Articles published on Shadow IT
63 Search results
- Research Article
- 10.54751/revistafoco.v18n9-054
- Sep 5, 2025
- REVISTA FOCO
- Humberto Caetano Cardoso Da Silva + 3 more
Shadow IT encompasses solutions deployed by users, outside the formal structure of IT management. The dissatisfaction with official systems is often the main motivation for the adoption of Shadow IT. Through it, users expect to streamline business processes and improve the user experience. In terms of IT governance, however, Shadow IT means a challenge. The classic IT governance approach addresses issues of control and compliance. However, in a context where solutions are not endorsed by experts, how these governance elements can be implemented is a question without a clear answer. In this essay, it is suggested that a possible path to achieve higher levels of IT governance is to bring IT closer to end users, making Shadow IT a source of organizational innovation. To do so, it is necessary to expand the view on IT governance and to extend the use of mechanisms related to the informal dimension of governance, specifically the self-control mechanisms. The self-control mechanisms are implemented, primarily, by the controlled. However, the controller may establish the formal mechanisms of control, so encouraging or enabling the controlled to exercise self-control.
- Research Article
- 10.1002/jsc.2682
- Jun 24, 2025
- Strategic Change
- Mario Silic + 2 more
The proliferation of artificial intelligence (AI) tools in organizations has given rise to “Shadow AI”—the unsanctioned use of AI systems outside approved governance frameworks. While Shadow AI shares roots with Shadow IT, its generative, opaque, and autonomous nature introduces novel risks related to data privacy, algorithmic bias, hallucination, and governance drift. This study investigates Shadow AI through a mixed‐methods design, combining survey responses from 140 professionals with in‐depth interviews of 10 executives. We examine how employees perceive and justify Shadow AI, what risks it introduces in practice, and how organizational structures fail to regulate its spread. Findings reveal that while AI is widely seen as a productivity tool, governance frameworks often lag behind employee practices, leading to a “governance drift zone” where formal policies exist but lack real‐world traction. Shadow AI also exposes responsibility gaps in high‐risk functions such as HR and legal, where AI‐generated outputs may go unchecked. The study contributes to organizational and cybersecurity literature by conceptualizing Shadow AI as a sociotechnical governance failure. We propose practical strategies—such as AI tool registries, role‐specific training, internal audits, and escalation protocols—to help organizations shift from restriction to controlled enablement, allowing them to leverage AI's benefits while managing its evolving risks.
- Research Article
- 10.1108/ics-03-2025-0101
- Jun 18, 2025
- Information & Computer Security
- Ramesh Krishna Mahimalur
Purpose: This paper aims to investigate the challenges organizations face in implementing effective security governance frameworks for remote work environments and to identify best practices that enable organizations to maintain robust security postures while supporting distributed workforce models. Design/methodology/approach: A mixed-methods approach was employed, consisting of a systematic literature review of 47 academic and practitioner publications, followed by semistructured interviews with 18 information security professionals across various industries. The data was analyzed using thematic analysis to identify key challenges and effective governance strategies. Findings: The research identified five primary challenges in remote work security governance: endpoint security management, network security boundary dissolution, shadow IT proliferation, compliance verification difficulties and security culture maintenance. The study found that successful organizations implement layered governance approaches that balance technical controls with human-centric security measures, employing risk-based frameworks that adapt to the distributed nature of remote work. Originality/value: This study provides a comprehensive analysis of security governance in the context of remote work, moving beyond tactical security controls to examine governance frameworks that enable strategic security management in distributed environments. It contributes to the literature by presenting an integrated model that aligns security governance with remote work realities.
- Research Article
- 10.1111/isj.70001
- Jun 17, 2025
- Information Systems Journal
- Altus Viljoen + 6 more
Low‐code/no‐code (LCNC) platforms, such as ServiceNow and Microsoft Power Platform, enable employees without formal IT training to build applications and automate workflows, thus driving agility and reducing dependence on traditional IT teams. However, LCNC platforms also pose a persistent challenge for organisations: while they offer flexibility and freedom by enabling decentralised development, they also require standardisation and control to manage risks that can be exacerbated by these platforms, such as shadow IT and technical debt. Striking the right balance is difficult—too much flexibility can compromise stability, while too much standardisation can stifle the autonomy and creativity that make LCNC platforms valuable in the first place. This study explores flexibility–standardisation tensions in LCNC development through an investigation of two multinational technology firms with differing LCNC maturity levels, both using ServiceNow. Drawing from 57 interviews, we identify three types of flexibility‐standardisation tensions shaped by three key elements of LCNC development: the platform itself, the people using the platform and the organisational processes targeted for improvement. We derive six guidelines used to navigate flexibility–standardisation tensions and demonstrate how these are applied across different stages of LCNC maturity. Building on these insights, we provide concrete, context‐sensitive recommendations to help organisations adapt the guidelines to their specific environments. We conclude with forward‐looking reflections on how firms can dynamically make sense of these tensions as LCNC platforms and practices evolve. Overall, our findings show that effective LCNC governance requires a dynamic approach—one that balances flexibility and standardisation simultaneously rather than treating them as opposing choices.
