AI Adoption Expands Corporate 'Shadow IT'

The proliferation of AI tools is accelerating SaaS sprawl and expanding unmanaged 'shadow IT' across enterprises, according to a new benchmark report from Torii. The 2026 study found that 61% of applications are now unmanaged, increasing governance and security risks for organizations.

- Unsanctioned AI tools represent a significant evolution from traditional "shadow IT" because they actively learn from and can incorporate proprietary data into publicly accessible models. This creates heightened risks for intellectual property loss and serious compliance violations. A 2025 report found that data breaches resulting from shadow AI cost companies an average of $670,000 more than other types of breaches.
- The proliferation of unmanaged software is a major financial drain, with some estimates suggesting that 30-40% of IT spending occurs outside of the official IT budget. This "SaaS sprawl" leads to redundant application licenses and unforeseen renewal costs, which have forced 61% of organizations to cut other projects.
- Unapproved applications significantly expand a company's security risk by introducing thousands of unmanaged API tokens, credentials, and OAuth grants that are not monitored by security teams. Each unvetted application increases the likelihood of sensitive data exposure by 25% compared to a sanctioned tool.
- Employees often turn to shadow IT and AI not to break rules, but to be more productive when official tools are slow, difficult to use, or lack necessary features. This adoption is often a signal to leadership that existing corporate technology is failing to meet user needs.
- To manage the rise of shadow AI, some technology leaders are classifying AI tools into categories like "approved," "restricted," and "forbidden". This framework allows for controlled experimentation in sandboxed environments while blocking high-risk public AI systems at the network level.
- The average company now manages 305 SaaS applications, and despite efforts to consolidate, overall SaaS spending increased by 8% year-over-year. A significant driver of this is the 108% year-over-year increase in spending on AI-native SaaS applications.
- Unmanaged SaaS applications create critical compliance gaps, particularly for regulations like GDPR, HIPAA, and PCI-DSS, which have strict requirements for vendor due diligence and data processing. The use of unapproved tools can lead to significant fines and legal penalties.
- Effective management of shadow IT requires a combination of automated discovery tools, clear governance policies, and collaboration between IT and business units. Strategies include implementing Cloud Access Security Brokers (CASBs) for monitoring and creating a centralized system for software acquisition.
