The marketing team signed up for an automation tool without telling anyone. Finance is using a Google Drive spreadsheet with customer data. The sales team adopted a CRM different from the one approved by the company. Sound familiar? This has a name: Shadow IT, and it is present in virtually every medium and large company in Brazil — whether leadership knows it or not.

According to a Gartner study, approximately 41% of employees acquire, manage, or deploy technology without the knowledge of the IT department. In organizations with more than 5,000 employees, that number can exceed 60%. We are not talking about isolated cases. We are talking about a systemic pattern with deep roots — one that, if ignored, can be costly.

In this article, I want to go beyond the diagnosis. I will explain why Shadow IT happens, what the real risks to the business are, and — most importantly — what strategic leaders can do to turn this problem into a competitive advantage.

Why Shadow IT exists: the user is not the only one to blame

Before pointing fingers at business teams, we need to be honest about the root of the problem. Shadow IT is usually a symptom of an IT department that cannot respond at the speed the business requires.

When a marketing manager needs a tool to automate campaigns and the internal approval process takes 45 days, they do not wait. They charge the corporate card, download the SaaS tool, and solve the problem. When the data team needs an analytics environment and the infrastructure ticket takes weeks, they create a personal AWS account and deliver the project. The behavior is rational, even if the risk is high.

At companies like BTG and XP, which I have worked with throughout my career, one of the greatest challenges was not a lack of technical capability within IT — it was the misalignment between the speed of the business and IT governance processes. When that gap is not addressed, Shadow IT flourishes.

The most common drivers I observe in the field:

  • Excessive bureaucracy in tool request and approval processes
  • Lack of a portfolio of pre-approved solutions available for immediate use
  • Poor communication between IT and business units
  • A culture of autonomy without adequate guardrails
  • Pressure to deliver results that makes regulatory risk acceptable to the local manager

The real risks hidden behind the numbers

When I speak with CEOs and CTOs about Shadow IT, I notice that many underestimate their actual exposure. The problem is not just technical — it is financial, regulatory, and strategic.

From an information security standpoint, every unmanaged tool is a potential attack vector. Customer data stored on non-approved SaaS platforms, corporate credentials used in third-party services without proper access controls, integrations built without security review — all of this creates attack surfaces that the security team is simply unaware of.

In the Brazilian context, this takes on an even more critical dimension with the LGPD. A company that has personal customer data flowing through unapproved tools is exposed to ANPD sanctions that can reach 2% of gross revenue, capped at R$50 million per violation. This is not hypothetical — we have already seen cases being investigated in the financial sector.

There is also a direct financial impact. The phenomenon of SaaS Sprawl — the uncontrolled proliferation of software subscriptions — is a direct consequence of Shadow IT. Research from Productiv indicates that, on average, 65% of SaaS tools in a company are underused or duplicated. Medium-sized companies in Brazil frequently pay for 3 or 4 tools that do the same thing, purchased by different teams with no communication between them.

And there is still the invisible strategic risk: data fragmentation. When each department uses its own tools, data ends up in silos. The company loses its ability to generate integrated intelligence. Strategic decisions are made with partial visibility. Digital transformation becomes empty talk because the data foundation is unstable.

Shadow IT is not just an IT problem. It is a business problem disguised as a technical one.

What is at stake in the era of generative AI

If Shadow IT was already a serious challenge before, the massive arrival of generative AI tools has raised the risk to an entirely different level.

Today, any employee can access ChatGPT, Claude, Gemini, or dozens of other AI tools and start using corporate data to generate analyses, draft contracts, or summarize internal documents. The problem is that, in many of these cases, the data entered may be used to train models, stored on servers outside the country, or simply exposed to third parties without any oversight.

I have seen cases where financial analysts entered confidential client data into public AI tools to speed up their analyses. The result was operationally efficient and potentially catastrophic from a regulatory and reputational standpoint.

Companies like Samsung and JPMorgan — Samsung more than once — have already experienced incidents related to the uncontrolled use of generative AI by employees. In Brazil, the regulatory movement around AI is advancing, and those without clear policies today will be playing catch-up tomorrow.

The question is not whether to ban the use of AI — that would be counterproductive and unenforceable. The question is how to create the right guardrails so that innovation can happen securely.

The wrong approach: block and punish

The most common response I see when IT leaders discover the extent of Shadow IT in their organizations is a combination of blocking and punishment. They implement stricter firewalls, send threatening memos, and create acceptable use policies filled with prohibitions.

This approach does not work. Not because the rules are wrong, but because it attacks the symptom while ignoring the cause. If the IT process remains slow, if the portfolio of approved solutions remains inadequate, if communication between IT and the business remains poor — Shadow IT will continue to exist, just in a more concealed form.

Worse still, the punitive approach creates an environment of distrust that undermines collaboration. Business teams start to see IT as an obstacle rather than a strategic partner. And then you have a culture problem that is far harder to solve than a technical one.

The goal should not be to eliminate Shadow IT by force. The goal should be to make official IT so good that there is no reason to work around it.

What to do: a strategic approach in four moves

Over more than 20 years working in technology management — spanning IBM, AWS, and directly advising executives at companies such as Bradesco, Inter, and B3 — I have developed a clear perspective on how to address Shadow IT effectively. There is no silver bullet, but there is a structured approach that works.

First move: map before you act. Before making any decisions, you need to understand the true extent of the problem. This includes an inventory of all tools in use across the organization — not just the ones approved by IT. Tools like Zylo, Torii, or Productiv help with this mapping by analyzing corporate card spending and network traffic. What you find will be surprising. In a mid-sized company, it is common to discover between 200 and 400 active SaaS applications, with IT formally aware of fewer than 30% of them.

Second move: classify and prioritize risks. Not all Shadow IT is equally dangerous. A design tool used by the creative team has a completely different risk profile than a spreadsheet with customer data stored in a personal cloud service. Categorize the tools you find by risk level: critical (sensitive data, integration with core systems), high (internal data, corporate authentication), medium, and low. Act first where the risk is greatest.

Third move: build a portfolio of approved and agile solutions. The main reason people work around IT is the lack of adequate solutions available quickly. Create a service catalog that includes pre-approved tools, with accelerated approval processes for new requests. Instead of a single approval process that takes 45 days for any tool, create different tracks: low-risk tools approved within 48 hours, medium-risk tools within 2 weeks, and critical tools with a full review process. Effective IT governance is governance that enables the business, not one that paralyzes it.

Fourth move: change the relationship model between IT and the business. This is the hardest and most important step. IT needs to stop being a department of "no" and become a strategic partner. This can include creating IT Business Partners — technical professionals embedded within business units to understand their needs and translate them into viable solutions. It also means establishing regular forums between IT leaders and business leaders to align priorities and anticipate demand.
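The first three moves as a script, an added example that is not from the article: it takes a constructed corporate-card export and a constructed approved-tool catalog (both assumptions, as is the category-to-tier map), tiers each unapproved vendor by the data category it touches, routes it to the 48-hour, 2-week or full-review track, flags categories bought several times over, and computes how much of the tooling in use IT formally knows about.

```python
from collections import defaultdict
# Constructed catalog of IT-approved tools: vendor -> category (assumption)
APPROVED = {"salesforce": "crm", "figma": "design"}
# Tier per category after the article's second move (customer data and core
# integrations critical, internal data high); the category list is assumed.
TIER = {"crm": "critical", "analytics": "high", "storage": "high", "design": "low"}
# Approval track per tier, from the article's third move
TRACK = {"critical": "full review", "high": "2 weeks",
         "medium": "2 weeks", "low": "48 hours"}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Constructed corporate-card export: (team, vendor, category, monthly BRL)
EXPENSES = [
    ("marketing", "hubspot", "crm", 1200.0),
    ("sales", "hubspot", "crm", 400.0),
    ("sales", "pipedrive", "crm", 900.0),
    ("sales", "salesforce", "crm", 5000.0),
    ("finance", "airtable", "storage", 300.0),
    ("data", "aws-personal", "analytics", 800.0),
    ("design", "canva", "design", 150.0),
    ("ops", "notion", "wiki", 200.0),
]

def triage(expenses, approved=APPROVED):
    """Unapproved vendors merged across teams, tiered and routed to a track, highest
    tier then highest spend first. Unknown categories default to medium, not low."""
    found = {}
    for team, vendor, category, amount in expenses:
        if vendor in approved:
            continue
        rec = found.setdefault(vendor, {"category": category, "teams": set(),
                                        "spend": 0.0})
        rec["teams"].add(team)
        rec["spend"] += amount
        rec["tier"] = TIER.get(category, "medium")
        rec["track"] = TRACK[rec["tier"]]
    return sorted(found.items(),
                  key=lambda kv: (RANK[kv[1]["tier"]], -kv[1]["spend"]))

def duplicates(expenses):
    """Categories served by more than one vendor, approved or not: SaaS sprawl."""
    by_cat = defaultdict(set)
    for _, vendor, category, _ in expenses:
        by_cat[category].add(vendor)
    return {c: sorted(v) for c, v in by_cat.items() if len(v) > 1}

def it_visibility(expenses, approved=APPROVED):
    """Share of distinct vendors actually in use that IT formally knows about."""
    vendors = {vendor for _, vendor, _, _ in expenses}
    return len(vendors & set(approved)) / len(vendors)
```

On the constructed data, the three CRMs surface as one duplicated category and IT turns out to know about one vendor in seven, which is the kind of number the mapping exercise in the first move tends to produce.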

Turning the problem into a competitive advantage

There is a less explored perspective on Shadow IT that deserves attention: it is also a signal of innovation. When a business team seeks out a new tool, they are often identifying a real need that IT failed to anticipate. That is valuable information.

Companies that learn to capture this signal — rather than suppress it — are able to accelerate their digital transformation in a more organic way, aligned with the real needs of the business. The process of mapping Shadow IT, when approached with a strategic lens, can reveal gaps in the technology portfolio that, once addressed, generate significant productivity gains.

A financial sector company I worked closely with discovered, during a Shadow IT mapping exercise, that three different teams had each developed their own reporting automation solutions because the official tool was inadequate. Rather than punishing anyone, the IT leadership took the best elements from each solution to build a unified platform — with proper governance — that was adopted across the entire organization. The result was a 70% reduction in time spent generating reports and, more importantly, reliable and centralized data for decision-making.

Mature technology management is not about controlling everything from the top down. It is about creating the right mechanisms so that innovation can happen securely, scalably, and in alignment with business objectives.

The question every leader should be asking right now

If you are a CEO, CTO, CIO, or founder, there is one simple — and uncomfortable — question I recommend you ask yourself today: do you really know which tools your company is using?

Not the ones in the IT contract. The ones actually being used day to day by the teams that need to deliver results. The answer is probably no. And that is fine — that is the starting point.

Shadow IT will not disappear as long as there is a gap between the speed of the business and IT's ability to respond. But that gap can be reduced. With the right approach, it can even become a driver of innovation.

What is no longer acceptable is to ignore it. The regulatory, security, and strategic risks are too real. And the companies that address this issue seriously over the next 12 to 24 months will have a significant competitive advantage over those that continue to treat it as a second-tier IT problem.

If you want to understand how exposed your organization is and build a concrete strategy to address Shadow IT, get in touch. This is exactly the kind of challenge I solve with CEOs, CTOs, and founders — turning technological complexity into real competitive advantage.