I ask every new client the same question before we start their I.T. assessment: can you give me a list of every software application your company uses?
Most owners say yes, and then hand me a list of the tools they pay for. Accounting software. Email. CRM. A few other licensed products.
Then I ask a different question: what software does your team actually use every day, including anything they set up themselves?
That list is always longer. Usually much longer.
This is the shadow I.T. problem. Shadow I.T. refers to any technology in use at a company that was not formally approved, evaluated, or integrated by whoever manages I.T. It happens everywhere, in companies of every size. And in small businesses, where there is often no formal approval process for new software, it can get out of hand quickly.
It is about efficiency, not recklessness
The employees using shadow I.T. are almost never acting maliciously. They found a tool that solves a real problem. Maybe the approved tool is slow or hard to use. Maybe they started using something in a previous job and brought the habit with them. Maybe they just needed to share a file quickly and grabbed the first free tool that worked. The motivation is efficiency, not recklessness.
The problem is what happens to the data those tools handle.
A salesperson uses a free AI tool to summarize client call notes. Those notes contain client names, deal sizes, and strategic details. The free AI tool’s terms of service allow it to train its models on user data. Your client’s confidential information is now being used to train someone else’s AI.
An accountant uses their personal Dropbox to share financial files with a vendor because the company’s approved file sharing system is cumbersome. The personal Dropbox account has no multi-factor authentication enabled. The accountant reuses a password they use elsewhere. The password is in a breach database. Someone logs into the Dropbox.
A project manager builds a detailed client workflow tracker in a free project management tool. When they leave the company, the account stays active because nobody knew it existed. The client data sits in a third-party tool under a former employee’s email address.
None of these scenarios requires a sophisticated attacker. They require only ordinary habits and a lack of visibility.
Start with a conversation, not a crackdown
Getting control of shadow I.T. starts with a discovery conversation, not a crackdown. A crackdown without alternatives pushes the problem underground: employees keep using the tools, they just stop mentioning them. The goal is to understand what is actually in use and why.
Run a simple survey. Ask every department: what tools do you use for your daily work? Include everything, not just what I.T. provided, but what you downloaded yourself, what free tools you rely on, what apps are on your phone that connect to work accounts. Make it clear this is a survey, not an audit. You want to understand, not punish.
Once you have the list, evaluate each tool against three questions:
Does this tool handle company or client data? If yes, it needs to meet your security and compliance standards, whatever those are. If it cannot meet them, it needs to be replaced with something that can.
Is this tool solving a real problem that your approved tools are not? If yes, that is worth knowing. It might be time to reconsider whether the approved tool is the right one.
Is this tool under company control, or does it live in a personal account? Anything work-related needs to be in a company-owned account so that access can be managed, and revoked when someone leaves.
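The survey tells you what people say they use; proxy or DNS logs tell you what the network actually sees, and reconciling the two against the inventory answers the first and third questions mechanically. The script below is an added example, not code from the original post. It assumes a constructed log format of timestamp, user and destination domain, and a constructed inventory whose field names (handles_data, company_account) are this example's own; the sample log lines and domains are made up for illustration.

```python
"""
Added example (not from the original post): reconcile the domains the
network actually sees against the approved software inventory.

Assumptions (all constructed for this example):
- A web-proxy or DNS log with lines of the form: <timestamp> <user> <domain>
- An approved-tool inventory keyed by domain, recording whether the tool
  handles company/client data and whether it runs on a company-owned account.
"""
from collections import defaultdict

# Constructed sample log lines: timestamp, user, destination domain.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice crm.example
2024-05-01T09:03:40Z alice www.dropbox.com
2024-05-01T09:05:02Z bob ai-summarizer.example
2024-05-01T09:06:13Z carol www.dropbox.com
2024-05-01T09:07:55Z dave pm-tracker.example
2024-05-01T09:08:20Z bob ai-summarizer.example
2024-05-01T09:09:01Z alice accounting.example
"""

# Constructed inventory of approved tools. Field names are this example's own.
APPROVED = {
    "crm.example": {"handles_data": True, "company_account": True},
    "accounting.example": {"handles_data": True, "company_account": True},
    # Approved, but the only login is the project manager's personal account.
    "pm-tracker.example": {"handles_data": True, "company_account": False},
}


def parse_log(text):
    """Return {domain: set(users)} from the constructed log format.

    Malformed lines are skipped rather than aborting the whole run."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, user, domain = parts
        seen[domain.lower()].add(user)
    return seen


def reconcile(seen, approved):
    """Classify each observed domain against the inventory.

    Returns (domain, user_count, finding) tuples with the findings first,
    most widely used unknown tools at the top."""
    findings = []
    for domain, users in seen.items():
        entry = approved.get(domain)
        if entry is None:
            finding = "not in inventory: evaluate data handling and ownership"
        elif entry["handles_data"] and not entry["company_account"]:
            finding = "approved but on a personal account: move to company account"
        else:
            finding = "ok"
        findings.append((domain, len(users), finding))
    findings.sort(key=lambda f: (f[2] == "ok", -f[1], f[0]))
    return findings


def shadow_it_report(log_text=SAMPLE_LOG, approved=APPROVED):
    """Everything that needs a follow-up conversation, i.e. not 'ok'."""
    return [f for f in reconcile(parse_log(log_text), approved) if f[2] != "ok"]


if __name__ == "__main__":
    for domain, n, finding in shadow_it_report():
        print(f"{domain:28} {n:>3} user(s)  {finding}")
```

The user count matters more than the domain: a tool three people reached for on their own is usually solving a problem the approved tool is not, which is the second question above. Feed the report back into the survey conversation rather than blocking the domains outright.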
Build a fast process for next time
After the survey, build a process for the future. New software requests should go through a simple, fast approval step: not a six-week committee review, but a quick check in which someone evaluates the tool, confirms it meets basic security requirements, sets it up on a company account, and logs it in the inventory. Two days, not two months.
The byproduct of that process is an accurate software inventory. That inventory has value beyond security. It tells you what you are actually paying for, what is redundant, and where you might consolidate tools and reduce costs.
Shadow I.T. is a symptom. It means your team has needs that approved tools are not meeting. Treat it as useful information, and you will end up with a more secure environment and a team that trusts the process enough to use it.