AI Sparks Rise in Shadow IT

The concept of shadow IT describes the use of outside technology tools and services (software, apps, cloud solutions, etc.) within an organization without an IT department’s explicit blessing, knowledge or oversight. As nefarious as that sounds, in actuality, it’s a common and generally well-intentioned practice that happens when employees hoping to boost productivity or employ better productivity tools ignore or sidestep official IT solutions.

That said, according to new findings from the 2026 Nutanix Enterprise Cloud Index, the same dynamic that IT leaders initially saw play out in the early days of the cloud is start to unfold in the age of smart technology solutions. 

Not only do 79% of IT leaders surveyed say that they’ve encountered AI applications or agents that have been implemented by employees in non-IT functions as of late. Nearly nine in 10 respondents believe that those unsanctioned deployments create real business risk, at potential fallout to an organization’s finances, security and reputation.

On top of it, an overwhelming 82% of leaders polled also say that silos between business units and IT departments make it difficult to effectively execute on technology initiatives. 

It all adds up to a growing shadow IT footprint for organizations.

“We're all playing around with AI in our personal lives, and there's tremendous value in using it in the business world,” Steve McDowell, principal analyst and founder of NAND research, told The Forecast. 

“But a lot of enterprises and a lot of medium-sized businesses are still figuring out what kind of guardrails that need to be put in place around the tools. The trouble being that while you're taking your time building those guardrails, employees are already off and using these solutions.”

Put simply, similar conditions that caused shadow IT to flourish within the early days of cloud computing are still present in the workplace. The trouble being that now on-site, remote and hybrid employees frustrated with slow internal programs and processes are taking AI-powered and Agentic solutions into their own hands to boot. Moreover, workers are increasingly signing up for tools, spinning up agents, and building their own custom workflows that organizations have no visibility into, no control over, and no way to govern.

In other words, much to corporate leaders’ chagrin, staffers aren’t just continuing to circumvent traditional IT channels on a daily basis. AI has just handed frustrated employees a far more powerful and potentially dangerous set of tools.

A Familiar Pattern

Just as they did in the early days of public cloud services, IT teams today are seeing a rapid rise in shadow IT. It’s a pattern that’s likely to repeat itself as human ambition and technological innovation intertwine, sparking skunkworks and ingenuity. The historical parallels with the rise of AI are clear, according to Dan Ciruli, vice president and general manager of cloud native technologies at Nutanix. 

“I was part of a team that got frustrated with internal IT,” Ciruli told The Forecast, recalling the early days of his career. 

“The length of time it was taking to get us literally just virtual machines, and the amount they were going to charge us back… we said, somebody put this on your corporate card, go to Amazon, and start using this stuff.”

What started as a practical solution for developers became a pressing problem for IT teams responsible for IT governance and data security. Innovations and new capabilities continue to flood the zone today, and the costs and risks of unmanaged services and IT resources pile up.

Ciruli remembered when containers and Kubernetes hit the scene. Adoption inside enterprises followed a similar trajectory as cloud computing services. He remembers one team adopted containers to avoid managing VMs. Then another team, and another used it to build their new applications. 

“Eventually, someone looked up and realized there was massive duplication of effort, inconsistent security postures, and runaway spending,” he said.

This ignited a scramble to implement centralization, standardization, and IT governance.

“Someone essentially said, we need to centralize this, standardize this,” Ciruli said. “And we need to do this in a way that gives teams what they want, but doesn’t put us at risk financially or from a security perspective.”

In these early days of agentic and AI-powered tools, the ECI findings show enterprises are aware of these challenges and are eager to be proactive.

The Stakes Are Higher Now

Generally speaking, shadow IT creates a host of vulnerabilities for unwary organizations. For instance, it creates security gaps in any given company’s data privacy solutions and defense perimeter, given that technology leaders can’t monitor, patch, or protect endpoints or assets that they don't know exist. Unauthorized devices, apps, services and tools that employees use may also fail to meet regulatory standards and create potential compliance concerns or violations. 

Then there’s the issue of cost inefficiency, as different staffers and teams using different solutions can create redundancy or added expense, or inadvertently create data silos or processes that hinder collaboration.

But there's a reason enterprise leaders should act even more decisively and comprehensively with AI-based tools than organizations did when dealing with cloud computing services. That’s because experts say that the risk profile of automated services and smart technologies is different… and, in many ways, more acute. 

“Your employees are frequently going to make their own decisions about the technology that they use,” notes McDowell. 

“That may or may not intersect with your official corporate guidelines. This means that IT leaders won’t always know what is being exposed and where data is going.”

Consider that when a rogue cloud project goes wrong, you might end up with orphaned virtual machines, unexpected invoices, or a misconfigured database that’s been unwittingly exposed to the public Internet. All are serious problems, but when an unchecked AI agent goes unmanaged or unattended, consequences can be even more severe. Issues can balloon into extensive legal or policy violations, leaked proprietary data, biased outputs baked into customer-facing decisions, or autonomous actions taken without any human review.   

For example, agentic AI workflows (systems in which groups of lifelike AI agents execute multiple tasks autonomously doing things like pulling data, making decisions, and taking actions without human input) represent a fundamentally different security surface than traditional software programs. In effect, blast radius of a misconfigured or errant agent isn't contained to a single application. If left unchecked, it can propagate across an entire enterprise and every system that underpins its operations.

It’s more evident that ever that legal and product security teams need to be involved in enterprise AI initiatives before deployment, to avoid putting the company at risk.

Standardization Is the Endgame

Like happened with the rise of cloud computing services and Kubernetes, Ciruli sees enterprises evolve from distributed, team-by-team experimentations to more holistically overseen and standardized approaches to AI management.

Making that transition is harder than it sounds, though. Employees and teams that are embracing shadow IT solutions and building unofficial AI workflows aren't doing so to create additional risk. They're typically doing it simply because the tools work, the productivity gains are real, and the official processes that their employer utilizes aren’t keeping pace with what's possible. Any governance strategy that ignores such legitimate motivations will likely fail.

"As you adopt this technology wholesale across the organization, you have to think about: How do we standardize? What policies do we want to set that apply to everybody? And how do we centralize the tech so that it can be run by a [single managing body] rather than by individual teams?" Ciruli said. “That’s a big transition.”