The discovery usually happens during an audit. A security review turns up a Smartsheet account that holds student accommodation records, a Monday.com board that runs a hiring committee, and a shared spreadsheet that has quietly become the system of record for a process nobody documented. None of it went through procurement. None of it is in the CISO's inventory. All of it is load-bearing.
Shadow IT in higher education is the collection of ungoverned spreadsheets, point tools, and apps that departments adopt on their own to bridge the gaps left open by the ERP and SIS. It is not rebellion. It is what reasonable people do when the work crosses a boundary that the official system cannot handle, and the central backlog is too long to wait on.
Shadow IT is now most of the software estate
This is not a fringe problem. Zylo's 2024 SaaS Management Index, built on 30 million SaaS licenses, found that more than one-third of a company's applications are shadow IT, that organizations waste an average of 18 million dollars on unused or duplicate software, and that only 49 percent of provisioned licenses are actually used. Productiv's 2024 study puts the shadow share even higher, at 48 percent of the average SaaS portfolio. A modern institution does not have a shadow IT incident. It has a shadow IT majority.
Why shadow IT thrives, specifically in higher ed
Shadow IT is not unique to universities, but higher education is unusually good at producing it. The same forces that create the efficiency gap create the workaround.
- The ERP stops at the exception. Banner and Workday handle the standard transaction. The judgment and routing around it land on a department that needs a tool now. EDUCAUSE lists "too many shadow systems and data silos" among the top reasons institutions replace their ERP, which shows how much sprawl accumulates before anyone counts it.
- Procurement-light tools. Smartsheet, Monday.com, Airtable, and Google Sheets cost less than a signature requires and are renewed on a department card. They never reach a security review.
- Lean central IT. When the official path to a new workflow is a months-long queue, the unofficial path is a free trial that afternoon.
- Genuine usability. Departments often prefer these tools. They are easy, flexible, and fast. The problem was never that they were bad software.
What shadow IT exposes
The risk of shadow IT is not that the tools are poor. It is that the institution cannot see them, govern them, or prove what happened inside them. In a sector that is now a primary ransomware target, that blind spot is expensive.
A sector under active attack
Verizon's 2024 Data Breach Investigations Report logged 1,780 security incidents in education, with personal data exposed in 83 percent of confirmed breaches. Sophos found that 66 percent of higher education institutions were hit by ransomware in the past year, above the 59 percent cross-sector average, with a mean recovery cost of 4.02 million dollars. Every ungoverned tool widens the surface that attackers are aiming at.
FERPA, with federal funding attached
When student records enter an ungoverned spreadsheet tool, they leave the boundary where access is controlled and logged. FERPA is not a soft obligation: the U.S. Department of Education warns that the penalty for noncompliance can be withdrawal of federal education funds, and the Supreme Court confirmed in Gonzaga v. Doe that there is no private right to sue, which means enforcement runs through the funding the institution depends on.
An attack and renewal surface nobody owns
Every shadow tool is a credential, a renewal, and a vendor relationship outside the security review process. It is telling that 78 percent of education organizations employ no cybersecurity specialists at all, according to survey data reported by IBM. The CISO inherits an attack surface that grew without a single approval.
The instinct that backfires: Ban it
The first reaction to discovering shadow IT is often to shut it down. This rarely works and usually makes the problem worse. The department adopted the tool to solve a real need that the official system did not meet. Removing the tool without replacing the capability sends the work back to email, which is shadow IT with worse governance. The goal is not to win the argument about Smartsheet. The goal is to give the department what it wanted from Smartsheet inside a boundary that IT can govern.
Consolidation without a revolt
Shadow IT is a governance problem, so the answer is governance that the department does not experience as a downgrade. A governed execution layer lets departments build and run the workflows they need, while every application sits inside the security, access, and audit standards IT already manages. The department keeps the flexibility. IT gets the control it could not enforce with a tool it could not see.
Kissflow is built for this consolidation. Every app a department builds runs under IT-defined role-based access, every action is timestamped and attributed, and the workflow is governed from the first deployment rather than reviewed after a breach. The Registrar gets her tracker. The CISO gets her inventory. Neither has to lose for the other to win.
Frequently asked questions
What counts as shadow IT in a university?
Any software used to run institutional work that was not procured, reviewed, or governed by central IT. In higher education this is most often Smartsheet, Monday.com, Airtable, and shared spreadsheets adopted by individual departments. Industry data now puts shadow IT at more than a third of the average software estate.
Is shadow IT always a security problem?
It is always a governance gap, and in a sector where two in three institutions face ransomware each year, that gap usually becomes a security and compliance problem. The tools may be secure, but the institution cannot prove who accessed data, cannot produce an audit trail, and cannot include the tool in its risk posture, because it does not know the tool exists.
How do you reduce shadow IT without slowing departments down?
Give departments a governed way to build the workflows they need without filing an IT request for each one. When the governed path is as fast as the workaround and the department keeps ownership of its process, the incentive to go around IT disappears.
