Shadow IT Isn't the Problem. Your Official Tools Are.
Every enterprise IT department fights the same battle: employees using unauthorised software. Marketing signs up for a project management tool without asking. Sales teams share files through personal Dropbox accounts. Finance runs critical processes on spreadsheets that nobody in IT knows about.
The industry calls this “shadow IT,” and it’s treated as a governance problem. But what if it’s actually feedback that IT departments are ignoring?
The Scale of It
Gartner estimated that shadow IT accounts for 30-40% of IT spending in large enterprises. A 2025 survey by the Australian Information Security Association found that 62% of Australian enterprises reported significant shadow IT activity, with an average of 975 cloud services in use per organisation versus 120 officially sanctioned ones.
Those numbers should make IT leaders pause. Not just because of the security risk, though that’s real. Nearly a thousand times over, people looked at the tools IT provided and decided they weren’t good enough. That’s a verdict.
Why People Go Rogue
Nobody uses shadow IT to be difficult. They do it because the official tools are failing them.
The approved tool is too slow. Not just performance, but process. If submitting an IT request for new software takes six weeks and getting a personal subscription takes five minutes, people will choose five minutes every time.
The approved tool doesn’t do what they need. Enterprise software is often selected based on what matters to IT and procurement: integration capability, vendor stability, security certifications. Whether the interface is actually usable often comes second.
Nobody asked them what they needed. The tool was chosen by a committee that didn’t include anyone who would use it daily. Users opened it, found it frustrating, and went looking for alternatives.
The Risks Are Real
Shadow IT creates genuine problems. Data security suffers when employees store company data in personal accounts outside the organisation’s controls. Privacy Act compliance obligations apply regardless of whether data sits in an approved system or someone’s personal Google Drive.
The Australian Prudential Regulation Authority has specifically flagged shadow IT as a risk for regulated financial institutions. If an insurance company’s actuarial team is running critical models in personal cloud accounts, that’s not just a security issue. It’s a regulatory one.
Why Cracking Down Doesn’t Work
The typical response is tightening controls. Block unapproved applications at the firewall. Implement cloud access security brokers. Issue policies threatening disciplinary action.
This fails for a simple reason: it addresses the symptom without treating the cause. Block Trello, and people find another workaround. You spend your time playing whack-a-mole while employees get increasingly frustrated with an IT department that seems more interested in saying no than solving problems.
A consultancy we’ve worked with, which advises on enterprise technology adoption, found that organisations with the heaviest shadow IT restrictions often had the lowest employee satisfaction with IT services. The correlation isn’t surprising. Restrictive IT drives the behaviour underground rather than eliminating it.
A Better Approach
What if IT departments treated shadow IT as market research?
When employees choose a tool over the approved option, they’re providing direct feedback about what works and what doesn’t. That’s valuable intelligence if you’re willing to listen.
Audit honestly. Find out what shadow IT exists and why. Not to punish people, but to understand unmet needs. Ask people why they chose the tools they chose.
Speed up provisioning. If getting a new tool approved takes weeks, collapse that timeline. Create a fast-track evaluation process for low-risk tools. Let teams trial software for 30 days while formal evaluation happens in parallel.
Include users in selection. When choosing enterprise software, put actual daily users on the evaluation panel. Not just their managers. Their input should carry real weight.
Build a governed marketplace. Create an internal app store of pre-evaluated tools that meet security and compliance requirements. Let teams choose from a curated list rather than dictating a single option per category.
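The audit step and the curated list above imply a concrete check: take what the proxy or CASB actually sees, map destinations to SaaS services, and compare the result against the sanctioned catalogue to find out which unsanctioned tools are in use and by how many people. The script below is an added illustration, not code from the article or from any vendor. It assumes a simple three-field proxy log format (timestamp, user, destination host), a hypothetical service-to-domain registry, and a hypothetical sanctioned list; all log lines, users and hostnames are constructed for the example.

```python
"""Shadow IT discovery from proxy logs: constructed example, not production code."""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sample of proxy/CASB-style log lines: timestamp, user, destination host.
# Users and hostnames are invented for this example.
SAMPLE_LOG = """\
2025-03-03T09:12:01Z alice.m@example.com trello.com
2025-03-03T09:12:44Z bob.k@example.com dl.dropboxusercontent.com
2025-03-03T09:13:10Z alice.m@example.com api.trello.com
2025-03-03T09:15:02Z carol.s@example.com drive.google.com
2025-03-03T09:16:30Z dave.p@example.com sharepoint.example-tenant.com
2025-03-03T09:17:11Z carol.s@example.com trello.com
2025-03-03T09:18:05Z erin.w@example.com www.dropbox.com
2025-03-03T09:19:40Z bob.k@example.com teams.microsoft.com
2025-03-03T09:20:12Z frank.l@example.com notion.so
2025-03-03T09:21:00Z grace.h@example.com unknownsaas.example
"""

# Hypothetical registry mapping a service name to the domains it is served from.
# A real deployment would take this from a CASB or a maintained SaaS catalogue.
SERVICE_DOMAINS = {
    "Trello": ["trello.com"],
    "Dropbox": ["dropbox.com", "dropboxusercontent.com"],
    "Google Drive": ["drive.google.com"],
    "SharePoint": ["sharepoint.example-tenant.com"],
    "Microsoft Teams": ["teams.microsoft.com"],
    "Notion": ["notion.so"],
}

# Hypothetical sanctioned list: the "governed marketplace" of pre-evaluated tools.
SANCTIONED = {"SharePoint", "Microsoft Teams"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def classify_host(host):
    """Return the service owning `host`, matching the host itself or a parent domain.

    The suffix check requires a leading dot so that a lookalike such as
    'nottrello.com' is not mistaken for 'trello.com'.
    """
    host = host.lower().rstrip(".")
    for service, domains in SERVICE_DOMAINS.items():
        for domain in domains:
            if host == domain or host.endswith("." + domain):
                return service
    return None


@dataclass
class ServiceUsage:
    sanctioned: bool
    users: set = field(default_factory=set)
    requests: int = 0


def build_inventory(log_text):
    """Aggregate per-service usage from log lines.

    Returns (inventory, unclassified): inventory maps service name to ServiceUsage;
    unclassified maps hosts that matched no known service to their request count,
    so gaps in the registry are visible rather than silently dropped.
    """
    inventory = {}
    unclassified = defaultdict(int)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # malformed line: skip rather than abort the whole audit
        _ts, user, host = match.groups()
        service = classify_host(host)
        if service is None:
            unclassified[host] += 1
            continue
        usage = inventory.setdefault(service, ServiceUsage(service in SANCTIONED))
        usage.users.add(user)
        usage.requests += 1
    return inventory, dict(unclassified)


def shadow_services(inventory):
    """Unsanctioned services ranked by distinct users: the most-adopted unmet need first."""
    return sorted(
        ((name, len(usage.users)) for name, usage in inventory.items() if not usage.sanctioned),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    inventory, unknown = build_inventory(SAMPLE_LOG)
    sanctioned_count = sum(1 for usage in inventory.values() if usage.sanctioned)
    print(f"{len(inventory)} services observed, {sanctioned_count} sanctioned")
    for name, user_count in shadow_services(inventory):
        print(f"  unsanctioned: {name:<16} {user_count} user(s)")
    for host, count in unknown.items():
        print(f"  unclassified host: {host} ({count} request(s))")
```

Ranking by distinct users rather than request volume matters here: one chatty integration can generate thousands of requests, but five teams independently choosing the same unsanctioned tool is the signal the article calls a verdict. The unclassified bucket is the other output worth reading, since hosts the registry does not recognise are exactly the services IT does not yet know about.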
The Cultural Shift
This requires IT departments to change how they see their role. Instead of gatekeepers controlling what technology enters the organisation, they become enablers who help people find the right tools safely.
That’s harder than it sounds. It means managing governance across a diverse tool landscape and measuring success by whether employees can do their work effectively, not by how standardised the environment is.
But the alternative is what we have now: official IT spending millions on tools people avoid, shadow IT growing year over year, and security teams constantly discovering risks they didn’t know about.
The question every CIO should be asking isn’t “how do we stop shadow IT?” It’s “why are our people choosing other tools over ours?” The answer might be uncomfortable, but it’s the only one that actually solves the problem.