Shadow IT Governance Framework

Acceptable Use Policy (AUP) clause

Add a shadow IT clause to your AUP: 'Employees must not use software for work purposes that processes company, customer, or partner data without prior IT approval. Personal tools used exclusively for personal data are exempt.' Keep it to 2-3 sentences.

Data classification trigger

Define which data classifications trigger mandatory IT review. Confidential data (PII, financial, IP) requires approval. Internal data requires registration. Public data has no restriction. This prevents blanket enforcement that paralyzes teams using legitimate tools.

Amnesty window

When launching your governance program, declare a 60-day amnesty window during which teams can self-report shadow apps without disciplinary action. The only obligation is to complete the tool registration form. This drives disclosure without resistance.

Exceptions process

Document a formal exceptions process: any tool that processes company data but cannot be removed immediately may be granted a 90-day conditional exception while a sanctioned alternative is found. Exceptions require manager sign-off and IT security acknowledgement.

Category-level coverage

Ensure your approved catalog covers every major use-case category: project management, note-taking, team communication, file storage, AI writing, code generation, video conferencing, design, analytics, and CRM. Gaps in category coverage drive shadow IT more than anything else.

Approved alternatives for most common shadow apps

Map your top shadow apps to approved alternatives. If Notion is the most common shadow tool, either approve Notion properly or ensure Confluence is compelling enough to use. If ChatGPT is rampant, deploy an approved enterprise AI tool. Substitution is more effective than prohibition.

Self-service catalog portal

Publish your approved software catalog in a searchable internal portal (not a SharePoint list nobody reads). Include: approved status, data classification supported, link to SSO login, owner team, and request process for additional licenses. Make it faster to find an approved tool than to Google an alternative.

Quarterly catalog review

Software landscapes change. Review your approved catalog quarterly to add tools that have passed security review, remove tools with unacceptable risk, and update security assessments for existing tools that have changed their data practices.

Risk-tiered approval process

Tier 1 (no company data, under $50/month): self-service registration, no approval required, auto-approved. Tier 2 (internal data, $50-$500/month): 3-business-day IT security review. Tier 3 (confidential data or over $500/month): full procurement cycle with vendor security assessment, DPA, and legal review.

Standard vendor questionnaire

Use a concise, standardized security questionnaire (CAIQ Lite or a custom 15-question version) for Tier 2 and 3 reviews. Automate sending and chasing responses. Publish your questionnaire so vendors can pre-complete it before outreach.

Procurement SLA

Commit to an internal SLA: Tier 1 tools are self-approved instantly. Tier 2 tools receive a decision within 3 business days. Tier 3 tools receive a decision within 15 business days. Publish your SLA and measure it. Missing SLAs drives teams to shadow procurement.

Fast-lane for AI tools

AI tools are the fastest-growing shadow IT category in 2025-2026. Establish a specific AI tool approval track with clear criteria: data residency requirements, training opt-out confirmation, data processing terms, and permitted use scope. Review new AI tools monthly, not quarterly.

Risk-tiered enforcement actions

Not all shadow apps warrant the same response. Tier the enforcement by data risk: apps with no company data get a reminder and registration request. Apps with internal data get a 30-day remediation notice. Apps with confidential or regulated data get immediate quarantine of company data and a 7-day mandatory migration to an approved alternative.

SSO enforcement gate

Configure your IdP to require SSO login for any app connecting to company email or calendar. Apps that do not support SSO are automatically flagged. New apps that bypass SSO trigger an automated notification to the employee and their manager within 24 hours of first use.

Quarterly shadow IT review cadence

Hold a quarterly shadow IT review meeting with IT, security, finance, legal, and two rotating business unit representatives. Review the shadow app registry, active exceptions, new discoveries, and exceptions due for renewal. Publish a one-page summary to the executive team.

Offboarding trigger

Every employee offboarding should include a shadow IT review step. The manager and IT must confirm all business data has been retrieved from any shadow apps the departing employee owned or administered. This prevents data orphaning and closes security gaps from lapsed credentials.