Shadow IT Policy Template [Free] — Discovery, Risk Assessment & Enforcement
The average enterprise uses 1,295 cloud services — and IT only knows about 30% of them. The other 70% is shadow IT: unauthorized applications, cloud services, and tools that employees adopt without IT approval. Shadow IT isn't a technology problem — it's a productivity problem. Employees use unauthorized tools because IT's approved alternatives are too slow, too clunky, or nonexistent. A good shadow IT policy addresses the root cause while managing the risk. This guide provides a complete, enforceable shadow IT policy template. For related policies, see our BYOD Policy Template and IT Policy Templates guide.
Quick Start: Download our free Shadow IT Policy Template — covers discovery procedures, risk assessment framework, approved alternatives catalog, enforcement guidelines, and employee education materials.
What Is Shadow IT?
Shadow IT refers to any technology — software, cloud services, hardware, or AI tools — used by employees for business purposes without the knowledge or approval of the IT department.
Shadow IT vs BYOD
| Dimension | Shadow IT | BYOD |
|---|---|---|
| What it covers | Unauthorized software, SaaS, cloud services, AI tools | Personal devices used for work |
| The risk | Data stored in unmanaged systems, compliance violations | Data on unmanaged devices |
| Who introduces it | Any employee signing up for a tool | Employees using personal phones/laptops |
| Discovery method | Network monitoring, CASB, expense reports | Device enrollment, network detection |
| Policy focus | Software and service approval process | Device security and management |
For BYOD-specific policies, see our dedicated BYOD Policy Template.
Common Types of Shadow IT
| Category | Examples | Risk Level |
|---|---|---|
| File sharing | Personal Dropbox, Google Drive, WeTransfer | High — company data in personal accounts |
| Communication | WhatsApp, personal Slack workspaces, Signal for work | High — business communications outside retention |
| Project management | Trello, Asana, Monday (unapproved instances) | Medium — work data in unmanaged tools |
| AI tools | ChatGPT, Gemini, Claude (free tiers with no enterprise agreement) | High — confidential data sent to AI providers |
| Development tools | Unauthorized GitHub repos, code playgrounds, API keys in free tools | High — source code and credentials exposed |
| Design and productivity | Canva, Notion, Figma (personal accounts) | Medium — IP in personal accounts |
| Email and calendar | Personal email for work, scheduling tools | Medium — data leakage, phishing risk |
| Hardware | Personal routers, USB drives, Raspberry Pi on network | High — network security bypass |
Shadow IT Policy Template
1. Policy Overview
SHADOW IT POLICY
Version: 1.0
Effective Date: [Date]
Policy Owner: [IT Director / CISO]
Approved By: [CTO / VP of IT]
PURPOSE:
This policy establishes the rules and procedures for the use of
technology within [Organization Name]. All software, cloud services,
AI tools, and hardware used for business purposes must be approved
by IT. This policy defines the approval process, risk assessment
criteria, and consequences for unauthorized technology use.
SCOPE:
This policy applies to all employees, contractors, and third parties
who use technology to conduct [Organization Name] business, including:
- SaaS and cloud applications
- AI and machine learning tools
- Desktop and mobile applications
- Hardware devices connected to the network
- Browser extensions and plugins
- Free and trial accounts for business use
KEY PRINCIPLE:
If you use it for work, IT needs to know about it.
This doesn't mean IT will say no — it means IT will help you
use it safely or find an approved alternative that works.
2. Shadow IT Discovery Process
You can't manage what you don't know about. Use multiple discovery methods:
| Discovery Method | What It Finds | Implementation |
|---|---|---|
| Cloud Access Security Broker (CASB) | All SaaS accessed from corporate network | Deploy inline or API-based CASB |
| Network traffic analysis | Unknown services, unusual data flows | Firewall logs, DNS analytics |
| Expense report review | SaaS subscriptions paid by employees | Monthly review of expense categories |
| SSO/IdP login analysis | Apps not in approved catalog | Review IdP sign-in and OAuth consent-grant logs for apps outside the catalog |
| Endpoint agent | Installed software on managed devices | EDR or software inventory agent |
| Employee survey | Tools employees use daily | Anonymous quarterly survey |
| Browser extension audit | Unauthorized extensions with data access | MDM/browser management policy |
Discovery frequency:
| Method | Frequency | Owner |
|---|---|---|
| CASB scan | Continuous (automated) | IT Security |
| Network analysis | Weekly (automated report) | Network team |
| Expense review | Monthly | IT + Finance |
| SSO log review | Monthly | IT Security |
| Software inventory | Monthly (automated) | IT Operations |
| Employee survey | Quarterly | IT + HR |
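To show what two rows of the discovery table look like once automated, here is an added Python example (my code, not the page's or any vendor's). It runs detection logic over two constructed log excerpts, a proxy log (the "network traffic analysis" row) and an IdP event log (the "SSO/IdP login analysis" row), against an approved-domain list assumed to mirror Section 4, and aggregates per unapproved service the distinct users, the bytes sent out of the network and which method saw it, which is the input the Section 3 assessment asks for. The log formats, the domain lists, the signature map and all user and host names are assumptions.

```python
"""Shadow IT discovery over proxy and IdP logs (added example, not from the page).

Automates two Section 2 methods: proxy/network analysis (who talks to which SaaS
domain, how much leaves the network) and IdP log review (consent grants and SSO
logins to apps outside the catalog). Formats, catalog and signatures are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Approved catalog, assumed to mirror Section 4 (a real deployment loads it from the IT portal).
APPROVED_DOMAINS = {
    "drive.google.com", "sharepoint.com", "slack.com", "teams.microsoft.com",
    "asana.com", "atlassian.net", "zoom.us", "meet.google.com",
}
APPROVED_IDP_APPS = {"Google Drive", "Slack", "Asana", "Jira", "Zoom"}

# Registered domain -> (service, "Common Types" category). Constructed, not exhaustive.
SAAS_SIGNATURES = {
    "dropbox.com": ("Dropbox", "File sharing"),
    "wetransfer.com": ("WeTransfer", "File sharing"),
    "whatsapp.com": ("WhatsApp", "Communication"),
    "trello.com": ("Trello", "Project management"),
    "openai.com": ("ChatGPT", "AI tools"),
    "notion.so": ("Notion", "Design and productivity"),
}

# Constructed proxy log: <timestamp> <user> <destination host> <bytes sent> <bytes received>
SAMPLE_PROXY_LOG = """\
2026-03-02T09:14:05Z alice drive.google.com 48211 3021
2026-03-02T09:15:40Z bob dl-web.dropbox.com 10485760 912
2026-03-02T09:16:02Z carol www.dropbox.com 2097152 4410
2026-03-02T09:20:11Z dave chat.openai.com 18342 90211
2026-03-02T09:21:30Z erin chat.openai.com 22107 101330
2026-03-02T09:22:57Z frank api.openai.com 4096 2048
2026-03-02T09:25:00Z alice app.slack.com 5120 30000
2026-03-02T09:30:15Z grace files.internal-tool.example 3145728 512
this line is truncated and must be skipped rather than crash the report
"""

# Constructed IdP log: <timestamp> <user> <event> "<app display name>"
SAMPLE_IDP_LOG = """\
2026-03-02T10:01:00Z bob consent_grant "Dropbox"
2026-03-02T10:02:30Z heidi consent_grant "Trello"
2026-03-02T10:03:10Z alice sso_login "Slack"
2026-03-02T10:04:00Z ivan consent_grant "Trello"
"""


@dataclass
class Finding:
    service: str
    category: str
    users: set[str] = field(default_factory=set)
    bytes_sent: int = 0
    sources: set[str] = field(default_factory=set)  # discovery methods that saw it

    @property
    def user_count_factor(self) -> int:
        """User-count row of the Section 3 matrix: 1-2 users -> 1, 3-10 -> 2, more -> 3."""
        n = len(self.users)
        return 1 if n <= 2 else 2 if n <= 10 else 3


def match_domain(host: str, domains) -> str | None:
    """Suffix match on a label boundary: sub.dropbox.com matches dropbox.com, notdropbox.com does not."""
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def parse_proxy_line(line: str):
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed or truncated line: skip it
    ts, user, host, sent, _recv = parts
    try:
        return ts, user, host.lower(), int(sent)
    except ValueError:
        return None


def parse_idp_line(line: str):
    head, quote, app = line.partition('"')
    parts = head.split()
    if not quote or len(parts) != 3:
        return None
    ts, user, event = parts
    return ts, user, event, app.rstrip().rstrip('"')


def discover(proxy_log: str, idp_log: str) -> dict[str, Finding]:
    """Return unapproved services keyed by name, merging sightings from both log sources."""
    findings: dict[str, Finding] = {}

    def record(service, category, user, nbytes, source):
        f = findings.setdefault(service, Finding(service, category))
        f.users.add(user)
        f.bytes_sent += nbytes
        f.sources.add(source)

    for line in proxy_log.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        _ts, user, host, sent = rec
        if match_domain(host, APPROVED_DOMAINS):
            continue  # sanctioned traffic
        sig = match_domain(host, SAAS_SIGNATURES)
        service, category = SAAS_SIGNATURES[sig] if sig else (host, "Unknown")
        record(service, category, user, sent, "proxy")

    for line in idp_log.splitlines():
        rec = parse_idp_line(line)
        if rec is None:
            continue
        _ts, user, event, app = rec
        if event in ("consent_grant", "sso_login") and app not in APPROVED_IDP_APPS:
            record(app, "Unknown (seen only via IdP)", user, 0, "idp")
    return findings


def report(findings: dict[str, Finding]) -> list[str]:
    """One line per finding, largest upload volume first, ready for the risk assessment queue."""
    rows = sorted(findings.values(), key=lambda f: (-f.bytes_sent, f.service))
    return [f"{f.service:<28} {f.category:<28} users={len(f.users):<3} "
            f"user_factor={f.user_count_factor} bytes_out={f.bytes_sent:>10} via={','.join(sorted(f.sources))}"
            for f in rows]


if __name__ == "__main__":
    for row in report(discover(SAMPLE_PROXY_LOG, SAMPLE_IDP_LOG)):
        print(row)
```

Two design points worth noting. Matching is a suffix match on a label boundary, so a new subdomain of a known service is still attributed correctly, while a look-alike domain is not. And domain-level evidence has a blind spot the page's own catalog exposes: GitHub Enterprise and a personal GitHub repo share the same domain, so proxy data alone cannot tell them apart, which is why the table also lists expense review, IdP consent logs and employee surveys rather than relying on one method.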
3. Risk Assessment Framework
When shadow IT is discovered, assess the risk before taking action.
Shadow IT Risk Scoring Matrix
| Risk Factor | Low (1) | Medium (2) | High (3) |
|---|---|---|---|
| Data sensitivity | No company data | Internal data only | Confidential/restricted data |
| User count | 1-2 users | 3-10 users | 10+ users |
| Data residency | Known, compliant region | Unknown region | Non-compliant region |
| Vendor security | SOC 2 certified | Basic security practices | No security attestation |
| Integration depth | Standalone, no integrations | Connects to 1-2 systems | Deep integration with core systems |
| Business dependency | Nice to have | Useful but replaceable | Business-critical workflow |
Total score interpretation:
- 6-8: Low risk — fast-track approval or monitor
- 9-12: Medium risk — require formal review and controls
- 13-15: High risk — remediate immediately, migrate to approved alternative
- 16-18: Critical risk — block access immediately, investigate data exposure
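As an added example (not from the page), the scoring rules above as a small Python module: it refuses input that is missing a factor or scored outside 1-3, sums the six factors, maps the total to the tier and action listed above and to the decision SLA that Section 5 assigns to each score band, and lists the factors scored High so a reviewer can see what drives the result. The thresholds are the page's; the function names and the constructed example tool are mine.

```python
"""Shadow IT risk scoring for the six-factor matrix in Section 3 (added example, not from the page).

Each factor is scored 1 (Low), 2 (Medium) or 3 (High). The total of 6..18 maps to the
tier and action under "Total score interpretation" and to the decision SLA from the
Section 5 table (low 3, medium 5, score 13+ 10 business days).
"""
from __future__ import annotations

FACTORS = ("data_sensitivity", "user_count", "data_residency",
           "vendor_security", "integration_depth", "business_dependency")

# (inclusive upper bound, tier, recommended action, decision SLA in business days)
TIERS = (
    (8, "Low", "fast-track approval or monitor", 3),
    (12, "Medium", "require formal review and controls", 5),
    (15, "High", "remediate immediately, migrate to approved alternative", 10),
    (18, "Critical", "block access immediately, investigate data exposure", 10),
)


def user_count_factor(users: int) -> int:
    """User-count row of the matrix: 1-2 -> 1, 3-10 -> 2, more than 10 -> 3."""
    return 1 if users <= 2 else 2 if users <= 10 else 3


def validate_scores(scores: dict[str, int]) -> None:
    """Refuse incomplete or out-of-range input instead of silently producing a low total."""
    missing = set(FACTORS) - scores.keys()
    unknown = scores.keys() - set(FACTORS)
    if missing or unknown:
        raise ValueError(f"missing factors {sorted(missing)}, unknown factors {sorted(unknown)}")
    bad = {k: v for k, v in scores.items() if v not in (1, 2, 3)}
    if bad:
        raise ValueError(f"factor scores must be 1, 2 or 3: {bad}")


def tier_for(total: int) -> tuple[str, str, int]:
    """Map a 6..18 total to (tier, recommended action, decision SLA days)."""
    if not 6 <= total <= 18:
        raise ValueError(f"total {total} outside 6..18")
    for bound, tier, action, sla_days in TIERS:
        if total <= bound:
            return tier, action, sla_days
    raise AssertionError("unreachable")


def assess(application: str, scores: dict[str, int]) -> dict:
    """Score one discovered tool; 'drivers' lists the factors scored High so reviewers see why."""
    validate_scores(scores)
    total = sum(scores[f] for f in FACTORS)
    tier, action, sla_days = tier_for(total)
    return {
        "application": application,
        "total": total,
        "tier": tier,
        "recommendation": action,
        "decision_sla_days": sla_days,
        "drivers": [f for f in FACTORS if scores[f] == 3],
    }


if __name__ == "__main__":
    # Constructed example: a personal file-sharing account holding confidential data, 5 users
    example = {
        "data_sensitivity": 3, "user_count": user_count_factor(5), "data_residency": 2,
        "vendor_security": 3, "integration_depth": 1, "business_dependency": 2,
    }
    print(assess("Personal Dropbox (marketing)", example))
```

The constructed example totals 13, which lands in the High band: migrate to the approved alternative, with a 10-business-day decision SLA. The `drivers` list (data sensitivity and vendor security here) is what belongs in the RECOMMENDATION line of the assessment template, since it tells the user which change would bring the tool into an approvable band.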
Risk Assessment Template
SHADOW IT RISK ASSESSMENT
Application: [Name]
Discovered: [Date]
Discovery method: [How it was found]
Department: [Who is using it]
Number of users: [Count]
Business purpose: [Why they use it]
DATA ASSESSMENT:
- What company data is stored in this tool? [Description]
- Data classification level: [Public / Internal / Confidential / Restricted]
- Is customer PII/PHI involved? [Yes / No]
- Is data exportable? [Yes / No]
VENDOR ASSESSMENT:
- SOC 2 or ISO 27001 certified? [Yes / No]
- Where is data stored? [Region/Country]
- Does the vendor's ToS allow data use for training? [Yes / No]
- GDPR/CCPA compliant? [Yes / No]
RISK SCORE: [X/18]
RECOMMENDATION: [Approve / Approve with controls / Block / Migrate]
APPROVED ALTERNATIVE: [If blocking, what should users use instead]
4. Approved Technology Catalog
The best way to reduce shadow IT is to provide better alternatives. Maintain a catalog of approved tools by category:
| Category | Approved Tool(s) | How to Request Access | Alternative Rejected |
|---|---|---|---|
| File sharing | Google Drive (enterprise), SharePoint | Self-service via IT portal | Personal Dropbox, WeTransfer |
| Communication | Slack (enterprise), Microsoft Teams | Auto-provisioned at onboarding | WhatsApp for work, personal Slack |
| Project management | Asana (enterprise), Jira | Team lead requests via IT ticket | Personal Trello, Monday.com |
| AI tools | ChatGPT Enterprise, Claude (with DLP) | Manager approval + IT provisioning | Free-tier AI tools for work data |
| Design | Figma (enterprise), Canva (enterprise) | Department head approval | Personal Figma/Canva accounts |
| Code repositories | GitHub Enterprise | Auto-provisioned for engineering | Personal GitHub repos for work code |
| Video conferencing | Zoom (enterprise), Google Meet | Self-service | Personal Zoom, Skype |
| Note-taking | Notion (enterprise), Confluence | Team lead requests | Personal Notion, Evernote |
Catalog maintenance:
- Review and update quarterly
- Add new categories when shadow IT discovery reveals common needs
- Include request process (self-service vs. approval required)
- Document why rejected alternatives aren't allowed (data risk, compliance)
5. Software Request and Approval Process
Make it easy for employees to request new tools — friction drives shadow IT.
Request Process
STEP 1: EMPLOYEE SUBMITS REQUEST
- Via IT portal or Slack bot
- Required info: tool name, business purpose, data involved, users needed
- Target response time: 3 business days
STEP 2: IT REVIEWS REQUEST
- Check if approved alternative exists
- If new tool: run risk assessment (see Section 3)
- If approved alternative exists: recommend it
STEP 3: DECISION
- Approved: IT provisions and configures (SSO, DLP, data controls)
- Approved with conditions: Specific data restrictions or user limits
- Denied: Explanation provided with approved alternative
- Deferred: Needs further evaluation (security review, legal review)
STEP 4: PROVISIONING
- IT configures SSO integration
- Data loss prevention controls applied
- Added to approved catalog
- Users notified and trained
SLA for software requests:
| Request Type | Decision SLA | Provisioning SLA |
|---|---|---|
| Tool already in approved catalog | Same day | 1 business day |
| New tool, low risk (score 6-8) | 3 business days | 3 business days |
| New tool, medium risk (score 9-12) | 5 business days | 5 business days |
| New tool, high risk (score 13+) | 10 business days | Varies |
6. Enforcement and Consequences
Enforcement Approach
The goal is compliance, not punishment. Most shadow IT is well-intentioned — employees trying to be productive. Lead with education, not enforcement.
| Violation | First Occurrence | Second Occurrence | Third Occurrence |
|---|---|---|---|
| Using unapproved tool (low-risk data) | Education: explain the policy, help migrate | Written reminder from manager | Manager escalation, IT blocks access |
| Using unapproved tool (confidential data) | Immediate migration, security review | Written warning | Formal disciplinary action |
| Storing restricted data in personal account | Immediate remediation, data recovery, manager notification | Written warning + mandatory security training | Formal disciplinary action |
| Creating unauthorized network connections | Immediate disconnection, security review | Written warning | Formal disciplinary action |
Amnesty Program
When first rolling out a shadow IT policy, offer a 30-day amnesty period:
- Employees can self-report unauthorized tools without consequences
- IT will assess each tool and either approve, provide an alternative, or help migrate data
- After 30 days, enforcement begins
- This surfaces far more shadow IT than any technical discovery tool
7. AI-Specific Shadow IT Controls
AI tools are the fastest-growing category of shadow IT in 2026. They require special attention.
| AI Risk | Policy Requirement |
|---|---|
| Confidential data in prompts | Only enterprise-tier AI tools with data processing agreements |
| Customer data in AI tools | Prohibited unless tool is SOC 2 certified with no training on customer data |
| Source code in AI tools | Only approved code assistants (enterprise GitHub Copilot, enterprise Claude) |
| AI-generated content published externally | Must be reviewed by human before publication |
| Free-tier AI accounts for work | Prohibited — free tiers typically use data for model training |
See our AI Acceptable Use Policy Template for detailed AI governance guidelines.
8. Employee Education
Key Messages
- "We're not trying to block you — we're trying to protect you and our customers"
- "If you need a tool, ask. We'll get you something that works — usually within 3 days"
- "Using unapproved tools puts customer data at risk and can violate our compliance obligations"
- "When you leave the company, data in your personal accounts doesn't come with you"
Training Program
| Training | Audience | Frequency | Duration |
|---|---|---|---|
| Shadow IT awareness (what it is, why it matters) | All employees | Annually + onboarding | 15 minutes |
| Software request process | All employees | At policy launch | 10 minutes |
| AI tool guidelines | All employees | Semi-annually | 15 minutes |
| Shadow IT discovery and response | IT staff | Quarterly | 30 minutes |
| Manager enforcement training | People managers | Annually | 20 minutes |
Implementing Your Shadow IT Policy
Phase 1: Discovery (Weeks 1-2)
- Deploy CASB or network analysis to identify current shadow IT
- Review expense reports for SaaS subscriptions
- Survey employees on tools they use daily
- Catalog all discovered shadow IT with risk scores
Phase 2: Assessment and Catalog (Weeks 3-4)
- Risk-assess all discovered shadow IT
- Build approved technology catalog with alternatives
- Identify tools to approve, migrate, or block
- Set up software request process (portal or Slack bot)
Phase 3: Policy Launch (Weeks 5-6)
- Announce shadow IT policy to all employees
- Run 30-day amnesty program for self-reporting
- Conduct training on policy and request process
- Begin migrating data from high-risk shadow IT
Phase 4: Ongoing Management (Continuous)
- Run monthly shadow IT discovery scans
- Process software requests within SLA
- Update approved catalog quarterly
- Report shadow IT metrics to leadership quarterly
Related Resources
- BYOD Policy Template — Personal device security (complementary to shadow IT)
- AI Acceptable Use Policy — AI tool governance
- IT Policy Templates: Complete Guide — All IT policy templates in one place
- IT Security Policy Template — Comprehensive security policy
- Vendor Management Best Practices — Evaluate and manage SaaS vendors
Frequently Asked Questions
Isn't blocking shadow IT bad for productivity?
Blocking without providing alternatives is bad for productivity. A good shadow IT policy provides a fast approval process (3-day SLA) and maintains an approved catalog of tools. The goal is to channel innovation through a secure path, not to stop it.
How much shadow IT does a typical company have?
Research shows the average enterprise has 4x more cloud applications than IT is aware of. For a mid-market company, that typically means 200-400 unknown SaaS applications. Many are low risk (personal productivity tools), but 10-20% involve confidential data.
Should I block or monitor shadow IT?
Start with monitoring and education. Immediately block only high-risk tools (those handling confidential data without security controls). For everything else, give employees time to migrate to approved alternatives. Blocking without warning creates resentment and drives shadow IT deeper underground.
How do I handle shadow IT from executives?
The same way you handle it from anyone else — with education and approved alternatives. Executives are often the worst shadow IT offenders because they're used to making their own technology decisions. Provide white-glove service: personally help them migrate to approved tools that meet their needs.
What's the relationship between shadow IT and zero trust?
Zero trust architecture naturally reduces shadow IT risk by requiring authentication and authorization for every access request. When you implement zero trust, unapproved tools can't access corporate data without going through your identity provider — which gives IT visibility and control.