Security & Compliance

Shadow IT in 2026: Why It's Really an Identity Visibility Problem

Ritish Reddy
Co-Founder, Zluri
June 30, 2026
8 MIn read

Ready to secure your identity surface?

About the author

Ritish Reddy is the Co-founder and CEO of Zluri, leading the vision for the next-generation Identity Governance and Administration platform. His work spans close collaboration with IT and security leaders across industries, translating complex identity challenges into clear business value. Before Zluri, Ritish was part of the founding team at KNOLSKAPE and later co-founded Cranium Media, scaling go-to-market functions across India, APAC, and the USA. Outside work, he’s often exploring bookstores or painting with his daughter.

A practical guide to what shadow IT actually is, why it's exploded with AI tools and non-human identities, and how to get real visibility into it.

Every SaaS app an employee signs up for without IT's knowledge creates a new identity that nobody is governing. That identity has login credentials, permissions, and access to data, and most security teams have no record it exists.

This is the real shape of shadow IT today. It used to be framed as a software spend problem: unauthorized apps draining budget through duplicate subscriptions. That framing made sense when the volume of shadow apps was small and the risk was mostly financial. It no longer captures what's actually happening.

The scale has changed. Freemium signups, OAuth logins through Google or Microsoft, and AI tools that employees adopt in minutes have made shadow IT less about rogue software purchases and more about an explosion of ungoverned identities, both human and non-human, sitting outside the reach of IT and security teams.

What Is Shadow IT

Shadow IT is any software, app, or service used inside an organization without the knowledge, approval, or oversight of the IT or security team. In the SaaS era, this overwhelmingly means apps that employees discover, sign up for, and start using on their own, often through a personal email address, a company email with no SSO connection, or a one-click OAuth login.

The defining trait of shadow IT isn't that the app is unapproved. It's that it's invisible. IT cannot secure, monitor, or govern what it cannot see, and every shadow app represents a gap in that visibility.

How Shadow Apps Enter an Organization

SaaS apps used inside a company generally fall into three categories.

IT-managed apps are procured, configured, and monitored directly by IT because they're complex or store critical business data. Okta, Salesforce, AWS, and Microsoft 365 are typical examples.

Non-IT-managed apps are procured by IT but run day to day by department heads or business units. IT negotiates the contract and vets security upfront, but access decisions happen locally. Workday and Adobe Creative Cloud often fall into this category.

Employee-purchased apps are signed up for, paid for (or not paid for, in freemium cases), and managed entirely by individual employees or teams. This is where shadow IT lives. A marketing team adopts a new AI writing tool. A product manager signs up for a project tracker because it's faster than the company standard. If it's useful, it spreads, often before anyone in IT or security knows it's in use.

This pattern has accelerated because of how SaaS itself is sold. Most platforms now use product-led growth, meaning the product is built to be tried and adopted by an end user without a sales conversation. Free trials and freemium tiers exist specifically to make adoption frictionless. Office 365 used to require an IT-managed install on every machine. Today, an employee gets it running in a single click, with or without IT.

There's also a fourth, less visible entry point that doesn't involve a person signing up at all. Every shadow app an employee connects tends to create its own non-human identities behind the scenes: service accounts, API keys, and OAuth tokens that link it to other systems like email, calendars, or file storage. Increasingly, this also includes AI agents that an employee authorizes to act on their behalf, often with broad read and write access. These identities never go through procurement, never show up in a survey, and rarely get reviewed once created, which makes them one of the fastest-growing and least-governed entry points for shadow IT today.

Why the Old Framing of Shadow IT Falls Short

The traditional view of shadow IT treats it as a software asset problem: untracked subscriptions, duplicate tools, wasted spend. That's still true, but it's the smaller half of the risk.

The bigger half is identity. Every shadow app an employee signs into creates an identity record somewhere outside your governance perimeter, often with no multi-factor authentication, no centralized password policy, and no offboarding trigger when that employee leaves the company. Multiply that across hundreds of employees and thousands of SaaS apps, and what you actually have is an unmanaged identity sprawl problem wearing a software inventory costume.