- Research Article
- 10.30574/wjarr.2025.26.1.1315
- Apr 30, 2025
- World Journal of Advanced Research and Reviews
- Malleswar Reddy Yerabolu
Shadow IT has emerged as a critical blind spot in zero-trust security architectures, presenting significant challenges for organizations attempting to maintain robust security postures. As enterprises increasingly adopt remote work and digital transformation initiatives, the proliferation of unauthorized applications, cloud services, and devices threatens to undermine established security frameworks. The complex interplay between employee productivity needs and security requirements necessitates a balanced approach to Shadow IT management. Organizations must implement comprehensive strategies encompassing discovery, policy frameworks, and user empowerment while fostering a security-conscious culture that addresses both technical and human aspects of the challenge.
- Research Article
- 10.26858/est.v10i2.61349
- Aug 31, 2024
- Journal of Educational Science and Technology (EST)
- Siphamandla Mncube + 2 more
The emergence of open educational resources (OER) promotes open access which aims to widen information access as part of smart learning in higher education institutions. However, this has caused these institutions to rely on shadow information technology (SIT) for information access and service delivery, to the point where shadow IT principles contradict open education principles. When adopting and developing OER, academics, developers, and students often opt for different software or system software based on the usability and preferences of the system. Higher education institutions (HEIs), such as the University of South Africa (UNISA), are still conscious of the IT policy in terms of the appropriation of prescribed information and communication technology (ICT). However, this institution advocates for the adoption and development of OER, and social injustices when appropriating shadow IT are not yet addressed. To investigate the challenges and injustices encountered by academics in the utilization of shadow IT when creating OER, this study opted for a qualitative research approach. The data source was academics responsible for tuition and research. For data triangulation purposes, documents such as ICT policy, tuition policy, and comprehensive open distance e-learning (CODeL) policy were considered. To propose a model, this study utilized various concepts from different theories such as "structure", which refers to the rules and resources that actors rely on in their practice and form the systems' pattern; the "used technology", which describes how user groups utilize existing technology; and the negative impacts of shadow IT (cost, risk, inconsistency, and control). The study established that, while creating OER, academics rely primarily on shadow IT which has negative impacts in an organization. 
This is an indication of academic stakeholders continuing to break the shadow IT roles, consciously or unsuspectingly, by being innovative while complying with the institutional mandate of open access in education. In addition to the suggestion of a shadow IT injustices model as the main contribution, this study further proposed that the institutional social capital needs to articulate social injustices associated with shadow IT to protect academics during the creation of OER. This implies that future research may examine the shadow IT injustices among all other twenty-six public universities in South Africa.
- Research Article
1
- 10.3917/sim.234.0071
- Apr 30, 2024
- Systèmes d'information & management
- Yves Barlette + 2 more
Shadow IT (SIT) is the use by employees (1) of unapproved IT resources in order to work more efficiently, (2) without malicious intent, but in violation of company rules. This use creates additional vulnerabilities that increase the risk of information security (ISS) incidents. We drew on coping theory to study SIT usage behaviors through a survey of 429 users. We contribute to the academic literature, on the one hand, by improving the understanding of how employees maintain a balance between benefits and risks through maximization and/or protection behaviors related to SIT use. On the other hand, we enrich conceptual models of behavioral analysis by identifying cross effects that had not been studied before. Our managerial contributions highlight the fact that the maximization of SIT use by employees can be beneficial for companies in terms of efficiency. However, in terms of ISS, we show that it is necessary to go beyond simply raising employee awareness, because employees could underestimate the additional risks that result from their SIT practices.
- Research Article
1
- 10.1108/tlo-06-2023-0095
- Feb 6, 2024
- The Learning Organization
- Sabine Khalil + 1 more
Purpose: Cloud computing, a dominant technology, significantly impacts organizations, necessitating talent management strategies for sustained growth. This study aims to explore the impact of cloud adoption on large French organizations through a “learning organization” perspective. Design/methodology/approach: Interviews were conducted with business and IT stakeholders from 35 multinational organizations in France. Findings: Cloud services have a high impact on large organizations, leading to a demand for cloud-related skills, a power shift from IT to business departments and increased shadow IT activities. Effective utilization requires organizational learning and a change management project, transforming organizations into productive and innovative learning organizations. Originality/value: This paper contributes to cloud computing, organizational learning and talent management literature, offering managers a novel approach to handling cloud services.
