If you’re still thinking of shadow IT as users installing random software on their desktops, you’re solving yesterday’s problem.
That version of shadow IT—unauthorised software installs, USB drives, rogue executables—has largely been replaced by something far more subtle, and in many ways, far more dangerous.
In 2026, shadow IT lives in the browser.
It’s:
- SaaS platforms users sign into with a click
- AI tools processing corporate data
- OAuth apps quietly gaining access to mailboxes and files
- Cloud services that never touch your endpoint controls
And the biggest challenge?
Most of it never triggers traditional security controls. It doesn’t require admin rights. It doesn’t install anything locally. It doesn’t even look suspicious.
From a user’s perspective, they’re just trying to get their job done faster.
From a security perspective, they’re potentially exposing sensitive data to systems you don’t control—and often don’t even know about.
In this article, I’ll break down:
- What shadow IT actually looks like in 2026
- Why traditional controls no longer catch it
- The real risks hiding in SaaS and AI usage
- Practical ways to detect and control it without killing productivity
Quick Fix Summary
If you need to get control quickly:
- ✅ Discover connected apps using Defender for Cloud Apps
- ✅ Restrict user consent for OAuth apps in Entra ID
- ✅ Monitor and classify SaaS usage across your environment
- ✅ Implement Conditional Access and session controls
- ✅ Educate users on safe use of AI and third-party tools
The Shift: Shadow IT Has Moved to the Cloud
Shadow IT hasn’t disappeared—it’s evolved.
Then vs Now
| Old Shadow IT | Modern Shadow IT |
|---|---|
| Installed software | Browser-based SaaS |
| Requires admin rights | No install required |
| Easy to detect | Often invisible |
| Device-based risk | Identity & data-based risk |
The shift is important because your controls haven’t necessarily kept up.
You might have:
- Locked down endpoints
- Removed local admin rights
- Enforced patching and AV
But none of that stops a user from:
- Signing into a SaaS tool
- Connecting it to Microsoft 365
- Granting it access to data
And that’s where the real exposure sits.
Why Traditional Security Controls Miss It
Most environments are still built around:
- Endpoint protection
- Network controls
- Identity security (MFA, Conditional Access)
These are critical—but they’re not designed to stop everything.
The Gap
When a user:
- Logs into a SaaS platform
- Clicks “Sign in with Microsoft”
- Grants permissions
They’ve effectively created a new access path into your environment.
And in many cases:
- No alert is triggered
- No approval is required
- No review happens later
This is how shadow IT becomes persistent risk.
Real-World Example: The AI Tool Nobody Knew About
This is something I’ve seen more than once recently.
A user signs up to an AI tool to help summarise documents or generate reports. To make it easier, they connect their Microsoft 365 account.
Permissions granted:
- Access to files in OneDrive
- Read access to emails
From their perspective, it’s harmless.
But:
- Data is now being processed externally
- You have no visibility into how it’s handled
- DLP policies may not apply
Multiply that across an organisation, and you start to see the scale of the problem.
Where the Real Risks Are in 2026
1. OAuth Applications (The Hidden Gateway)
OAuth apps are one of the biggest contributors to shadow IT today.
They can:
- Access mailboxes
- Read/write files
- Interact with Teams and SharePoint
And once access is granted, it persists.
2. SaaS Sprawl
Most organisations don’t have just a handful of apps—they have hundreds.
Many are:
- Unsanctioned
- Unmonitored
- Unassessed for risk
3. AI and Data Exposure
AI tools introduce a new layer:
- Data ingestion
- External processing
- Potential retention
And in many cases, users don’t understand the implications.
How to Detect Shadow IT (What Actually Works)
Step 1: Use Defender for Cloud Apps
This is one of the most effective ways to gain visibility.
Navigate to:
Microsoft Defender → Cloud Apps → Discovered Apps
Here you can:
- See SaaS usage
- Identify risky apps
- Categorise sanctioned vs unsanctioned
Step 2: Review OAuth Applications in Entra ID
Go to:
Entra ID → Enterprise Applications
Look for:
- Unknown apps
- High permission levels
- Apps with no recent activity
Step 3: Use PowerShell for Deeper Visibility
```powershell
# A read-only scope is enough to enumerate service principals
Connect-MgGraph -Scopes "Application.Read.All"
# -All pages through every result; without it only the first page is returned
Get-MgServicePrincipal -All | Select-Object DisplayName, AppId, AccountEnabled
```
This helps identify:
- All service principals in the tenant, including ones that are not obvious in the portal
- Whether each one is currently enabled (the AccountEnabled column)
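To take Steps 2 and 3 further, here is an added example (not code from the original post) that pulls every delegated OAuth consent in the tenant with the Microsoft Graph PowerShell SDK and flags third-party apps holding high-risk scopes such as mailbox or file access. The high-risk scope list and the CSV path are assumptions chosen for this review.

```powershell
# Added example, not code from the original post. Requires the Microsoft.Graph
# PowerShell SDK and a read-only Graph connection; the high-risk scope list and
# the CSV path are assumptions chosen for this review.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome
$tenantId = (Get-MgContext).TenantId

# Delegated scopes that give an app broad reach into mail, files or identity.
# offline_access is included because it yields refresh tokens: access then
# persists long after the user stops opening the app.
$highRisk = @(
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.AccessAsUser.All", "offline_access"
)

# oauth2PermissionGrants are the delegated consents: one per client app, resource
# and (for per-user consent) principal. ClientId is the app's service principal id.
$spCache = @{}
$report = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    if (-not $spCache.ContainsKey($grant.ClientId)) {
        $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId -ErrorAction SilentlyContinue
    }
    $sp = $spCache[$grant.ClientId]
    if (-not $sp) { continue }

    $scopes = ([string]$grant.Scope).Trim() -split '\s+' | Where-Object { $_ }
    $risky  = @($scopes | Where-Object { $highRisk -contains $_ })

    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        ThirdParty  = ($sp.AppOwnerOrganizationId -ne $tenantId)  # registered outside this tenant
        ConsentType = $grant.ConsentType   # AllPrincipals = tenant-wide admin consent, Principal = one user
        Scopes      = ($scopes -join ' ')
        RiskyScopes = ($risky -join ' ')
    }
}

# Triage view: third-party apps that hold at least one high-risk delegated scope.
$report | Where-Object { $_.ThirdParty -and $_.RiskyScopes } |
    Sort-Object App, ConsentType | Format-Table App, ConsentType, RiskyScopes -AutoSize

# Full export for the periodic review the article recommends.
$report | Export-Csv -Path .\oauth-consent-review.csv -NoTypeInformation
```

Run it again after each review cycle and diff the CSVs; new rows with a non-empty RiskyScopes column are the consents worth asking about first.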
How to Control Shadow IT Without Breaking the Business
This is where most organisations struggle.
Lock everything down too hard, and users find workarounds.
Leave everything open, and risk grows unchecked.
You need balance.
Step 4: Restrict App Consent (Carefully)
In Entra ID:
- Disable or restrict user consent
- Enable admin approval workflow
This ensures:
- Visibility before access is granted
- Control over high-risk apps
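As an added example rather than the post's own code, this Graph PowerShell script applies the Step 4 settings: it shows the current user-consent policy, replaces the permissive default with the built-in low-risk policy, and enables the admin consent workflow. The reviewer object id is a placeholder you must replace.

```powershell
# Added example, not code from the original post. Uses the Microsoft Graph
# PowerShell SDK; the reviewer object id below is a placeholder you must replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest" -NoWelcome

# 1. Inspect the current user-consent setting. An entry of
#    "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" means any user
#    can consent to any app asking for any delegated permission: the weak setting.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned

# 2. Restrict user consent to the built-in low-risk policy: verified publishers
#    only, and only low-impact permissions (for example openid, profile, User.Read).
#    Anything broader, such as Mail.Read or Files.ReadWrite.All, is routed to admins.
#    To block user consent entirely instead, set the array to @().
$restrict = @{
    defaultUserRolePermissions = @{
        permissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
    }
}
Update-MgPolicyAuthorizationPolicy -BodyParameter $restrict

# 3. Turn on the admin consent request workflow so users can ask for an app
#    instead of looking for a workaround. Reviewers must be admins who are able
#    to grant tenant-wide consent (for example Cloud Application Administrator).
$reviewerId = "00000000-0000-0000-0000-000000000000"   # placeholder: object id of a real reviewer
$workflow = @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(
        @{ query = "/users/$reviewerId"; queryType = "MicrosoftGraph" }
    )
}
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter $workflow

# 4. Confirm both settings took effect.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Get-MgPolicyAdminConsentRequestPolicy | Select-Object IsEnabled, RequestDurationInDays
```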
Step 5: Apply Conditional Access and Session Controls
Use Conditional Access to:
- Limit access to approved apps
- Enforce session restrictions
With Defender for Cloud Apps:
- Apply session controls
- Monitor data movement
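Added example, not from the original post: a report-only Conditional Access policy, created through Graph PowerShell, that sends all browser sessions through Defender for Cloud Apps in monitor-only mode so data movement becomes visible before anything is enforced. The emergency-access account id is a placeholder, and the Graph scopes are the ones assumed necessary for creating the policy.

```powershell
# Added example, not code from the original post. Creates a report-only
# Conditional Access policy that routes browser sessions to Defender for Cloud
# Apps in monitor-only mode; the break-glass account id is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All" -NoWelcome

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access account object id

$policy = @{
    displayName = "Shadow IT - monitor browser sessions via Defender for Cloud Apps"
    # Report-only first: see which sign-ins would be affected before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # All users except the emergency-access account, so you never lock yourself out.
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        # Session controls only apply to browser traffic.
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # monitorOnly records activity and data movement without blocking.
            # Move to "blockDownloads", or "mcasConfigured" with your own session
            # policies, once the report-only results look right.
            cloudAppSecurityType = "monitorOnly"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave it in report-only mode for a week or two and read the sign-in log "Report-only" results before switching the state to enabled.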
Step 6: Classify and Sanction Apps
Not all shadow IT is bad.
Some tools:
- Improve productivity
- Solve real problems
Your job isn’t to block everything—it’s to:
- Identify useful tools
- Approve and manage them properly
The Cultural Reality: Shadow IT Isn’t a Technology Problem
This is something a lot of frameworks and security guides miss.
Users don’t create shadow IT because they want to break security.
They do it because:
- Official tools don’t meet their needs
- Processes are too slow
- They’re trying to be more efficient
If you ignore that, you’ll always be reacting instead of managing.
Additional Tips / Pro Tips
Start with visibility, not restriction
You can’t control what you can’t see.
Focus on high-risk permissions first
Not all apps are equal—prioritise those with data access.
Work with the business, not against it
Find out why users adopt certain tools.
Review regularly
Shadow IT isn’t static—it evolves constantly.
Warnings
Blocking everything will fail
Users will find workarounds, often riskier ones.
AI tools are a growing blind spot
Many organisations have no policy or visibility here.
OAuth access persists
Even after users stop using an app.
FAQ Section
What is shadow IT in 2026?
It refers to SaaS apps, AI tools, and integrations that users adopt without IT approval, often via browser-based access.
Why is modern shadow IT harder to detect?
Because it doesn’t require software installation and operates through cloud services and identity-based access.
Are all shadow IT apps risky?
No, but unmanaged apps with data access can introduce significant security risks.
How do I detect shadow IT in Microsoft 365?
Using tools like Defender for Cloud Apps and reviewing enterprise applications in Entra ID.
Should I block all unsanctioned apps?
No. The goal is to identify, assess, and manage them—not eliminate productivity tools.
Conclusion / Actionable Takeaways
Shadow IT isn’t going away.
If anything, it’s accelerating—driven by SaaS, AI, and the increasing ease of connecting tools to your environment.
What you should do next:
- Gain visibility into SaaS and OAuth usage
- Identify high-risk apps and permissions
- Implement controlled approval processes
- Work with users to understand their needs
- Continuously monitor and adapt
From experience, the organisations that handle shadow IT best aren’t the ones that block everything.
They’re the ones that understand it, manage it, and guide it in a controlled way.
Last Updated
April 2026 – Reflects modern SaaS, AI-driven shadow IT trends, and Microsoft 365 security controls.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
