Shadow IT

What is Shadow IT?

Shadow IT Definition

Shadow IT refers to the practice of using IT systems, devices, software, applications, or services by organization employees without the knowledge and approval of the IT department or management. These are solutions that have not been officially approved, implemented, or supported by the organization’s IT department.

Causes of Shadow IT Emergence

  • Need for quick resolution of business problems
  • Dissatisfaction with official IT tools provided by the organization
  • Desire to increase work productivity and efficiency
  • Lack of awareness about risks associated with using unapproved tools
  • Long wait times for IT department to implement new solutions
  • Personal preferences of employees regarding specific tools or applications

Benefits of Shadow IT

  • Increased employee productivity
  • Faster implementation of innovative solutions
  • Flexibility in adapting tools to employee needs
  • Potential cost savings (in the short term)
  • Identification of gaps in the organization’s official IT infrastructure

Threats Associated with Shadow IT

  • Risk of data security breach
  • Lack of control over information flow in the organization
  • Difficulties in ensuring regulatory compliance (e.g., GDPR)
  • Potential software licensing conflicts
  • System integration and compatibility issues
  • Loss of control over organizational data
  • Difficulties in managing and monitoring IT infrastructure

Examples of Shadow IT

  • Using personal accounts in cloud services (e.g., Dropbox, Google Drive) to store company data
  • Installing unapproved applications on work devices
  • Using private devices for work purposes without proper security
  • Using unapproved communication tools (e.g., WhatsApp, Slack)
  • Creating and using non-standard spreadsheets or databases

How to Detect Shadow IT?

  • Regular audits and inventory of hardware and software
  • Monitoring network traffic and analyzing logs
  • Using Cloud Access Security Broker (CASB) tools to detect cloud applications
  • Conducting surveys and conversations with employees
  • Analyzing IT expenses and comparing them with official purchases
  • Monitoring application downloads and installations on company devices

Protection Methods Against Shadow IT

  • Educating employees about Shadow IT threats
  • Implementing security policies and procedures for IT tool usage
  • Regularly updating official IT infrastructure to meet employee needs
  • Introducing a fast approval and implementation process for new tools
  • Implementing Mobile Device Management (MDM) and Mobile Application Management (MAM) solutions
  • Using tools to monitor and control access to cloud applications
  • Creating a catalog of approved applications and services for employees
  • Encouraging employees to report IT needs and propose new solutions

Shadow IT poses a challenge for organizations, balancing the need for innovation with the necessity to ensure security and control. The key is finding a balance between flexibility and security to leverage potential benefits of Shadow IT while minimizing associated risks.

Frequently asked questions

What is Shadow IT in simple terms?

Shadow IT is the use of unauthorised IT systems, applications, devices, or cloud services by employees without IT department approval or visibility. Common examples in 2026: ChatGPT and other AI chatbots used for work tasks, personal Dropbox/Google Drive accounts for sharing files, Trello/Notion/Asana for projects, free messaging apps for client communication, personal devices accessing corporate data. Studies show typical organisations use 5-10x more SaaS apps than IT believes — Netskope research finds 800+ cloud apps in average mid-size enterprises versus 50-100 sanctioned. Shadow IT creates security, compliance, and data governance risks but often emerges from legitimate productivity needs that IT hasn't met.

Why does Shadow IT happen?

Six common drivers: (1) **Productivity gap** — sanctioned tools are slow, clunky, or insufficient; employees find better alternatives, (2) **Speed** — IT procurement takes weeks/months for new tools; employees can sign up for SaaS in minutes, (3) **Bring Your Own Device (BYOD)** — personal phones, laptops accessing corporate data, (4) **Departmental autonomy** — marketing, sales, design teams adopt domain-specific tools without IT review, (5) **Free tiers** — many SaaS apps offer free or freemium tiers that don't require corporate procurement, (6) **AI explosion 2024-2026** — employees adopting ChatGPT, Claude, GitHub Copilot, AI-powered tools faster than IT can vet. Shadow IT is rarely malicious — it usually reflects unmet needs IT should address.

What are the risks of Shadow IT?

Six categories of risk: (1) **Data leaks** — sensitive data uploaded to consumer cloud storage (personal Google Drive, Dropbox), AI chatbots, or unsanctioned apps with weak security, (2) **Compliance violations** — GDPR, HIPAA, PCI-DSS, SOX violations from data going to non-compliant providers; fines reach €20M / 4% turnover, (3) **Security blind spots** — IT can't monitor or respond to incidents on apps it doesn't know about; SOC visibility broken, (4) **Account takeover** — Shadow IT apps often without MFA, weak authentication; compromised accounts give attackers a foothold, (5) **Vendor risk** — unvetted vendors may have security weaknesses, breached credentials, supply chain risks, (6) **Cost duplication** — multiple paid SaaS doing the same thing across departments; financial governance issues.

How do you detect Shadow IT?

Five detection approaches: (1) **CASB Shadow IT discovery** — analyses firewall, proxy, or SD-WAN logs to identify cloud apps in use; assigns risk scores; vendors include Netskope, Microsoft Defender for Cloud Apps, Zscaler, Forcepoint, (2) **DNS filtering platforms** (Cisco Umbrella, Cloudflare 1.1.1.1 for Teams, Quad9) — show which cloud services users access, (3) **Expense report mining** — Concur, Expensify integrations identify SaaS subscriptions on personal cards, (4) **EDR app inventory** — endpoint agents catalogue installed software, (5) **User survey** — periodic 'what tools are you using?' surveys reveal apps networks miss. CASB-based discovery is the standard for mid-size and enterprise; smaller organisations use DNS filtering as a first step.
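As an added example, not code from this page or from any vendor's CASB, here is the log-based discovery that both the "How to Detect Shadow IT?" list and the answer above describe: parse proxy log lines, match each destination host against a catalogue of sanctioned and unsanctioned cloud apps, and build an inventory of unsanctioned apps with the users and outbound volume behind them. The log layout, the sample lines and the app catalogue are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not from the original page); assumed layout:
# timestamp user destination_host bytes_out action
SAMPLE_PROXY_LOG = """\
2026-01-15T09:01:02Z alice drive.google.com 1048576 allow
2026-01-15T09:01:30Z alice sharepoint.example.com 20480 allow
2026-01-15T09:05:11Z bob www.dropbox.com 5242880 allow
2026-01-15T09:06:40Z bob chat.openai.com 4096 allow
2026-01-15T09:07:02Z carol api.trello.com 2048 allow
2026-01-15T09:08:15Z carol drive.google.com 512000 allow
2026-01-15T09:09:00Z dave teams.microsoft.com 8192 allow
"""

# Assumed app catalogue keyed by domain suffix -> (app name, sanctioned?).
# A real CASB ships its own catalogue with thousands of entries and risk scores.
APP_CATALOG = {
    "sharepoint.example.com": ("Microsoft SharePoint", True),
    "teams.microsoft.com": ("Microsoft Teams", True),
    "drive.google.com": ("Google Drive (personal)", False),
    "dropbox.com": ("Dropbox", False),
    "openai.com": ("ChatGPT", False),
    "trello.com": ("Trello", False),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def classify_host(host):
    """Map a destination host to (app, sanctioned) by longest catalogue suffix match."""
    for suffix in sorted(APP_CATALOG, key=len, reverse=True):
        if host == suffix or host.endswith("." + suffix):
            return APP_CATALOG[suffix]
    return ("unknown", False)   # unknown destinations are reported so someone reviews them

def shadow_it_inventory(log_text):
    """Return {app: {"users": set, "bytes_out": int}} for unsanctioned apps only."""
    inv = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip malformed lines instead of aborting the run
        _, user, host, nbytes, _ = m.groups()
        app, sanctioned = classify_host(host)
        if not sanctioned:
            inv[app]["users"].add(user)
            inv[app]["bytes_out"] += int(nbytes)
    return dict(inv)
```

Sorting the inventory by `bytes_out` gives the triage order an analyst actually wants: the unsanctioned app receiving the most corporate data first.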

How do you manage Shadow IT?

Four-step strategy: (1) **Discover and classify** — use CASB or DNS filtering to inventory all cloud apps; assess each for risk, compliance, business value, (2) **Sanction the useful ones** — formally approve apps that are low-risk and meet a real need; provide them as official tools with SSO + DLP, (3) **Block the dangerous ones** — high-risk apps (consumer file sharing, unvetted AI tools, peer-to-peer apps) should be blocked at SWG/proxy/firewall, (4) **Provide alternatives for blocked apps** — when blocking ChatGPT, provide approved Microsoft Copilot or enterprise ChatGPT; when blocking personal Dropbox, ensure OneDrive/Box/Drive is easy to use. **Don't just block** — without alternatives, employees find new workarounds. Shadow IT often reveals real productivity needs IT should serve, not just suppress.

What is Shadow AI?

Shadow AI is the rapidly-growing subset of Shadow IT involving employees using AI chatbots and AI-powered SaaS without IT approval — pasting confidential code, customer data, financial documents, or proprietary information into ChatGPT, Claude, Gemini, Copilot, or AI-powered productivity tools. Risks: (1) **Data exfiltration** — input becomes training data or visible to provider, (2) **Compliance violations** — GDPR/HIPAA/PCI-DSS data exposed, (3) **IP loss** — code and trade secrets shared, (4) **Hallucination liability** — AI outputs used as authoritative without verification. Defences: (1) Provide approved enterprise AI (Microsoft Copilot for M365, ChatGPT Enterprise, Claude for Enterprise) with data protection guarantees, (2) DLP rules blocking sensitive data in AI tool URLs, (3) Acceptable use policies covering AI, (4) Training. Most organisations are 6-12 months behind employees in AI tooling — closing this gap is critical in 2026.
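As an added example (not from this page or any DLP product), a minimal form of the DLP rule listed among the defences above: inspect request bodies bound for AI chat tool hosts for payment card numbers (Luhn-validated to cut false positives), AWS-style access key IDs and e-mail addresses, and block when a detector fires. The host list, the detector patterns and the test strings are assumptions for this example.

```python
import re

# Assumed hosts of consumer AI chat tools that the policy scopes to.
AI_TOOL_HOSTS = {"chat.openai.com", "claude.ai", "gemini.google.com"}

# Simplified detectors; a production DLP engine carries far more, with context rules.
PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "api_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),        # AWS access key ID shape
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def luhn_ok(digits):
    """Luhn checksum over a digit string; rejects most random 13-16 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return 13 <= len(digits) <= 16 and total % 10 == 0

def find_sensitive(text):
    """Return the set of detector names that fire on the text."""
    hits = set()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue                 # digit run that is not a valid card number
            hits.add(name)
    return hits

def evaluate_upload(host, body):
    """Policy decision for a request body sent to host: ('allow'|'block', hits)."""
    if host not in AI_TOOL_HOSTS:
        return ("allow", set())          # rule is scoped to AI tool hosts only
    hits = find_sensitive(body)
    return ("block", hits) if hits else ("allow", set())
```

The same decision function can feed the sanctioned enterprise AI endpoint with an "allow" verdict, which is what makes "provide an approved alternative" and "block the consumer one" a single policy rather than two.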

Is some Shadow IT actually beneficial?

Yes — Shadow IT often reveals legitimate productivity gaps. Benefits: (1) **Innovation** — new tools tested in shadow mode often become official tools later (Slack, Trello, Notion all started as Shadow IT), (2) **Speed** — teams move faster than slow IT procurement allows, (3) **Specialisation** — marketing, design, engineering, sales each have domain-specific tools that horizontal IT may not understand, (4) **Cost discovery** — Shadow IT shows what users would pay for, informing IT buying decisions. Modern IT departments embrace 'governed innovation': fast track for low-risk approvals, sandbox environments for experimentation, partnership with departments rather than blanket prohibition. The goal isn't zero Shadow IT — it's visibility and governance.
