The Salesforce Instance Nobody Knew About
In 2022, a mid-size healthcare company discovered that one of its marketing teams had been running an entirely separate Salesforce instance — for eleven months. Patient-adjacent data sat in an environment with no encryption at rest, no access controls, and no logging. The IT security team had no idea it existed until a phishing email compromised an employee's credentials and a threat actor walked right into a system that was never on anyone's radar.
That's the real answer to the question "what is shadow IT?" — and it's uglier than most definitions suggest. It's not just someone using Dropbox instead of SharePoint. It's entire workflows, platforms, and data stores operating outside your security perimeter. And if you think it's not happening in your organization, I'd bet money you're wrong.
This post breaks down what shadow IT actually looks like in 2023, why it's a growing threat vector, and what practical steps your security team can take to find it and fix it — without becoming the department that says no to everything.
What Is Shadow IT, Really?
Shadow IT refers to any hardware, software, SaaS application, or cloud service used within an organization without the explicit knowledge or approval of the IT department. It ranges from an employee signing up for a project management tool with a corporate email to an entire department spinning up AWS instances on a company credit card.
The common thread: your security team can't protect what it can't see.
According to Gartner research, large enterprises use an estimated 1,000+ cloud applications — and IT departments are typically aware of only about a third. That gap represents a massive, unmonitored attack surface where data breach risks multiply silently.
Why Shadow IT Is Exploding in 2023
Remote work removed the guardrails
The pandemic-era shift to remote and hybrid work obliterated whatever perimeter controls organizations had left. Employees working from home started downloading collaboration tools, file-sharing apps, and AI-powered assistants without a second thought. Three years later, those habits are entrenched.
SaaS signup is frictionless
Most SaaS tools let anyone create an account with just an email address and a credit card. No procurement process. No security review. No IT ticket. A department head can have a new CRM running by lunch.
Generative AI accelerated the problem
2023 brought an explosion of generative AI tools. Employees across every department began experimenting with ChatGPT, Bard, and dozens of niche AI services — many of which ingest and store the data you paste into them. Samsung learned this the hard way when employees leaked proprietary source code through ChatGPT in early 2023.
IT is seen as a bottleneck
Here's the uncomfortable truth: shadow IT thrives because official IT processes are often slow. When a team needs a tool now and the procurement cycle takes six weeks, they route around IT. I've seen this pattern in organizations of every size, from 50-person startups to Fortune 500 companies.
The $4.45M Blind Spot in Your Security Posture
IBM's 2023 Cost of a Data Breach Report found the global average cost of a data breach hit $4.45 million — the highest ever recorded. Shadow IT contributes to these numbers in specific, measurable ways.
When applications sit outside your security monitoring, they don't get patched. They don't get covered by your endpoint detection. They don't have multi-factor authentication enforced. They become the path of least resistance for any threat actor looking for entry.
The Verizon 2023 Data Breach Investigations Report confirmed that 74% of all breaches involved the human element — including social engineering, errors, and misuse. Shadow IT amplifies every one of those categories. An employee who falls for a phishing email might hand over credentials to a system your security team doesn't even know exists, making incident response a nightmare.
What Shadow IT Looks Like Day-to-Day
It helps to move beyond abstract risk and look at what I actually encounter during security assessments. Here's a practical list:
- Unauthorized SaaS apps: Trello, Notion, Slack workspaces, Airtable databases — all holding project data, client names, or internal strategy documents.
- Personal cloud storage: Employees syncing work files to personal Google Drive or iCloud accounts.
- Browser extensions: Grammarly, screenshot tools, and productivity extensions that can read every page the browser displays — including your intranet.
- Messaging apps: Teams using WhatsApp or Signal for work conversations, putting sensitive discussions outside your retention and compliance policies.
- AI tools: Employees pasting customer data, code, or financial information into generative AI platforms with no data processing agreements in place.
- Rogue cloud infrastructure: Developers or data teams spinning up AWS, Azure, or GCP instances outside the company's managed environment.
Every item on that list is something I've personally found during engagements in the last twelve months.
Shadow IT and Compliance: A Regulatory Minefield
If your organization is subject to HIPAA, PCI DSS, SOX, GDPR, or any state privacy law, shadow IT isn't just a security problem — it's a compliance violation waiting to be discovered by an auditor or regulator.
The FTC has taken enforcement action against companies for failing to maintain reasonable security practices, including inadequate asset inventory and access controls. "We didn't know that system existed" is not a defense that regulators accept.
Under GDPR, data processed through an unapproved tool without a data processing agreement can trigger fines of up to 4% of global annual revenue. In my experience, most shadow IT apps have zero contractual data protection provisions.
How to Discover Shadow IT in Your Environment
Start with your network
Deploy a Cloud Access Security Broker (CASB) or analyze firewall and proxy logs. These tools identify outbound connections to cloud services and flag the ones IT hasn't sanctioned. You'll be surprised — or horrified — by the results.
Audit your SSO and identity provider
Check which OAuth authorizations employees have granted through Google Workspace or Microsoft 365. Every "Sign in with Google" click creates a connection your security team should review.
Review expense reports
This is low-tech but effective. Search for recurring charges to SaaS vendors in corporate credit card statements and expense reports. If someone's billing $49/month for a tool you've never heard of, that's shadow IT.
Ask your employees directly
Run an anonymous survey. Ask teams what tools they use daily. In my experience, employees aren't hiding shadow IT maliciously — they genuinely don't realize it's a problem. This is a security awareness gap, not a malice problem.
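As an added example that is not part of the original post, the script below applies the network-log step above: it parses constructed proxy log lines in a simple "<timestamp> <user> <destination host> <bytes sent>" format, matches each destination host (including subdomains) against a hypothetical SaaS catalogue and a hypothetical approved-software inventory, and reports which unsanctioned apps are in use, by whom, and how much data left the network for them. The catalogue, the sanctioned list, and the log format are assumptions; a real CASB or proxy export will need its own parser.

```python
from collections import defaultdict

# Hypothetical approved-software inventory and SaaS catalogue (assumptions).
SANCTIONED = {"sharepoint.com"}
SAAS_CATALOGUE = {
    "notion.so": "Notion",
    "trello.com": "Trello",
    "openai.com": "ChatGPT",
    "sharepoint.com": "SharePoint",
}

def match_catalogue(host):
    """Return the catalogue domain that host or one of its parent domains matches."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SAAS_CATALOGUE:
            return candidate
    return None

def find_shadow_it(lines):
    """Aggregate unsanctioned SaaS traffic as {app: {"users": set, "bytes": int}}.

    Lines are "<timestamp> <user> <destination host> <bytes sent>". Malformed
    lines are skipped; hosts absent from the catalogue are left for manual triage.
    """
    findings = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        _, user, host, size = parts
        key = match_catalogue(host)
        if key is None or key in SANCTIONED:
            continue  # unknown or approved: not a finding
        app = SAAS_CATALOGUE[key]
        findings[app]["users"].add(user)
        findings[app]["bytes"] += int(size)
    return dict(findings)

# Constructed sample proxy log lines (not from any real environment).
SAMPLE_LOG = """\
2023-09-04T09:12:01Z jdoe app.notion.so 48211
2023-09-04T09:13:44Z jdoe corp.sharepoint.com 1024
2023-09-04T09:15:10Z asmith chat.openai.com 950312
2023-09-04T09:16:02Z bwong api.trello.com 2048
2023-09-04T09:16:30Z asmith app.notion.so 512
not a valid line
""".splitlines()
```

Feed the output into the cross-reference step of the checklist: each app it names that is missing from your approved inventory is a finding to triage, and the per-user view tells you which teams to talk to first.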
Fixing Shadow IT Without Killing Productivity
The worst approach is to discover shadow IT and immediately block everything. That just drives it further underground. Here's what actually works.
Build a rapid approval process
If your security review takes six weeks, employees will route around it every time. Create a fast-track evaluation process for low-risk SaaS tools. Set clear criteria: Does it handle sensitive data? Does it support SSO and MFA? Does it have SOC 2 certification? If a tool checks those boxes, approve it within days, not months.
Adopt a zero trust architecture
Zero trust assumes no user, device, or application should be inherently trusted. By implementing zero trust principles — continuous verification, least-privilege access, microsegmentation — you limit the blast radius even when shadow IT exists. NIST's Special Publication 800-207 provides the foundational framework.
Enforce multi-factor authentication everywhere
If your identity provider requires MFA for all OAuth connections, even unauthorized SaaS tools get an extra layer of credential theft protection. It won't solve the data governance problem, but it significantly raises the bar for threat actors.
Train your people — continuously
Shadow IT is fundamentally a human problem. Employees don't think about security implications when they sign up for a new tool because nobody has explained why it matters. Effective cybersecurity awareness training that covers shadow IT risks closes that gap. Make it part of onboarding and reinforce it quarterly.
Simulate the attacks that exploit shadow IT
Credential theft through phishing is the most common way threat actors exploit unknown systems. If an employee uses the same password for an unsanctioned app and their corporate account — and they fall for a social engineering attack — your entire environment is at risk. Regular phishing awareness training tests whether employees can spot these attacks before credentials get stolen and used against systems you can't monitor.
Shadow IT and Ransomware: A Connection Most Miss
Here's something I don't see discussed enough. Ransomware operators increasingly target the weakest entry point in an environment. Shadow IT — unpatched, unmonitored, often running with excessive permissions — is exactly that weak point.
An unsanctioned remote access tool or file-sharing service can give a ransomware gang initial access without triggering any of your detection systems. From there, they move laterally using credential theft techniques until they reach something valuable enough to encrypt.
The FBI's IC3 received 2,385 ransomware complaints in 2022 alone, with adjusted losses exceeding $34 million. Many of those attacks started with a foothold in a system the victim organization didn't know it had.
A Shadow IT Discovery Checklist
Use this as a starting point for your next security review:
- Deploy or configure a CASB to inventory cloud application usage.
- Review OAuth app authorizations in your identity provider monthly.
- Audit corporate credit card and expense data for SaaS subscriptions.
- Conduct quarterly employee surveys on tool usage.
- Cross-reference discovered apps against your approved software inventory.
- Evaluate each shadow IT app for data sensitivity, authentication controls, and compliance requirements.
- Create a fast-track approval process so employees have a legitimate alternative to going rogue.
- Update your security awareness program to explicitly address shadow IT risks.
The Bottom Line on Shadow IT Risk
Understanding shadow IT is the easy part. Acting on it is where most organizations stall. Every unsanctioned app is an unmonitored doorway. Every unreviewed SaaS tool is a potential data breach. Every AI chatbot an employee pastes client data into is a compliance incident waiting to happen.
You can't secure what you can't see. Start with discovery, move to governance, and invest in the ongoing security awareness training that turns your employees from your biggest vulnerability into your first line of defense. The organizations that treat shadow IT as a solvable problem — rather than an inevitable one — are the ones that avoid becoming the next breach headline.