Shadow IT in the enterprise: the CIOs' action plan to regain control

Shadow IT is no longer a minor issue hidden away in a corner of the information system.

In many companies, it's everywhere.

A marketing department opens an account on an emailing tool. A sales team adds an AI extension to its CRM. HR tests a SaaS application to track interviews. A manager creates an Airtable database to manage their projects. An employee connects an automation tool to their Drive.

None of this stems from bad intentions.

Teams want to move fast. They want to avoid delays. They want to solve a concrete problem. And often, they're right in principle: the official tool doesn't meet the need well enough, or fast enough.

But for an IT department, shadow IT creates a blind spot. Unauthorized SaaS tools accumulate. Accesses become scattered. Data moves outside the intended framework. GDPR compliance becomes harder to prove. IT security relies on practices that no one truly sees.

The issue, therefore, isn't to "hunt down" shadow IT as an anomaly. The real challenge is to regain control without stifling business momentum.

This is where the IT department's role changes. It can no longer just say yes or no. It must understand, prioritize, secure, rationalize, and propose better options.

What exactly is shadow IT?

Shadow IT refers to all tools, software, SaaS applications, accounts, scripts, automations, or cloud services used within a company without validation or oversight from the IT department.

This can be very simple.

A file shared outside the official Drive. A project management tool paid for with a team credit card. A Zapier or Make connector created without oversight. An AI application used to process internal documents. A parallel CRM created in Notion. An administrator account retained after an employee's departure.

Shadow IT, therefore, doesn't only concern large corporations. It also affects SMEs, mid-sized companies, and growing organizations.

The more SaaS applications a company uses, the higher the risk. The Cloud Security Alliance states in its 2025 SaaS Security Report that companies face issues with visibility, shadow IT, overly broad access, and poorly controlled third-party integrations. The report also highlights that 86% of organizations now place SaaS security as a high priority.

The important point is simple: shadow IT isn't a specific tool. It's a gray area.

And a gray area, within an IS, often ends up becoming a risk zone.

Why business units create shadow IT

To regain control over shadow IT, one must first accept a somewhat uncomfortable idea: if business units bypass the IT department, it's often because they're trying to solve a real problem.

A salesperson doesn't install a prospecting tool to create a security vulnerability. They do it because they want to sell better.

An HR manager doesn't create a tracking spreadsheet outside the official system to jeopardize GDPR compliance. They do it because the official process is too slow.

A product team doesn't test an AI application to complicate IT governance. They do it because they want to save time.

In many cases, shadow IT reveals three things.

First, official tools don't adequately cover on-the-ground needs.

Second, business requests take too long to be processed.

Finally, IT rules are sometimes misunderstood, too abstract, or perceived as a hindrance.

That's why a pure 'hunt and block' strategy rarely works. Blocking all unauthorized SaaS tools can give an illusion of control. But the practices don't always disappear. They shift. They move to personal accounts, unmanaged devices, or data exports.

The right approach is to turn shadow IT into a signal. Every undeclared tool says something about a business pain point.

When multiple teams use parallel tools to manage simple tasks, the problem might not be discipline. The problem might be poor process automation.

When a department creates its own CRM in Notion, Airtable, or Excel, the problem might stem from an official CRM that is too rigid. In this case, working on a custom CRM for SMEs might be more useful than a simple reminder of the rules.

What shadow IT really costs the company

The risks of shadow IT are not always visible at first.

A free tool seems inconsequential. A small automation seems convenient. A SaaS application used by three people seems too minor to interest the IT department.

Then time passes.

Customer data ends up in multiple tools. Access rights are no longer revoked when an employee leaves. SaaS contracts multiply. Duplicates appear. Sensitive information circulates in unapproved spaces. Teams make decisions with partial data.

The cost of shadow IT manifests on several levels.

First, there's the IT security risk. An unsanctioned tool may have a weak security policy. It might not properly manage authentication, roles, exports, or logs. It could also be connected to critical applications.

Then there's the GDPR compliance risk. If a company doesn't know where its data goes, who accesses it, and how long it's retained, it will struggle to demonstrate control.

There's also the operational risk. A workflow created by an employee can become critical without documentation. The day that person leaves the company, no one knows how the process works.

Finally, there's the financial risk. SaaS sprawl, meaning the proliferation of SaaS applications, creates unnecessary subscriptions, redundant tools, and expenses that are difficult to track.

The issue becomes even more sensitive with AI. IBM states in its 2025 Cost of a Data Breach Report that the global average cost of a breach reaches $4.4 million. The same report highlights a governance gap around uncontrolled AI uses.

This figure doesn't mean every company will experience a crisis of this magnitude. But it shows one thing: blind spots are costly when they involve data, access, and ungoverned uses.

Action plan for CIOs: regaining control in 6 steps

Regaining control over shadow IT doesn't mean launching a major punitive operation.

It means building a clear approach that is acceptable to business units and sustainable for IT.

1. Start with uses, not just tools

The first mistake would be to start with a blacklist.

Before blocking, you need to understand.

Which tools are being used? By which teams? For what use cases? With what data? With what access? For how long? Is it an isolated test or a tool already integrated into daily operations?

This phase must be conducted calmly. If teams feel that the audit is only for punitive purposes, they will hide their usage.

The objective is instead to say: “We want to understand what truly helps you, what hinders you, and what needs to be secured.”

This shift in stance is essential to reconcile IT and business units.

IT is not here to take back control from the teams. It is here to re-establish a framework around existing uses.

2. Create a realistic application mapping

Application mapping is the foundation.

Without a clear inventory, effective governance is impossible.

It is necessary to list validated SaaS applications, unauthorized SaaS tools, administrator accounts, integrations, automations, databases, storage spaces, AI tools, and critical workflows.

This mapping must also specify the level of risk.

A tool that does not process any sensitive data does not carry the same weight as an application containing customer, HR, or financial data.

Effective mapping should not be a static document. It must become a living tool. It can be maintained in an internal repository, an ITSM tool, a structured database, or a dedicated business application.

This work is part of a broader topic: digital sovereignty for SMEs. A company cannot control its IT system if it doesn't know where its data is, which tools process it, and what dependencies it accepts.

3. Categorize tools according to actual risk

Not all instances of shadow IT warrant the same response.

An effective IT department must avoid two pitfalls.

The first is to treat everything as a critical threat.

The second is to tolerate everything in the name of agility.

The right approach is to classify tools into four categories.

Acceptable tools can be retained with minimal rules.

Useful but risky tools must be secured, formalized, or replaced.

Redundant tools must be rationalized.

Dangerous tools must be removed with a transition plan.

This classification must be clear to business units. It's not enough to simply say "tool forbidden." The "why" must be explained.

Sensitive data. Lack of SSO. No granular rights management. Problematic hosting. Vague terms of use. Uncontrolled exports. Connections to critical tools. Lack of logs.

When a rule is clear, it's better accepted.
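As an added illustration of this classification (example code, not from the article or from Scroll), the following script scores a constructed inventory against the risk factors listed above and sorts each tool into the four categories; the record schema, the thresholds and the sample tools are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed inventory record (hypothetical schema): step 2 mapping fields plus step 3 risk factors.
@dataclass
class Tool:
    name: str
    purpose: str            # the need it serves; two tools for one need = duplicate
    sensitive_data: bool    # customer, HR or financial data
    sso: bool
    granular_rights: bool
    known_hosting: bool
    clear_terms: bool
    export_control: bool
    connects_to_critical: bool
    has_logs: bool
    official: bool = False  # already validated by IT

def risk_findings(t: Tool) -> list:
    """Return the article's risk factors that apply to this tool."""
    checks = [
        ("no SSO", not t.sso),
        ("no granular rights management", not t.granular_rights),
        ("problematic hosting", not t.known_hosting),
        ("vague terms of use", not t.clear_terms),
        ("uncontrolled exports", not t.export_control),
        ("connected to critical tools", t.connects_to_critical),
        ("no logs", not t.has_logs),
    ]
    return [label for label, hit in checks if hit]

def classify(tools: list) -> dict:
    """Map each tool name to (category, findings) using assumed thresholds:
    sensitive data with no SSO, uncontrolled exports or no logs is dangerous;
    an unofficial tool duplicating a covered need is redundant; any other
    finding is useful but risky; nothing found is acceptable."""
    per_purpose = Counter(t.purpose for t in tools)
    result = {}
    for t in tools:
        findings = risk_findings(t)
        exposed = not (t.sso and t.export_control and t.has_logs)
        if t.sensitive_data and exposed:
            category = "dangerous"         # remove, with a transition plan
        elif not t.official and per_purpose[t.purpose] > 1:
            category = "redundant"         # rationalize
        elif findings:
            category = "useful but risky"  # secure, formalize or replace
        else:
            category = "acceptable"        # keep, with minimal rules
        result[t.name] = (category, findings)
    return result

# Constructed sample inventory: one official tool per need plus shadow tools.
SAMPLE_INVENTORY = [
    Tool("Official CRM", "crm", True, True, True, True, True, True, False, True, official=True),
    Tool("Notion CRM", "crm", True, False, False, True, True, False, False, False),
    Tool("Official PM tool", "projects", False, True, True, True, True, True, False, True, official=True),
    Tool("Airtable projects", "projects", False, False, True, True, True, True, False, True),
    Tool("Zapier connector", "automation", False, True, False, True, True, True, True, True),
]
```

Running `classify(SAMPLE_INVENTORY)` gives one category per tool together with the reasons, which is the "why" the article asks IT to give business units.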

4. Create a catalog of validated tools

You can't reduce shadow IT by offering nothing in its place.

If business units have no simple alternative, they will recreate workarounds.

The IT department must therefore offer a catalog of validated tools. This catalog can include SaaS applications, internal tools, workflow templates, automation solutions, and governed AI components.

The idea is not to over-centralize everything. The idea is to create simple paths.

A department wants to automate a repetitive task? It needs to know who to turn to.

A team wants to test AI for document analysis? It needs to know the authorized framework.

A manager wants to track a business process? They need a more robust option than a shared Excel file.

This is where the IT department can become a visible partner again. It doesn't block innovation. It offers safer options.

For AI topics, enterprise AI support helps frame usage, distinguish real needs from trends, and then define a clear trajectory with the teams.

5. Regain control over access

Access management is one of the most sensitive aspects of shadow IT.

A tool might seem low-criticality at first. But if it contains internal data and access isn't controlled, the risk quickly increases.

The IT department must take back control over a few simple areas.

Who can create an account? Who can invite a user? Who can export data? Who can connect a third-party application? Who can be an administrator? What happens when someone leaves the company?

These questions must become second nature.

SSO, MFA, regular rights reviews, deletion of inactive accounts, and the principle of least privilege are useful foundations. But they are not enough if some tools remain off the radar.

The 2025 1Password report indicates that 52% of employees have already downloaded applications without IT validation, and that 42% bypass IT to improve productivity.

This confirms an important point: access is no longer governed solely within official tools. It must be considered in a much more distributed SaaS environment.
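An added example, not part of the article, of how the access questions above can be answered for one tool: reconcile the tool's user export against the HR directory to find orphaned accounts, admins without MFA, accounts outside SSO and inactive accounts, then order the clean-up. The data and field names are constructed.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical field names): one SaaS tool's user
# export and the HR directory it is reconciled against.
TODAY = date(2025, 9, 1)
INACTIVE_AFTER = timedelta(days=90)

HR_DIRECTORY = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "left",
}

SAAS_USERS = [
    {"email": "alice@example.com", "role": "admin", "sso": True, "mfa": True,
     "last_login": date(2025, 8, 30)},
    {"email": "bob@example.com", "role": "member", "sso": False, "mfa": False,
     "last_login": date(2025, 4, 1)},
    {"email": "Carol@example.com", "role": "admin", "sso": False, "mfa": False,
     "last_login": date(2025, 2, 10)},
    {"email": "dave@gmail.com", "role": "member", "sso": False, "mfa": True,
     "last_login": date(2025, 8, 28)},
]

def review_access(users, directory, today=TODAY):
    """Answer the article's access questions for one tool's user list."""
    findings = {"orphaned": [], "unknown": [], "no_sso": [],
                "admin_without_mfa": [], "inactive": []}
    for u in users:
        email = u["email"].lower()          # exports are not always case-consistent
        status = directory.get(email)
        if status is None:
            findings["unknown"].append(email)    # not in HR: personal or external account
        elif status == "left":
            findings["orphaned"].append(email)   # never revoked when the person left
        if not u["sso"]:
            findings["no_sso"].append(email)     # local password outside the identity provider
        if u["role"] == "admin" and not u["mfa"]:
            findings["admin_without_mfa"].append(email)
        if today - u["last_login"] > INACTIVE_AFTER:
            findings["inactive"].append(email)   # candidate for deletion at the next review
    return findings

def actions(findings):
    """Turn findings into an ordered to-do list: revoke before tightening."""
    todo = [("revoke", e) for e in findings["orphaned"]]
    todo += [("verify", e) for e in findings["unknown"]]
    todo += [("enforce MFA", e) for e in findings["admin_without_mfa"]]
    todo += [("move to SSO", e) for e in findings["no_sso"]]
    todo += [("disable", e) for e in findings["inactive"]]
    return todo
```

Repeating this per tool at each rights review is what turns "what happens when someone leaves" from a question into a routine check.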

6. Establish continuous IT governance

Shadow IT always resurfaces when IT governance becomes an annual event.

A mapping done once and then forgotten is not enough.

What's needed is continuous, simple, and operational governance.

This can be achieved through a small committee involving CIOs, CISOs, procurement, and business representatives. Not a cumbersome committee that blocks everything. A regular meeting to address new tools, recurring requests, risks, and decisions.

IT governance must also be documented.

A short sheet per tool can suffice: usage, business owner, IT owner, data processed, risk level, contract, access, integrations, review date.

This discipline changes a lot. It allows for a shift from a reactive IT system to a managed one.

It also allows for better tool rationalization. Two teams using two solutions for the same need? It becomes possible to make a decision. A tool is no longer used? It can be terminated. An automation has become critical? It can be documented and made reliable.

The specific case of shadow AI

Since 2023, a new form of shadow IT has been rapidly advancing: shadow AI.

The principle is the same. Employees use AI tools without clear company validation.

This can be a public chatbot, a browser extension, a meeting assistant, an automatic summarization tool, a code generator, an AI connector in a business SaaS, or an agent linked to internal documents.

Shadow AI is more sensitive than traditional shadow IT for a simple reason: users can copy very rich data into it.

A contract. A customer database extract. An HR report. A commercial proposal. A strategic document. A financial export.

The risk doesn't just come from the tool. It comes from the type of data entrusted to the tool, the storage location, the processing conditions, access rights, and the lack of traceability.

The answer cannot simply be “prohibit AI use”.

In practice, teams will continue to look for ways to save time. The right strategy involves governing AI usage, offering approved tools, training teams, and creating useful use cases.

In this regard, the IT department can play a crucial role: transforming uncontrolled adoption into managed adoption.

This requires a clear framework, but also a deep understanding of business operations. Some needs are AI-related. Others are more about process automation, the redesign of an internal tool, or the modernization of a legacy IT system.

What's more, when teams create numerous parallel solutions to compensate for an old, slow system, the issue goes beyond shadow IT. It can evolve into a major undertaking for legacy IT system modernization.

Automate without creating new shadow IT

Automation is often a highly effective solution to shadow IT.

When business teams cobble things together, it's often because they are repeating too many manual tasks.

Copying data between two tools. Generating documents. Following up with clients. Updating a spreadsheet. Creating a task. Sending a notification. Consolidating files.

These needs can be effectively addressed with tools like Make, n8n, or internal workflows.

But beware: poorly governed automation can become shadow IT itself.

A Make scenario created in a personal account. An n8n workflow without documentation. An API key stored in a text field. A trigger that processes sensitive data. A critical automation without monitoring.

To avoid this, the IT department must govern automations as true components of the IT system.

It's essential to define service accounts, permissions, logs, owners, naming conventions, environments, tests, and recovery procedures.

This is precisely what distinguishes a useful workaround from a reliable system.

At Scroll, discussions around n8n automation are often addressed with this approach: starting from the business need, but building a maintainable, clear, and integrated solution within the IT system.

How to get business units to embrace change

Shadow IT isn't just solved with tools.

It's solved with a new relationship between IT and business units.

Business units need to understand that IT governance isn't a hindrance. It protects customers, employees, data, and business continuity.

But the IT department also needs to accept one thing: speed matters.

If a simple request takes three months, workarounds will reappear. If every tool has to go through a vague process, teams will find another way.

The solution involves simple rules.

An experimentation framework to test quickly, but properly.

A short process for registering a new tool.

A catalog of validated alternatives.

Validation models based on risk level.

Quick responses for simple needs.

Genuine listening to business pain points.

This last point is often the most important. Shadow IT decreases when teams feel that the IT department understands their reality.

Regaining control doesn't mean removing all autonomy. It means providing autonomy within a clearer framework.

The right metrics to track

To manage shadow IT, the IT department needs to choose a few simple metrics.

The number of SaaS applications identified.

The share of tools with an identified owner.

The share of tools connected to SSO.

The number of redundant tools removed.

The number of orphaned accounts closed.

The number of documented automations.

The number of validated AI tools.

The average validation time for a new tool.

These indicators help make the topic tangible. They prevent discussions from remaining too general about the risks of shadow IT.

They also show progress.

A company doesn't go from 200 scattered tools to perfect governance in two weeks. That's not the goal.

The goal is to reduce blind spots, step by step.

Regaining control, without becoming the department that always says no

Shadow IT is a security problem, but not only that.

It's also an internal experience problem.

If official tools are too cumbersome, teams will find workarounds.

If processes are too slow, teams will bypass them.

If IT doesn't offer alternatives, business units will find their own solutions.

The right answer, therefore, isn't to hunt down every tool as a mistake. The right answer is to transform shadow IT into an entry point towards a clearer, more useful, and better-governed information system.

For an IT department, it's an opportunity.

The opportunity to reconnect with the business.
The opportunity to streamline SaaS applications.
The opportunity to secure access.
The opportunity to better govern AI.
The opportunity to replace fragile makeshift solutions with robust internal tools.
The opportunity to restore order without slowing down the business.

At Scroll, we help companies that want to modernize their tools, govern their AI usage, automate their processes, and regain control over systems that have become too fragmented.

The starting point can be simple: map usage, identify risky tools, understand business needs, then define a realistic roadmap. Not to start from scratch. Not to hinder teams. But to build a system that is more reliable, more transparent, and more useful day-to-day.

FAQ
What is Shadow IT in a company?

Shadow IT refers to tools, SaaS applications, cloud services, automations, or software used within a company without validation or oversight from the IT department. It can include a simple shared file, an AI tool, a business application, a parallel CRM, or a connector between two tools.

Why is shadow IT a risk for the IT department?

Shadow IT creates blind spots. The IT department doesn't always see the data being processed, open access points, active integrations, or associated contracts. This can lead to risks related to IT security, GDPR compliance, data loss, unnecessary SaaS costs, and reliance on unmanaged tools.

What is the difference between shadow IT and shadow AI?

Shadow AI is a form of shadow IT related to unmanaged artificial intelligence uses. This can include chatbots, meeting assistants, AI extensions, code generation tools, or agents connected to internal documents. The risk is high when employees deposit sensitive data there.

Published by Jean