If the Business Solves It without IT, That's Still an IT Problem
Shadow IT is just unsanctioned problem solving.
That sounds more generous than “people using random tools without telling IT,” but in most cases, it’s also more accurate.
It rarely starts with someone trying to break the rules. It starts with friction.
A team needs to share files more easily. A manager wants better reporting. Someone needs a way to collect data, move it between systems, get a document signed, or automate something small but repetitive.
Nothing particularly innovative. Just work that needs to happen.
And when the official route feels slow, unclear, or overly complicated, people don’t stop. They adapt.
They find another way.
How Shadow IT Actually Starts
Most Shadow IT doesn’t begin with a grand decision. It begins with a workaround.
- “I’ll just use this tool for now.”
- “This is quicker than raising a request.”
- “We’ll fix it properly later.”
And for a while, it works.
Work gets done faster. Teams feel less blocked. There’s momentum again. No waiting weeks for approvals or sitting through meetings that don’t move things forward.
From the outside, it can even look like progress.
But underneath, something else is forming.
Data starts living in places no one is really tracking. Access is granted quickly, but not always cleanly. Processes begin to rely on tools that don’t formally exist from an organisational perspective.
And by the time anyone notices, those tools aren’t optional anymore. They’re embedded.
That’s usually when it becomes “a problem.”
The Scale of the Problem
If this feels familiar, it’s because it’s widespread.
Research consistently shows that organisations have far less visibility than they think:
- IT teams are aware of only about one third of SaaS applications in use
Source: https://www.bettercloud.com/monitor/the-state-of-saas-sprawl/
- Shadow IT accounts for 30–40% of IT spend in large enterprises
Source: https://www.gartner.com/en/documents/3898386
- Around 41% of employees use technology IT doesn’t see, with projections rising to 75% by 2027
Source: https://www.gartner.com/en/newsroom/press-releases
- 69% of employees knowingly bypass cybersecurity guidance
Source: https://www.gartner.com/en/articles
- 70% of employees using AI tools like ChatGPT do so without approval
Source: https://www.salesforce.com/news/stories/generative-ai-workplace-study/
This isn’t edge-case behaviour. It’s normal behaviour in an environment where the official path doesn’t quite work.
And the tension is clear:
- Employees want to move quickly
- IT needs to manage risk
- The operating model often struggles to support both
Why Shadow IT Exists
It’s easy to frame Shadow IT as a behaviour problem.
People breaking the rules. Ignoring policy. Taking shortcuts.
But that’s rarely the full picture.
Shadow IT tends to grow where:
- approved tools take too long to obtain
- governance processes are unclear or difficult to navigate
- IT teams are stretched thin
- the business doesn’t know where to go for help
- the official route feels harder than the workaround
In other words, there’s a gap.
And when there’s a gap, something fills it.
Often, that “something” is a SaaS tool.
The Risks (That Show Up Later)
The risks associated with Shadow IT aren’t new, but they are becoming more visible.
Some of the most common patterns:
- Data exposure: Files shared to personal accounts or stored in unmanaged platforms
Source: https://www.ibm.com/reports/data-breach
- Access control issues: Former employees retaining access to systems
Source: https://www.varonis.com/blog/employee-data-access-report/
- Unmanaged integrations and APIs: Up to 68% of organisations have exposed shadow APIs
Source: https://www.cequence.ai/resources/reports/
- SaaS sprawl and inefficiency: Organisations spending on tools that are duplicated or unused
Source: https://www.capterra.com/resources/saas-spend-report/
- Security incidents: Over 55% of organisations have experienced SaaS-related security issues
Source: https://www.adaptivemobile.com/blog/
Individually, these issues often seem small. But collectively, they create real exposure.
And the more useful a tool becomes, the harder it is to remove later.
The Human Side of the Problem
One of the more interesting tensions in the data is this:
- 97% of IT professionals believe employees are more productive with preferred tools
Source: https://www.gartner.com/en/articles
At the same time:
- 76% of SMBs believe Shadow IT is a security threat
Source: https://www.capterra.com/resources/shadow-it-survey/
So we’re left with a contradiction:
The same behaviour that creates risk also creates productivity.
That’s why blunt approaches don’t work.
If IT becomes the function that simply says “no,” people don’t stop solving problems—they just stop being visible about it.
Why “Banning It” Fails
On paper, banning Shadow IT sounds straightforward.
In practice, it usually leads to:
- less visibility
- more workarounds
- increased risk
Because the underlying need hasn’t gone away.
People still need to get their work done. If the official route doesn’t support that, they’ll find one that does.
Just more quietly.
A More Practical Approach
The organisations that handle this well don’t try to eliminate Shadow IT entirely.
They manage it.
That usually means shifting the focus:
1. Understand the demand
What are people actually trying to do?
Where is the friction?
2. Separate innovation from risk
Not all Shadow IT is bad. Some of it highlights better ways of working.
3. Bring good tools into governance
If something works, support it properly. Secure it. Own it.
4. Address genuinely risky cases
Not everything can stay. Some tools introduce unacceptable risk.
5. Fix the operating model
Make the approved route faster, clearer, and easier to follow.
The Direction Things Are Moving
There’s a broader shift happening here.
More organisations are starting to adopt human-centric security models—designing controls around how people actually work, rather than how we’d like them to work.
- By 2027, 50% of CISOs are expected to adopt human-centric security practices
Source: https://www.gartner.com/en/newsroom
The goal isn’t to remove control.
It’s to reduce friction.
Because when the secure path is also the easiest path, most people will take it.
Final Thought
Shadow IT isn’t going away.
If anything, it’s accelerating—driven by SaaS, low-code tools, and now AI.
The question isn’t whether it exists in your organisation.
It’s whether you understand it well enough to manage it.
Because underneath it all, Shadow IT is just people trying to do their jobs.
And that’s not something you fix by saying no.