Shadow IT

Shadow IT is any software, hardware, cloud service or integration used inside an organization without IT department approval or oversight.

Shadow IT is any software, hardware, cloud service or integration used inside an organization without the knowledge, approval or oversight of the IT department. It is rarely malicious. Employees adopt tools to work faster, and every unsanctioned signup quietly expands the company's attack surface.

Key facts

Common examples of shadow IT

CategoryTypical examplesWhy it appears
File storage and sharingPersonal Dropbox, Google Drive, WeTransferSharing large files quickly with externals
CommunicationWhatsApp, Telegram, personal emailFaster than sanctioned channels
Productivity and project toolsTrello, Notion, Airtable on personal accountsTeam wants features IT has not provided
SaaS signupsAny free-tier tool registered with a work emailFree, instant, no procurement needed
OAuth integrationsThird-party apps granted access to Google Workspace or Microsoft 365One-click connections to calendar, mail or drive
AI tools (shadow AI)ChatGPT on personal accounts, AI meeting notetakers, AI email assistantsAI capability missing from the sanctioned stack
DevicesPersonal laptops, phones and USB drives handling company dataConvenience, remote work

Why shadow IT happens

Employees and teams route around IT for three predictable reasons: the approved toolset lacks something they need, procurement takes too long, or they already use a tool privately and bring it to work. SaaS made this effortless. Anyone with a browser and an email address can deploy new software in minutes, and free tiers mean no expense report ever betrays the signup. Punishing employees for it treats the symptom; the cause is almost always a gap between what people need and what IT provides.

The risks of shadow IT

Invisible attack surface

Security teams cannot patch, monitor or configure what they do not know exists. Every unsanctioned account is a set of credentials, often reused and without MFA, that nobody is watching.

Data loss and data sprawl

Company data stored in personal accounts is not backed up, not covered by retention policies, and stays accessible to employees after they leave.

Persistent OAuth access

Third-party apps granted mailbox, drive or calendar scopes keep that access until someone revokes it. Abandoned grants pile up for years, and a breach at any of those vendors becomes a breach of your data. Attackers exploit the same mechanism directly through OAuth consent phishing, tricking employees into granting mailbox access to a malicious app, a technique increasingly seen alongside business email compromise.

Compliance exposure

GDPR and industry regulations follow personal data wherever employees put it. Unsanctioned tools rarely meet the processing, residency and deletion requirements the organization has committed to, and "we did not know" is not a defense auditors accept.

Compounding costs

Duplicate subscriptions, data scattered across tools with no single source of truth, and expensive migrations when a shadow tool becomes load-bearing for a whole team.

How to detect shadow IT in 30 minutes

Most shadow IT announces itself in the email and identity layer, which makes it detectable without new infrastructure:

  1. Audit OAuth grants (10 min). In Google Admin (Security > API controls > App access control) or Microsoft Entra (Enterprise applications), list every third-party app with granted scopes. Sort by mail, drive and calendar access. Flag anything nobody approved.
  2. Search inbound welcome emails (10 min). Search company inboxes for common signup phrases ("verify your email", "welcome to", "confirm your account") from the last 90 days. Every unsanctioned SaaS tool sent one on day zero.
  3. Scan billing signals (5 min). Search for receipt and invoice emails from SaaS vendors that finance does not recognize.
  4. Review your SSO and password manager logs (5 min) for apps employees access outside the sanctioned catalog.
  5. Repeat continuously. A one-off audit captures a snapshot. New signups happen weekly, and the OAuth grants they create persist.

Manage it, don't ban it

Organizations that ban shadow IT outright push it further underground. A better approach: publish a short acceptable-use policy that names approved tools and the data types that must never leave them, make the request path for new tools fast (days, not months), provide sanctioned alternatives for the most common shadow categories including AI, review every app before it receives OAuth scopes on company accounts, and revoke unused grants on a schedule.

How Sentaro sees shadow IT

Nearly every SaaS tool an employee adopts announces itself in email: a welcome message, a verification link, a receipt, or an OAuth consent against Google Workspace or Microsoft 365. That makes the mailbox the earliest and most complete detection point for shadow IT. Sentaro's shadow IT discovery tool uses App and Domain Intelligence to monitor these signals continuously, surfacing new app signups, new OAuth grants and consent phishing attempts disguised as legitimate apps, so security teams see shadow IT as it appears instead of during the next annual audit.

FAQ

What does shadow IT mean?

Shadow IT is any technology (software, cloud services, devices or integrations) used within an organization without the IT department's knowledge or approval. The term covers everything from a personal Dropbox account used for work files to entire SaaS tools adopted by a team without review.

Is shadow IT illegal?

No, but it can put the organization in breach of GDPR, industry regulations or customer contracts if company or personal data is processed in tools without proper controls. The organization remains legally responsible regardless of whether IT knew about the tool.

What is the difference between shadow IT and shadow AI?

Shadow AI is the AI-specific subset of shadow IT: unsanctioned AI chatbots, meeting notetakers and AI assistants. It carries extra risk because AI tools ingest data as prompts, may retain or train on it, and often gain broad access through OAuth permissions.

What are the most common examples of shadow IT?

Personal cloud storage (Dropbox, Google Drive), messaging apps (WhatsApp, Telegram), free-tier SaaS tools registered with work emails, third-party apps connected via OAuth to Google Workspace or Microsoft 365, and increasingly AI tools.

How do I detect shadow IT in Google Workspace or Microsoft 365?

Audit third-party OAuth grants in the admin console, search inboxes for welcome and verification emails from unrecognized services, and check for SaaS receipts finance does not know. Continuous monitoring of the email layer catches new tools within minutes of signup.

Is shadow IT ever a good thing?

It signals real unmet needs and often surfaces better tools than the sanctioned stack. The productive response is to treat shadow IT as free product research: identify what employees adopted, vet it, and sanction what passes review, while closing the security gaps it created.

See every app and OAuth grant touching your inbox

Sentaro deploys on Google Workspace and Microsoft 365 in minutes and surfaces every new SaaS signup, AI tool and third-party integration in your email environment.

See shadow IT discovery