BeyondTrust - Secure Remote Access and Privileged Access Management

What is Shadow IT?

Shadow IT is the use of information technology systems, devices, software, applications, AI tools (shadow AI), and services without explicit IT department approval. It happens when individuals and departments stand up rogue systems, applications, and infrastructure to make their jobs easier or more efficient, or to gain access to services outside of the IT department’s normal workflow for asset procurement and management.

Shadow IT isn’t usually implemented with malicious intent. More often, it’s a result of employees or departments faced with inefficiencies or roadblocks that impede their productivity or the completion of a time-sensitive business mission.

While shadow IT can improve employee, client, and vendor productivity, it can also introduce serious risks to your organization through data leaks, unmanaged identities, potential compliance violations, and lack of proper resource management. Shadow IT is pervasive, with one report finding that "98% of companies have employees using unsanctioned apps, including shadow AI. Each company has 1,200 unofficial apps on average."

What is Shadow AI?

Shadow AI, a subset of shadow IT, is a rapidly emerging enterprise concern. As more companies look to improve productivity and accelerate innovation with AI adoption, employees are increasingly “fast-tracking” testing and adoption by installing AI tools and applications without formal oversight or approval. This can even happen on their own personal devices, using corporate data.

Agentic AI, in particular, is a major initiative at many organizations. The BeyondTrust Phantom Labs™ research team reported a 466.7% year-over-year increase in AI agents operating inside enterprise environments. However, some of these agentic AI implementations are happening as shadow IT, and are integrated with a broad range of resources across the organization.

Shadow IT and Identity Risks

Shadow IT also introduces shadow identities, as various tools, systems, applications, etc. often require the creation of new digital identities. These unknown, unmanaged identities exist outside the organization’s security purview, but are often integrated with legitimate corporate identities, accounts, and applications. As a result, these shadow identities could become the “weakest link”, serving as an entry point for an attacker to move laterally or escalate privileges within the corporate environment via privilege pathways.

This is a particular risk for non-human identities, including agentic AI. When onboarding NHIs, teams commonly grant these identities over-provisioned entitlements and / or standing access to corporate systems.

Activities performed by NHIs also tend to slip by unnoticed for longer than with human identities. This is because NHIs, such as machine accounts, service accounts, API Keys, etc., are often set up to run background tasks without human oversight or, in the case of AI agents, act autonomously and make contextual decisions. Mix these underlying risk factors with an NHI that’s completely unknown and unmanaged by an organization’s IT and security teams, and it becomes a considerable security risk.

Shadow IT vs. Shadow Identities

What Are Examples of Shadow IT?

The most common examples of shadow IT include IoT devices, SaaS applications, virtual machines, subnets, network hardware, wireless networks, local applications, AI agents and technologies, and ‘Bring Your Own Cloud’ (BYOC). Let’s now explore these examples further, keeping in mind that they are all forms of shadow information technology.

1. IoT devices

Shadow IoT devices include smart connected devices like fitness trackers, wireless thermostats, cameras, wireless printers, smart TVs, and even some medical devices. They are commonly used and overlooked by IT. The advancement of IoT capabilities means formerly innocuous items, like coffee machines and fridges, can serve as potential pathways onto the corporate network for threat actors.

2. SaaS Applications

Cloud-based applications that don’t follow the normal procurement process represent a pervasive form of shadow IT. Reportedly, 39% of employees use cloud-based applications that aren’t managed by their company on work devices.

A shadow IT SaaS app can pose multiple risks. For instance, it may rely on local accounts that IT doesn’t manage, lack multifactor authentication, hold sensitive data, or lack data segmentation.

3. Virtual Machines (VMs)

Most organizations have hypervisors on their desktops, servers, and in the cloud. Unknown virtual machines are widely present for users to test software, demonstrate solutions, operate specific applications, and even connect to unapproved cloud resources.

The ability to create and destroy virtual machines via a mouse click represents an unacceptable shadow IT risk. This can introduce vulnerabilities, default accounts, poor configuration hygiene, etc. Instead, all VMs used within an organization should be derived from managed templates or snapshots to ensure their creation and runtime are properly managed.

4. Subnets

Businesses add offices, acquire other companies, and expand their networks. Often, this results in routable subnets unknown to the business and, ultimately, unmanaged. Teams typically find these shadow IT subnets by discovering and verifying the IP addresses (assets) that appear in logs, routing tables, and scan results, and can then bring them under management. And, if you are wondering how employees create these subnets without permission, they often use unapproved routers or wireless access points with NAT to hide their shadow devices behind private subnets.

5. Network Hardware

In many organizations, adding a device to the network is as simple as plugging it into a network jack or connecting to Wi-Fi with a username and password. These devices can range from consumer-based Wi-Fi access points to unmanaged printers, cameras, TVs, or virtually anything else that can connect via a network cable or Wi-Fi.

Every unmanaged device presents a risk since no one is monitoring it for vulnerabilities or inappropriate access. Network hardware represents the earliest form of “shadow IT” and can be the Achilles’ heel for a business, if combined with shadow IT subnets, virtualization, and applications, or with unmitigated vulnerabilities.
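The two discovery checks above (unknown routable subnets showing up in logs, and devices plugged in that no one inventoried) come down to comparing what the network reports against what IT believes it owns. The following Python script is an added example, not BeyondTrust code or part of the original article; the managed ranges, asset inventory, neighbour table and firewall log lines are all constructed for illustration. It flags private addresses in the log that fall outside the managed ranges, grouping them by /24 so each candidate shadow subnet stands out, and lists neighbour-table entries whose MAC is not in the asset inventory. The two views complement each other: the neighbour table only sees directly attached hardware, while the log catches addresses routed in from elsewhere; hosts hidden behind an unapproved NAT router show up only as that router.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Set

# Address space IT believes it manages (constructed for this example).
MANAGED_SUBNETS = [ipaddress.ip_network(n) for n in
                   ("10.10.0.0/16", "10.20.0.0/16", "192.168.50.0/24")]

# Asset inventory keyed by MAC address (constructed).
KNOWN_MACS = {
    "00:1a:2b:3c:4d:01": "ws-finance-01",
    "00:1a:2b:3c:4d:02": "printer-floor2",
    "00:1a:2b:3c:4d:03": "core-switch-1",
}

# Constructed neighbour table in `ip neigh` format.
ARP_TABLE = """\
10.10.3.14 dev eth0 lladdr 00:1a:2b:3c:4d:01 REACHABLE
10.10.3.99 dev eth0 lladdr 00:1a:2b:3c:4d:02 STALE
10.10.3.200 dev eth0 lladdr dc:a6:32:11:22:33 REACHABLE
10.10.3.201 dev eth0 lladdr 00:1a:2b:3c:4d:03 REACHABLE
"""

# Constructed firewall log lines (netfilter-style SRC=/DST= fields).
LOG_LINES = """\
Jun 01 10:01:02 fw1 kernel: ACCEPT IN=eth1 SRC=10.10.3.14 DST=10.20.1.5 PROTO=TCP DPT=443
Jun 01 10:01:03 fw1 kernel: ACCEPT IN=eth1 SRC=172.31.7.22 DST=10.20.1.5 PROTO=TCP DPT=445
Jun 01 10:01:04 fw1 kernel: ACCEPT IN=eth1 SRC=172.31.7.23 DST=10.20.1.9 PROTO=TCP DPT=3389
Jun 01 10:01:05 fw1 kernel: ACCEPT IN=eth1 SRC=192.168.50.7 DST=8.8.8.8 PROTO=UDP DPT=53
Jun 01 10:01:06 fw1 kernel: ACCEPT IN=eth1 SRC=10.99.0.4 DST=10.20.1.5 PROTO=TCP DPT=22
"""

IP_RE = re.compile(r"\b(?:SRC|DST)=(\d{1,3}(?:\.\d{1,3}){3})")
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.M)


def is_managed(ip) -> bool:
    """True if the address falls inside a subnet IT already manages."""
    return any(ip in net for net in MANAGED_SUBNETS)


def find_shadow_subnets(log_text: str, prefix: int = 24) -> Dict[str, Set[str]]:
    """Group private addresses outside the managed ranges by /prefix supernet.

    Public addresses (e.g. a DNS resolver) are ignored: they are not candidate
    internal subnets. Each key is a subnet IT did not know about.
    """
    shadow: Dict[str, Set[str]] = defaultdict(set)
    for match in IP_RE.finditer(log_text):
        ip = ipaddress.ip_address(match.group(1))
        if ip.is_private and not is_managed(ip):
            supernet = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            shadow[str(supernet)].add(str(ip))
    return dict(shadow)


def find_unknown_devices(neigh_text: str) -> List[Dict[str, str]]:
    """Neighbour-table entries whose MAC is absent from the asset inventory.

    The OUI (first three octets) is included so an analyst can look up the
    vendor; the lookup itself is out of scope here.
    """
    return [
        {"ip": ip, "mac": mac, "oui": mac[:8]}
        for ip, mac in NEIGH_RE.findall(neigh_text)
        if mac not in KNOWN_MACS
    ]


def discovery_report(log_text: str = LOG_LINES, neigh_text: str = ARP_TABLE) -> dict:
    return {
        "shadow_subnets": find_shadow_subnets(log_text),
        "unknown_devices": find_unknown_devices(neigh_text),
    }


if __name__ == "__main__":
    report = discovery_report()
    for net, ips in report["shadow_subnets"].items():
        print(f"shadow subnet {net}: {sorted(ips)}")
    for dev in report["unknown_devices"]:
        print(f"unknown device {dev['ip']} mac={dev['mac']} oui={dev['oui']}")
```

In a real run the log would come from the firewall or NetFlow collector and the neighbour table from each access switch; the comparison logic stays the same, and every hit becomes a ticket to either onboard the asset or pull its cable.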

6. OAuth-Enabled Applications

Another common example of shadow IT is applications enabled with Open Authorization (OAuth)—an open-standard framework that enables token-based access. OAuth delegates authorization on behalf of the user, with the goal of making access between applications more seamless. For instance, a user might leverage OAuth to connect their Microsoft 365 account to various productivity tools.

While OAuth technology can make it more convenient to link different applications, it also poses risk if adopted without proper oversight. For example, when authorizing an integration with OAuth, a user might unintentionally grant the other application broader access than intended (to mail, files, or contacts, say), a risk IT can’t quantify because it never reviewed the consent.

Consider what a rogue personal digital assistant or e-paper tablet could do with access to your Microsoft 365 environment. OAuth tokens also pose a threat if stolen by threat actors. A stolen token lets the attacker act on behalf of the user without ever authenticating: because a token is presented instead of credentials, its use doesn’t trigger MFA, and a refresh token can keep that access alive until it is revoked.
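A practical first step with OAuth shadow IT is to pull the consent grants that already exist and score them. The Python below is an added example, not BeyondTrust code or part of the original article. The grant records are constructed and only loosely shaped like Microsoft Entra ID consent grants (in a real tenant they would come from the Microsoft Graph oauth2PermissionGrants resource); the scope names are real Microsoft Graph delegated permissions, but the risk tiers, weights and verdict thresholds are this example’s own judgement. The thing to notice is the weight on offline_access: it is the scope that hands the app a refresh token, which is what turns a one-off consent into standing, MFA-free access until someone revokes it.

```python
from dataclasses import dataclass
from typing import Dict, List

# Microsoft Graph delegated permission names; which tier each belongs to is
# this example's own judgement, not a vendor classification.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                    "Sites.ReadWrite.All", "Directory.ReadWrite.All"}
MEDIUM_RISK_SCOPES = {"Mail.Read", "Files.Read.All", "Calendars.Read", "Contacts.Read"}
# offline_access yields a refresh token: the grant outlives the session and any
# later MFA prompt, so it is the scope that turns a consent into standing access.
PERSISTENCE_SCOPE = "offline_access"


@dataclass
class Grant:
    app_name: str
    app_id: str
    scopes: List[str]
    consent_type: str        # "AllPrincipals" = admin consent, "Principal" = one user consented
    publisher_verified: bool
    granted_by: str
    sanctioned: bool         # listed in the IT application catalogue


# Constructed grants, shaped loosely like Entra ID oauth2PermissionGrant records.
GRANTS = [
    Grant("Contoso Expense Sync", "0f3a-expense", ["User.Read", "Calendars.Read"],
          "AllPrincipals", True, "it-admin", True),
    Grant("PDF Magic Free", "9c7e-pdfmagic", ["User.Read", "Mail.ReadWrite", "offline_access"],
          "Principal", False, "alice@example.test", False),
    Grant("Note Taker Pro", "55b1-notetaker", ["User.Read", "Files.Read.All"],
          "Principal", True, "bob@example.test", False),
]


def score_grant(g: Grant) -> Dict[str, object]:
    """Score one consent grant; higher means more worth an admin's attention."""
    findings: List[str] = []
    score = 0
    high = sorted(s for s in g.scopes if s in HIGH_RISK_SCOPES)
    medium = sorted(s for s in g.scopes if s in MEDIUM_RISK_SCOPES)
    if high:
        score += 3 * len(high)
        findings.append("high-risk scopes: " + ", ".join(high))
    if medium:
        score += len(medium)
        findings.append("medium-risk scopes: " + ", ".join(medium))
    if PERSISTENCE_SCOPE in g.scopes:
        score += 2
        findings.append("offline_access: refresh token keeps access alive until revoked")
    if not g.publisher_verified:
        score += 2
        findings.append("publisher not verified")
    if not g.sanctioned:
        score += 2
        findings.append("app is not in the IT catalogue (shadow SaaS)")
    if g.consent_type == "Principal":
        score += 1
        findings.append(f"user consent by {g.granted_by}, never admin-reviewed")
    if score >= 7:
        verdict = "revoke-candidate"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "ok"
    return {"app": g.app_name, "score": score, "verdict": verdict, "findings": findings}


def review_grants(grants: List[Grant] = GRANTS) -> List[Dict[str, object]]:
    """Score every grant, riskiest first."""
    return sorted((score_grant(g) for g in grants), key=lambda r: -int(r["score"]))


if __name__ == "__main__":
    for r in review_grants():
        print(f"{r['verdict']:17} {r['score']:2}  {r['app']}")
        for f in r["findings"]:
            print("   -", f)
```

Revoking the grant invalidates the refresh token the app holds, which is the only way to actually end its access; resetting the user’s password does not.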

7. Bluetooth

Bluetooth might seem innocuous at first glance, but it poses a risk because it lets unmanaged devices pair with corporate endpoints over connections IT doesn’t control.

Employees might pair personal Bluetooth devices, such as headphones, speakers, or smartwatches, with work laptops and phones outside standard IT security controls. A paired device can move files to and from the endpoint or tether it to an unmanaged network, paths that bypass the monitoring applied to the corporate network. Since these devices often go undetected by IT departments, they contribute to shadow IT, increasing the complexity of maintaining a secure and compliant environment.

8. Local Applications

Every business has a few “one-off” applications on servers and end-user workstations. A software inventory via an asset discovery engine can help find these solutions; however, depending on the application, it can represent an unacceptable risk. For example, if a user has installed a software KVM (keyboard, video, mouse) solution to manage multiple assets with a single keyboard and mouse, this can pose a high risk, if vulnerabilities are present. Or malware, like a keylogger, could be installed as a part of a supply chain attack. In addition, a server with an unmanaged vendor monitoring solution that requires a username and password could become a backdoor, if the storage of the credentials isn’t properly secured by the solution.

In the end, all applications should be sanctioned and documented by IT, and “one-offs” need to be discovered and inventoried to prevent application shadow IT.

9. Shadow AI

Many employees are interested in adopting AI agents and other emerging tools to enhance productivity, as well as to respond to company directives on increasing AI adoption. But in many cases, employees are using AI tools / applications without IT or Legal approval, leading to increased risks. 70% of companies were found to have shadow AI lurking in their environment.

Launching AI agents or using other AI-powered tools without proper oversight or guidelines can lead to unintentional data leakage, operational disruption, or cause noncompliance with regulations related to data protection and privacy guidelines. Unsanctioned AI agents can multiply risks, as they’re often granted broad privileged access and can autonomously perform tasks or manage data.
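Both the SaaS and shadow AI sections come down to the same question: what are users talking to that IT never approved? A web proxy or secure web gateway log answers it. The Python below is an added example, not BeyondTrust code or part of the original article; the log lines, sanctioned-domain list and AI-endpoint list are constructed (the AI list is a handful of real product hostnames for illustration, where a real deployment would use a maintained category feed). It reports, per user, unsanctioned AI and SaaS hosts, the bytes sent to AI endpoints, whether any single request looked like a bulk upload, and, as a heuristic of this example’s own, whether the traffic went to an api. host, which points to a script or agent rather than a person in a browser.

```python
import re
from collections import defaultdict
from typing import Dict

# Domains IT has approved (constructed). Matching is by suffix, so sub-domains count.
SANCTIONED = {"copilot.microsoft.com", "sharepoint.com", "example.test"}
# A short illustrative list of AI assistant / API endpoints; a real deployment
# would use a maintained catalogue (CASB/SWG category feed) instead.
AI_DOMAINS = {"chatgpt.com", "chat.openai.com", "api.openai.com", "claude.ai",
              "api.anthropic.com", "gemini.google.com"}
BULK_UPLOAD_BYTES = 100_000   # above this, a single POST looks like a document dump

# Constructed proxy log: time user src method host path status client_bytes_sent
PROXY_LOG = """\
2025-06-01T09:12:01Z alice 10.10.3.14 POST chatgpt.com /backend-api/conversation 200 18423
2025-06-01T09:13:44Z alice 10.10.3.14 GET copilot.microsoft.com /c/ 200 512
2025-06-01T09:20:10Z bob 10.10.3.22 POST claude.ai /api/organizations/x/chat_conversations 200 240115
2025-06-01T09:21:00Z bob 10.10.3.22 GET dropbox.com /home 200 301
2025-06-01T09:30:00Z carol 10.10.3.31 GET finance.sharepoint.com /sites/finance 200 4096
2025-06-01T09:31:00Z carol 10.10.3.31 POST api.openai.com /v1/chat/completions 200 900
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT|CONNECT) (\S+) (\S+) (\d{3}) (\d+)$")


def _matches(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_host(host: str) -> str:
    """'sanctioned' wins; then known AI endpoints; anything else IT never
    approved is 'unsanctioned-other', i.e. shadow SaaS by definition."""
    if _matches(host, SANCTIONED):
        return "sanctioned"
    if _matches(host, AI_DOMAINS):
        return "unsanctioned-ai"
    return "unsanctioned-other"


def summarize(log_text: str = PROXY_LOG) -> Dict[str, Dict[str, object]]:
    """Per-user view of unsanctioned AI and SaaS use from a proxy log."""
    users: Dict[str, Dict[str, object]] = defaultdict(lambda: {
        "ai_hosts": set(), "other_hosts": set(), "ai_bytes_sent": 0,
        "bulk_upload": False, "programmatic_ai": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # malformed line: skip, never crash the job
        _ts, user, _src, method, host, _path, _status, sent = m.groups()
        kind = classify_host(host)
        u = users[user]
        if kind == "unsanctioned-ai":
            u["ai_hosts"].add(host)
            if method in ("POST", "PUT"):
                u["ai_bytes_sent"] += int(sent)
                if int(sent) >= BULK_UPLOAD_BYTES:
                    u["bulk_upload"] = True
            # Heuristic (this example's): an "api." host means a script or agent,
            # not a person in a browser, i.e. a non-human identity using AI.
            if host.startswith("api."):
                u["programmatic_ai"] = True
        elif kind == "unsanctioned-other":
            u["other_hosts"].add(host)
    return {user: s for user, s in users.items() if s["ai_hosts"] or s["other_hosts"]}


if __name__ == "__main__":
    for user, s in summarize().items():
        print(user, sorted(s["ai_hosts"]), sorted(s["other_hosts"]),
              f"sent={s['ai_bytes_sent']} bulk={s['bulk_upload']} api={s['programmatic_ai']}")
```

With TLS inspection off, only CONNECT lines with the hostname are available and the byte counts are coarse; the host classification still works, which is usually enough to start the conversation with the user or the team that owns the script.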

10. Bring Your Own Cloud (BYOC)

Employees increasingly leverage their own cloud-based services and storage systems for work-related data and tasks, which is known as Bring Your Own Cloud (BYOC). In these cases, teams leverage their own cloud apps such as eNotebooks, iCloud syncing services, etc. to improve productivity, but do so outside the purview of IT and InfoSec teams.

BYOC introduces significant risks, as organizations may lack adequate visibility into cross-environment data proliferation or third-party cloud application usage. Additionally, it opens up the possibility of employees leveraging company data on personal cloud platforms that lack key security features, such as MFA, and other enterprise-grade security controls.

What are Common Shadow IT Risks?

Shadow IT can cause several adverse effects on an organization, including unanticipated costs / resource strain, regulatory noncompliance, increased risk of cyber threats, etc.

Common shadow IT risks include:

  • Introduction of malware - Every instance of shadow IT expands the organization’s attack surface. Since shadow IT devices and applications aren’t onboarded for protection by the organization’s cybersecurity solutions, and often have weak or default credentials, they create an opportunity for malware and ransomware attacks.

  • Creating backdoors for attackers – Shadow IT, by definition, exists outside the view of IT security, which means any misconfigurations and vulnerabilities introduced will remain undetected, leaving unmonitored and unprotected pathways for threat actors.

  • Increasing service desk tickets / strain - Shadow IT often causes problems on workstations or creates incompatibilities with sanctioned systems, and the resulting compatibility and performance issues land in the IT support team’s backlog.

  • Proliferation of shadow identities – Shadow IT can contribute to the proliferation of unknown, unmanaged human / non-human identities, opening organizations up to greater identity risk such as lateral movement, stale accounts, standing privileges, and potential for privilege escalation.

  • Compliance and cyber insurance qualification issues – A breach that occurs because of shadow IT can create regulatory compliance issues, leading to noncompliance fines or other penalties. Plus, if a breach can be traced back to shadow IT, the organization may face grounds for nonpayment on a cyber insurance policy, revocation of that policy, and future cyber insurance ineligibility.

  • Unanticipated costs – Shadow IT can lead to a variety of extra costs. Because it’s unmonitored by security teams and often requires some level of data sharing to function properly, shadow IT can increase the likelihood of a data breach, which costs an average $4.44M. Additionally, shadow IT purchased on a corporate credit card could be subject to periodic subscription renewals that go by unverified, even when personnel changes occur.

  • Data loss and theft – Personal email addresses and unsanctioned cloud storage accounts create potential paths for data leakage. They are not monitored, may not be backed up, and may lack provisions for disaster recovery or even a ransomware attack. Additionally, the use of unsanctioned, unregulated AI tools, such as agentic AI, increases the risk of regulatory compliance violations for improper security and handling of company data. Pasting company secrets such as source code, financial data, etc. into a public LLM tool poses particular data risks, as the provider might use that data for training or retain it in logs, and a breach at the provider or prompt-extraction attacks against the model could later expose it.

  • Growing agentic AI attack surface – Shadow AI agents pose unique risks. Agents can make decisions autonomously and are often granted over-privileged access to perform various tasks. If exploited, these agents can quickly become a means to abuse privileged access, access sensitive data, become confused deputies, and potentially much worse.

What are the Most Dangerous Types of Shadow IT?

The most dangerous types of shadow IT create blind spots that increase the attack surface and the potential blast radius of damage. These are applications, tools, etc. that are unmanaged and unmonitored; they may also be improperly licensed or redundant to existing tools. We can also break shadow IT down by how it impacts various security disciplines:

  • Vulnerability Management – Shadow IT can’t be properly assessed for vulnerabilities or prioritized for remediation.

  • Patch Management – Shadow IT can’t be scheduled for remediation via patches or security updates based on vulnerability information, or public disclosure by the vendor.

  • Configuration Management – Shadow IT is not properly hardened or configured to prevent inappropriate access to the application.

  • Identity Management – Shadow IT can contain rogue user accounts that are neither known nor managed by IT. This may include orphaned accounts from former employees, or access for users outside of the scope of the business role.

  • Privileged Access Management (PAM) – Shadow IT often leads to the creation of shadow identities that lack proper governance, such as adhering to the principle of least privilege or enforcing just-in-time privileged access. Yet, these shadow identities are often interconnected to various corporate systems. As a result, they could become indirect pathways to escalate privilege or move laterally.

  • Log Management – Shadow IT is unlikely to have its access, operational, and security logs monitored for inappropriate behavior.

When shadow IT is present, there’s a strong likelihood that it violates multiple cybersecurity best practices. Shadow IT that interferes with established operational procedures becomes the most dangerous type because it potentially impacts the company’s overall security posture via multiple attack vectors.

Why is Shadow IT Increasing?

Here are key drivers of shadow IT proliferation and the associated risks:

  • Multiplication of unknown AI agents – The enterprise is experiencing rapid adoption of agentic AI. As noted earlier, the BeyondTrust Phantom Labs™ research team reported finding a 466.7% year-over-year increase in AI agents operating inside enterprise environments. Some of this is occurring as shadow AI.

  • Widespread generative AI adoption – Employees are adopting AI applications and tools at a rapid pace. Research shows that of employees routinely accessing GenAI systems, 72% were using non-corporate emails as the identifiers on the accounts, and 17% were using their corporate emails without integrated authentication systems. Both situations could point to unsanctioned / unmanaged generative AI usage.

  • Distributed workforces – With a significant chunk of workers operating in remote or hybrid settings, spread across the globe, it can be difficult for IT teams to monitor who is using which software on their work devices outside of a typical corporate environment.

  • Employee efficiency - One of the biggest reasons employees engage in shadow IT is simply to work more efficiently. Numerous studies have indicated employees feel like they need to work around their company's security policies just to get their job done.

  • Collaboration - Cloud applications, like file sharing / storage and collaboration, can result in sensitive data leaks due to improper data governance.

  • Personal email - Many employees send work documents to their personal email to work from home, or work from unsecured home networks, exposing data to devices and networks that can’t be monitored by IT.

  • IoT is now ubiquitous – The challenge of shadow IoT isn’t just the number of devices added to the network, but also the capabilities of each device, like cameras, Wi-Fi, and even coffee makers. These devices are also frequently built without enterprise-grade security controls, and are set up using easy-to-crack default IDs and passwords. When these devices are added to an organization’s main Wi-Fi network without IT’s knowledge, it can lead to a significant security risk and a conduit for future attacks.


How Do PAM and Identity Security Help with Shadow IT Risk Mitigation?

Privileged access management (PAM) and identity security capabilities can help you mitigate shadow IT risk that stems from identities and their access. Because the creation of shadow identities is closely tied to the creation / usage of shadow IT, bringing these identities under control via PAM and identity security capabilities can make a strong impact in improving your overall security posture. Here are some key roles these technologies can play in mitigating shadow IT and identity risk:

1. Providing Visibility into Shadow Human and Non-Human Identities and Their Access

Modern privilege-centric identity security solutions offer visibility into the unknown or unmanaged identities, privileges, configurations, and potential escalation paths within your IT estate. This level of visibility is crucial for managing shadow identities, as it flags if human or non-human identities (including AI agents) exist in your environment, and reveals what they can actually do and which potential attack vectors they are responsible for. Once these shadow identity issues are visible, teams can then decide if any corresponding shadow IT should be onboarded for management or denied / removed.

2. Preventing Privilege Misuse via Identity Security Posture Management

Strong PAM and identity security capabilities also enable teams to proactively harden their identity posture, limiting the blast radius if shadow IT, such as an unmanaged tool, system, application, etc. were to become compromised. Examples of identity security posture management best practices include eliminating standing access to sensitive resources, enacting a just-in-time access model for privileged access, and adhering to the principle of least privilege throughout the environment. These controls help prevent misuse of privileges.

Disciplines like Identity Threat Detection and Response (ITDR) can also help organizations see identity-based threats from an attacker’s point of view, and respond in real time if an identity becomes compromised.
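The risk described earlier under Shadow IT and Identity Risks, a shadow identity "integrated with legitimate corporate identities" becoming a pathway to escalate privilege, and the escalation-path visibility this section asks for, are one graph problem: who holds what, what that authenticates as, and what that is admin on. The Python below is an added example, not BeyondTrust code or part of the original article; the identities, credentials, groups, resources and relations are constructed. It walks from every unmanaged human or non-human identity to the nearest tier-0 resource with a breadth-first search, and reports the first managed node on the route, which is the sanctioned identity that quietly bridges the shadow deployment into production and therefore the place to cut.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed identity/asset graph. Each edge reads "source --relation--> target".
# managed = known to IT/IAM; unmanaged = a shadow identity introduced by shadow IT.
NODES: Dict[str, Dict[str, object]] = {
    "svc-reportbot":     {"kind": "nhi",      "managed": False},  # created by a shadow BI tool
    "key-bi-01":         {"kind": "api-key",  "managed": False},
    "sa-reporting":      {"kind": "account",  "managed": True},
    "DB-Admins":         {"kind": "group",    "managed": True},
    "prod-sql":          {"kind": "resource", "managed": True},
    "ai-agent-helpdesk": {"kind": "nhi",      "managed": False},  # shadow AI agent
    "svc-helpdesk":      {"kind": "account",  "managed": True},
    "helpdesk-portal":   {"kind": "resource", "managed": True},
    "contractor-bob":    {"kind": "human",    "managed": False},  # local account on a vendor box
    "monitoring-srv":    {"kind": "host",     "managed": False},
    "svc-monitor":       {"kind": "account",  "managed": True},
    "all-servers":       {"kind": "resource", "managed": True},
    "alice":             {"kind": "human",    "managed": True},
    "Finance":           {"kind": "group",    "managed": True},
    "finance-share":     {"kind": "resource", "managed": True},
}
EDGES: List[Tuple[str, str, str]] = [
    ("svc-reportbot", "holds", "key-bi-01"),
    ("key-bi-01", "authenticates-as", "sa-reporting"),
    ("sa-reporting", "member-of", "DB-Admins"),
    ("DB-Admins", "admin-on", "prod-sql"),
    ("ai-agent-helpdesk", "runs-as", "svc-helpdesk"),
    ("svc-helpdesk", "operator-on", "helpdesk-portal"),
    ("contractor-bob", "local-admin-on", "monitoring-srv"),
    ("monitoring-srv", "stores-password-of", "svc-monitor"),
    ("svc-monitor", "admin-on", "all-servers"),
    ("alice", "member-of", "Finance"),
    ("Finance", "read-on", "finance-share"),
]
TIER0 = {"prod-sql", "all-servers"}   # crown-jewel resources (constructed)


def build_adjacency(edges=EDGES) -> Dict[str, List[Tuple[str, str]]]:
    adj: Dict[str, List[Tuple[str, str]]] = {n: [] for n in NODES}
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj


def shortest_path_to_tier0(start: str, adj, tier0=TIER0) -> Optional[List[Tuple[str, str]]]:
    """BFS from `start`; returns [(relation, node), ...] ending at the first
    tier-0 node reached, or None if no tier-0 resource is reachable."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node in tier0:
            return path
        for rel, nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(rel, nxt)]))
    return None


def shadow_escalation_paths() -> Dict[str, Dict[str, object]]:
    """For every unmanaged human/NHI, the shortest route to a tier-0 resource,
    plus the first managed node on it: the sanctioned identity bridging shadow to prod."""
    adj = build_adjacency()
    report: Dict[str, Dict[str, object]] = {}
    for name, meta in NODES.items():
        if meta["managed"] or meta["kind"] not in ("human", "nhi"):
            continue
        path = shortest_path_to_tier0(name, adj)
        if path is None:
            continue
        bridge = next((n for _, n in path if NODES[n]["managed"]), None)
        report[name] = {"hops": len(path), "bridge": bridge,
                        "route": " -> ".join([name] + [f"[{r}] {n}" for r, n in path])}
    return report


if __name__ == "__main__":
    for ident, info in shadow_escalation_paths().items():
        print(f"{ident}: {info['hops']} hops via {info['bridge']}\n    {info['route']}")
```

Note that the shadow AI agent has no path here only because the helpdesk account it runs as is not privileged; add one "admin-on" edge from that account and it appears in the report, which is exactly why over-provisioning NHIs matters.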

3. Flagging Which Devices are on Your Network

Knowing which devices have access to your network and which users have access to privileged credentials is an important step to defending your organization against shadow IT threats. Organizations can leverage identity security discovery tools to detect the devices, applications, subnets, and user credentials that are operating on the network. Once the assets are detected, PAM tools can also help with onboarding, management of privileges, monitoring, and auditing of discovered identities and their associated accounts.

4. Enabling and Enforcing Least Privilege with Application Control

Endpoint Privilege Management (EPM) solutions, a core pillar of PAM, allow organizations to enforce the principle of least privilege, preventing users from installing unauthorized applications and / or limiting which actions unsanctioned applications can take. EPM can help teams ensure identities, assets, and workflows are onboarded properly, often preventing shadow IT (such as the introduction of AI agents) from occurring in the first place.

EPM solutions can granularly control applications on Windows, Mac, Unix, Linux, and network devices, all without hindering end-user productivity. In addition to managing endpoint privileges, some EPM solutions include application control that goes beyond simple allow listing and deny listing, deciding per application whether it may run at all and whether it may run with elevated privileges. These controls can support how organizations manage AI applications as well.
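What application control "beyond allow listing and deny listing" looks like in practice is an ordered rule set where the default is deny and elevation is granted only by an explicit rule. The Python below is an added example of such a policy engine, not BeyondTrust code, a description of any EPM product’s rule language, or part of the original article; the executables, publishers, paths and the approved installer hash are constructed (the hash is of a made-up byte string standing in for an approved file). It covers the cases the text raises: a signed vendor application in Program Files runs as a standard user, an unsigned KVM download and a signed but unknown AI agent dropped in the user’s profile are blocked, an approved installer matched by hash runs elevated, a binary whose signature fails validation is blocked even though its publisher is trusted, and anything else falls through to default deny.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Executable:
    path: str
    sha256: str
    publisher: Optional[str]   # signing certificate subject, None when unsigned
    signature_valid: bool      # False also when unsigned
    requests_admin: bool       # manifest asks for elevation or user chose "Run as administrator"


@dataclass
class Decision:
    action: str                # "allow" or "block"
    elevate: bool              # run with an admin token; only a rule can grant this
    rule: str
    reason: str


# Constructed: stands in for the SHA-256 of an approved installer's contents.
_VPN_HASH = hashlib.sha256(b"constructed bytes of VPNSetup 1.4.2").hexdigest()
# Per-file allow list: hash -> (rule name, grant elevation)
APPROVED_HASHES: Dict[str, Tuple[str, bool]] = {_VPN_HASH: ("VPN client installer", True)}
TRUSTED_PUBLISHERS = {"Contoso Vendor Ltd", "Contoso IT"}
PROTECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE = ("c:\\users\\",)


def evaluate(exe: Executable) -> Decision:
    """Rules in order, first match wins; no match means block (default deny)."""
    p = exe.path.lower()
    # 1. Explicit per-file approval: the only rule that can hand out elevation.
    if exe.sha256 in APPROVED_HASHES:
        name, elevate = APPROVED_HASHES[exe.sha256]
        return Decision("allow", elevate, "hash-allow", f"approved file: {name}")
    # 2. A signature that fails validation is worse than none: tampering or expiry.
    if exe.publisher is not None and not exe.signature_valid:
        return Decision("block", False, "bad-signature",
                        f"signature of {exe.publisher} does not validate")
    # 3. Trusted publisher in a location standard users cannot write to.
    if exe.signature_valid and exe.publisher in TRUSTED_PUBLISHERS and p.startswith(PROTECTED_DIRS):
        reason = "runs as standard user"
        if exe.requests_admin:
            reason += "; elevation request ignored"
        return Decision("allow", False, "trusted-publisher", reason)
    # 4. Anything a user can drop into their own profile is blocked unless rule 1 approved it.
    if p.startswith(USER_WRITABLE):
        who = exe.publisher or "unsigned"
        return Decision("block", False, "user-writable-path", f"{who} binary in user-writable path")
    return Decision("block", False, "default-deny", "no rule matched")


# Constructed executables exercising each rule.
CASES: Dict[str, Executable] = {
    "vendor-app":    Executable("C:\\Program Files\\Vendor\\app.exe", "a" * 64, "Contoso Vendor Ltd", True, False),
    "free-kvm":      Executable("C:\\Users\\alice\\Downloads\\freekvm.exe", "b" * 64, None, False, True),
    "vpn-installer": Executable("C:\\Users\\alice\\Downloads\\VPNSetup.exe", _VPN_HASH, "Contoso IT", True, True),
    "ai-agent":      Executable("C:\\Users\\alice\\AppData\\Local\\Temp\\agent.exe", "c" * 64, "AI Startup Inc", True, False),
    "tampered":      Executable("C:\\Program Files\\Vendor\\helper.exe", "d" * 64, "Contoso Vendor Ltd", False, False),
    "odd-location":  Executable("D:\\tools\\thing.exe", "e" * 64, "Contoso Vendor Ltd", True, False),
}


def evaluate_all(cases: Dict[str, Executable] = CASES) -> Dict[str, Decision]:
    return {name: evaluate(exe) for name, exe in cases.items()}


if __name__ == "__main__":
    for name, d in evaluate_all().items():
        print(f"{name:14} {d.action:5} elevate={d.elevate!s:5} [{d.rule}] {d.reason}")
```

The ordering is the policy: hash approval sits first so an installer can be elevated even from Downloads, while the publisher rule deliberately never grants elevation, so a legitimately signed but vulnerable tool cannot be used as a privilege escalation step.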

Some PAM solutions also provide Active Directory (AD) bridging technology. This technology bridges the gap between Windows and Unix/Linux operating systems by extending AD’s Kerberos authentication and single sign-on (SSO) to them, simplifying and streamlining identity management. Enforcing least privilege across endpoints will help prevent an incident in a shadow IT deployment from impacting sanctioned production assets.

5. Securing Remote Access for Service Desks and Vendors

Traditional remote access methods, such as RDP, VPN, and legacy remote desktop tools, lack granular access management controls. When they are exposed with only a username and password, they are routinely abused via stolen credentials and session hijacking.

PAM solutions can provide secure, VPN-less remote privileged access for vendors, internal employees, service desks, and infrastructure. PAM enables organizations to apply least privilege and audit controls over remote access. This can reduce the risk of unauthorized remote access being implemented via shadow IT and the potentially risky SaaS applications that connect into your environment.

In summary, PAM and identity security solutions not only discover, onboard, actively manage, and audit shadow IT, but also limit the potential damage caused by shadow IT by enforcing least privilege controls.


Policy Tips for Shadow IT Risk Mitigation

For any business, the following IT policies can also help address shadow IT:

1. Establish a shadow IT security policy

Establish a shadow IT security policy that all operations teams can follow, regardless of whether employees work on-premises, remotely, or in hybrid environments. Organizations should especially seek to establish policies around how employees are adopting and using AI solutions.

2. Acknowledge shadow IT is present

Plan for the presence of shadow IT and provide a grace period for the deployments to be placed under IT management, with no repercussions. Some great IT and security solutions might be in the field that can contribute positively to the organization, if properly empowered.

3. Support an open-door IT policy

Be open to new projects, ideas, and advice, and help provide prompt guidance for design and deployment of new projects. IT departments should adopt policies of, "Yes I can help you," versus resistance to change.

Shadow IT tends to occur as a response to the roadblocks with traditional IT. If the barriers are removed, staff in other departments can become valuable allies. When departments understand and embrace IT policies that provide enablement, shadow IT environments tend to dry up and new ones don’t form.

4. Adopt a policy for identifying shadow IT implementations

Use discovery techniques to detect shadow IT and classify its risk to the business. For example, do the systems contain PII (Personally Identifiable Information), rogue users, or vulnerabilities that are not being mitigated? If they contain sensitive information, business leaders can be presented with reasonable options to let IT manage the assets or have the systems decommissioned.

5. Balance security with the requests

Just because something sounds like a great idea and may be easy to implement, doesn’t mean it’s in the best interests of the company. The balance is agreeing on the need, improving the business, and adopting a secure model to make it work. This requires a little give and take from both sides, but it results in a supportable and secure solution that can meet the objectives of all teams.

How can Organizations Move Forward Securely with Shadow IT?

Understanding which shadow IT exists and the risks it represents is key to acknowledging and managing the issue. Shadow IT, and the employees who create it, will almost always exist; denying that will ultimately only hurt the business. It’s important to understand why shadow IT exists, what its purpose is, and how to make it supportable by the business. The response of “shut it down” rarely has positive results. Assume positive intent and strive to fix the problem together.

Quickly reveal hidden or unknown identities, privileges, and entitlements that stem from shadow IT deployments with our no-cost Identity Security Risk Assessment. Get started today.

FAQs

What is a shadow identity?

A shadow identity is an unmanaged or unknown human / non-human identity within a corporate system, often stemming from the creation / installation of shadow IT. Shadow identities present risk to organizations because they are usually tied to other corporate resources, but not within the purview of the security and IT teams. If compromised, they can become an entry point for unauthorized access, possibly enabling privilege abuse, lateral movement, etc.

What is the difference between shadow IT and shadow AI?

Shadow IT is any technology (e.g., applications, devices, infrastructure, services) that is used without IT approval or oversight. Shadow AI is a subset of shadow IT that specifically refers to the use of unsanctioned AI tools or agents.

What is the alternative to shadow IT?

The alternative to shadow IT is focusing on discovering and bringing unmanaged technologies under governance. Approaches like Privileged Access Management (PAM) and Identity Security can help organizations bring shadow IT and shadow identities under management by helping to enforce least privilege, apply application control, and discover unknown non-human identities such as AI agents, API keys, service accounts, and more.

Why do employees use shadow IT?

Employees turn to shadow IT when they are unaware of the provisioning process, when enterprise IT processes seem restrictive or cumbersome, or when they want to adopt a new tool to get a specific task done, solve a problem in real time, or meet a deadline.

Does shadow IT create compliance risks?

Shadow IT can easily lead to noncompliance with data privacy regulations, as it operates outside the purview of the IT and security teams. So, it’s more likely to violate compliance and regulatory requirements.