- You can either choose to penalize those who do not follow the rules
- You can choose to ignore the trodden paths
- You can create additional crosswalks exactly where people have chosen to disregard the rules, since those paths prove to be the most comfortable and “user-tested.”
This trilemma is more commonplace than some might think. Now, let’s apply the same trilemma to the question of what to do with shadow IT, the options being:
- Restrict (the traditional approach). Block tools that weren’t authorized, enforce company-wide policies and monitor compliance. Short-term gains are nearly guaranteed, but so are long-term losses in trust and morale. In the end, the likelihood of new workarounds emerging is as high as Burj Khalifa. Imagine a dev company blocking access to Claude, citing potential code leaks. Developers might migrate to ChatGPT, Gemini or Copilot, or, even worse, start using their personal PCs. Again — paths of least resistance. Restrictions may make sense in government or military contexts, where the risk of a leak could have national consequences. But when a private company tries to apply those same restrictions, it becomes overkill: you lose agility for a hypothetical risk that might never materialize.
- Ignore (the passive approach). Turn a blind eye: this avoids conflict but compounds risk. Given how prevalent shadow IT solutions are, ignoring them completely runs a high risk of company or customer data ending up where it shouldn’t, and the potential fallout is undoubtedly more damaging than addressing the issue head-on. Ignore it, and you’re ghosting your smartest people and the innovations in plain sight.
- Embrace (the adaptive approach). Identify why tools gain traction, then integrate them safely. For instance, if a logistics company notices drivers using Waze instead of the approved routing software, it can partner with Waze to develop a custom enterprise version with shipment-tracking features. Good for efficiency and good for morale. In fact, at Trevolution, teams are given the freedom to explore and choose their own AI agents; we don’t have a centralized decision about what developers must use. Everyone is free to experiment and test their own stack. We then host workshops to cross-pollinate the best practices, and from there, innovation happens in team meetings.
Building better pathways
Monitoring tools can detect unsanctioned tools, and IT leaders can then evaluate their impact without necessarily sacrificing innovation. Zero Trust architecture also helps: instead of banning external apps outright, one can simply limit their access to sensitive systems.
Essentially, I don’t view shadow IT as a problem to solve; it’s a signal to interpret, one that could (and should) serve as a wake-up call. To this day, many organizations rely on IT teams to find, research and test new IT tools that could become the company’s standard. But what if solutions came from the bottom up, instead of the usual top-down route? What if organizations rethought and reconsidered their tools based on what employees (i.e., the actual users) find comfortable, easy to use and, at the end of the day, useful for their work and the output they produce? Listen to the feedback!