97%
Of cloud services used in enterprises are shadow IT: not approved by IT (McAfee Cloud Adoption Report)
10x
More cloud apps in use at typical organizations than IT departments are aware of (Netskope)
65%
Of employees who use unsanctioned apps say they do so because approved tools do not meet their needs
0
Organizations that successfully eliminated shadow IT through blanket bans: the behavior moves, not the tools

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Every organization has shadow IT. Employees use Notion for notes because the approved wiki is slow, Slack DMs files because email is clunky, ChatGPT to draft reports because the approved AI tool is locked down, and personal Google Drive when SharePoint permissions are confusing.

The instinct to ban these tools fails consistently: employees find workarounds, or move to a new tool you have not heard of yet. The security problem is not the tools themselves but the unmanaged data flowing through them: corporate documents in personal cloud storage, credentials stored in browser extensions you did not vet, AI tools trained on your proprietary data.

Three Ways to Discover Shadow IT

Method 1: DNS and proxy log analysis

Every cloud app a device contacts shows up in DNS queries and firewall/proxy logs. Shadow IT discovery starts with analyzing what domains your network traffic is hitting.

For organizations with a web proxy or NGFW (Palo Alto, Fortinet, Zscaler, Cisco Umbrella):

  • Most NGFW vendors include an app identification database that categorizes traffic by application (Dropbox, Google Drive, ChatGPT, etc.): pull the top cloud app categories from the past 30 days
  • Look for file sharing categories (personal cloud storage, collaboration tools), AI/ML services, and productivity/business tools that are not in your approved list

For Microsoft 365 environments, Microsoft Defender for Cloud Apps includes a Shadow IT discovery feature:

# Enable Cloud Discovery in Defender for Cloud Apps
# Then pull the discovery report from:
# security.microsoft.com > Cloud Apps > Cloud Discovery > Dashboard

The Defender for Cloud Apps catalog rates thousands of apps on security criteria including data residency, SOC 2 compliance, breach history, and encryption practices.

Method 2: OAuth grant audit

Employees authorize OAuth apps to access work accounts constantly: 'Sign in with Google' or 'Connect to Microsoft 365.' Each authorization grants the app access to whatever scope the user approved, often without IT knowledge.

# Audit all OAuth grants across your Microsoft 365 tenant
Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $app = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        AppName = $app.DisplayName
        Publisher = $app.PublisherName
        Scope = $_.Scope
        UserCount = 1  # Aggregate this in real analysis
    }
} | Group-Object AppName | Sort-Object Count -Descending | Select-Object -First 50

Apps with Mail.ReadWrite or Files.ReadWrite.All access across many users represent significant unmanaged data exposure.

Method 3: Employee survey (underused and highly effective)

Ask employees directly what tools they use for work that are not officially sanctioned. Frame it as a tool evaluation exercise, not a security audit: you will get honest answers if employees believe the goal is to sanction useful tools rather than ban them.

A 5-question survey to department heads:

  1. What apps do you use regularly that IT has not approved?
  2. What tools do you use for file sharing with external parties?
  3. What AI tools do you use in your work?
  4. What browser extensions do you rely on?
  5. What would make your approved tools good enough that you would stop using the unapproved ones?

Risk Classification: Not All Shadow IT Is Equal

Once you have discovered shadow IT, the temptation is to block everything unapproved. This is counterproductive: it damages productivity and erodes trust without proportionate security benefit.

Classify discovered apps into four tiers:

Tier 1: Approved: Already vetted and accepted. No action needed.

Tier 2: Fast-track approve: Apps with strong security posture (SOC 2 Type II certified, data residency in acceptable jurisdictions, no history of breaches, reasonable data processing terms) that employees use for legitimate work purposes. Fast-track these through a 3-day approval process: the goal is to get them under management (SSO enrollment, DLP policy coverage) without blocking productivity.

Tier 3: Conditional use: Apps with adequate security posture but requiring specific controls: for example, allowing Dropbox for external file sharing only if sensitive data classification blocks are in place, or allowing a specific browser extension only on managed devices. Define the conditions; communicate them; monitor for compliance.

Tier 4: Block: Apps with poor security posture (no encryption at rest, no data processing agreement available, no incident response contact, jurisdiction with no privacy protections), apps that handle sensitive data categories your compliance framework restricts, or apps that create compliance violations regardless of their security posture (GDPR transfers to non-adequate countries, HIPAA data in non-BAA apps).

Tier 4 blocking works only when you provide a sanctioned alternative that meets the same need. If you block personal Dropbox for external file sharing and do not provide a sanctioned external sharing option, employees will use email attachments instead: which is worse.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The Fast-Track Approval Process

The most effective shadow IT control is making the sanctioned process faster than the workaround.

