TL;DR: Shadow IT can improve productivity and speed up innovation, but, as the Zluri article argues, unmanaged app adoption creates compliance and security blind spots as employees choose tools outside IT control. The real governance issue is not stopping experimentation, but bringing discovery, oversight, and access control into the SaaS reality.
NHIMG editorial — based on content published by Zluri: Security & Compliance Benefits of Shadow IT: A Latent Force Driving Innovation & Productivity
Questions worth separating out
Q: How should security teams govern shadow IT without blocking productivity?
A: Security teams should govern shadow IT by discovering usage early, assigning ownership, and reviewing access paths before the app becomes business critical.
Q: Why does shadow IT create identity governance risk?
A: Shadow IT creates identity governance risk because users can build access relationships outside approved lifecycle controls.
Q: What do organisations get wrong about blocking unsanctioned applications?
A: Organisations often assume blocking one app will stop the behaviour, but users usually move to another tool that meets the same need.
Practitioner guidance
- Map unsanctioned app discovery to access ownership: create a process that ties each discovered SaaS app to a business owner, a technical owner, and a revocation path so access is not left unmanaged after adoption.
- Review where approved tools are causing workflow friction: use employee feedback and app usage signals to identify sanctioned systems that are driving shadow adoption because they are too slow, too rigid, or do not solve the task.
- Connect SaaS inventory to offboarding and recertification: ensure every external application found in discovery feeds into access review, account closure, and data-sharing validation so governance follows the full identity lifecycle.
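The ownership and lifecycle checks in the guidance above, as an added example written for this editorial (not code from Zluri or NHIMG): a review pass over a discovered-SaaS inventory that flags apps with no owner or revocation path, accounts still held by offboarded staff, and apps past their recertification window. The app names, users, dates and the 180-day interval are constructed sample data.

```python
from datetime import date

# Constructed sample data (hypothetical apps, users and dates).
# Discovery output: which users were seen using each unsanctioned app.
DISCOVERED_APPS = {
    "notion-team": {"users": ["alice", "bob", "carol"]},
    "figma-design": {"users": ["dave", "erin"]},
    "airtable-ops": {"users": ["frank"]},   # found, but never assigned
}
# Ownership register: the business owner, technical owner, revocation
# path and last access recertification recorded for each app.
OWNERSHIP = {
    "notion-team": {"business_owner": "alice", "technical_owner": "it-ops",
                    "revocation_path": "admin-console",
                    "last_recertified": date(2024, 1, 15)},
    "figma-design": {"business_owner": "dave", "technical_owner": None,
                     "revocation_path": None,
                     "last_recertified": date(2024, 6, 1)},
}
# HR roster of active staff: carol and frank have been offboarded.
ACTIVE_STAFF = {"alice", "bob", "dave", "erin"}
REVIEW_DATE = date(2024, 9, 1)
RECERT_INTERVAL_DAYS = 180
REQUIRED_FIELDS = ("business_owner", "technical_owner", "revocation_path")


def review_inventory(apps, ownership, active_staff, today,
                     interval_days=RECERT_INTERVAL_DAYS):
    """Return sorted (app, finding) pairs for every governance gap."""
    findings = []
    for app, info in apps.items():
        record = ownership.get(app)
        if record is None:
            findings.append((app, "no ownership record"))
        else:
            for field in REQUIRED_FIELDS:
                if not record.get(field):
                    findings.append((app, f"missing {field}"))
            age = (today - record["last_recertified"]).days
            if age > interval_days:
                findings.append((app, "recertification overdue"))
        # Lifecycle check: any account held by someone no longer on the roster.
        for user in info["users"]:
            if user not in active_staff:
                findings.append((app, f"account for offboarded user {user}"))
    return sorted(findings)


def run_review():
    """Run the review over the constructed sample data."""
    return review_inventory(DISCOVERED_APPS, OWNERSHIP, ACTIVE_STAFF, REVIEW_DATE)


if __name__ == "__main__":
    for app, finding in run_review():
        print(f"{app}: {finding}")
```

In practice the discovery feed, ownership register and HR roster would come from the SaaS management platform, a CMDB and the HR system respectively; the check itself stays the same.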
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- How employee-driven app adoption shows up in day-to-day SaaS governance and access management workflows
- Examples of productivity gains cited by the source, including how teams justify unsanctioned tools internally
- The article's discussion of why blocking apps can drive users toward even less visible alternatives
- The source author's business framing for aligning IT, security, and employee needs around app choice
Read Zluri's analysis of shadow IT, compliance risk, and productivity
Shadow IT and compliance risk: what are IAM teams missing?
Explore further
Shadow IT is an identity governance problem before it is a software problem. The article is right to frame unsanctioned app use as a business reality, but the deeper issue is that access relationships are being created outside the lifecycle that IAM and IGA teams can govern. Once a user adopts a tool without a sanctioned ownership trail, review, offboarding, and audit evidence all become harder to prove. Practitioners should treat discovery as the first governance control, not the last reporting step.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who should own shadow IT risk when employees choose their own tools?
A: Shadow IT risk should be shared across security, IT, procurement, and the business owner of the workflow. Security can define control requirements, but the business must own the productivity need and IT must own discovery and lifecycle enforcement. Without shared accountability, the same unmanaged app pattern keeps recurring.
Read our full editorial: Shadow IT's productivity value creates an identity governance gap