You may have heard the phrase ‘shadow IT’ before. Just the phrase sound suspicious – and it is something that can put your business at significant risk.

However, unlike many forms of cyber attack, it doesn’t refer to the activity of criminals. Instead, it’s something that your very own employees could be doing.

In this blog, we explain what shadow IT is and why it puts your business at risk. More crucially, we’ll also dive into how to tackle it before the worst happens.

What is shadow IT?

In simple terms, shadow IT refers to technology solutions being used by employees that bypass controls or limitations within the managed IT estate. Typically, this means apps, tools and websites that are not approved by the company or that go against policy.

But it’s not just unapproved applications. It could be any form of IT that’s being used by employees without the knowledge of the IT team.

Users often turn to shadow IT activity because they can’t get what they need from the applications authorised within the business. In some cases, the controls placed on IT may limit them.

Shadow IT isn’t typically a malicious activity.  More likely, it’s borne out of frustration with limitations hindering productivity. People may not understand the security implications associated, which makes it particularly difficult to tackle.

However, it does leave your business vulnerable, especially if the wrong tools and apps are used.

What are the risks of Shadow IT?

Security risks

A lot of the time, controls exist to protect users and company data. Blocking sharing of data, access to certain types of website or preventing the use of specific applications are important to prevent malware or ransomware infections. They also prevent people doing things by accident and  maintain the visibility of data within your business.

As soon as uncontrolled applications come into the mix, everything put in place to comply with security policies or maintain compliance becomes ineffective.

Hidden IT costs

Often, users will be paying subscription or usage fees for the shadow IT systems they may be using. It’s coming out of a budget somewhere, but not necessarily allocated to IT.

This raises challenges with understanding the return on investment with solutions your business has paid for. If users are bypassing such systems, the implementation and running costs are being wasted as it’s hard to assign value to the right places.

It can also lead to duplicate subscriptions if people do not know which tools are already being used, as well as bloat across your business as more and more tools are incorporated.

Blocking progress

No digital transformation strategy will work if users seek out and implement tools that enable them to maintain old, inefficient ways of working. If your staff are using these tools to bypass processes you’ve set, it makes it extremely difficult to get the results you seek.

Encouraging adoption of new solutions through effective training is vital to ensure the success of such strategies without losing the support of the user base.

Why is shadow IT on the rise?

With the changes in working practices that have come about during the last few years, specifically following the coronavirus pandemic, users working remotely have been faced with more challenges than ever before. The effect of that has been a sharp increase in the use of shadow IT. Check out some of the statistics:

• 59% increase in shadow IT use since the beginning of the COVID-19 pandemic
• 35% of employees admit they have had to work around security policies to get their work done
• 67% of teams have introduced their own collaboration tools
• 83% of IT professionals reported that users have been known to store company data in unapproved cloud services
• 1 in 5 organisations have suffered a cyber-attack as a direct result of shadow IT use

With teams now working remotely, it’s also harder to keep tabs on what IT devices and tools they are using.

The rise of AI is also fuelling the fire of shadow IT. There are now countless AI tools available, giving your employees even more apps to choose from. Not all of them will be safe.

Many organisations do not have a specific AI policy, which often leads to staff using tools in secret. However, some of these tools don’t protect commercial data accurately, leaving you vulnerable to data breaches.

Due to the rise of shadow IT, it’s crucial to take action now to protect your business.

How to avoid shadow IT

There are a few steps you should take to minimise the risk of shadow IT.

The most crucial is having a good grasp of the tools across your organisation. If you provide people with the solutions, they need, they won’t be tempted to go elsewhere. So, spend time understanding what apps are required and any obstacles that users face.

Similarly, regularly seek feedback across your IT infrastructure and tools to uncover any frustrations, such as those posed by controls.

Once you better understand your user needs, it’ll be easier to seek secure tools that comply with business policy and address staff requirements. Common examples of tools you might utilise include:

• Messaging apps, like WhatsApp or Snapchat
• Cloud storage such as Dropbox, Google Drive and personal Microsoft OneDrive accounts
• Personal communication apps, likeTeams, Skype, other VOIP platforms
• Productivity tools, like Slack or Trello

Once you have built your stack of tools, make it very clear what is authorised and why they should be used. You should also make your employees aware of the risk of using non-approved tools or bypassing controls, so they understand the consequences explicitly. Remember to also document this as part of your business policy.

Combat shadow IT with the right approach

Shadow IT isn’t just an IT visibility issue — it’s a trust issue.

When users work around controls, it’s often a signal that security and productivity aren’t aligned. But the risks are real. Unapproved apps, unmanaged identities and invisible data flows create gaps that traditional perimeter‑based security simply can’t keep up with — especially as AI tools and automation become more accessible to end users.

That’s why tackling Shadow IT isn’t about locking everything down or saying “no” more often. It’s about adopting a security model that assumes complexity, expects change and verifies everything — without getting in the way of how people actually work.

This is where Zero Trust becomes critical. And in an age of AI, it’s evolving fast.

Join Infinity Group and Microsoft for a video deep dive into how Zero Trust architecture is evolving with the rise of AI.

In this on‑demand session, our experts break down:

• Microsoft’s Zero Trust methodology
• How AI is changing identity, access and threat detection
• How Microsoft Copilot, Agentic AI and security automation can be used to implement and strengthen Zero Trust in real‑world environments