Shadow IT: The Hidden Attack Surface Growing Inside Your Organization

Understand the security risks of shadow IT, from unauthorized SaaS apps to rogue cloud instances. Learn discovery methods, real breach examples, and a governance framework to regain control.

Shadow IT is the use of technology systems, devices, software, applications, and services without the explicit knowledge or approval of an organization's IT department. According to Gartner, 30-40% of IT spending in large enterprises is shadow IT, and that percentage continues to grow as cloud services and SaaS applications become easier to adopt. A 2024 study by Productiv found that the average enterprise uses 371 SaaS applications, but IT teams are only aware of about 60% of them. Each unsanctioned application represents an unmonitored entry point, an unpatched vulnerability surface, and a potential data leak. Shadow IT is not a minor governance issue -- it is one of the fastest-growing attack vectors in modern enterprises.

Key Takeaways

  • 30-40% of enterprise IT spending goes to shadow IT (Gartner)
  • Roughly 40% of the SaaS applications in use at the average enterprise are unknown to IT (Productiv: 371 in use, 224 known to IT)
  • Shadow IT increases breach risk by creating unmonitored, unpatched entry points
  • Common shadow IT includes SaaS apps, personal cloud storage, unauthorized APIs, and unmanaged devices
  • Discovery requires both technical tools (EASM, CASB) and organizational governance

What Is Shadow IT?

Shadow IT encompasses any technology resource used within an organization that exists outside the visibility and control of the IT department. It is not inherently malicious -- in most cases, employees adopt unauthorized tools because they need to get work done faster than official procurement processes allow. However, the security implications are severe because these systems bypass the organization's security controls, patch management, access governance, and data protection policies.

Types of Shadow IT

Type | Examples | Risk Level
SaaS Applications | Trello, Notion, Slack (unauthorized instances), file-sharing services, project management tools | High
Cloud Infrastructure | Personal AWS accounts, Azure subscriptions, GCP projects spun up by developers | Critical
Personal Devices | Smartphones, tablets, laptops used for work without MDM enrollment | High
Shadow APIs | Undocumented APIs connecting internal systems to external services | Critical
Communication Tools | WhatsApp, Telegram, personal email used for business communications | Medium
Development Tools | Unauthorized code repositories, CI/CD pipelines, testing environments | High
Marketing Technology | Analytics platforms, email marketing tools, landing page builders with tracking scripts | Medium

Shadow IT by the Numbers

The scale of shadow IT is consistently underestimated by leadership:

  • Gartner (2024): By 2027, 75% of employees will acquire, modify, or create technology outside IT's visibility, up from 41% in 2022
  • Productiv (2024): The average enterprise uses 371 SaaS applications, with IT aware of only 224 of them
  • IBM Security (2024): Shadow IT was a contributing factor in 12% of data breaches, with an average cost 16% higher than breaches without shadow IT involvement
  • Netskope (2025): 97% of cloud applications used in the enterprise are shadow IT, unmanaged and often violating data protection policies
  • CIO.com Survey (2024): 80% of workers admitted to using SaaS applications without IT approval
  • Everest Group (2024): Shadow IT spending in the average Fortune 500 company exceeds USD 500 million annually

Real-World Breach Examples

Unauthorized Cloud Storage Exposure

In 2023, a major financial services firm suffered a data breach affecting 3.5 million customer records when a developer provisioned an AWS S3 bucket outside the company's managed cloud environment to speed up a testing process. The bucket was left publicly accessible with no encryption, no access logging, and no security monitoring. The breach went undetected for 4 months because the asset was invisible to the company's security tools.

Rogue SaaS Data Leak

A European manufacturing company discovered that employees across 12 departments were using an unauthorized project management platform to share product designs, supplier contracts, and pricing data. When the SaaS provider suffered a breach, the company's confidential data was exposed. The company had no contractual relationship with the provider and no ability to invoke data protection clauses or incident response procedures.

Shadow API Exploitation

A healthcare organization was breached through an undocumented API that a development team had created to sync patient data with a third-party scheduling system. The API used basic authentication with a hardcoded credential, had no rate limiting, and was exposed to the internet without the security team's knowledge. Attackers discovered it through automated scanning and extracted over 100,000 patient records.

Why Shadow IT Is Growing

Understanding the root causes of shadow IT is essential for addressing it effectively:

  • Slow procurement processes: When it takes weeks to approve a new tool, employees find faster alternatives. The average enterprise IT procurement cycle is 3-6 months, while signing up for a SaaS tool takes minutes
  • Inadequate IT-provided tools: If official tools do not meet user needs, employees will find ones that do. A Gartner survey found that 69% of shadow IT adoption stems from unmet business needs
  • Remote and hybrid work: Distributed workforces use personal devices and consumer tools to stay productive, especially when VPN connections are slow or unreliable
  • Low friction cloud adoption: SaaS and cloud platforms offer self-service provisioning with credit card payment, removing traditional IT gatekeeping
  • Departmental autonomy: Marketing, sales, and HR teams often have budgets for technology that bypasses IT governance entirely

Security Risks of Shadow IT

1. Expanded and Unmonitored Attack Surface

Every shadow IT system is an asset that your security team does not monitor, does not patch, and does not include in incident response planning. It expands the organization's attack surface without expanding its defenses.

2. Data Loss and Leakage

Shadow SaaS applications often store sensitive corporate data outside the organization's DLP (Data Loss Prevention) controls. Employees may upload customer data, financial records, or intellectual property to services with inadequate security controls or data residency commitments.

3. Compliance Violations

Shadow IT frequently violates regulatory requirements. Under GDPR, data processed by an unauthorized tool may lack a legal basis, a data processing agreement with the provider, or a proper consent mechanism. NIS2 Article 21(2)(i) requires policies on access control and asset management -- impossible to satisfy when significant IT resources exist outside official governance.

4. Credential Sprawl

Each shadow IT application typically requires its own credentials. Employees often reuse passwords across shadow and official applications, creating a chain: when shadow SaaS credentials are compromised in a third-party breach, attackers can use them to access official corporate systems.

5. Lack of Security Updates

Shadow IT systems are not included in the organization's patch management program. Cloud instances, self-hosted tools, and development environments operating outside IT governance often run outdated software with known vulnerabilities.

How to Discover Shadow IT

Technical Discovery Methods

  • External Attack Surface Management (EASM): EASM platforms like Orizon RECON discover internet-facing assets from an external perspective, finding shadow cloud instances, forgotten subdomains, and exposed services that IT does not know about
  • Cloud Access Security Brokers (CASB): CASBs sit between users and cloud services, identifying all SaaS applications being accessed from the corporate network or managed devices
  • Network traffic analysis: Monitor DNS queries, web proxy logs, and firewall data to identify connections to unauthorized cloud services
  • SSO and identity analytics: Review OAuth grants and SAML connections in your identity provider to find applications that employees have connected without approval
  • Endpoint detection: EDR and UEM tools can inventory software installed on managed devices, including unauthorized applications
  • Financial audit: Review expense reports and credit card statements for SaaS subscriptions that bypass IT procurement
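The network traffic analysis method above is the one that most teams can start on with logs they already have. As an added example (not code from the article or from Orizon), the script below classifies every destination in a constructed proxy log against an assumed sanctioned-application catalog and a small table of known SaaS domains, then aggregates per application by distinct users and bytes uploaded so that the largest unsanctioned data flows surface first. The log format, the catalog, the SaaS fingerprints and the user names are all constructed for illustration.

```python
"""Triage proxy/DNS logs for unsanctioned SaaS use.

Added example, not from the original article or Orizon: the log format,
sanctioned catalog and SaaS fingerprints below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed proxy log: timestamp, user, destination host, bytes sent by the client.
PROXY_LOG = """\
2025-03-03T09:01:12Z alice.k dropbox.com 0
2025-03-03T09:01:15Z alice.k content.dropboxapi.com 48211904
2025-03-03T09:04:02Z bob.t api.notion.so 120411
2025-03-03T09:05:44Z bob.t slack.com 2201
2025-03-03T09:07:10Z carol.m transfer.wetransfer.com 312000000
2025-03-03T09:08:01Z dave.r pastebin.com 9021
2025-03-03T09:09:33Z alice.k m365.cloud.microsoft 300
2025-03-03T09:10:05Z erin.p 4f2k9.unknown-sync.example 5500000
2025-03-03T09:10:05Z bob.t dropboxnotreally.com 100
"""

# Assumed catalog of IT-approved applications: registrable domain -> app name.
SANCTIONED = {
    "slack.com": "Slack",
    "cloud.microsoft": "Microsoft 365",
}

# Assumed SaaS fingerprints: registrable domain -> (app name, category).
KNOWN_SAAS = {
    "dropbox.com": ("Dropbox", "file-sharing"),
    "dropboxapi.com": ("Dropbox", "file-sharing"),
    "notion.so": ("Notion", "collaboration"),
    "wetransfer.com": ("WeTransfer", "file-sharing"),
    "pastebin.com": ("Pastebin", "paste-site"),
    "slack.com": ("Slack", "communication"),
    "cloud.microsoft": ("Microsoft 365", "productivity"),
}


@dataclass
class AppUse:
    app: str
    category: str
    status: str                      # sanctioned | shadow | unknown
    users: set = field(default_factory=set)
    bytes_out: int = 0               # upload volume is the data-leak signal


def match_suffix(host, table):
    """Return (key, value) for the host itself or its closest parent domain in table.

    Matching is done on label boundaries, so 'dropboxnotreally.com' does not
    match 'dropbox.com' while 'content.dropboxapi.com' matches 'dropboxapi.com'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate, table[candidate]
    return None, None


def classify(host):
    """Map a destination host to (app name, category, status)."""
    key, app = match_suffix(host, SANCTIONED)
    if key:
        _, known = match_suffix(host, KNOWN_SAAS)
        return app, (known[1] if known else "approved"), "sanctioned"
    key, known = match_suffix(host, KNOWN_SAAS)
    if key:
        return known[0], known[1], "shadow"
    return host, "unclassified", "unknown"   # never seen: needs a human look


def triage(log_text):
    """Aggregate per app (users, bytes out); unsanctioned apps first, largest uploads first."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, host, sent = line.split()
        app, category, status = classify(host)
        entry = findings.setdefault(app, AppUse(app, category, status))
        entry.users.add(user)
        entry.bytes_out += int(sent)
    return sorted(findings.values(),
                  key=lambda a: (a.status == "sanctioned", -a.bytes_out))


if __name__ == "__main__":
    for f in triage(PROXY_LOG):
        print(f"{f.status:10} {f.app:28} {f.category:14} "
              f"users={len(f.users)} MB_out={f.bytes_out / 1e6:.1f}")
```

Matching on label boundaries is the detail that matters: a naive substring or `endswith` check would accept a look-alike such as dropboxnotreally.com as Dropbox, or miss the API hostname that carries the actual upload. The same classifier runs over DNS or firewall logs with a different parser, and seeding the sanctioned catalog from the SSO application list keeps approved instances from being flagged.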

Organizational Discovery Methods

  • Department surveys: Regularly ask teams what tools they use for specific workflows
  • IT amnesty programs: Create safe channels for employees to disclose shadow IT without penalty
  • Vendor risk assessments: Require all third-party technology integrations to go through a security review, even if the tool is free

Shadow IT Governance Framework

Eliminating shadow IT entirely is neither realistic nor desirable -- the underlying needs that drive it are legitimate. Instead, implement a governance framework that balances security with agility:

  1. Discover and inventory: Deploy EASM and CASB tools to maintain continuous visibility into all IT assets, both sanctioned and unsanctioned
  2. Risk-classify: Categorize discovered shadow IT by risk level. Critical data stores and internet-facing services require immediate action; low-risk tools can be evaluated on a normal timeline
  3. Streamline procurement: Reduce the friction of getting new tools approved. Create a fast-track process for low-risk SaaS tools that includes security review but completes in days, not months
  4. Build an approved catalog: Maintain a curated catalog of pre-approved tools for common needs (file sharing, project management, communication). If employees have good options available, they are less likely to seek unauthorized alternatives
  5. Implement access controls: Use SSO integration as a requirement for all approved tools. Block authentication to unapproved cloud services through conditional access policies
  6. Monitor continuously: Ongoing monitoring ensures new shadow IT is detected quickly. Set alerts for new cloud services, new OAuth grants, and DNS queries to unknown SaaS domains
  7. Educate and engage: Train employees on why shadow IT is risky and how to request new tools through proper channels. Frame the conversation around protecting their work, not restricting it
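The OAuth grant review listed under SSO and identity analytics above, and the alert on new OAuth grants in step 6 of the framework, can both be driven by one triage pass over the identity provider's consent export. The script below is an added example (not the article's or Orizon's code): it parses a constructed export, scores each application by the scopes it holds, whether its publisher is verified, and how recently it was first consented to, and returns the grants that clear an alert threshold. The export format, the scope weights, the 14-day "new grant" window, the threshold and the review time are assumptions for illustration; the scope names follow the Microsoft Graph naming style, but the scoring is provider-neutral.

```python
"""Triage OAuth consent grants from an identity-provider export.

Added example, not from the original article or Orizon. Export format, scope
weights, window and threshold are assumptions; scope names are Graph-style.
"""
from datetime import datetime, timedelta, timezone

# Assumed risk weights: scopes that read or move corporate data on the user's behalf.
SCOPE_WEIGHTS = {
    "Mail.Read": 3, "Mail.ReadWrite": 4, "Mail.Send": 4,
    "Files.Read.All": 4, "Files.ReadWrite.All": 5,
    "Sites.Read.All": 3, "Contacts.Read": 2, "Directory.Read.All": 3,
    "offline_access": 2,      # refresh token: access outlives the user's session
    "User.Read": 0, "openid": 0, "profile": 0, "email": 0,
}
UNREVIEWED_SCOPE_WEIGHT = 2   # a scope nobody has assessed yet is not "free"

# Constructed export: one grant per line, '|' separated, scopes space separated.
GRANTS = """\
app_id|app_name|publisher_verified|scopes|first_consent|consenting_users
a1|Corporate HR Portal|true|openid profile email User.Read|2024-06-10T08:00:00Z|2100
a2|QuickPDF Merge|false|openid profile Files.ReadWrite.All offline_access|2025-03-01T13:22:00Z|4
a3|Team Calendar Sync|true|openid User.Read Calendars.Read|2025-02-20T09:10:00Z|38
a4|MailSummarizer AI|false|openid email Mail.Read Mail.Send Contacts.Read offline_access|2025-02-27T17:05:00Z|1
a5|Design Board|true|openid profile Files.Read.All|2024-11-02T10:00:00Z|260
"""

# Constructed review time, so the "new grant" window is reproducible.
NOW = datetime(2025, 3, 4, tzinfo=timezone.utc)


def parse_grants(text):
    """Parse the export into dicts with typed fields."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("|")
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split("|")))
        row["publisher_verified"] = row["publisher_verified"] == "true"
        row["scopes"] = row["scopes"].split()
        row["first_consent"] = datetime.fromisoformat(
            row["first_consent"].replace("Z", "+00:00"))
        row["consenting_users"] = int(row["consenting_users"])
        rows.append(row)
    return rows


def score_grant(grant, now, new_within=timedelta(days=14)):
    """Return (score, reasons) for one grant."""
    score, reasons = 0, []
    for scope in grant["scopes"]:
        weight = SCOPE_WEIGHTS.get(scope)
        if weight is None:
            weight = UNREVIEWED_SCOPE_WEIGHT
            reasons.append(f"unreviewed scope {scope}")
        elif weight >= 3:
            reasons.append(f"sensitive scope {scope}")
        score += weight
    if not grant["publisher_verified"]:
        score += 3
        reasons.append("unverified publisher")
    if now - grant["first_consent"] <= new_within:
        score += 2
        reasons.append("new grant")
    if "offline_access" in grant["scopes"]:
        reasons.append("persistent refresh token")
    return score, reasons


def review(text, now, alert_threshold=6):
    """Return alert records for grants at or above the threshold, highest score first."""
    alerts = []
    for grant in parse_grants(text):
        score, reasons = score_grant(grant, now)
        if score >= alert_threshold:
            alerts.append({"app": grant["app_name"], "score": score,
                           "users": grant["consenting_users"], "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in review(GRANTS, NOW):
        print(f"{alert['score']:3} {alert['app']:22} users={alert['users']:<5} "
              + "; ".join(alert["reasons"]))
```

Unknown scopes are scored as risky rather than ignored, because a permission the reviewer has never assessed is precisely the one that needs a look. Tune the weights and threshold to the tenant, run the review on a schedule against the previous export so only new or changed grants page anyone, and feed reviewed applications back into the approved catalog.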

Shadow IT and NIS2 Compliance

The NIS2 Directive creates specific challenges for organizations with significant shadow IT:

  • Article 21 (Risk Management): Requires comprehensive cybersecurity risk management, which is impossible without visibility into all IT assets including shadow IT
  • Article 21(2)(a) (Risk Analysis): Mandates policies on risk analysis and information system security -- shadow IT systems are unanalyzed risks by definition
  • Article 21(2)(i) (Asset Management): Requires management of information assets, directly conflicting with the invisible nature of shadow IT
  • Article 23 (Incident Reporting): Requires an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours -- impossible to meet for breaches in systems you do not know exist

Organizations subject to NIS2 must prioritize shadow IT discovery and governance as part of their compliance program. Orizon RECON provides the external visibility required to identify shadow IT assets exposed to the internet, while our Attack Surface Management solutions help integrate discovered assets into your governance framework.

Summary

Shadow IT is not a problem that can be solved with a policy memo. It requires a combination of technical discovery tools, streamlined governance processes, and organizational culture change. The goal is not to eliminate all unauthorized technology use -- that would stifle innovation and productivity -- but to ensure that all technology in use is visible, assessed for risk, and subject to appropriate security controls. Organizations that achieve this balance reduce their attack surface while empowering their teams to work effectively.

shadow-it
attack-surface
risk-management
cloud-security
saas