper licence management and duplicate tools.
2. Security vulnerabilities
Unapproved applications can bypass security controls. Weak or absent Multi-Factor Authentication, unencrypted data, unvetted integrations and uncontrolled access combine to widen the attack surface.
This could be something like a team storing a customer’s information in an unapproved note-taking app because it helps them co-ordinate.
But this app also integrates with dozens of third-party services by default. And because IT doesn’t know about it, they don’t review the connections.
If a breach occurs now, the data is already out of your control before you even know about it.
And the consequences are huge. The average data breach costs £4.4m, according to a report by IBM.
It’s not that this is an unknown risk either.
More than three quarters of SMBs see Shadow IT as a moderate to severe cybersecurity threat to their company.
As Adam Fletcher, CISO at Blackstone puts it: “Cybersecurity isn’t about avoiding risk. It’s about managing it intelligently.
“The future belongs to leaders who make cyber resilience a competitive advantage.”
3. Compliance & audit exposure
Shadow IT also creates regulatory danger.
Unapproved systems may store data in the wrong jurisdiction, lack proper audit trails or fail to meet standards such as GDPR, HIPAA or PCI-DSS.
Imagine a salesperson syncs EU customer data into a US-hosted plugin because it works better with Gmail. The transfer happens immediately, and the compliance breach remains in place from that moment on.
Without reliable discovery mechanisms, IT cannot detect personal licences holding corporate data, nor the risks associated with them.
Regulators increasingly expect board-level involvement.
Colin Low, Independent Board Director, AET, says: “If cybersecurity isn’t on the board calendar, it won’t get the attention it deserves.”
4. Operational inefficiency
Shadow IT fragments workflows. Service desks must support unfamiliar tools. Integrations break. Data spreads across multiple platforms with no agreed source of truth.
Even straightforward collaboration becomes cumbersome:
- Which tool is your team using?
- Do I have access?
- Where’s the latest version?
Repeated across departments, this friction adds up to significant productivity loss.
Why Shadow IT happens
Shadow IT almost never comes from deliberate concealment. It happens when formal processes introduce more friction than teams want.
Most employees simply want to move quickly.
If getting IT sign-off is slow, or overly controlled, departments will simply find their own tools.
Scott Brinker, a martech commentator, says employees often introduce Shadow IT with the best intentions:
“The motive behind Shadow IT is good. Employees simply want to use their preferred technologies in the workplace to get their jobs done.”
Freemium SaaS models accelerate this behaviour.
Hybrid work makes it easier to operate outside IT’s line of sight. And without dedicated discovery tools, IT finds new software only when something breaks or unexpected costs appear.
How to regain control over Shadow IT
1. Discover what’s being used
Visibility is the foundation. Few organisations appreciate the extent of their Shadow IT until they start looking, and the results are rarely small.
Modern discovery tools analyse identity platforms, expense records, network activity, browser extensions and CASB data to surface every application in use.
When combined, these sources produce a single, reliable inventory showing what tools exist, who uses them and how data flows through them.
2. Centralise visibility and ownership
Once your landscape is visible, each application must have a clearly accountable owner.
Someone needs to understand its purpose, usage, cost and risk level.
This doesn’t mean removing autonomy from departments. Instead, it creates a shared responsibility model.
Teams keep control of their tools, while IT ensures the wider environment remains safe, compliant and coherent.
3. Build practical governance policies
With ownership established, governance becomes a matter of clarity.
Policies should define how new tools are purchased, which risks require review, how data is handled, how access is granted and removed, and how renewals are evaluated.
Not every application needs the same level of scrutiny. High-risk systems that handle sensitive data need deeper assessment. Low-risk internal tools can follow lighter workflows.
4. Enable teams, don’t restrict them
Shadow IT grows when teams can’t get the tools they want quickly enough. Solving this means improving adoption, not tightening control.
With visibility you can create catalogues of approved tools. You can speed up approval cycles to stop people acting independently.
Having this clear guidance on when tools require more review can remove guesswork and improve how new tools are added to your hybrid IT environment.
When IT provides speed and transparency, teams are more likely to follow approved processes, rather than going rogue with their own tools.
5. Review and optimise continuously
Shadow IT isn’t a one-time clean-up.
Quarterly reviews allow you to retire unused licences, consolidate vendors, reassess risks and maintain alignment with evolving regulatory requirements.
Regular optimisation also reveals when teams consistently adopt the same types of tools, prompting IT to expand the approved catalogue before workarounds reappear.
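The discovery, ownership and risk-tiering steps above can be illustrated with a small correlation script. The following is an added example written for this article; it is not Certero’s product code, and every data source in it (an SSO assignment export, a finance expense export, a proxy/CASB-style access log, a domain-to-application map and an owner-supplied data classification) is constructed sample data. Real discovery tools ingest the same kinds of sources at scale; the point here is how merging them yields one inventory that exposes unapproved tools, duplicated spend and the applications that need deeper review.

```python
"""Correlate several discovery sources into one Shadow IT inventory.

Added example for the article above; all inputs below are constructed
sample data, not real exports.
"""
from dataclasses import dataclass, field

APPROVED = {"crm-suite", "analytics-pro"}  # IT's sanctioned catalogue (constructed)

SSO_ASSIGNMENTS = [  # identity platform export: which users are assigned which app
    {"app": "crm-suite", "user": "alice"},
    {"app": "crm-suite", "user": "bob"},
    {"app": "analytics-pro", "user": "carol"},
]

EXPENSE_LINES = [  # finance export: vendor, paying cost centre, monthly spend in GBP
    {"vendor": "analytics-pro", "cost_centre": "IT", "monthly_gbp": 900, "category": "analytics"},
    {"vendor": "chartly", "cost_centre": "Marketing", "monthly_gbp": 120, "category": "analytics"},
    {"vendor": "dashr", "cost_centre": "Product", "monthly_gbp": 150, "category": "analytics"},
    {"vendor": "notesync", "cost_centre": "Sales", "monthly_gbp": 40, "category": "notes"},
]

PROXY_LOGS = [  # web proxy / CASB-style log: (user, SaaS domain reached)
    ("alice", "app.chartly.example"),
    ("dave", "app.chartly.example"),
    ("erin", "notesync.example"),
    ("frank", "notesync.example"),
    ("carol", "analytics-pro.example"),
]

DOMAIN_TO_APP = {  # assumed mapping maintained by IT; discovery products ship their own
    "app.chartly.example": "chartly",
    "notesync.example": "notesync",
    "analytics-pro.example": "analytics-pro",
}

# Data classification recorded once an owner has been assigned (constructed).
# dashr has no entry yet: nobody has owned it, so its data handling is unknown.
DATA_CLASSES = {"notesync": {"customer-pii"}, "chartly": {"internal"}}


@dataclass
class AppRecord:
    name: str
    sources: set = field(default_factory=set)       # which feeds saw this app
    users: set = field(default_factory=set)         # everyone observed using it
    monthly_gbp: int = 0
    cost_centres: set = field(default_factory=set)  # who is paying for it
    category: str = ""

    @property
    def approved(self) -> bool:
        return self.name in APPROVED


def build_inventory(sso, expenses, proxy, domain_map):
    """Merge identity, finance and network evidence into one record per app."""
    inventory = {}

    def record(name):
        return inventory.setdefault(name, AppRecord(name))

    for row in sso:
        r = record(row["app"])
        r.sources.add("sso")
        r.users.add(row["user"])
    for line in expenses:
        r = record(line["vendor"])
        r.sources.add("expense")
        r.monthly_gbp += line["monthly_gbp"]
        r.cost_centres.add(line["cost_centre"])
        r.category = line["category"]
    for user, domain in proxy:
        app = domain_map.get(domain)
        if app is None:
            continue  # unknown SaaS domain: a lead for analysts, not an inventory entry yet
        r = record(app)
        r.sources.add("proxy")
        r.users.add(user)
    return inventory


def shadow_apps(inventory):
    """Applications seen in any feed but absent from the approved catalogue."""
    return sorted(name for name, r in inventory.items() if not r.approved)


def duplicate_spend(inventory):
    """Monthly spend on unapproved tools in a category IT already pays for."""
    covered = {r.category for r in inventory.values() if r.approved and r.category}
    return sum(r.monthly_gbp for r in inventory.values()
               if not r.approved and r.category in covered)


def suggest_owner(record):
    """Propose the accountable owner from the single paying cost centre."""
    if len(record.cost_centres) == 1:
        return next(iter(record.cost_centres))
    return "IT" if record.approved else "unassigned"


def risk_tier(record, data_classes):
    """High: holds customer PII. Medium: unapproved with unknown data handling. Low: the rest."""
    classes = data_classes.get(record.name)
    if classes and "customer-pii" in classes:
        return "high"
    if not record.approved and not classes:
        return "medium"
    return "low"


if __name__ == "__main__":
    inv = build_inventory(SSO_ASSIGNMENTS, EXPENSE_LINES, PROXY_LOGS, DOMAIN_TO_APP)
    for name in shadow_apps(inv):
        r = inv[name]
        print(f"{name}: users={sorted(r.users)} owner={suggest_owner(r)} "
              f"tier={risk_tier(r, DATA_CLASSES)} spend=£{r.monthly_gbp}/month")
    print(f"duplicate analytics spend: £{duplicate_spend(inv)}/month")
```

Each feed on its own is blind to something: the SSO export never sees chartly because nobody federated it, finance never sees who actually uses a tool, and the proxy log never sees dashr because its users work from a domain not in the map. Only the merged record shows that two departments are paying for analytics tools IT already licenses, and that the unowned note-taking app is the one holding customer data and therefore needs the deeper assessment the governance step describes.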
Get visibility and control of Shadow IT
Shadow IT thrives when it delivers the tools faster than IT departments can.
But left unchecked, it drains budgets, weakens security and scatters data across an opaque landscape.
The long-term solution is not to restrict teams but to meet them where they are – by improving visibility, offering clear guardrails and making the sanctioned route faster than the alternatives.
Every major shift in enterprise technology has followed the same pattern.
Users moved first, governance adapted later.
Shadow IT is no different.
Organisations that succeed are those that learn from this history, reduce friction and design processes that enable people rather than impede them.
The times, they are a-changin’. I’ve witnessed many step changes that IT teams fought against, only to realise the change was inevitable. Think hard about how you can adapt your processes to manage the risks that inevitably come with Shadow IT.

Scott Massey – Customer Relationship Manager
Scott is one of Certero’s earliest team members and a long-time expert in IT Asset Management, Software Asset Management, and FinOps. With over 16 years of hands-on experience helping organisations navigate audits, gain control of their environments, and improve visibility, Scott brings a practical, real-world perspective to solving discovery challenges in modern IT.