Bertie Bosrédon
Bertie Bosredon, resources for NGOs and charities
Technology

Shadow IT checklist

What is shadow IT?

Shadow IT is any technology used inside an organisation without the knowledge or approval of whoever is responsible for IT, whether that is in-house staff or an external partner. It covers apps, software, cloud services, devices, and increasingly AI tools.

Despite the name, it is not sinister (nor a DJ). It is usually well meaning staff reaching for a tool that helps them do their job when the official option feels slow, missing, or hard to use.

Every organisation runs on more tools than its leadership realises. Staff sign up for apps, cloud services, and AI assistants that help them work faster, often without anyone from IT knowing.

It is rarely done to break the rules. People reach for tools that solve a real problem when the official options feel slow, missing, or hard to use (hello sharepoint… hello copilot).

I prepared this checklist based on my recent projets. It’s a practical starting point for charities, NGOs, foundations, and mission-driven organisations that want to bring shadow IT into the light 😉 without shutting down the initiative that created it.

Who this checklist is for

This resource is designed for organisations that are:

  • Noticing staff use apps and subscriptions that were never formally approved
  • Paying for tools nobody can fully account for
  • Worried about donor or beneficiary data sitting in unvetted systems
  • Seeing AI tools spread informally across teams
  • Trying to move from quiet risk to simple, shared governance

Why shadow IT happens

Understanding the cause makes it far easier to fix. Common reasons include:

  • Official tools are slow, missing, or frustrating to use
  • Procurement or approval takes too long
  • Budgets are tight and free tools are one click away
  • Teams work at different speeds and pick their own solutions
  • Nobody has told staff what is and is not allowed

Why it matters for Charities

  • Data protection and GDPR exposure when personal data sits in tools nobody has checked
  • A wider attack surface at a time when charity cyber attacks are rising
  • Wasted budget on duplicate, forgotten, or overlapping subscriptions
  • Lost knowledge when tools live on personal logins and leave with the person
  • Conflicts and inefficiency when unmanaged tools clash with existing systems

From shadow IT to shadow AI

The fastest growing form of shadow IT is unapproved AI. Staff can paste sensitive information into a free AI tool in seconds, with no record and no oversight. This creates blind spots where donor or beneficiary data may leak or be used to train external models. If you are tackling shadow IT, treat AI as the most urgent part of it, and pair this resource with an AI readiness review.

Spot it: a discovery checklist

Use this to find what is already in use. You do not need enterprise monitoring, just a careful look.

Review card statements and expense claims for software subscriptions
List every tool each team uses in a typical week
Ask staff, without blame, which tools they rely on and why
Check which tools hold personal or sensitive data
Note tools tied to a personal account or a single person
Identify duplicate tools doing the same job
Flag any AI tools being used with organisational data

Assess it: a risk checklist

Work through these for each tool you find. Tick a box when the answer is a confident yes.

We know who owns and pays for it
We know whether it holds personal, financial, or safeguarding data
It has a signed contract and clear data processing terms
Access is tied to an organisational account, not a personal one
We would keep access if that person left tomorrow
It does not duplicate something we already pay for
It is covered by our data protection and security thinking

Fix it: a governance checklist

Bringing shadow IT into the light is about better routes, not blanket bans.

Create an approved tools list, with the purpose and conditions for each tool
Give staff a simple, fast way to request a new tool
Name one person accountable for reviewing and approving tools
Write a short, readable policy covering data red lines and AI use
Move critical tools onto organisational accounts and billing
Train staff with examples from their own work
Build a no-blame culture so people report tools honestly
Add tool access to your joiner and leaver process
Review the approved tools list every 60 to 90 days

A few red lines

Whatever tools you approve, keep this sensitive information out of unapproved apps and AI tools:

  • Personal data about donors, supporters, beneficiaries, staff, or volunteers
  • Casework, safeguarding, protection, health, or legal information
  • Payment details, bank details, or identity documents
  • Confidential strategy papers, board documents, or contracts
  • Raw exports from CRM, fundraising, or service delivery systems

What good looks like

You do not need a perfect system. At minimum, your organisation should be able to say:

We know which tools our staff actually use
We know what data must never go into unapproved tools
We have a simple, quick way to request and approve new tools
We have one person accountable for the approved tools list
We can explain our approach to trustees, staff, donors, and partners

Need help bringing shadow IT into the light?

I help charities, NGOs, and membership organisations turn scattered tools into a simple (well… simpler) and better governed ecoystem.

A short digital health check can help you:

  • Map the tools already in use across teams
  • Identify data and security risks
  • Agree an approved tools list and request process
  • Set clear data and AI red lines
  • Build staff confidence with practical guidance

Check my services page for more information

Resource last updated 9 July 2026


View more resources