Shadow IT in companies: the CIO action plan to regain control

How to detect, reduce, and govern shadow IT in companies without blocking business teams. A clear action plan for CIOs.
Shadow IT is no longer a small, hidden issue in a corner of the IT system.
In many companies, it’s everywhere.
A marketing team opens an account on an emailing tool. A sales team adds an AI extension to its CRM. HR tests a SaaS application to track interviews. A manager creates an Airtable database to manage projects. An employee connects an automation tool to their Drive.
None of this comes from bad intentions.
Teams want to move fast. They want to avoid delays. They want to solve a concrete problem. And often, they’re right at the core: the official tool doesn’t meet the need well enough, or fast enough.
But for a CIO, shadow IT creates a blind spot. Unauthorized SaaS tools pile up. Access becomes scattered. Data moves outside the intended framework. GDPR compliance becomes harder to prove. Cybersecurity relies on usage that no one truly sees.
The issue, then, isn’t to “hunt down” shadow IT as an anomaly. The real issue is to regain control without stifling business momentum.
This is where the CIO’s role changes. They can no longer just say yes or no. They must understand, prioritize, secure, rationalize, and offer better alternatives.
What exactly is shadow IT?
Shadow IT refers to all the tools, software, SaaS applications, accounts, scripts, automations, or cloud services used within the company without validation or oversight from the IT department.
It can be very simple.
A file shared outside the official Drive. A project management tool paid for with a team credit card. A Zapier or Make connector created without oversight. An AI application used to process internal documents. A parallel CRM created in Notion. An admin account retained after an employee leaves.
Shadow IT, therefore, isn’t just a concern for large corporations. It also affects SMEs, mid-sized companies, and growing organizations.
The more SaaS applications a company uses, the higher the risk. The Cloud Security Alliance’s 2025 SaaS Security Report highlights that companies face visibility issues, shadow IT, overly broad access, and poorly controlled third-party integrations. The report also notes that 86% of organizations now rank SaaS security as a high priority.
The key point is simple: shadow IT isn’t a specific tool. It’s a gray area.
And a gray area in an IT system often ends up becoming a risk zone.
Why business teams create shadow IT
To regain control over shadow IT, you must first accept an uncomfortable idea: if business teams bypass the IT department, it’s often because they’re trying to solve a real problem.
A salesperson doesn’t install a prospecting tool to create a security vulnerability. They do it because they want to sell better.
An HR manager doesn’t create a tracking spreadsheet outside the IT system to jeopardize GDPR compliance. They do it because the official process is too slow.
A product team doesn’t test an AI application to complicate IT governance. They do it because they want to save time.
In many cases, shadow IT reveals three things.
First, official tools don’t cover on-the-ground needs well enough.
Second, business requests take too long to be processed.
Finally, IT rules are sometimes poorly understood, too abstract, or perceived as a hindrance.
This is why a pure crackdown strategy rarely works. Blocking all unauthorized SaaS tools can create an illusion of control. But usage doesn’t always disappear. It shifts. It moves to personal accounts, unmanaged devices, or data exports.
The right approach is to turn shadow IT into a signal. Every undeclared tool says something about a business pain point.
When multiple teams use parallel tools to manage simple tasks, the problem may not be discipline. The problem may be poor process automation.
When a department builds its own CRM in Notion, Airtable, or Excel, the issue may stem from an official CRM that’s too rigid. In this case, working on a custom CRM for SMEs may be more useful than simply reminding people of the rules.
What shadow IT really costs the company
The risks of shadow IT aren’t always visible at first.
A free tool seems harmless. A small automation seems practical. A SaaS app used by three people seems too minor to interest the IT department.
Then time passes.
Customer data ends up in multiple tools. Access rights aren’t revoked when an employee leaves. SaaS contracts multiply. Duplicates appear. Sensitive information circulates in unapproved spaces. Teams make decisions with partial data.
The cost of shadow IT operates on several levels.
First, there’s the cybersecurity risk. An unreferenced tool may have weak security policies. It may not properly handle authentication, roles, exports, or logs. It may also be connected to critical applications.
Then there’s the GDPR compliance risk. If a company doesn’t know where its data goes, who accesses it, or how long it’s stored, it will struggle to demonstrate control.
There’s also the operational risk. A workflow created by an employee can become critical without documentation. The day that person leaves the company, no one knows how the process works.
Finally, there’s the financial risk. SaaS sprawl—the proliferation of SaaS applications—creates unnecessary subscriptions, redundant tools, and hard-to-track expenses.
The issue becomes even more sensitive with AI. IBM’s 2025 report on the cost of data breaches states that the global average cost of a breach reaches $4.4 million. The same report highlights a governance gap around unregulated AI usage.
This figure doesn’t mean every company will face a crisis of this scale. But it shows one thing: blind spots are costly when they involve data, access, and ungoverned usage.
Action plan for CIOs: regain control in 6 steps
Taking back control of shadow IT doesn’t mean launching a punitive crackdown.
It means building a clear, business-acceptable method that the IT department can sustain.
1. Start with use cases, not just tools
The first mistake would be to begin with a blacklist.
Before blocking, you need to understand.
Which tools are being used? By which teams? For what use cases? With what data? With what access? For how long? Is this an isolated test or a tool already embedded in daily operations?
This phase must be conducted calmly. If teams feel the audit is only meant to punish, they’ll hide their usage.
The goal is rather to say: “We want to understand what truly helps you, what’s holding you back, and what needs to be secured.”
This shift in approach is essential to reconcile IT and business teams.
The IT department isn’t here to take power away from teams. It’s here to establish a framework around existing practices.
2. Create a realistic application mapping
Application mapping is the foundation.
Without a clear inventory, governance is impossible.
You need to list validated SaaS applications, unauthorized SaaS tools, admin accounts, integrations, automations, databases, storage spaces, AI tools, and critical workflows.
This mapping must also specify the level of risk.
A tool that processes no sensitive data doesn’t carry the same weight as an application containing customer, HR, or financial data.
A good mapping shouldn’t be a static document. It must become a living tool. It can be maintained in an internal repository, an ITSM tool, a structured database, or a dedicated business application.
This work ties into a broader issue: digital sovereignty for SMEs. A company cannot control its IT system if it doesn’t know where its data is, which tools process it, and which dependencies it accepts.
3. Classify tools based on actual risk
Not all shadow IT uses deserve the same response.
An effective IT department must avoid two pitfalls.
The first is treating everything as a critical threat.
The second is tolerating everything in the name of agility.
The right approach is to categorize tools into four groups.
Acceptable tools can be kept with minimal rules.
Useful but risky tools must be secured, contracted, or replaced.
Redundant tools must be rationalized.
Dangerous tools must be removed with a transition plan.
This classification must be clear to business teams. It’s not enough to just say “tool forbidden.” You need to explain why.
Sensitive data. No SSO. No fine-grained permissions. Problematic hosting. Unclear terms of use. Uncontrolled exports. Connections to critical tools. Lack of logs.
When the rule is clear, it’s better accepted.
4. Create a catalog of approved tools
You don’t reduce shadow IT with nothing.
If business teams have no simple alternatives, they’ll create workarounds again.
The IT department must therefore provide a catalog of approved tools. This catalog can include SaaS applications, internal tools, workflow templates, automation solutions, and controlled AI components.
The goal isn’t to over-centralize everything. The goal is to create simple pathways.
A team wants to automate a repetitive task? They need to know who to turn to.
A team wants to test an AI to analyze documents? They need to know the approved framework.
A manager wants to track a business process? They need a more robust option than a shared Excel file.
This is where the IT department can become a visible partner again. It doesn’t block innovation. It offers safer alternatives.
For AI-related topics, an enterprise AI support program helps precisely frame usage, distinguish real needs from trends, and define a clear roadmap with teams.
5. Regain control of access
Access management is one of the most sensitive aspects of shadow IT.
A tool may seem non-critical at first. But if it contains internal data and access isn’t controlled, the risk grows quickly.
The IT department must take back control of a few simple areas.
Who can create an account? Who can invite a user? Who can export data? Who can connect a third-party app? Who can be an admin? What happens when someone leaves the company?
These questions must become second nature.
SSO, MFA, regular rights reviews, deactivating inactive accounts, and the principle of least privilege are useful basics. But they’re not enough if some tools remain off the radar.
1Password’s 2025 report shows that 52% of employees have already downloaded apps without IT approval, and 42% bypass IT to boost productivity.
This confirms a key point: access is no longer governed solely within official tools. It must be managed across a much broader SaaS ecosystem.
6. Implement continuous IT governance
Shadow IT always resurfaces when IT governance becomes an annual event.
A one-time mapping that’s then forgotten isn’t enough.
You need continuous, simple, and operational governance.
This can take the form of a short, regular committee involving IT, CISO, procurement, and business representatives—not a cumbersome committee that stalls everything. A recurring meeting to address new tools, recurring requests, risks, and trade-offs.
IT governance must also be documented.
A brief sheet per tool can suffice: use case, business owner, IT owner, data processed, risk level, contract, access, integrations, review date.
This discipline changes a lot. It shifts the IT system from being endured to being actively managed.
It also helps rationalize tools more effectively. Two teams using two different solutions for the same need? Decisions can be made. A tool no longer in use? It can be decommissioned. An automation has become critical? It can be documented and secured.
The special case of shadow AI
Since 2023, a new form of shadow IT has been growing rapidly: shadow AI.
The principle is the same. Employees use AI tools without clear company approval.
This could be a public chatbot, a browser extension, a meeting assistant, an auto-summarization tool, a code generator, an AI connector in a business SaaS, or an agent linked to internal documents.
Shadow AI is more sensitive than traditional shadow IT for one simple reason: users may input highly sensitive data.
A contract. A customer database extract. An HR report. A commercial proposal. A strategic document. A financial export.
The risk doesn’t just come from the tool. It comes from the type of data shared with it, where it’s stored, processing conditions, access rights, and lack of traceability.
The answer can’t just be “AI use is forbidden.”
In practice, teams will keep looking for ways to save time. The right strategy is to frame AI usage, provide approved tools, train teams, and create useful use cases.
On this front, the IT department can play a strong role: turning unchecked adoption into controlled adoption.
This requires structure, but also a deep understanding of business needs. Some needs call for AI. Others are better addressed through process automation, revamping an internal tool, or modernizing a legacy system.
In fact, when teams multiply parallel solutions to compensate for an outdated, slow system, the issue goes beyond shadow IT. It can become a legacy IT modernization project.
Automate without creating new shadow IT
Automation is often a very effective response to shadow IT.
When business teams resort to DIY solutions, it’s usually because they’re repeating too many manual tasks.
Copying data between two tools. Generating documents. Following up with clients. Updating a spreadsheet. Creating a task. Sending a notification. Consolidating files.
These needs can be effectively addressed with tools like Make, n8n, or internal workflows.
But beware: poorly governed automation can itself become shadow IT.
A Make scenario created in a personal account. An undocumented n8n workflow. An API key stored in a text field. A trigger processing sensitive data. A critical automation without monitoring.
To prevent this, the IT department must frame automations as true building blocks of the IT system.
Service accounts, permissions, logs, owners, naming conventions, environments, tests, and recovery procedures must all be defined.
This is precisely what distinguishes a useful workaround from a reliable system.
At Scroll, n8n automation topics are often approached with this mindset: start with the business need, but build a maintainable, clear solution that is integrated into the information system.
How to get business teams to accept change
Shadow IT isn’t solved with tools alone.
It’s solved with a new relationship between IT and business teams.
Business teams must understand that IT governance isn’t a hindrance. It protects clients, employees, data, and business continuity.
But the IT department must also accept one thing: speed matters.
If a simple request takes three months, workarounds will reappear. If every tool must go through an unclear process, teams will seek another way.
The solution lies in simple rules.
A framework for experimentation to test quickly, but cleanly.
A short process to declare a new tool.
A catalog of validated alternatives.
Validation models based on risk level.
A quick response for simple needs.
A genuine understanding of business pain points.
This last point is often the most important. Shadow IT decreases when teams feel that IT truly understands their reality.
Taking back control doesn’t mean removing all autonomy. It means providing better-framed autonomy.
The right metrics to track
To manage shadow IT, the IT department must select a few simple metrics.
The number of SaaS applications cataloged.
The share of tools with an identified owner.
The share of tools connected to SSO.
The number of redundant tools removed.
The number of orphaned accounts closed.
The number of documented automations.
The number of validated AI tools.
The average time to validate a new tool.
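As an added example (not code from this article or from Scroll), here is a small Python model that ties together the per-tool sheet from step 6, the risk reasons and four groups from step 3, and the metrics listed above. The Tool fields, the thresholds inside classify(), and the sample inventory are all assumptions constructed for the example; the average validation time is left out because the sheet carries no request timestamps.

```python
from dataclasses import dataclass
from typing import Optional

# Data classes the article singles out as sensitive (customer, HR, financial).
SENSITIVE = frozenset({"customer", "hr", "financial"})


@dataclass
class Tool:
    """One per-tool sheet (step 6), reduced to the fields the rules below need."""
    name: str
    business_owner: Optional[str]
    it_owner: Optional[str]
    data_classes: frozenset          # kinds of data processed, e.g. {"customer", "hr"}
    sso: bool
    fine_grained_permissions: bool
    exports_controlled: bool
    has_logs: bool
    connected_to_critical: bool
    approved: bool = False           # listed in the catalog of approved tools
    redundant_with: Optional[str] = None
    orphaned_accounts: int = 0       # accounts still open for people who have left
    is_automation: bool = False
    is_ai: bool = False
    documented: bool = False


def risk_findings(tool: Tool) -> list:
    """The plain-language reasons from step 3 that apply to this tool."""
    findings = []
    if tool.data_classes & SENSITIVE:
        findings.append("sensitive data")
    if not tool.sso:
        findings.append("no SSO")
    if not tool.fine_grained_permissions:
        findings.append("no fine-grained permissions")
    if not tool.exports_controlled:
        findings.append("uncontrolled exports")
    if tool.connected_to_critical:
        findings.append("connections to critical tools")
    if not tool.has_logs:
        findings.append("lack of logs")
    return findings


CONTROL_GAPS = {"no SSO", "no fine-grained permissions", "uncontrolled exports", "lack of logs"}


def classify(tool: Tool) -> str:
    """Assign one of the four groups from step 3.

    Exposure (sensitive data, links to critical tools) is weighed against missing
    controls; a tool with no sensitive data and no critical links stays acceptable
    even with several gaps. The thresholds are an assumption for this example."""
    findings = set(risk_findings(tool))
    gaps = len(findings & CONTROL_GAPS)
    exposed = bool(findings & {"sensitive data", "connections to critical tools"})
    if "sensitive data" in findings and gaps >= 3:
        return "dangerous"          # remove, with a transition plan
    if tool.redundant_with:
        return "redundant"          # rationalize against the tool it duplicates
    if exposed and gaps >= 1:
        return "useful but risky"   # secure, contract, or replace
    return "acceptable"             # keep, with minimal rules


def classify_all(inventory: list) -> dict:
    return {t.name: classify(t) for t in inventory}


def metrics(inventory: list) -> dict:
    """The tracking metrics from the article, computed over the inventory."""
    n = len(inventory)

    def share(pred):
        return round(sum(1 for t in inventory if pred(t)) / n, 2) if n else 0.0

    groups = list(classify_all(inventory).values())
    return {
        "saas_cataloged": n,
        "share_with_owner": share(lambda t: bool(t.business_owner and t.it_owner)),
        "share_with_sso": share(lambda t: t.sso),
        "redundant_to_rationalize": groups.count("redundant"),
        "orphaned_accounts_to_close": sum(t.orphaned_accounts for t in inventory),
        "documented_automations": sum(1 for t in inventory if t.is_automation and t.documented),
        "validated_ai_tools": sum(1 for t in inventory if t.is_ai and t.approved),
    }


# Constructed sample inventory (not a real company's data).
SAMPLE_INVENTORY = [
    Tool("Official CRM", "sales", "it", frozenset({"customer"}), sso=True,
         fine_grained_permissions=True, exports_controlled=True, has_logs=True,
         connected_to_critical=True, approved=True),
    Tool("Notion sales pipeline", "sales", None, frozenset({"customer"}), sso=False,
         fine_grained_permissions=False, exports_controlled=True, has_logs=True,
         connected_to_critical=False, redundant_with="Official CRM"),
    Tool("Make scenario (personal account)", "sales", None, frozenset({"customer"}),
         sso=False, fine_grained_permissions=False, exports_controlled=False,
         has_logs=False, connected_to_critical=True, is_automation=True, orphaned_accounts=1),
    Tool("Interview tracking SaaS", "hr", "it", frozenset({"hr"}), sso=False,
         fine_grained_permissions=True, exports_controlled=True, has_logs=True,
         connected_to_critical=False, orphaned_accounts=2),
    Tool("Team poll widget", "ops", None, frozenset(), sso=False,
         fine_grained_permissions=False, exports_controlled=False, has_logs=False,
         connected_to_critical=False),
    Tool("Approved AI document assistant", "product", "it", frozenset({"internal"}),
         sso=True, fine_grained_permissions=True, exports_controlled=True,
         has_logs=True, connected_to_critical=False, approved=True, is_ai=True),
    Tool("n8n invoice workflow", "finance", "it", frozenset({"financial"}), sso=True,
         fine_grained_permissions=True, exports_controlled=True, has_logs=True,
         connected_to_critical=True, approved=True, is_automation=True, documented=True),
]

if __name__ == "__main__":
    for name, group in classify_all(SAMPLE_INVENTORY).items():
        print(f"{group:17} {name}: {', '.join(risk_findings(next(t for t in SAMPLE_INVENTORY if t.name == name))) or 'no findings'}")
    print(metrics(SAMPLE_INVENTORY))
```

Running it lists each tool with its group and the reasons behind it, which is the explanation step 3 asks for, and prints the metrics dictionary that a recurring governance committee (step 6) could review. Note that the personal-account Make scenario lands in the dangerous group because it combines customer data with four missing controls, while the poll widget with the same four gaps stays acceptable because it holds no sensitive data and touches nothing critical.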
These metrics make the topic tangible. They prevent the discussion from remaining too vague about the risks of shadow IT.
They also highlight progress.
A company doesn’t go from 200 scattered tools to perfect governance in two weeks. That’s not the goal.
The goal is to reduce blind spots, step by step.
Taking back control, without becoming the department that always says no
Shadow IT is a security issue, but not just that.
It’s also an internal experience problem.
If official tools are too cumbersome, teams improvise.
If processes are too slow, teams find workarounds.
If the IT department doesn’t offer alternatives, business units find their own solutions.
The right answer isn’t to hunt down every tool as a mistake. The right answer is to turn shadow IT into a gateway to a clearer, more useful, and better-governed IT system.
For an IT department, it’s an opportunity.
The opportunity to reconnect with business teams.
The opportunity to streamline SaaS applications.
The opportunity to secure access.
The opportunity to better regulate AI.
The opportunity to replace fragile workarounds with robust internal tools.
The opportunity to restore order without slowing down the business.
At Scroll, we support companies that want to modernize their tools, regulate their AI usage, automate their processes, and regain control over systems that have become too fragmented.
The starting point can be simple: map out usage, identify at-risk tools, understand business needs, then define a realistic roadmap. Not to rebuild everything. Not to block teams. But to build a more reliable, transparent, and useful system day-to-day.