Asset Image — categories of SaaS apps (IT-managed, non-IT-managed, employee-purchased)

This is also why CASBs, traditional IT asset management tools, and SSO logs alone can't solve shadow IT. They were built to track devices and software licenses, or to monitor traffic at a network layer. None of them were designed to answer the question that actually matters for security: who has access to what, through which identity, and is that access still appropriate.

Why Shadow IT Has Accelerated

A few forces have converged to push shadow IT volume up sharply over the past several years.

Remote and hybrid work removed the perimeter. When employees worked inside an office network, IT had more natural chokepoints to observe app usage. Distributed teams sign up for tools independently, often from networks IT has zero visibility into.

Product-led SaaS made adoption near-instant. A free trial or freemium account needs nothing more than a work email. There's no procurement cycle, no security review, and often no card on file to trigger a finance conversation.

AI tools created a second wave of shadow IT. Employees are now signing up for AI writing assistants, AI coding tools, and AI meeting transcription apps at a pace that outstrips anything seen with traditional SaaS. Many of these tools ask for permissions to read calendars, documents, and code repositories, which makes the identity and data exposure risk considerably higher than a typical shadow app from five years ago.

Integrations multiply the blast radius. A single shadow app rarely stays isolated. Zapier-style connectors and native integrations mean one ungoverned app can pull data from or push data into several other systems, some of which may be sanctioned and sensitive.

Non-human identities have quietly become the larger problem. Every shadow app an employee connects tends to spin up its own service accounts, API keys, and OAuth tokens behind the scenes, and increasingly, AI agents that act on a user's behalf with standing access to calendars, documents, and code. These identities don't show up in an employee survey, rarely get reviewed, and almost never get deprovisioned, since most offboarding processes are built around human accounts. In many organizations, non-human identities already outnumber human ones, and a large share of them trace back to a shadow app nobody formally approved.

The Real Risks of Shadow IT

Security Gaps

Shadow apps don't go through the same security vetting as sanctioned tools. No one is verifying their MFA support, password policies, or encryption standards before an employee starts storing company data inside them. File sharing and collaboration apps in particular, the Dropboxes and consumer-grade Google Docs setups of the world, are where this tends to surface fastest, since they're built specifically to make sharing sensitive data effortless.

This creates two distinct exposure points. First, employees themselves become a risk surface. They store data outside the company's monitored environment, often in browsers, spreadsheets, or personal credential vaults, and frequently reuse the same login across multiple shadow accounts. That habit alone is what makes shadow apps a goldmine for attackers: a single compromised credential set unlocks far more than it should. Layer on a BYOD policy, and the risk compounds further, since an employee storing critical company information in a personal Dropbox or Google Drive account makes that data nearly impossible to recover once they leave the company.

Access rarely gets cleaned up either. A former employee with standing access to an app nobody knew existed is a quiet but serious liability, and there's frequently no governance process to catch it. It's also common for employees managing their own subscriptions to simply forget to pay a renewal, at which point the vendor terminates the service and any data inside it is gone for good, with no IT involvement at any point in that chain.

Second, vendors introduce their own exposure. Shadow apps frequently request broader permissions than necessary, granting edit access to company data where view access would suffice, which breaks least-privilege role-based access principles before IT even knows the access exists. Baseline protections like MFA and password strength requirements are rarely enforced from the vendor's side either, and these apps typically lack any centralized account management for setup, rotation, or monitoring, which makes them an easy target.

Compliance Exposure

Most regulatory frameworks, including SOC 2, HIPAA, GDPR, CCPA, PCI DSS, and ISO 27001, are built around the assumption that an organization knows where its data lives and who can access it. Shadow IT breaks that assumption directly, and most of these regulations are themselves built around data flow and storage, which is exactly the layer shadow IT obscures.

When an employee signs up for an unsanctioned app, company data may end up stored in a location with no audit trail, no data residency guarantees, and no oversight from the security team. Internal IT governance guidelines and software asset management processes are built to document and approve software before it touches company data, but shadow IT routes around that process entirely. During a regulatory audit, this becomes very difficult to explain and can result in findings, fines, lawsuits, or in the most serious cases, legal exposure for the company, on top of the reputational damage that follows a publicized compliance failure.

