Shadow IT – the unauthorized systems or apps employees use without IT’s approval – has long worried IT teams. Now, with AI, cloud, and SaaS sprawl in the mix, the risks from shadow IT are climbing fast. Unless CIOs find a data-driven approach to improving visibility, shadow IT will keep eating into company profits and employee productivity.
Kong’s 2024 API Impact Report paints a familiar but troubling picture of shadow IT on the rise: 80% of organizations have set guidelines for technology use and governance, yet 60% of employees still manage to move past them.
“Teams and individuals tend to adopt new tools on the sly, especially with the rise of bottom-up movements like generative AI,” says Jeff Watkins, CTO at CreateFuture. “Things are moving so fast that policies can barely keep up.”
When you lack oversight, malware and spyware can sneak in through unpatched vulnerabilities in unapproved apps, lying dormant for years before launching a massive attack. Just ask Okta, which faced a serious breach in 2023 exposing customer data – a harsh reminder of the chaos that can arise from unauthorized access.
“We’ve all seen it – someone spins up a cloud service for a ‘quick fix,’ and before you know it, attackers have a way in,” says Watkins. As firms look to implement generative AI, a new avenue of shadow AI is also opening on top of legacy applications that workers may be using without IT’s knowledge.
That’s why IT teams need to tackle shadow IT head-on and stamp it out before it spirals out of control. The following four actionable strategies can make that happen and erase shadow usage.
1. Automate SaaS discovery to identify rogue apps
Rightsizing your app inventory requires ongoing visibility into every SaaS app in use across your organization. Automated discovery, through a mix of browser extensions, API connectors, and rule-based discovery in network management tools, lets you cross-reference observed app usage against a pre-populated profile of known apps.
Once you’ve gathered that data, sync it with reports from your organization’s single sign-on (SSO) system for a unified, 360-degree view of unused licenses and duplicate apps.
It’s a bit ironic—using more apps to control the spread of shadow apps. But with budgets stretched thin and the risk that admin access to these tools could create its own security backdoors, Watkins recommends balancing it out with annual audits where IT sits down with department leaders to review all installed software.
“Each area should go through a yearly audit to understand what’s been implemented, whether it’s new software or third-party SaaS tools that could be sharing data, even if it’s unintentional.”
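The reconciliation step described above, as an added example that is not from the article or any vendor tool: discovery records (who used which app, and when) are cross-referenced against the SSO system’s app and license assignments to surface apps outside SSO, licenses nobody has used recently, and overlapping apps in the same category. All data and app names are constructed samples.

```python
from datetime import date

# Constructed sample data: what automated discovery (browser extension, API
# connector or network rules) observed, as (user, app, last_seen).
DISCOVERED = [
    ("alice", "Slack", date(2024, 9, 30)),
    ("bob", "Slack", date(2024, 9, 29)),
    ("carol", "Notion", date(2024, 9, 28)),   # not behind SSO: a shadow app
    ("dave", "Trello", date(2024, 9, 27)),
]

# Constructed SSO report: app -> (category, users holding an assigned license).
SSO_APPS = {
    "Slack": ("chat", {"alice", "bob", "erin"}),
    "Asana": ("project-tracking", {"dave", "frank"}),
    "Trello": ("project-tracking", {"dave"}),
}


def reconcile(discovered, sso_apps, today, stale_days=90):
    """Cross-reference discovery data with the SSO report.

    Returns apps seen in use but not managed by SSO, (app, user) licenses with
    no use in `stale_days`, and categories with more than one licensed app.
    """
    # Latest observed use per (user, app).
    seen = {}
    for user, app, last in discovered:
        seen[(user, app)] = max(seen.get((user, app), last), last)

    shadow = sorted({app for _, app, _ in discovered if app not in sso_apps})

    unused = sorted(
        (app, user)
        for app, (_, users) in sso_apps.items()
        for user in users
        if (user, app) not in seen or (today - seen[(user, app)]).days > stale_days
    )

    by_cat = {}
    for app, (cat, _) in sso_apps.items():
        by_cat.setdefault(cat, []).append(app)
    duplicates = {cat: sorted(apps) for cat, apps in by_cat.items() if len(apps) > 1}

    return {"shadow_apps": shadow, "unused_licenses": unused, "duplicate_apps": duplicates}


if __name__ == "__main__":
    for key, value in reconcile(DISCOVERED, SSO_APPS, date(2024, 10, 1)).items():
        print(f"{key}: {value}")
```

Each list feeds a different follow-up: shadow apps go to the approval workflow, unused licenses to procurement, and duplicates to the annual audit with department leaders.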
2. Design people-centric IT workflows
Ilia Sotnikov from Netwrix points out that IT teams often overestimate their monitoring and analytics solutions against shadow IT while missing the bigger question: why is it spreading like wildfire in the first place? She believes it’s often because employees are just trying to get their work done, especially when they feel IT isn’t giving them the support they need. To fix this, she says, we have to meet employees right where they are.
“The strategy to address shadow IT needs to be two-fold,” says Sotnikov. “We need to raise awareness and embrace an ‘IT security as a business enabler’ mindset where IT can step in to help users and departments see how security risks directly affect their roles or business processes.”
To put Sotnikov’s approach into practice, create a sandbox environment where employees can test out new tools safely while providing IT with visibility into what’s actually being used. If a tool proves useful, IT can then work on getting it officially approved.
Watkins also pitches in, suggesting self-service IT workflows with centralized management for software requests and approvals, where zero trust architecture, multi-factor authentication, and SSO are embedded by design.
3. Configure open source package managers
Public package repositories like npm, PyPI, or Maven contain thousands of packages, some of which may have security vulnerabilities, licensing issues, or simply be unnecessary. At times they also distribute stand-alone applications (such as coding tools or build utilities) that have little or no coverage in secured registries.
Henrik Plate, a security expert at Endor Labs, has a straightforward fix: configure the open source package managers on developer machines to draw exclusively from private, vetted registries of libraries, frameworks, and components, protecting those machines against risky downloads.
While closed repos are a solid foundation, they aren’t entirely foolproof. Automated updates can slip in new security vulnerabilities that your system isn’t prepared to tackle. Use version pinning to lock in specific package versions and keep your development environments aligned. Pair that process with continuous monitoring and automated alerts to detect attempts to pull dependencies from public repos, and to notify IT/security teams whenever something goes sideways.
4. Gatekeep data to resist shadow IT
For Sotnikov, you can’t fully manage shadow IT without a continuous data discovery process. “Our ability to spot sensitive data slipping outside secure zones is directly linked to how well we quarantine networks from shadow access,” she explains.
This is where data loss prevention (DLP) steps in to add some guardrails. When users attempt to upload files through unapproved apps, DLP uses predefined rules to check if the content is sensitive—based on file types, compliance regulations like HIPAA, or content patterns—and decides whether to block or allow it.
Choose a DLP that scans both data at rest and data in transit, so you can search employees’ devices for sensitive data and secure or delete it if needed. These tools also help protect USB drives and portable devices by encrypting transferred information, improving data resilience and cutting down on potential shadow IT risks.
Combine that with identity and access management, and you can tightly control user roles, ensuring access to critical systems or data is given only when needed, and only with proper approval, keeping everything under close watch.
“There’s no silver bullet for eliminating shadow IT,” Sotnikov admits. “But a strong mix of controls can help guide users and minimize the damage from any uninformed or accidental actions.”