This phenomenon is known as Shadow IT: the use of applications, devices, cloud services or technology tools without supervision from the systems, security or management department. It may seem like a practical solution for working more efficiently, but it can also open the door to data leaks, uncontrolled access, duplicated costs and regulatory non-compliance.
In this article, we explain what Shadow IT is, why it appears, what risks it creates and how a company can control it without blocking the productivity of its teams.
What is Shadow IT?
Shadow IT refers to any technology used within a company without approval, knowledge or control from the IT department. It does not always come from bad intentions. In many cases, it appears because employees need to solve a specific task and look for the fastest tool.
It can include storage applications, AI tools, messaging platforms, task managers, browser extensions, personal accounts, personal devices or cloud services contracted directly by a department.
Some common examples of Shadow IT are:
- Storing company documents in personal Google Drive, Dropbox or WeTransfer accounts.
- Using generative AI tools with internal or confidential information.
- Creating workgroups in external applications without corporate control.
- Sharing passwords through spreadsheets or personal notes.
- Contracting a SaaS tool without reviewing conditions, security or data location.
- Using personal devices to access corporate information.
- Installing browser extensions without technical validation.
The problem is not that employees want to work better. The problem is that the company loses visibility over where its data is, who has access, which applications are being used and what risks are accumulating.
Why Shadow IT appears in companies
Shadow IT usually appears when there is a gap between the real needs of teams and the official tools provided by the company. If users feel that the internal system is slow, limited or too rigid, they will look for alternatives.
This is especially common in companies that have grown quickly, adopted cloud tools without a clear strategy or failed to properly define their internal processes.
The most common causes are:
- Lack of suitable corporate tools.
- Approval processes that are too slow.
- Lack of awareness of risks among users.
- Need for fast collaboration with clients or suppliers.
- Growing use of easy-to-contract SaaS applications.
- Absence of clear policies on permitted technology.
- Lack of an updated inventory of applications and access.
- Disorganised growth of Microsoft 365, Teams, SharePoint or cloud services.
In other words: Shadow IT does not appear for no reason. It is usually a symptom that the company needs to improve its IT governance, internal communication and ability to offer useful solutions to the business.
Main risks of Shadow IT
Shadow IT can go unnoticed for months or years. The problem appears when there is an information leak, a poorly managed employee departure, a forgotten external access or a critical tool that nobody knows how to administer.
Below, we look at the most important risks.
Loss of control over data
When documents are stored outside corporate systems, the company no longer knows where its information is. This affects contracts, customer data, financial documentation, internal projects, credentials or sensitive information.
The risk increases when personal accounts or free platforms are used without business-grade security, encryption, retention or access control policies.
If an employee leaves the company, they may still have documents in their personal account. If an external tool suffers a breach, the company may not find out. If a public link is shared, information may be exposed without anyone detecting it.
Regulatory non-compliance and data protection
Shadow IT can also create compliance problems. If a company processes personal data, confidential information or sensitive documentation, it must know where it is stored, who can access it and under what conditions.
Using unauthorised applications can cause data to be transferred to unreviewed providers, unsuitable countries or services without sufficient guarantees.
This can affect GDPR compliance, confidentiality agreements, contractual requirements with clients or sector-specific regulations.
That is why it is important to combine technology, processes and document review. At Inmove IT, this type of control is directly related to services such as GDPR data protection for companies, especially when corporate information is spread across multiple tools.
Increased attack surface
Every uncontrolled application is a potential entry point. It may have weak passwords, users without MFA, excessive permissions, insecure integrations or unmanaged vulnerabilities.
Microsoft, within its Zero Trust approach, highlights the importance of discovering Shadow IT, reviewing permissions within applications and applying least privilege principles in cloud environments (source: Microsoft Learn).
The problem is simple: you cannot protect what you do not know exists. If the IT department does not know that a tool exists, it cannot review it, configure it, monitor it or remove it properly.
Hidden costs and tool duplication
Shadow IT is not only a security risk. It also generates unnecessary costs.
It is common to find several tools doing the same thing: one for file sharing, another for task management, another for video calls, another for storing documentation and another for sending large files. Each department contracts what it needs, but nobody reviews the whole picture.
This leads to:
- Duplicated licences.
- Active accounts for users who no longer use the tool.
- Recurring payments without centralised control.
- Solutions overlapping with Microsoft 365 or other corporate platforms.
- Lack of global negotiation with suppliers.
- Difficulty knowing which tools are truly critical.
In medium-sized companies, this cost can grow without management noticing until invoices, renewals and access are reviewed.
Dependence on specific people
Another common risk is that a key tool depends on a single person. That person knows how to access it, how to configure it, where the data is and how it is billed.
If they change role, leave the company or go on holiday, the service can become blocked. Nobody knows who the administrator is, how to recover the account or how to cancel the subscription.
This dependence creates operational fragility. And in many cases, it is not detected until there is an emergency.
Shadow IT and Microsoft 365: a more common problem than it seems
Many companies believe that, because they use Microsoft 365, everything is already under control. However, Shadow IT can also appear within the Microsoft ecosystem itself.
For example:
- Teams created without structure.
- Channels with external users without review.
- SharePoint folders shared with anonymous links.
- Duplicated documents in personal OneDrive accounts.
- Microsoft 365 groups without a clear owner.
- Applications connected through OAuth permissions.
- Automations created by users without documentation.
- Shared mailboxes without access control.
The problem is not Microsoft 365, but the lack of governance. A powerful platform needs configuration, policies and periodic review.
That is why controlling Shadow IT must include an audit of users, groups, permissions, connected applications, devices and access rules. This work fits with services such as IT audits for companies, which help detect risks before they become incidents.
Shadow IT and Shadow AI: the new added risk
In recent years, a particularly sensitive variant has appeared: Shadow AI. This happens when employees use artificial intelligence tools without authorisation to process corporate information.
It can be as simple as copying into an external tool:
- A contract.
- A commercial proposal.
- A customer list.
- A financial report.
- Source code.
- Internal production data.
- Emails.
- Human resources information.
The risk is that the company may lose control over the information entered, its subsequent processing and the provider’s conditions.
This does not mean that AI should be banned. It means it must be regulated. The company must define which tools can be used, with what data, under what conditions and with what level of supervision.
A clear AI usage policy can prevent many problems without slowing innovation.
How to detect Shadow IT in your company
Detecting Shadow IT requires combining technical review, process analysis and conversations with teams. It is not enough to review a list of installed programs, because many current tools work directly from the browser.
A good starting point is to review:
- SaaS applications paid for with corporate cards.
- Tools linked to company email accounts.
- Applications with permissions over Microsoft 365 or Google Workspace.
- Installed browser extensions.
- Cloud services used to share files.
- Personal devices connected to corporate resources.
- Externally shared links.
- External users in Teams, SharePoint or other platforms.
- Tools used by departments such as marketing, sales, administration or human resources.
It is also useful to ask teams which tools they actually use to work. The goal should not be to point fingers, but to understand needs.
Often, Shadow IT reveals that the company needs a better, more agile or better-communicated official solution.
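The review points above include applications that hold OAuth permissions over Microsoft 365. The script below is an added example, not code from the article or from Inmove IT: it triages a constructed export of connected applications (the column layout is an assumption; the scope names are real Microsoft Graph delegated permissions) and flags the cases an IT department would want to look at first.

```python
import csv
import io

# Constructed sample export of third-party applications that hold OAuth consent
# over a Microsoft 365 tenant. The column layout is an assumption for this
# example; the scope names are real Microsoft Graph delegated permissions.
CONSENT_EXPORT = """\
app_name,publisher_verified,consent_type,scopes,consented_by,days_since_last_use
Corporate Backup,yes,admin,Files.Read.All offline_access,it@example.com,3
Quick PDF Merge,no,user,Files.ReadWrite.All offline_access,ana@example.com,210
Meeting Notes AI,no,user,Mail.Read Calendars.Read offline_access,luis@example.com,1
Team Poll,yes,user,User.Read,marta@example.com,14
"""

# Delegated scopes that reach every file, site or mailbox the consenting user can see.
BROAD_SCOPES = {
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Mail.Read", "Mail.ReadWrite", "Calendars.Read", "Contacts.Read",
}


def review_consents(export_text, stale_days=90):
    """Return {app_name: [reasons]} for connected apps that deserve an IT review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        scopes = set(row["scopes"].split())
        broad = sorted(scopes & BROAD_SCOPES)
        reasons = []
        if broad and row["consent_type"] == "user":
            # One user granted the app reach over everything that user can access,
            # and no administrator ever reviewed it.
            reasons.append("user-consented with broad scopes: " + ", ".join(broad))
        if broad and row["publisher_verified"] != "yes":
            reasons.append("unverified publisher holds broad scopes")
        if "offline_access" in scopes and int(row["days_since_last_use"]) > stale_days:
            # offline_access means a refresh token that keeps working long after
            # the user stopped using the tool (or left the company).
            reasons.append("persistent access unused for %s days" % row["days_since_last_use"])
        if reasons:
            findings[row["app_name"]] = reasons
    return findings


def highest_priority(findings):
    """Apps to handle first: broad scopes granted by a user rather than an admin."""
    return sorted(app for app, reasons in findings.items()
                  if any(r.startswith("user-consented") for r in reasons))


if __name__ == "__main__":
    for app, reasons in review_consents(CONSENT_EXPORT).items():
        print(app, "->", "; ".join(reasons))
    print("handle first:", highest_priority(review_consents(CONSENT_EXPORT)))
```

An admin-consented, publisher-verified app with broad scopes that is in regular use (the first row) produces no finding; the point is not to block integrations but to surface the ones nobody reviewed.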
How to reduce Shadow IT without blocking productivity
Eliminating Shadow IT completely is not always realistic. The most important thing is to reduce risk, gain visibility and create a secure usage framework.
1. Create a real application inventory
The first step is knowing which tools are being used. This inventory must include official and unofficial applications, owners, users, cost, type of data processed and criticality.
There is no need to start with a complex model. The most important thing is to have a clear view:
- Which tool is used.
- What it is used for.
- Who administers it.
- What data it stores.
- Who has access.
- How much it costs.
- Which corporate alternative exists.
- Whether it meets minimum security requirements.
This inventory should be reviewed periodically, not just once a year.
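As an added example (not code from the article or from Inmove IT), the script below runs the review this inventory enables: it takes a constructed inventory with the fields listed above and flags the risks the article describes earlier, namely tools that depend on a single person, corporate data in personal accounts, sensitive data without MFA, unapproved tools and tools that duplicate an existing corporate alternative. All names, costs and user counts are made up.

```python
from collections import defaultdict

# Constructed sample inventory; the fields mirror the list above, every value is made up.
INVENTORY = [
    {"tool": "SharePoint Online", "category": "file sharing", "admins": ["it@example.com", "ops@example.com"],
     "data": "confidential", "users": 120, "cost_month": 0, "account": "corporate", "mfa": True, "approved": True},
    {"tool": "Personal Dropbox", "category": "file sharing", "admins": ["ana@example.com"],
     "data": "confidential", "users": 4, "cost_month": 0, "account": "personal", "mfa": False, "approved": False},
    {"tool": "TaskBoard SaaS", "category": "task management", "admins": ["luis@example.com"],
     "data": "internal", "users": 9, "cost_month": 90, "account": "corporate", "mfa": False, "approved": False},
    {"tool": "Planner", "category": "task management", "admins": ["it@example.com", "ops@example.com"],
     "data": "internal", "users": 60, "cost_month": 0, "account": "corporate", "mfa": True, "approved": True},
]

# Data classifications that must never sit behind a password alone.
SENSITIVE = {"confidential", "personal data"}


def review_inventory(inventory):
    """Return {tool: [findings]}; tools with nothing to report are absent."""
    findings = defaultdict(list)
    by_category = defaultdict(list)
    for app in inventory:
        name = app["tool"]
        by_category[app["category"]].append(app)
        if not app["admins"]:
            findings[name].append("no known administrator")
        elif len(app["admins"]) == 1:
            # Operational fragility: one person knows the access, config and billing.
            findings[name].append("depends on a single person: " + app["admins"][0])
        if app["account"] == "personal":
            findings[name].append("corporate data held in a personal account")
        if app["data"] in SENSITIVE and not app["mfa"]:
            findings[name].append("sensitive data without MFA")
        if not app["approved"]:
            findings[name].append("not in the permitted applications policy")
    # Tool duplication: an unapproved tool in a category that already has an
    # approved corporate alternative.
    for apps in by_category.values():
        approved = [a["tool"] for a in apps if a["approved"]]
        for app in apps:
            if approved and not app["approved"]:
                findings[app["tool"]].append("overlaps corporate alternative " + approved[0])
    return dict(findings)


def duplicated_cost(inventory):
    """Monthly spend on unapproved tools that duplicate an approved one."""
    findings = review_inventory(inventory)
    return sum(app["cost_month"] for app in inventory
               if any(f.startswith("overlaps corporate alternative") for f in findings.get(app["tool"], [])))


if __name__ == "__main__":
    for tool, issues in review_inventory(INVENTORY).items():
        print(tool, "->", "; ".join(issues))
    print("monthly cost of duplicated tools:", duplicated_cost(INVENTORY))
```
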
2. Define a permitted applications policy
The company needs a clear policy on which tools can be used and which cannot. This policy should be written in simple language and be easy to apply.
It should answer questions such as:
- Which applications are approved?
- Who can request a new tool?
- Which data cannot be uploaded to external services?
- Which AI tools are permitted?
- What requirements must a SaaS provider meet?
- How are external users managed?
- What happens when an employee leaves?
The policy must be practical. If it is too rigid, users will look for shortcuts. If it is too vague, it will not help make decisions.
3. Provide useful corporate alternatives
Often, employees turn to Shadow IT because the official tools do not properly solve their needs.
For example, if the company bans WeTransfer but does not offer a convenient way to send large files, the problem will continue to exist. If it blocks AI tools but does not explain which alternative can be used, users will look for another way.
The key is to replace “you cannot do this” with “this is the secure way to do it”.
4. Review permissions and access periodically
Shadow IT becomes more serious when permissions accumulate without control. That is why it is advisable to review the following periodically:
- Active and inactive users.
- External access.
- Security groups.
- Teams and SharePoint owners.
- Applications connected to Microsoft 365.
- Accounts with administrative permissions.
- Shared mailboxes.
- Public or anonymous links.
This work reduces risks and improves traceability. It also prevents former employees, suppliers or collaborators from keeping unnecessary access.
5. Apply MFA and least privilege
Access control is one of the most important measures. All critical applications should use MFA, especially if they contain corporate information or allow remote access.
In addition, each user should only have the permissions they need to work. No more and no less.
This principle of least privilege helps reduce the impact if an account is compromised. It also facilitates internal control and improves the overall security of the environment.
6. Train users with real examples
Shadow IT cannot be corrected with technology alone. Awareness is also needed.
Employees must understand that uploading a file to an external tool, using a personal account or connecting an unreviewed application can create real risks.
Training must be clear and accessible. It is better to explain specific cases than to use generic messages.
For example:
- “Do not upload contracts to unapproved AI tools”.
- “Do not share folders with public links”.
- “Do not use personal accounts for company documents”.
- “Do not install extensions without validation”.
- “Request a tool before contracting it yourself”.
When users understand the reason, it is easier for them to collaborate.
What role does the IT department play?
The IT department should not act only as a brake. Its role should be to help the company work securely.
To do this, it must:
- Listen to the needs of departments.
- Offer suitable corporate tools.
- Define agile request processes.
- Evaluate SaaS providers.
- Review permissions and configurations.
- Document critical applications.
- Support users through change.
- Maintain a global view of the technology environment.
Shadow IT is not fought only by blocking. It is fought by providing alternatives, visibility and control.
How an IT audit can help
An IT audit helps detect applications, access and risks that do not always appear in day-to-day operations. It is especially useful when a company has grown quickly, incorporated many cloud tools or lacks updated documentation.
A Shadow IT-oriented audit can review:
- Application inventory.
- Microsoft 365 status.
- Users and permissions.
- Connected applications.
- Devices.
- Contracted SaaS tools.
- Licences and costs.
- External access.
- Security policies.
- User onboarding and offboarding procedures.
From there, a realistic improvement plan can be established, prioritising the most important risks and avoiding sudden changes that affect daily work.
This approach fits with a broader vision of IT maintenance for companies, where the goal is not only to resolve incidents, but to prevent problems before they impact the business.
Signs that your company may have a Shadow IT problem
It is not always easy to detect Shadow IT from a management perspective. But there are clear signs that should trigger a review:
- Nobody has a complete list of applications being used.
- Each department contracts its own tools.
- There are corporate documents in personal accounts.
- There are external users that nobody reviews.
- There is no centralised licence control.
- AI tools are used without an internal policy.
- Employees share files using public links.
- There is no formal process for approving new applications.
- User departures are managed manually and without a checklist.
- There are critical tools administered by a single person.
If several of these situations exist in your company, Shadow IT probably already exists. The question is not whether it is happening, but how much risk it is creating.
Basic checklist to start controlling Shadow IT
Before implementing complex solutions, a company can start with a simple review.
Recommended steps:
- Create a list of applications used by each department.
- Identify which tools store sensitive data.
- Review who administers each application.
- Check whether there are external users or former employees.
- Review recurring payments for SaaS tools.
- Define which applications are permitted.
- Create a process to request new tools.
- Establish rules for the use of AI.
- Review permissions in Microsoft 365.
- Train users with practical examples.
This checklist does not eliminate all risks, but it helps gain visibility and start organising the environment.
Conclusion
Shadow IT is not just a technical problem. It is a problem of control, security, costs and organisation.
When a company does not know which applications are being used, where its data is or who has access to what information, the risk of data leaks, regulatory non-compliance, duplicated costs and dependence on specific people increases.
The solution is not to ban everything, but to create a balanced model: useful corporate tools, clear policies, permission reviews, application control, training and periodic auditing.
In an environment where more and more processes depend on cloud services, SaaS, Microsoft 365 and artificial intelligence, controlling Shadow IT has become an essential part of business IT security.
If you are not sure which applications, access or cloud services are actually being used in your company, it may be a good time to review the environment with an organised and practical approach.
An IT review helps detect risks, identify duplicated tools, improve permissions and establish a safer technology usage policy without slowing productivity.
At Inmove IT Solutions, we help companies organise, protect and document their technology environment through audits, maintenance, cybersecurity and systems management.
You can contact our team to review your current situation and define a plan adapted to your company’s real needs.
Frequently asked questions about Shadow IT
Is Shadow IT always dangerous?
It does not always start as something dangerous, but it does create risk when the company lacks visibility and control. A useful application can become a problem if it stores sensitive data, does not have MFA, is not documented or depends on a personal account.
Why do employees use unauthorised applications?
They usually do it to work faster, collaborate better or solve a need that official tools do not cover. That is why it is important to listen to teams and provide secure corporate alternatives.
What is the relationship between Shadow IT and Microsoft 365?
Microsoft 365 can reduce many risks if it is properly configured, but it can also create disorder if permissions, external users, groups, shared links and connected applications are not reviewed. The problem is not the tool, but the lack of governance.
How can a company start controlling Shadow IT?
The first step is to create an inventory of applications and access. Then it is advisable to review permissions, define permitted tools, establish an approval process and train users.
Is the use of AI tools also Shadow IT?
Yes, when unapproved AI tools are used to process corporate information. In this case, we also talk about Shadow AI, a particularly sensitive variant because it may involve internal data, contracts, customer information or confidential documentation.
Is it necessary to block all external applications?
Not necessarily. The most important thing is to assess risks and define clear rules. Some external tools may be valid if they meet security, privacy, access control and continuity requirements.