Tuesday, July 1, 2025

Shadow IT Isn’t Your Enemy — It’s Your Secret Weapon


Unauthorized use of tech and data, aka shadow IT and shadow AI, has bedeviled security teams and compliance officers for decades. “Individual workers may decide to use it without telling anyone and may even hide their use from their coworkers. Its stealth usage adds to the risks associated with it,” explains Kris Bondi, CEO and co-founder of Mimoto AI. Unfortunately, tech teams are losing the fight, especially with the onslaught of cheap and easily accessible AI. The gate has finally crashed, and the gatekeepers must now take a new approach.  

The Futility of Shadow IT Elimination 

“We often see shadow IT as an elimination game, where organizations are trying to eliminate these services one by one. This is an ever-losing battle. Security teams can work to eliminate these services with automation, but this can lead to many broken workflows and an additional burden to already very overwhelmed analysts,” says Kyle Kurdziolek, BigID’s VP of security. 

The stakes couldn’t be higher. Security threats and compliance penalties are soaring, and shadow IT adoption is fueling both. 

A Skyhigh Security report found over 320 unsanctioned AI apps in use per enterprise, with AI app traffic jumping 200% last year (versus just 23% for non-AI apps). Worse, 11% of files uploaded to AI contain sensitive corporate data.  


A LayerX Security report reveals further widespread shadow AI infiltration: 

  • 18% of employees paste data into GenAI tools, with 50% of that being company information 

  • 20% of enterprise users have installed GenAI browser extensions 

  • 58% of these extensions have high or critical permissions 

  • 5.6% are outright malicious, capable of data theft 

Meanwhile, a Harness survey revealed that “only 48% of developers use IT-approved AI tools.” The rest, it appears, are either using AI in the shadows or going without it. 

“From my experience, the main issue is misplaced priorities and investments [on the employer side]. Recently, we’ve seen the launch of many AI tools — code assistants, for example — that aim to speed up development time. But many developers still spend a significant portion of their day on tasks they don’t enjoy, like babysitting deployments or waiting for tests to finish,” says Nick Durkin, field CTO at Harness, an AI-native software delivery platform. 

Demand outstrips fear of the mandate; as the Borg were fond of saying in Star Trek, “resistance is futile.” 

Stop Fighting, Start Adapting 

“We need to stop fighting against and start working with shadow IT. Sure, blacklist dodgy apps and data black boxes, but don’t enforce codes of silence. Digging into the what and the why of shadow IT goes a long way to nipping the problem in the bud,” says Apu Pavithran, founder and CEO of Hexnode, a provider of unified device management.  


Yet many still try to prop up the broken gate, pretending business as usual will work. 

“A zero-use mandate backfires. It just drives stealth usage up,” warns Bondi. “The financial fallout varies, but unauthorized AI can lead to regulatory fines, breaches, and IP loss.” 

From Gatekeeper to Innovator 

So how do CIOs pivot from enforcers to enablers? Start by reframing rogue tech. 

“What starts as shadow IT could be untapped innovation,” says Amit Basu, CIO/CISO of International Seaways, one of the largest tanker companies transporting crude oil and refined petroleum products worldwide. “Rather than shutting it down, forward-thinking organizations identify what works, assess risks, and scale the best tools.” 

He’s not alone. 

“As a healthcare IT leader, I see shadow IT less as a threat and more as a pulse check on where our internal systems fall short,” says Riken Shah, founder and CEO of OSP Labs, a provider of healthcare IT solutions. “Now, we monitor usage patterns, validate them, and formalize compliant solutions.” 
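Monitoring usage patterns starts with knowing which AI services are actually being used, by whom, and whether data is leaving. The script below is an added example, not code from the article or from any vendor quoted in it: it builds that inventory from proxy logs, counting distinct users per app and flagging large POSTs as probable file uploads (the kind of traffic the Skyhigh Security figures above describe). The key=value log format, the small domain catalogue, the sanctioned-app set and the 1 MiB upload threshold are all assumptions for illustration; the sample log lines are constructed.

```python
"""Inventory unsanctioned GenAI usage from proxy logs (added example).

The log format, domain catalogue and thresholds below are assumptions;
adapt them to your proxy/CASB feed.
"""
import re
from collections import defaultdict

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = """\
1719830400.123 u=alice method=POST host=chat.openai.com path=/backend-api/conversation bytes_out=482
1719830412.501 u=alice method=POST host=chat.openai.com path=/backend-api/files bytes_out=2195432
1719830420.777 u=bob method=GET host=claude.ai path=/ bytes_out=311
1719830433.010 u=bob method=POST host=claude.ai path=/api/upload bytes_out=5240000
1719830440.222 u=carol method=POST host=copilot.internal.example path=/v1/complete bytes_out=640
1719830450.999 u=dave method=POST host=gemini.google.com path=/app/upload bytes_out=120000
1719830460.000 u=dave method=GET host=www.example.com path=/news bytes_out=200
"""

# Assumed catalogue: hostname suffix -> GenAI app name. In practice this comes
# from a URL-category feed; these entries are illustrative only.
GENAI_APPS = {
    "chat.openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.internal.example": "Internal Copilot",  # assumed in-house tool
}
SANCTIONED = {"Internal Copilot"}  # assumed IT-approved set
UPLOAD_BYTES = 1 << 20  # assumed: a POST body of 1 MiB or more counts as a file upload

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) u=(?P<user>\S+) method=(?P<method>\S+) "
    r"host=(?P<host>\S+) path=(?P<path>\S+) bytes_out=(?P<bytes>\d+)$"
)


def classify_host(host):
    """Return the GenAI app name for host (exact or subdomain match), else None."""
    for suffix, app in GENAI_APPS.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None


def inventory(log_text):
    """Aggregate per-app usage: distinct users, requests, upload count and bytes."""
    apps = defaultdict(
        lambda: {"users": set(), "requests": 0, "uploads": 0, "upload_bytes": 0}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        app = classify_host(m["host"])
        if app is None:
            continue  # not a GenAI destination we track
        rec = apps[app]
        rec["users"].add(m["user"])
        rec["requests"] += 1
        nbytes = int(m["bytes"])
        if m["method"] == "POST" and nbytes >= UPLOAD_BYTES:
            rec["uploads"] += 1
            rec["upload_bytes"] += nbytes
    return dict(apps)


def unsanctioned_report(log_text):
    """Rows (app, users, uploads, upload_bytes) for apps outside SANCTIONED,
    ordered by bytes uploaded so the riskiest data flows come first."""
    rows = [
        (app, len(rec["users"]), rec["uploads"], rec["upload_bytes"])
        for app, rec in inventory(log_text).items()
        if app not in SANCTIONED
    ]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


if __name__ == "__main__":
    for app, users, uploads, nbytes in unsanctioned_report(SAMPLE_LOG):
        print(f"{app:<8} users={users} uploads={uploads} upload_bytes={nbytes}")
```

Ranking by bytes uploaded rather than by request count is deliberate: a hundred chat prompts to an unsanctioned assistant matter less than one multi-megabyte upload, and the resulting table is what a team needs to decide which tools to vet and formalize first rather than block blindly.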


If you think about it, this is the answer to the age-old problem of IT trying (and often failing) to correctly match business processes and use cases to tech options. 

“Empowering real users, who best understand their own use cases, increases the chances of AI [and tech] success and can give organizations a meaningful edge in the race for innovation,” adds Basu. 

The Smarter Risk Approach 

“Instead of eliminating risk entirely, focus on minimizing damage when things go wrong,” suggests Ilia Badeev, head of data science at Trevolution Group, one of the largest travel ticket consolidators in the US for niche markets. “Build resilience, not just restriction.” 

“When we first scaled, our creative team quietly adopted their own AI image-enhancement tools — unsanctioned, technically ‘shadow IT.’ At first, I saw it as a governance headache,” says Kaz Marzo, operations manager at Image Acquire, an image resource platform where images are curated by photography experts, and a hub for photography enthusiasts and professionals.  

“But as I dug in, I realized this rogue tech was solving real pain points faster than our approved stack ever could. Instead of shutting it down, we formalized a vetting path for emerging tools, turning what could have been a liability into a pipeline for innovation,” Marzo adds. 

The lesson? Shadow IT isn’t the enemy; it’s your secret weapon. The real risk isn’t rogue tech; it’s refusing to adapt. 
