
Shadow IT checklist
What is shadow IT?
Shadow IT is any technology used inside an organisation without the knowledge or approval of whoever is responsible for IT, whether that is in-house staff or an external partner. It covers apps, software, cloud services, devices, and increasingly AI tools.
Despite the name, it is not sinister (nor a DJ). It is usually well meaning staff reaching for a tool that helps them do their job when the official option feels slow, missing, or hard to use.
Every organisation runs on more tools than its leadership realises. Staff sign up for apps, cloud services, and AI assistants that help them work faster, often without anyone from IT knowing.
It is rarely done to break the rules. People reach for tools that solve a real problem when the official options feel slow, missing, or hard to use (hello sharepoint… hello copilot).
I prepared this checklist based on my recent projets. It’s a practical starting point for charities, NGOs, foundations, and mission-driven organisations that want to bring shadow IT into the light 😉 without shutting down the initiative that created it.
Who this checklist is for
This resource is designed for organisations that are:
- Noticing staff use apps and subscriptions that were never formally approved
- Paying for tools nobody can fully account for
- Worried about donor or beneficiary data sitting in unvetted systems
- Seeing AI tools spread informally across teams
- Trying to move from quiet risk to simple, shared governance
Why shadow IT happens
Understanding the cause makes it far easier to fix. Common reasons include:
- Official tools are slow, missing, or frustrating to use
- Procurement or approval takes too long
- Budgets are tight and free tools are one click away
- Teams work at different speeds and pick their own solutions
- Nobody has told staff what is and is not allowed
Why it matters for Charities
- Data protection and GDPR exposure when personal data sits in tools nobody has checked
- A wider attack surface at a time when charity cyber attacks are rising
- Wasted budget on duplicate, forgotten, or overlapping subscriptions
- Lost knowledge when tools live on personal logins and leave with the person
- Conflicts and inefficiency when unmanaged tools clash with existing systems
From shadow IT to shadow AI
The fastest growing form of shadow IT is unapproved AI. Staff can paste sensitive information into a free AI tool in seconds, with no record and no oversight. This creates blind spots where donor or beneficiary data may leak or be used to train external models. If you are tackling shadow IT, treat AI as the most urgent part of it, and pair this resource with an AI readiness review.
Spot it: a discovery checklist
Use this to find what is already in use. You do not need enterprise monitoring, just a careful look.
Assess it: a risk checklist
Work through these for each tool you find. Tick a box when the answer is a confident yes.
Fix it: a governance checklist
Bringing shadow IT into the light is about better routes, not blanket bans.
A few red lines
Whatever tools you approve, keep this sensitive information out of unapproved apps and AI tools:
- Personal data about donors, supporters, beneficiaries, staff, or volunteers
- Casework, safeguarding, protection, health, or legal information
- Payment details, bank details, or identity documents
- Confidential strategy papers, board documents, or contracts
- Raw exports from CRM, fundraising, or service delivery systems
What good looks like
You do not need a perfect system. At minimum, your organisation should be able to say:
Need help bringing shadow IT into the light?
I help charities, NGOs, and membership organisations turn scattered tools into a simple (well… simpler) and better governed ecoystem.
A short digital health check can help you:
- Map the tools already in use across teams
- Identify data and security risks
- Agree an approved tools list and request process
- Set clear data and AI red lines
- Build staff confidence with practical guidance
Check my services page for more information
Resource last updated 9 July 2026
