
Shadow IT visibility gaps: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Shadow IT is software or hardware operating outside IT’s awareness, and Zluri cites Verizon research showing that 61% of software and hardware on company networks can fall into this category. The governance issue is not just discovery, but deciding what to allow, secure, and audit before unsanctioned tools become compliance and data exposure problems.

NHIMG editorial — based on content published by Zluri: Understanding 'Shadow IT' and its Risks - Quick Intro

By the numbers:

Questions worth separating out

Q: How should organisations discover and govern shadow IT apps?

A: Start with discovery, but do not stop there.

Q: Why does shadow IT create so much compliance risk?

A: Shadow IT creates compliance risk because it introduces systems, data flows, and access paths that the organisation has not validated against legal or audit requirements.

Q: What do security teams get wrong about shadow IT?

A: Teams often treat shadow IT as a ban-or-allow problem, when it is really a governance and lifecycle problem.

Practitioner guidance

  • Establish a shadow IT intake process: Route every newly discovered app through a standard disposition workflow that records owner, business purpose, data type, access method, and approval outcome.
  • Tie unsanctioned apps to access controls: Require approved authentication, logging, and access review before any tool is allowed to handle company data.
  • Classify shadow IT by data sensitivity: Prioritise apps that store regulated or customer data first, then evaluate whether their current use violates retention, sharing, or residency requirements.

What's in the full article

Zluri's full article covers the practical detail this post intentionally leaves for the source:

  • The article defines shadow IT in plain business terms and gives examples of the kinds of apps employees adopt without IT visibility.
  • It explains why employees use these tools despite policy risk, which helps teams distinguish productivity pressure from malicious behaviour.
  • It outlines the discovery questions security and IT teams should ask when deciding whether to allow, secure, or block a tool.
  • It cites Verizon's study so readers can connect the governance issue to a measurable scale of shadow adoption.

👉 Read Zluri's quick intro to shadow IT risks and governance →


(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343

Shadow IT is a governance visibility failure before it is a technology problem. The core issue is that unapproved tools sit outside the normal identity and access review model, so the organisation cannot govern what it cannot see. That means access, data handling, and offboarding controls are applied inconsistently or not at all. For practitioners, the real risk is an unmanaged control surface that grows silently inside the business.

A few things that frame the scale:

A question worth separating out:

Q: Who should own decisions about shadow IT applications?

A: Ownership should sit with a combination of IT, security, and the business function using the app, because the decision affects productivity, identity controls, and compliance exposure. If one team owns the decision alone, the organisation usually gets either unsafe shadow use or blanket blocking that drives more shadow adoption.

👉 Read our full editorial: Shadow IT creates visibility gaps that widen identity risk
