Shadow IT
Shadow IT is any software, hardware, cloud service or integration used inside an organization without IT department approval or oversight.
Shadow IT is any software, hardware, cloud service or integration used inside an organization without the knowledge, approval or oversight of the IT department. It is rarely malicious. Employees adopt tools to work faster, and every unsanctioned signup quietly expands the company's attack surface.
Key facts
- Around 80% of employees admit to using applications at work that IT has not approved, according to Cisco.
- Gartner estimates that 38% of technology purchases are managed and controlled by business leaders rather than IT.
- 41% of employees have acquired, modified or created technology without their IT team's knowledge, according to IBM research.
- The fastest-growing form of shadow IT today is shadow AI: unsanctioned AI chatbots, notetakers and OAuth-connected AI assistants.
Common examples of shadow IT
| Category | Typical examples | Why it appears |
|---|---|---|
| File storage and sharing | Personal Dropbox, Google Drive, WeTransfer | Sharing large files quickly with externals |
| Communication | WhatsApp, Telegram, personal email | Faster than sanctioned channels |
| Productivity and project tools | Trello, Notion, Airtable on personal accounts | Team wants features IT has not provided |
| SaaS signups | Any free-tier tool registered with a work email | Free, instant, no procurement needed |
| OAuth integrations | Third-party apps granted access to Google Workspace or Microsoft 365 | One-click connections to calendar, mail or drive |
| AI tools (shadow AI) | ChatGPT on personal accounts, AI meeting notetakers, AI email assistants | AI capability missing from the sanctioned stack |
| Devices | Personal laptops, phones and USB drives handling company data | Convenience, remote work |
Why shadow IT happens
Employees and teams route around IT for three predictable reasons: the approved toolset lacks something they need, procurement takes too long, or they already use a tool privately and bring it to work. SaaS made this effortless. Anyone with a browser and an email address can deploy new software in minutes, and free tiers mean no expense report ever betrays the signup. Punishing employees for it treats the symptom; the cause is almost always a gap between what people need and what IT provides.
The risks of shadow IT
Invisible attack surface
Security teams cannot patch, monitor or configure what they do not know exists. Every unsanctioned account is a set of credentials, often reused and without MFA, that nobody is watching.
Data loss and data sprawl
Company data stored in personal accounts is not backed up, not covered by retention policies, and stays accessible to employees after they leave.
Persistent OAuth access
Third-party apps granted mailbox, drive or calendar scopes keep that access until someone revokes it. Abandoned grants pile up for years, and a breach at any of those vendors becomes a breach of your data. Attackers exploit the same mechanism directly through OAuth consent phishing, tricking employees into granting mailbox access to a malicious app, a technique increasingly seen alongside business email compromise.
Compliance exposure
GDPR and industry regulations follow personal data wherever employees put it. Unsanctioned tools rarely meet the processing, residency and deletion requirements the organization has committed to, and "we did not know" is not a defense auditors accept.
Compounding costs
Duplicate subscriptions, data scattered across tools with no single source of truth, and expensive migrations when a shadow tool becomes load-bearing for a whole team.
How to detect shadow IT in 30 minutes
Most shadow IT announces itself in the email and identity layer, which makes it detectable without new infrastructure:
- Audit OAuth grants (10 min). In Google Admin (Security > API controls > App access control) or Microsoft Entra (Enterprise applications), list every third-party app with granted scopes. Sort by mail, drive and calendar access. Flag anything nobody approved.
- Search inbound welcome emails (10 min). Search company inboxes for common signup phrases ("verify your email", "welcome to", "confirm your account") from the last 90 days. Every unsanctioned SaaS tool sent one on day zero.
- Scan billing signals (5 min). Search for receipt and invoice emails from SaaS vendors that finance does not recognize.
- Review your SSO and password manager logs (5 min) for apps employees access outside the sanctioned catalog.
- Repeat continuously. A one-off audit captures a snapshot. New signups happen weekly, and the OAuth grants they create persist.
Manage it, don't ban it
Organizations that ban shadow IT outright push it further underground. A better approach: publish a short acceptable-use policy that names approved tools and the data types that must never leave them, make the request path for new tools fast (days, not months), provide sanctioned alternatives for the most common shadow categories including AI, review every app before it receives OAuth scopes on company accounts, and revoke unused grants on a schedule.
How Sentaro sees shadow IT
Nearly every SaaS tool an employee adopts announces itself in email: a welcome message, a verification link, a receipt, or an OAuth consent against Google Workspace or Microsoft 365. That makes the mailbox the earliest and most complete detection point for shadow IT. Sentaro's shadow IT discovery tool uses App and Domain Intelligence to monitor these signals continuously, surfacing new app signups, new OAuth grants and consent phishing attempts disguised as legitimate apps, so security teams see shadow IT as it appears instead of during the next annual audit.
FAQ
What does shadow IT mean?
Shadow IT is any technology (software, cloud services, devices or integrations) used within an organization without the IT department's knowledge or approval. The term covers everything from a personal Dropbox account used for work files to entire SaaS tools adopted by a team without review.
Is shadow IT illegal?
No, but it can put the organization in breach of GDPR, industry regulations or customer contracts if company or personal data is processed in tools without proper controls. The organization remains legally responsible regardless of whether IT knew about the tool.
What is the difference between shadow IT and shadow AI?
Shadow AI is the AI-specific subset of shadow IT: unsanctioned AI chatbots, meeting notetakers and AI assistants. It carries extra risk because AI tools ingest data as prompts, may retain or train on it, and often gain broad access through OAuth permissions.
What are the most common examples of shadow IT?
Personal cloud storage (Dropbox, Google Drive), messaging apps (WhatsApp, Telegram), free-tier SaaS tools registered with work emails, third-party apps connected via OAuth to Google Workspace or Microsoft 365, and increasingly AI tools.
How do I detect shadow IT in Google Workspace or Microsoft 365?
Audit third-party OAuth grants in the admin console, search inboxes for welcome and verification emails from unrecognized services, and check for SaaS receipts finance does not know. Continuous monitoring of the email layer catches new tools within minutes of signup.
Is shadow IT ever a good thing?
It signals real unmet needs and often surfaces better tools than the sanctioned stack. The productive response is to treat shadow IT as free product research: identify what employees adopted, vet it, and sanction what passes review, while closing the security gaps it created.
See every app and OAuth grant touching your inbox
Sentaro deploys on Google Workspace and Microsoft 365 in minutes and surfaces every new SaaS signup, AI tool and third-party integration in your email environment.