BG Beter Geregeld ICT
Access management · 2 min read · 02 December 2025

Cleaning Up Shadow IT Without a Revolution

The marketer pays for Canva Pro out of pocket. Sales runs its own LinkedIn scraper. Dev uses ChatGPT Team through a personal email. That's shadow IT — and it's almost never malicious.

Shadow IT is any tool being used inside the business without IT or management knowing about it. In SMBs it's the rule, not the exception — and usually not malicious. People want to get their work done, the official tool can't do it or is too slow, there's an alternative for €15/month, and they hit "subscribe".

The damage

  • Data leaks. Customer data sitting in a personal account is outside company control, doesn't survive offboarding, and can't be exported or deleted.
  • No MFA, no password policy. Accounts outside your SSO are the most vulnerable.
  • Duplicate costs. You're already paying for HubSpot but sales is using Pipedrive. Now you're paying for both.
  • During an audit or incident, you don't know the scope. "Which systems hold customer X's data?" → no answer.

Cleaning up without confrontation

Shadow IT is almost always a signal that your official stack is missing something. So don't rush to ban things — first understand why they appeared.

  1. Run an amnesty round. "We're taking stock. No consequences — everyone has 2 weeks to report their tools."
  2. Build a SaaS inventory. See the step-by-step guide.
  3. Decide on each tool: formalise it (upgrade to a team subscription + SSO), replace it (with something already in your stack), or accept it as an exception.
  4. Offer alternatives. If you're discouraging Canva Pro, make sure there's a workable replacement. People choose tools for a reason.
  5. Make requests easy. I want a new SaaS → fill in a form → answer within 3 business days. That stops shadow IT from growing back.

Tooling for detection

Zero-trust gateways (Cloudflare Access, Zscaler) show you which domains are being visited. For SMBs that's often overkill — a quarterly survey works just as well. See the SaaS inventory post for the practical approach.
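
As an added example (not part of the original article), the script below compares a domain log export against the SaaS inventory and lists domains nobody has reported, plus tools marked for replacement that are still in use. The CSV columns, the inventory statuses and the sample rows are constructed assumptions, not any gateway vendor's export format.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory: domain -> decision taken in step 3 (statuses are assumptions).
INVENTORY = {
    "hubspot.com": "formalised",
    "canva.com": "exception",
    "pipedrive.com": "replace",
}

# Constructed sample export; the "user,domain" columns are an assumed layout.
SAMPLE_LOG = """user,domain
anna@example.com,app.hubspot.com
bram@example.com,app.pipedrive.com
bram@example.com,www.canva.com
carla@example.com,chatgpt.com
dirk@example.com,chatgpt.com
Dirk@example.com,ChatGPT.com
"""

def base_domain(host):
    """Naive reduction to the last two labels; real data needs a public-suffix list."""
    return ".".join(host.strip().lower().rstrip(".").split(".")[-2:])

def review(log_text, inventory):
    """Return (unknown, to_replace): domain -> sorted list of users seen on it."""
    users = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        users[base_domain(row["domain"])].add(row["user"].strip().lower())
    unknown, to_replace = {}, {}
    for domain, who in users.items():
        status = inventory.get(domain)
        if status is None:
            unknown[domain] = sorted(who)      # never reported: ask during the review
        elif status == "replace":
            to_replace[domain] = sorted(who)   # still in use: offer the alternative
    return unknown, to_replace

if __name__ == "__main__":
    unknown, to_replace = review(SAMPLE_LOG, INVENTORY)
    for label, found in (("not in inventory", unknown), ("marked replace", to_replace)):
        for domain, who in sorted(found.items(), key=lambda kv: -len(kv[1])):
            print(f"{label}: {domain} ({len(who)} users: {', '.join(who)})")
```

The "not in inventory" list will also contain ordinary websites, so treat it as input for the quarterly review conversation rather than as a list of violations.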

Topics

#governance #saas #shadow-it

Full guide: Access control for SMBs: the complete guide (2026)

This article is part of our comprehensive Access Management guide. Read the pillar for the full picture.
