COMMENTARY: For the past two decades, Shadow IT has been a persistent thorn in the side of enterprise IT leaders, complicating efforts to secure, govern, and manage their IT infrastructure. Driven largely by the rapid rise of cloud computing and the Software-as-a-Service (SaaS) model, corporate users began to bypass formal IT processes and adopt their own products to solve immediate business problems.
Applications such as Slack, Dropbox, and Trello quickly gained traction at the department level where employees could simply expense a monthly subscription. However, this also meant IT had little to no visibility into what tools were being used, how data was being managed, and where potential risks were emerging.
Fast forward to today and Shadow IT has entered a distinct new phase that's being driven by two macro technology trends: the broad embrace of consumer-grade artificial intelligence (AI) technologies such as ChatGPT, Gemini, and other generative AI tools, combined with a new generation of CPU-heavy mobile devices, most notably the newest iPhone model, Apple’s first phone powered by Apple Intelligence.
When looking back at the history of Shadow IT, it’s hard to overstate the pivotal role that the original iPhone, launched back in 2007, had in accelerating its spread. The iPhone revolutionized mobile computing, putting powerful, internet-connected devices directly into the hands of employees. Suddenly, workers could access email, web apps, and even corporate resources from their personal devices, often without IT’s knowledge or approval.
The iPhone’s ease of use and flexibility encouraged employees to bypass traditional IT channels, leading to a surge in unsanctioned app usage and personal devices accessing corporate networks. This shift caught IT teams off guard, as management tools at the time couldn’t keep up with the rapid adoption and capabilities of these mobile devices.
If the past is indeed prologue, this latest wave of AI-integrated devices could push organizations into another era of Shadow IT, where employee-driven innovation races ahead of IT’s ability to enforce policies.
Second-mover advantage
Apple has established a reputation as a trailblazing technology company. Yet, in reality, it has excelled not necessarily at being "first to market" but rather at perfecting existing technologies and delivering them in a way that fundamentally redefines the user experience. The company’s strength lies in taking established ideas – whether it’s smartphones, tablets, or smartwatches – and turning what may have been niche or fragmented markets into mainstream consumer adoption.
Similarly, the integration of AI into Apple’s product ecosystem isn't about being first, but about redefining the user experience. By embedding AI deeply within the iPhone’s operating system, Apple will make it easier for users to interact with their devices, leveraging AI for everything from task automation to personalized workflows. However, this also introduces new complexities to the workplace as employees will look to leverage these capabilities to enhance productivity while IT will struggle to enforce control.
Unlike the first wave of Shadow IT, which focused primarily on unsanctioned SaaS tools for communication and collaboration, Shadow IT 2.0 includes more bleeding-edge technologies like generative AI, machine learning, and automation tools that process sensitive data, integrate with core systems, and may even execute business-critical tasks.
This emerging paradigm of Shadow IT 2.0 brings a host of opportunities for enterprises. Employees now have the ability to quickly adopt AI-powered tools and applications without the need for IT approval, leading to faster problem-solving and more innovative use cases that might otherwise get slowed by traditional approval processes. AI-powered apps, such as personalized assistants, can also enhance user experiences by making workflows more efficient and tailored to individual needs.
Teams can also benefit from cost savings by discovering more affordable or effective SaaS solutions that meet their specific needs without the delays of long procurement cycles. GenAI tools deliver even more value by offering deep data analytics and automating processes, allowing businesses to gain actionable insights with minimal manual effort – giving them a competitive edge in making data-driven decisions.
However, these opportunities come with some significant trade-offs. The use of unsanctioned AI tools raises the risk of sensitive corporate data being exposed to external systems that may lack proper security controls, potentially leading to compliance violations or data breaches. IT departments are also faced with the challenge of maintaining visibility and control over the tools employees use, which can fragment security practices and complicate the management of device fleets, especially when personal devices are involved.
Compliance and governance concerns also arise, as many AI tools operate in the cloud, making it difficult for organizations to ensure they adhere to regulations such as GDPR or CCPA, particularly in terms of how data gets stored, transmitted, and used. Moreover, the rapid and varied adoption of GenAI tools can create compatibility and standardization issues, leading to inefficiencies across teams and making it more difficult for IT to maintain uniform workflows throughout the organization.
How to navigate Shadow IT 2.0
IT leaders must take a proactive approach to manage the risks while harnessing the opportunities that new technologies like Apple Intelligence and GenAI will bring to the market. Consider adopting the following strategies in preparation for this next wave of Shadow IT:
- Embrace a collaborative IT culture: Rather than positioning IT as the “department of no,” create a more collaborative environment where employees feel comfortable engaging with IT early in the adoption process of new tools. Encourage dialogue between teams and IT to understand their needs and suggest approved products or guide them through proper channels to deploy new technologies safely.
- Implement an adaptive governance framework: Traditional governance models are often too rigid for the dynamic nature of Shadow IT 2.0. Develop more flexible governance policies that let employees experiment with new technologies while maintaining oversight and control. For example, establishing a framework that allows for “controlled experimentation” with certain AI tools under clear data protection guidelines can help mitigate risks while fostering innovation.
- Develop clear AI usage policies: As GenAI and other AI-driven tools become more prevalent, establish clear policies regarding how these tools can be used within the organization. Offer guidance on acceptable use cases, especially when dealing with sensitive data, and educate employees on the potential risks of using AI-powered applications without IT’s knowledge. This can help prevent inadvertent data breaches or compliance violations.
IT leaders must embrace their role as innovation enablers to successfully navigate Shadow IT 2.0. By proactively collaborating with teams and guiding them through the safe adoption of new technologies, IT can shed its image as a roadblock and instead be viewed as the driving force behind secure, strategic innovation.
Weldon Dodd, senior vice president, global solutions, Kandji
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.