A fast-track approval SLA that works:

  • Employee submits app request via a form (app name, URL, business use case, data types that will flow through it)
  • IT/security reviews the app against a standard checklist: SOC 2 status, data processing agreement availability, privacy policy data residency, vendor breach history
  • Decision within 5 business days: approved with conditions, conditionally approved, or denied with alternative
  • If approved: the app is added to the SSO catalog (employees get it through company accounts, not personal ones), enrolled in the DLP policy if handling sensitive data, and logged in the SaaS inventory

The SSO enrollment is the critical security control: When an app is connected to your IdP (Entra ID, Okta, Google Workspace), you control access through centralized identity management. When an employee leaves, deprovisioning through the IdP automatically revokes access to all connected apps: instead of leaving corporate data accessible in personal accounts indefinitely.

Tools for ongoing management:

  • Microsoft Defender for Cloud Apps: continuous shadow IT discovery, app risk scoring, policy-based blocking for high-risk apps
  • Okta or similar IdP: centralized app catalog, access request workflows, deprovisioning automation
  • Browser agent deployment: some CASB vendors deploy a browser agent that can block unapproved web apps or alert on shadow IT access without requiring a full web proxy

The bottom line

Shadow IT is not a policy problem: it is a product problem. Employees use unapproved tools because approved tools do not meet their needs. Discover shadow IT via DNS/proxy log analysis, OAuth grant audits, and employee surveys. Classify discovered apps into tiers and fast-track legitimate ones through a 5-day approval process that enrolls them in SSO, making the sanctioned path easier than the workaround. Block only Tier 4 apps, and only when you provide a sanctioned alternative for the same use case.

Frequently asked questions

What is shadow IT and why is it a security risk?

Shadow IT is any technology used in an organization without IT knowledge or approval: typically SaaS apps, browser extensions, personal cloud storage, or AI tools that employees use for work. It creates security risk because data flowing through unapproved tools is outside DLP policies, unmanaged OAuth grants give third parties ongoing access to corporate data, and employees who leave still have access to corporate files in personal accounts.

How do you discover shadow IT in an organization?

Three methods: analyze DNS queries and proxy/firewall logs to identify cloud applications your network is connecting to; audit OAuth grants across your Microsoft 365 or Google Workspace tenant to find third-party apps with data access; and survey employees directly about tools they use for work that are not officially sanctioned.

What are the biggest shadow IT risks with AI tools?

Employees using unauthorized AI tools (ChatGPT, Claude, Gemini, Copilot) introduce three categories of risk: data leakage (confidential business data entered into a public AI model may be used for model training or stored on third-party servers), compliance violations (entering PII or protected health information into a non-BAA AI tool may violate GDPR, HIPAA, or CCPA), and intellectual property exposure (source code or trade secrets submitted to a public AI could become training data). Address this by deploying an enterprise AI policy, deploying approved enterprise AI tools with data protection controls, and blocking unauthorized AI domains in your web proxy.

How do I manage shadow IT without banning every unapproved tool?

Use a risk-tiered approach: Tier 1 (approved) apps get SSO integration and are listed in your software catalog; Tier 2 (tolerated) apps are used for non-sensitive work with employee acknowledgment; Tier 3 (conditional) apps require a fast-track approval process before use; Tier 4 (blocked) apps are blocked at the proxy or DNS level. Fast-track approvals should complete in 5 business days or less. If the approval process takes weeks, employees will use the tool anyway and just not tell IT. The goal is making the sanctioned path faster than the workaround.

What tools detect shadow IT automatically?

Cloud Access Security Brokers (CASBs) provide the most comprehensive shadow IT discovery: they analyze network traffic logs or act as a proxy to identify all cloud services in use. Major CASB vendors include Microsoft Defender for Cloud Apps (included in M365 E5), Netskope, and Zscaler. For organizations without a CASB, export DNS query logs from your DNS resolver and run the domains against a cloud app catalog. Microsoft 365 customers can use the Microsoft 365 App Governance feature to audit OAuth grant activity. These tools typically discover 5-10 times more applications than IT is aware of.

How do you handle shadow IT that turns out to be business-critical after discovery and cannot simply be blocked?

Business-critical shadow IT is the norm rather than the exception -- teams built workflows on unsanctioned tools precisely because those tools solved real business problems that approved applications did not. Blocking creates immediate operational disruption. The correct response: triage discovered applications by risk and business impact. For each application: determine what data it stores or processes (PII, financial data, credentials), who owns the relationship with the vendor, and whether there is a sanctioned alternative that covers the same use case. High-risk applications handling sensitive data require either rapid migration to a sanctioned alternative or an accelerated vendor review and approval process -- typically 30-60 days. Lower-risk productivity tools (collaboration, communication) can often be sanctioned on a provisional basis while controls are put in place (MFA, SSO integration, data retention policy). For applications that cannot be approved due to security gaps (no SSO, no audit logs, no DPA): negotiate directly with the vendor for security enhancements as part of a formal procurement, or identify and fund the migration to a sanctioned alternative. The security team's role here is to facilitate compliance, not block productivity -- unilateral blocking without alternatives drives data to personal devices and off-network tools that are even harder to monitor.

Sources & references

  1. Gartner: Managing Shadow IT
  2. CISA: Securing the Use of Commercial Joint Venture Online Environments
  3. Microsoft Defender for Cloud Apps: Shadow IT Discovery

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.