Ilia Badeev
Contributor

Restrict, ignore, embrace: The shadow IT trilemma

100 developers, 100 experiments: Why employees breaking the rules may be a gift

According to the latest CSA’s findings, . Let that sink in — that’s not just a few rebels; more than half of the very people tasked with enforcing tech compliance are sidestepping the rules themselves.  

Why? Because rules that don’t align with real workflows get walked around.  

Even though you might think that the shadow IT topic is not relevant anymore, I’d like to challenge you on this: the systems have evolved, and so has shadow IT. A decade ago, it was Dropbox and Google Drive. Today, it’s unsanctioned AI agents, open-source frameworks or LLM-powered copilot tools that developers experiment with on their own. Yet, shadow IT is still very relevant; only the circumstances have changed. Tech evolves, but human nature craves convenience — so IT leaders must keep their eyes wide open to track tool usage and treat shadow IT as valuable feedback to build workflows everyone can use.  

Path of least resistance  

A close friend of mine worked in a manufacturing firm years ago. Over there, engineers used personal Google Drive accounts to share their 3D models since corporate servers were slow and approval processes took weeks, but no one had cancelled the deadlines. Their leadership discovered this shadowy practice during a workflow audit. Their reaction? A blanket ban on external cloud storage. Not really helping productivity or morale. Fast forward six months, and the engineers were using USB drives to share. USB drives!  

What leadership missed wasn’t just the security risk; it was an opportunity to listen and learn. Instead of punishing the workaround, they could have questioned the behaviour and could have aimed to identify why this path was chosen, since behind every unsanctioned IT tool is a process that is outdated, slow and broken.  

Employees view this as a path of least resistance to get their job done quicker, while organizations (and especially IT leadership) can view it as rebellion. But what it actually is, is nothing but feedback. Employees don’t bypass systems to cause harm; they do it because the “official” paths fail them.   

Why shadow IT persists  

There is no doubt that centralized IT systems offer efficiency and control. But when tools (or their admins) don’t align with user needs, frustrations bubble: with existing technologies, finding them to be buggy and unreliable. Poor IT support also plays a role: due to slow IT response times, leading to frustration and a desire for more efficient solutions.  

Leaders often fixate on the hypothetical, ignoring the tangible. Sure, blocking a tool like WhatsApp might prevent a theoretical data leak, but it also sacrifices agility and morale. Beezy’s study also showed that despite 85% of employees believing that their business monitors their activity, they still rely on unsanctioned tools, indicating that employees are willing to take risks to get work done more efficiently. Essentially, employees opted for riskier speed and ease over safer compliance.  

Think of yourself as a park landscaper. You are to create the sidewalks and zebra crossings, yet despite having carefully planned the structure, you suddenly start noticing freshly trodden paths. Here, you have three options:   

  1. You can either choose to penalize those who do not follow the rules   
  2. You can choose to ignore the trodden paths
  3. You can create additional crosswalks exactly there, where people have chosen to disregard the rules, since they prove to be the most comfortable and “user-tested.”

This trilemma is more commonplace than some might think. Now, let’s move this to the dilemma of what to do with the shadow IT, options being:   

  1. Restrict (the traditional approach). Block tools that were not authorized, enforce company-wide policies and monitor compliance. For sure, short-term gains are nearly guaranteed, but so are long-term losses in trust and morale. In the end, the likelihood of different workarounds emerging is as high as Burj Khalifa. Imagine a dev company blocking access to Claude, citing potential code leaks. Developers might migrate to ChatGPT, Gemini or Copilot or, even worse, start using their personal PCs. Again — paths of lesser resistance. Restrictions may make sense in government or military contexts, where the risk of a leak could have national consequences. But when a private company tries to apply those same restrictions, it becomes overkill. You lose agility for a hypothetical risk that might never even materialize.
  2. Ignore (the passive approach). Turning a blind eye avoids conflict but compounds risk. Due to the prevalence of shadow IT solutions, ignoring them completely runs a high risk of company or customer data ending up where it shouldn’t. The potential fallout is undoubtedly more damaging than addressing the issue head-on. Ignore it, and you’re ghosting your smartest people and potential innovations in sight.
  3. Embrace (the adaptive approach). Identify why tools gain traction, then integrate them safely. For instance, if a logistics company notices drivers using Waze instead of approved routing software, they can partner with Waze to develop a custom enterprise version with shipment-tracking features. Good for efficiency and good for morale. In fact, at Trevolution, teams are given the freedom to explore and choose their own AI agents; we don’t have a centralized decision around what developers must use. Everyone is given the freedom to experiment and to test their own stack. Then we host workshops to cross-pollinate the best practices. From here on, during team meetings, innovation happens.  

Building better pathways  

Monitoring tools can detect unsanctioned tools, and IT leaders can then evaluate their impact without necessarily sacrificing innovation. Zero Trust architecture also helps. Instead of straight up banning external apps, one can just limit their access to sensitive systems.  

Essentially, I don’t view shadow IT as a problem to solve; instead, it’s a signal to interpret, which could (and should) serve as a wake-up call. Many organizations to this day usually rely on IT teams to find, research and test new IT tools that could become the company’s standard. But what if solutions came from the bottom up, instead of the norm, which is top down? What if organizations rethought and reconsidered the tools based on what employees (i.e., actual users) find comfortable, easy-to-use and, at the end of the day, useful for their work and the output they produce? Listen to the feedback!

At Trevolution, we noticed some of our travel agents were using their own spreadsheet templates to track customer preferences and booking changes, bypassing the CRM system that was given to them to use. This way, their work moved faster. Instead of scolding them (which could have happened…), we dug in and realized our CRM wasn’t intuitive enough for real-time edits. Having involved both agents with the longest and shortest tenures to simply see how the workflow differs, we found a solution and have adapted the CRM.   

Tricky? No. Time consuming? Very much so, but in the end, it was a bottom-up solution that served the whole organization.  

In the end, the goal shouldn’t be to control every step but to design parks where people don’t need — nor want — to leave. The question isn’t whether shadow IT exists – because it does — but how organizations respond; it is up to you and your organization to decide. Because the grass will always be trodden where sidewalks don’t serve.

This article is published as part of the Foundry Expert Contributor Network.

Ilia Badeev is the head of data science at Trevolution Group — one of the world’s largest travel groups behind brands like ASAP Tickets, Skylux Travel, Dreamport, Triplicity, Oojo and others. He spearheads the group’s global AI strategy, driving innovation across airline ticketing and travel services. With advanced expertise in Python, TensorFlow, AWS and Kubernetes, Ilia transforms complex data into high-impact, real-world solutions.