- Research Article
- 10.17705/2msqe.00104
- Jan 1, 2024
- MIS Quarterly Executive
- Steffi Haag + 1 more
Dealing Effectively with Shadow IT by Managing Both Cybersecurity and User Needs
- Research Article
- 10.30574/wjarr.2023.20.3.2572
- Dec 30, 2023
- World Journal of Advanced Research and Reviews
- Humphrey Emeka Okeke + 1 more
Building secure and compliant web applications is a critical challenge in today’s digital landscape, particularly when leveraging low-code platforms. This article explores how low-code tools can be effectively utilized to develop applications that meet stringent regulatory standards such as HIPAA, GDPR, and PCI DSS while addressing potential security vulnerabilities. By integrating shift-left security practices, organizations can detect and remediate vulnerabilities early in the development process, significantly reducing post-deployment risks and costs. The article highlights strategies such as adopting platform-native security defaults, formalizing governance policies for citizen developers, and implementing phased security maturity models to ensure robust protection of sensitive data. Real-world examples demonstrate how proactive measures, including automated testing tools and role-based access controls (RBAC), enhance application security without compromising speed or scalability. Despite challenges like shadow IT and configuration gaps, strategic adoption of low-code platforms enables organizations to achieve compliance, maintain governance, and deliver secure solutions efficiently.
- Research Article
1
- 10.1007/s10111-023-00748-0
- Dec 16, 2023
- Cognition, Technology & Work
- Fowokemi Alaba Ogedengbe + 2 more
Influence of structural factors on employee cloud shadow IT usage during COVID-19 lockdown: a strain theory perspective
- Research Article
- 10.36222/ejt.1382461
- Nov 27, 2023
- European Journal of Technic
- Mücahit Kutsal + 4 more
Software as a Service (SaaS) is a software service where software solutions are offered to users via the internet, usually subscription-based or sometimes opened to access by selling a license key, distributed over the cloud, and updates are automatically delivered to users because they are distributed over the cloud. The number of SaaS provider companies is increasing day by day, and with this increase, unauthorized purchase of SaaS applications has become a problem for corporate-sized companies. Without the company's approval, SaaS software and hardware used by employees increase Shadow IT which means there is a potential risk of security breaches, data loss, and compliance issues as the IT department is unaware of the usage and unable to monitor and control the systems effectively. In this study, in order to avoid the problems that may be caused by Shadow IT, unauthorized SaaS applications in Arçelik Global have been detected by utilizing statistical and machine learning approaches. In the experiment, Interquartile Range, K-Means and Stabilization algorithms were used for the detection of unauthorized SaaS applications. Using all three algorithms, low, medium and high-risk shadow IT detection was made for Arçelik company. We see that the proposed stabilization approach explores unauthorized SaaS applications much more distinctively than the other two algorithms. The proposed approach can be used in the future to detect unauthorized software from other companies.
- Research Article
2
- 10.1108/oir-04-2022-0243
- Sep 25, 2023
- Online Information Review
- Trang Nguyen
Purpose: Despite the growing concern about security breaches and risks emerging from Shadow IT usage, a type of information security violation committed by organizational insiders, this phenomenon has received little scholarly attention. By integrating the dual-factor theory, unified theory of acceptance and use of technology (UTAUT) and social control theory, this research aims to examine facilitating and deterring factors of Shadow IT usage intention. Design/methodology/approach: An online survey was performed to obtain data. As this study aims at investigating the behavior of organizational insiders, LinkedIn, an employment-oriented network site, was chosen as the main site to reach the potential respondents. Findings: The results show that while performance expectancy, effort expectancy and subjective norms considerably impact intention to use Shadow IT, personal norms and sanctions-related factors exert no influence. Besides, an organizational factor of ethical work climate is found to significantly increase individual perceptions of informal controls and formal controls. Originality/value: This work is the first attempt to extend the generalizability of the dual-factor theory and UTAUT model, which primarily has been utilized in the context of system usage, to the new context of information security. This study is also one of few studies that simultaneously take both organizational and individual factors into consideration and identify its impacts on user's behaviors in the information security context.