Operational and Financial Costs

Beyond security and compliance, shadow IT creates day-to-day friction. Departments end up using different tools for the same job, like one team running Slack while another runs Microsoft Teams, which fragments collaboration and creates duplicate versions of the same work right when cross-functional coordination matters most.

There's also a budget mismatch baked into how shadow IT spreads. When employees buy applications independently, that spend doesn't route through any central plan. A CMO can build a marketing budget around a fixed number, only to find business units have quietly spent a meaningful chunk of it on tools nobody signed off on, which throws planning and forecasting off in ways that are hard to catch until the numbers are already in.

IT can't offer support for apps it doesn't know exist either, so when something breaks, the business unit is on its own, and time-bound projects dependent on an unsupported shadow tool carry real delivery risk. And because these subscriptions live outside procurement, organizations frequently pay for tools that are abandoned, duplicated, or simply forgotten, which is where a meaningful share of avoidable SaaS spend quietly leaks out every year.

Shadow IT Isn't Only a Risk. It's a Signal

It would be a mistake to treat shadow IT purely as something to stamp out. Many of the apps used widely across companies today, Slack being the most cited example, started life as a shadow app that one team adopted before it proved valuable enough to roll out company-wide.

Employees don't go looking for unsanctioned tools out of malice. They do it because the tool provided by IT is slow, clunky, or doesn't solve the actual problem in front of them. Treated correctly, shadow IT is a real-time signal of where the sanctioned tech stack is falling short, and blocking it outright tends to push employees toward even less visible, riskier alternatives.

The better strategy isn't prevention. It's visibility, paired with a fast path to either sanction or shut down what gets discovered.

How to Actually Get Visibility Into Shadow IT

This is where most traditional approaches fail. Manual surveys are slow and depend entirely on employees remembering and disclosing every tool they use. SSO logs only catch apps that were connected to SSO in the first place, which by definition excludes most shadow apps. CASBs were built for network-layer visibility into IaaS and PaaS, not the fine-grained, identity-level detail needed to understand who has access to a specific SaaS app and what permissions they hold.

Real visibility requires looking at identity from multiple angles at once: who is logging into what, what's being expensed, what's directly integrated, and what's actually installed and running on a device. Zluri's Identity Visibility and Intelligence (IVIP) layer pulls from eight discovery methods, including SSO and identity providers, finance and expense systems, direct API integrations with SaaS apps, HRMS, directories, CASBs, and optional desktop agents and browser extensions, to build a single, accurate picture of every human and non-human identity in your environment and exactly what they can access.

That visibility layer feeds directly into governance. Once an app and its users are discovered, Zluri's IGA layer, covering access management, access requests, access reviews, and segregation of duties, lets you decide in minutes whether to sanction the app, restrict its access, or shut it down, with the audit trail to prove it during compliance reviews.

This is the shift that matters: shadow IT isn't a list of unauthorized apps you're trying to eliminate. It's an identity governance gap you're trying to close.

Frequently Asked Questions

What is shadow IT in simple terms?

Shadow IT is any app, tool, or service used inside a company without the knowledge or approval of the IT or security team. In SaaS environments, it's usually an employee signing up for a tool on their own, outside any procurement or security review process.

Is shadow IT always a security risk?

Not automatically, but it carries risk by default because IT has no visibility into how the app handles data, what permissions it holds, or whether the account gets deprovisioned when an employee leaves. The risk comes from the lack of oversight, not necessarily from the tool itself.

How common is shadow IT in organizations today?

Very common. Most studies put the share of employees using unapproved apps at around 80 percent, and that number has only grown with the rise of freemium SaaS and AI tools that require no procurement step to start using.

Can shadow IT ever be a good thing?

Yes, in the sense that it surfaces real gaps in the sanctioned tech stack. Apps that start as shadow IT sometimes turn out to be better solutions than what IT originally provided. The goal isn't to eliminate every instance of it, but to get visibility fast enough to make an informed call on each one.

What's the best way to discover shadow IT apps?

A single method rarely works. SSO logs miss apps that never connected to SSO. Surveys are slow and incomplete. The most accurate approach combines several discovery methods, including SSO, finance systems, direct app integrations, and HRMS data, to build a complete picture of every app and identity in use.

Ready to secure your identity surface?

Related Blogs