Shadow IT and shadow AI are only problems if you view them that way, says Hexnode founder Apu Pavithran, who argues that rather than clamping down on these practices, smart companies should instead consider them opportunities for employee engagement and technology improvement.
Shadow IT has an overwhelmingly negative reputation and it’s easy to see why. Enterprise ecosystems are already spread thin across remote endpoints and ever-larger potential attack vectors. Employees onboarding their own software tools and platforms without approval or oversight makes managing this sprawl even harder.
The average enterprise admin believes only 37 apps are used at their organization, but the actual number is closer to 600, according to research by digital adoption platform WalkMe. If these numbers are right, companies are flying blind with insight into just 5% of their software footprint, and these unknown and undeclared tools cause licensing, security and access headaches, not to mention potential compliance violations when sensitive data flows through unvetted third-party services.
But it’s time enterprises consider this phenomenon an opportunity rather than a challenge. Shadow IT is almost inevitable in the age of remote work, so businesses are better off treating it as internal research. If employees think specific tools are essential for job function and efficiency, it’s worth leadership investigating and onboarding them under their watch. Blacklist dodgy apps, of course, but don’t be too rigid.
Shadow IT isn’t rebellion but a roadmap into what the tech stack lacks.
The growing challenge of shadow IT
Enterprises have been fighting a losing battle for years against shadow IT. In the past, employees used personal email accounts or removable drives without the knowledge or approval of the business. Then, the arrival of the cloud opened a can of worms.
Remote endpoints and downloadable software make it much easier to bypass company policy. One study showed that the use of shadow IT grew by almost two-thirds during the pandemic-driven boom in remote work.
Essentially, with their own devices and decision-making, employees pick and choose their preferred app toolkit. This is a problem since enterprise data is now spread across various services, each with its own potential backdoor into the enterprise. Meanwhile, companies are left in the dark without much of a chance to defend themselves.
And if this wasn’t complicated enough, generative AI and large language models present a new frontier of shadow IT. Employees are growing comfortable sharing meeting notes and internal data with these tools to check for errors and consolidate information. This happened in 2023 when Samsung found its employees, on the hunt for newfound efficiency, sharing sensitive internal source code with ChatGPT.
It goes without saying that shadow IT — both in its traditional and AI iterations — introduces a host of compliance and regulatory issues. For example, under frameworks like GDPR and emerging state AI regulations, unauthorized data transfers can trigger penalties reaching 4% of global revenue. Additionally, in some cases, board directors now face personal liability for data governance failures, elevating shadow IT from an operational issue to a boardroom-level risk requiring executive oversight. Something’s got to give.
Work with employees rather than against them
Solving this issue requires understanding the what and the why of shadow IT. WalkMe’s data shows that employees waste an average of 36 working days annually dealing with technology frustrations. Clearly, rather than being rebellious, employees are onboarding new tools and bypassing bottlenecks to accomplish their work. Additionally, younger workers often don’t think they’re doing anything wrong. About 40% of Gen Z workers are using AI to automate tasks without their manager’s knowledge, and one in five say they couldn’t perform their current job without AI tools.
The answer isn’t to blanket ban additional apps. This isn’t productive or feasible in today’s remote, dispersed enterprise. Nor is the answer to penalize employees who engage in shadow IT. Time and again, we see their intention isn’t malice but efficiency and capability gains. Instead, enterprises must address this issue constructively and find a middle ground. Ask your employees what they need to do their jobs, listen to their preferred and recommended tools, and then work to onboard them safely.
This helps identify two things. First, with added app visibility, companies can determine what they’re uncomfortable with inside the network. If employees are using tools with questionable backends, step in and blacklist. Second, ecosystem admins can see what they’re missing. Employees are pointing out functionality gaps that, once addressed, could dramatically improve productivity while maintaining security.
Turning ecosystem weakness into enterprise strength
Enterprises are walking a tightrope when it comes to addressing this data security and privacy threat. As tempting as it is, outlawing additional apps doesn’t solve the issue. Instead, working with employees and understanding their intention behind new software allows leadership to maintain control while enabling innovation.
Certainly, achieving this balance demands technological and cultural shifts. Culturally, we must end the “don’t ask, don’t tell” attitude toward shadow IT. Both sides of the admin-employee equation know this is happening, and ignoring the problem doesn’t help. When companies make employees feel comfortable discussing their software wishlist, they create opportunities to align security requirements with productivity needs.
By treating shadow IT as a roadmap rather than a rule violation, we can transform what was once viewed as an ecosystem weakness into an enterprise strength.