- Research Article
1
- 10.2478/orga-2023-0018
- Aug 1, 2023
- Organizacija
- Nurfitriansyah + 3 more
Background and purpose: Employee dissatisfaction with extant technology is one of the causes of shadow IT use. The selection of alternative technologies is determined by individual IT knowledge. In this study, we intend to examine the relationship between individual IT experience and the use of shadow IT in Indonesian higher education through two job characteristics, namely task identity and autonomy. Methods: This study collects and analyses data from 301 respondents at Indonesian universities with legal status using a quantitative methodology. The direct relationship in the research model was investigated using Smart-PLS data analysis. Results: The results of the study indicate that individual IT experience strongly supports the use of shadow IT by tertiary institutions with legal entities employees in Indonesia, either through task identity or job autonomy. Conclusion: In order for employees to feel satisfied, the organization must prioritize employee IT experience and the information technology requirements they require to complete their work. This can be accomplished by involving employees in the development of information technology.
- Research Article
- 10.1080/08874417.2023.2234318
- Jul 20, 2023
- Journal of Computer Information Systems
- Hsieh-Hong Huang + 1 more
This study investigates the effects of self-efficacy on intentions toward information security policy compliance and behaviors in shadow information technology, with self-efficacy being divided into information technology self-efficacy and information security self-efficacy. An experiment was conducted and a total of 83 valid subjects were recruited in this study. Data were collected on the subjects’ behaviors during the experiment, and quantitative data were also collected using a posttest questionnaire. The findings indicated that ITSE and ISSE positively correlated with information security policy (ISP) compliance, suggesting that improving self-efficacy in either aspect will improve ISP compliance intention. However, ISP compliance did not correlate significantly with shadow IT usage, as subjects with high ISP compliance still used shadow IT. Therefore, there was a discrepancy between intention and actual behavior. In practical terms, organizations can use training and education to improve their employees’ self-efficacy in the technically challenging or unfamiliar aspects of IT and ISP compliance, improve their ISP compliance intention, and reduce the possibility of ISP violations, such as shadow IT usage.
- Research Article
3
- 10.1177/02663821231188823
- Jul 12, 2023
- Business Information Review
- Martin S White
A significant amount of research has been carried out into the way in which employees use workarounds and shadow IT to cope with the complexity of enterprise applications. There is a similar situation in the use of clinical record applications. However, neither qualitative nor quantitative survey techniques give any indication of the scale of the adoption of workarounds. In both enterprise and clinical settings workarounds can either introduce a substantial element of corporate risk or provide a basis for process innovation. The research that has been carried out primarily focuses on data-rich processes and little attention has been given to workarounds in a digital workplace where the processes may be significantly more complex than in enterprise data processes.
- Research Article
- 10.1093/combul/bwad045
- May 17, 2023
- ITNOW
- Martin White
Your most innovative employees may be creating shadow IT solutions to the business problems they face. Martin White, Principal Analyst at SearchResearch Online, takes a tour of these workarounds and considers what they mean for IT leaders.
- Research Article
- 10.1504/ijbir.2023.10063453
- Jan 1, 2023
- International Journal of Business Innovation and Research
- Fariza Hanim Rusly + 2 more
The Impact of Training and Awareness on Employee Shadow IT Usage in Developing Economies
- Research Article
3
- 10.3917/sim.222.0059
- Nov 18, 2022
- Systèmes d'information & management
- Paméla Baillette + 2 more
Healthcare institutions are currently confronted with shadow IT (SIT) practices that allow employees to improve their efficiency through tools that complement the IT resources provided by the company. Although SIT practices can be beneficial, they also create vulnerabilities and additional access points for cyber threats in a field where patient data is considered sensitive. This research therefore addresses the following question: what are the benefits and risks arising from SIT uses and practices in the healthcare field? Based on a narrative literature review covering 220 articles, this research highlights several specific features of the healthcare context and their impact on research on IT adoption and information security behaviors. In terms of managerial contributions, we make several proposals for better controlling SIT risks, such as staff awareness-raising and 'zero trust' solutions. We also contribute to the academic literature by highlighting the value of examining the specific factors of reverse IT adoption, the phenomenon of pseudo-compliance, and the impact of neutralization techniques. We also make several proposals for future research, such as studying the impact of emergency situations on the behavior of healthcare staff.
- Research Article
- 10.1177/2694105820220204003
- Sep 1, 2022
- Management and Business Review
- Sunil Mithas + 1 more
The digital transformation of many firms is impeded by misalignment between their IT and business strategies, evidenced by technical debt and shadow IT. Sunil Mithas and Rajiv Kohli explain how companies can overcome these hurdles by investing wisely in information technology.