Challenge

Shadow IT: Not a compliance problem. A signal.

When departments build their own tools, train their own AI agents and maintain their own Excel worlds without IT knowing, that is not a revolt. That is frustration. And frustration is solvable.


The reality

Shadow IT did not start with ChatGPT. But AI has made it less visible.

Shadow IT refers to all systems, tools and processes that employees use without the knowledge or approval of the IT department. This ranges from spreadsheets with embedded logic to self-built AI agents in product management. Since AI tools became accessible to everyone, the problem has not reinvented itself, but it has massively accelerated.

Shadow IT is as old as IT itself. The spreadsheet with embedded macros that nobody except one person understands. The Access database that has been running since 2009 and that half the department's processes depend on. The Notion workspace that sales built themselves because the official CRM was too cumbersome.

That has always been the case. And it has always been a signal: somewhere in the company someone wants to move faster than the official channels allow. Since AI tools became available to everyone, the speed of this signal has tripled. Product management builds an AI agent that summarises tickets. Marketing automates content workflows with a self-built GPT. Sales uses an AI tool that analyses customer data. All sensible. All without IT. All with company data.

  • 65% of employees use tools that have not been approved by IT, according to studies.
  • 3x faster: the rate at which shadow IT has been growing since AI tools became available to non-technical users.
  • 1 spreadsheet with embedded logic is technically already shadow IT. Most companies have hundreds of them.

Recognise this?

Three signs that shadow IT is growing in your company.

We see these situations in almost every company that comes to us.

IT is the last to find out

Product, sales and marketing solve daily problems with tools they evaluated, introduced and paid for themselves. The IT department has no overview of which systems are running, where data flows, which APIs are connected. The security risk grows in the dark.

The result: When something goes wrong, nobody has an overview of where the problem is.

AI agents in the grey zone

One team builds an assistant that processes customer data daily. Another automates internal reports. A third has contract templates generated by an AI model. Everyone means well. Nobody checked which data is being transferred to external systems.

The result: GDPR risks, data leaks and uncontrolled dependencies on external providers.

The knowledge carrier leaves the company

The spreadsheet with the complex mapping logic, the self-built Zapier workflow, the no-code tool nobody else understands. When the person who built it leaves, the knowledge leaves with them. No backup. No documentation. No handover.

The result: Critical processes depend on single individuals and undocumented systems.

The typical mistake

Banning shadow IT. As if that were the solution.

The classic IT response: block access, ban tools, tighten policies. That does not solve the problem. It drives it deeper underground.

Because the cause remains. The department had a real problem. The problem is not gone now, just the tool. So the next tool comes. Or it keeps being used quietly.

Combating shadow IT with bans is combating the symptom. The real question is: why was the official path too slow, too cumbersome or non-existent? And how can it be designed so departments use it voluntarily?

The other perspective

Those who want to drive progress are a resource. Not a risk.

Here is the truth that is missing from many IT discussions: when someone in product management builds an AI agent that saves two hours of work every day, that person has solved a real problem. That is good. That is exactly the energy companies need.

The task is not to stop that energy. The task is to give it a safe framework. What that means in practice: creating a process for how departments can introduce new tools and AI solutions without having to start months-long IT projects. Clear rules about which data can go into which systems. A contact who helps instead of blocks. And an IT department that is seen as an enabler, not a brake.

Those who are open to solutions from the business units can accelerate progress in the company instead of containing it.

From practice

Turning shadow IT into an official solution. In two weeks.

A marketing team has been using an AI tool for content creation for months. Three different subscriptions, paid on employees' credit cards, company data being uploaded. IT finds out by chance.

Instead of banning the tool, we look together at exactly what is being used, which data is affected, and whether there is a privacy-compliant alternative that lets the team work just as fast.

  • Inventory: which tools, which data, which risks
  • GDPR-compliant alternative evaluated and introduced
  • Team continues working with AI support, now properly
  • IT has overview and control without slowing the team down
  • Process documented as template for other departments
  • Three further shadow IT areas identified and addressed

When someone on the team starts building their own tools, that is not a problem. That is a cry for help. And cries for help should be answered.


SOMEONE IN YOUR COMPANY WANTS TO DRIVE PROGRESS. HELP THEM DO IT.

If you want to know where shadow IT exists in your company and how to create a safe framework for it, talk to us. Ten minutes is usually enough for a first overview.
