Shadow IT
Software, SaaS, or cloud services in use inside an organization without IT or security approval — invisible to inventory, unmanaged, and rarely off-boarded.
Shadow IT is any technology — software, SaaS application, cloud workload, browser extension, AI assistant — used inside an organization without explicit IT or security approval. The phrase predates the cloud era (rogue Access databases on a finance laptop in 1998 qualified) but its volume exploded with the SaaS economy: any employee with a credit card or a corporate email could provision a new “free tier” tool in under a minute.
The modern center of gravity for shadow IT is no longer signup-with-credit-card; it’s OAuth-grant SaaS. A user clicks “Continue with Google” or “Connect with Microsoft” on a productivity site, grants read/write scopes to corporate data, and that third-party vendor now holds tokens to Drive, Calendar, Gmail, or Teams — without anyone in IT knowing. Defining properties:
- Invisible to traditional inventory. Asset management tools see endpoints and licensed SaaS; they don’t see OAuth-connected apps or browser extensions reading the DOM.
- Provisioned faster than it’s off-boarded. When the employee or vendor moves on, the grant or login often stays live for years.
- Driven by friction. Shadow IT is almost always a symptom of an officially-sanctioned tool being slower, clunkier, or missing a feature people genuinely need.
- Compliance-explosive. A single shadow-IT OAuth grant can move regulated data to a vendor with no data processing agreement (DPA), no standard contractual clauses (SCCs), and no vetted security posture — instant GDPR exposure.
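The OAuth-grant pattern above is detectable from the identity provider's own audit log. As an added example (not code from this page or from any product it describes), the Python below triages authorization events and flags grants to non-sanctioned apps that request scopes touching mail, files or the directory, while ignoring sign-in-only "Continue with Google" grants. The event layout is an assumed, trimmed version of the Google Workspace Reports API `token` log (event name `authorize`, parameters `client_id`, `app_name`, `scope`); the sample events, the scope risk tiers and the allowlist are constructed for illustration.

```python
"""Triage OAuth authorization events for risky shadow-IT grants.

Added example, not from the original page. Event shape is an assumed,
simplified version of the Google Workspace Reports API "token" log; the
sample events, risk tiers and allowlist below are constructed.
"""

# Scopes that let a third party read or write regulated corporate data.
# The tiering is an editorial choice for this example, not a Google one.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "https://www.googleapis.com/auth/admin.directory.user": "manage users",
}

# Hypothetical allowlist of IT-sanctioned apps, keyed by OAuth client_id.
SANCTIONED_CLIENT_IDS = {"123456789012-crm.apps.googleusercontent.com"}

# Constructed sample events (assumed shape: id.time, actor.email, events[]).
SAMPLE_EVENTS = [
    {"id": {"time": "2024-05-01T09:12:00Z"}, "actor": {"email": "ana@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "987654321098-notes.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Meeting Notes AI"},
         {"name": "scope", "multiValue": [
             "openid", "email",
             "https://www.googleapis.com/auth/drive",
             "https://www.googleapis.com/auth/gmail.readonly"]}]}]},
    {"id": {"time": "2024-05-02T14:00:00Z"}, "actor": {"email": "bo@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "123456789012-crm.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Approved CRM"},
         {"name": "scope", "multiValue": [
             "openid", "https://www.googleapis.com/auth/drive"]}]}]},
    {"id": {"time": "2024-05-03T08:30:00Z"}, "actor": {"email": "cy@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "555555555555-design.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Design Tool"},
         {"name": "scope", "multiValue": ["openid", "email", "profile"]}]}]},
]


def _params(event):
    """Flatten a parameters list into a dict; multiValue wins over value."""
    return {p["name"]: p.get("multiValue", p.get("value"))
            for p in event.get("parameters", [])}


def triage_activity(activity):
    """Return findings for one log activity (empty list if benign).

    A grant is flagged only when the client_id is not sanctioned AND at
    least one requested scope is high-risk; identity-only scopes such as
    openid/email/profile never trigger on their own.
    """
    findings = []
    for ev in activity.get("events", []):
        if ev.get("name") != "authorize":
            continue
        p = _params(ev)
        scopes = set(p.get("scope") or [])
        risky = {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES}
        if p.get("client_id") in SANCTIONED_CLIENT_IDS or not risky:
            continue
        findings.append({
            "user": activity["actor"]["email"],
            "app": p.get("app_name"),
            "client_id": p.get("client_id"),
            "granted_at": activity["id"]["time"],
            "risky_scopes": risky,
        })
    return findings


def triage(activities):
    """Run triage over a batch of activities; returns all findings."""
    return [f for a in activities for f in triage_activity(a)]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['granted_at']} {f['user']} granted '{f['app']}' "
              f"({f['client_id']}): {', '.join(f['risky_scopes'].values())}")
```

On the constructed sample only the "Meeting Notes AI" grant is reported: the CRM is allowlisted and the design tool asked for sign-in scopes only. The allowlist is keyed by `client_id` rather than the display name because the name is chosen by the vendor and can be made to look like anything.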
Eliminating shadow IT entirely is a losing strategy; the cost of that level of lockdown is innovation. Modern programs aim instead to see shadow IT in near-real-time and nudge the user when the specific grant they just made is risky. That continuous visibility loop is what SaaS behavior monitoring delivers.
Related terms
- OAuth grant: The standing authorization a user gives a third-party application via OAuth. The authorization server then issues that app access and refresh tokens that let it read or write data inside another SaaS, without re-prompting for MFA on later use and often without any expiry.
- CASB (Cloud Access Security Broker): A policy-enforcement layer that sits between users and cloud services to inspect traffic, block disallowed actions, and tag data — the gatekeeping model of SaaS security.
- DLP (Data Loss Prevention): A set of technologies that inspect data at rest, in motion, or in use to prevent sensitive information from leaving authorized boundaries.
- Public file sharing: Sharing a SaaS file or folder via an "anyone with the link" setting that bypasses authentication — the most common quiet data leak inside Google Drive, SharePoint, Dropbox, and Notion.