Hidden Third Party Risks: How Shadow IT Escapes Governance

Riva Antonio | 27 October 2025 

Introduction 

The biggest third-party risk in your organisation might not come from a vendor you know, but from one you don’t. Across modern workplaces, well-meaning teams are adopting cloud tools, automation platforms, and SaaS integrations without formal approval, creating a hidden layer of third parties that quietly sit outside governance frameworks.

This post explores how Shadow IT (those unapproved apps and services that slip beneath formal procurement and security review) has become one of the most persistent blind spots in third-party risk management.  

In this blog post, we’ll unpack why it happens, how it exposes organisations to unmanaged vendor risk, and why traditional governance models fail to catch it.

Drawing on recent industry data and Fortian’s own client experience, we’ll outline the key risks associated with Shadow IT, and provide a practical Shadow IT Capability Maturity Model to help you assess and strengthen your organisation’s visibility, control, and governance over unsanctioned tools.

The Hidden Third-Party Risk: How Shadow IT Escapes Governance

Your operations team sets up an automation tool like IFTTT to connect calendars, email, and file storage. Not a procurement review or a security sign-off to be seen. Yet sensitive employee or client information may now be flowing through an unvetted third-party service. What started as a productivity shortcut has quietly introduced a new vendor into your ecosystem… one that no one has assessed.

As more companies tighten their third-party risk programs, Shadow IT remains an overlooked gap. These unsanctioned tools go beyond being a simple policy problem; they represent a growing set of third parties that operate outside formal risk processes.

In their 2025 Global Third-Party Breach Report, SecurityScorecard analysed 1,000 global breaches and found that more than one-third involved a third-party component, underscoring how vendor risks now account for a significant share of real-world breaches.

Shadow IT Is Third-Party Risk

Shadow IT is the use of unauthorised or unsanctioned technology systems and services, including SaaS tools and cloud platforms, adopted by business teams trying to get work done, without involvement from IT. These tools have the potential to handle sensitive data or connect to business processes, but they fall outside formal vendor governance and third-party risk management processes.

But here’s the issue: many of these tools store your data or connect to your systems. That makes them third parties, whether they’ve gone through risk review or not. 

In fact, a 2025 Panorays survey found that 91% of CISOs report an increase in third-party incidents, yet only 3% say they have full visibility into their supply chains. This lack of visibility is exactly what allows Shadow IT to thrive.

Why It Happens

Shadow IT generally isn’t malicious. It happens because teams need to move fast, and existing onboarding processes slow them down. For example:

•    Business units solve problems independently using off-the-shelf cloud tools

•    Procurement and security reviews are seen as blockers to productivity

•    Employees are comfortable self-servicing their software needs

•    Teams often don’t realise these tools count as third parties

This kind of decentralised adoption is common in fast-moving businesses, especially those with strong innovation cultures. Beneath all that agility, however, lurk blind spots that put security at risk.

Grip’s 2025 security blog suggests that marketing, finance, and operations are the departments most likely to adopt unvetted SaaS apps (often without security features like MFA or identity provider integration).

Traditional Third-Party Risk Management (TPRM) fails to catch this, because most TPRM workflows are designed for vendors that are already known and that go through the formal vetting channels.

What Can Go Wrong

Shadow IT tools still carry all the typical third-party risks, but without formal oversight, those risks often go unmanaged. These include:

•    Data security risks if sensitive data is uploaded to a vendor with weak protections

•    Privacy compliance gaps if no data processing agreement is in place

•    Business continuity issues if teams rely on tools no one else knows about

•    Fourth-party exposure when shadow vendors use subcontractors your company has never heard of

•    Reputation damage if a breach or incident occurs involving an unsanctioned tool

These risks aren’t theoretical. Low-cost or no-code tools may seem harmless, but if they hold customer data or connect to internal systems, they become part of your digital supply chain.

How to Manage It: A Shadow IT Capability Maturity Model

Gaining visibility into Shadow IT is the first step toward managing it effectively. 

Using a Capability Maturity Model Integration (CMMI) lens, organisations can progressively improve their ability to detect, govern, and integrate unsanctioned tools into their broader risk management practices.

Each maturity level builds on the last, introducing process improvements that help move from reactive discovery to proactive governance. These improvements are outlined below, level by level, showing how technical and operational capabilities evolve at each stage. For each level, the description states where the organisation is, and the process improvements are the steps needed to reach the next level.

Level 1 - Initial
Description: Shadow IT is discovered only after incidents or by accident (e.g., through audits or whistleblowing). Visibility is ad hoc and reactive.
Process improvements (to reach the next level):
•    Start building a “shadow IT inventory” via procurement audits, surveys, and examination of expense and network data.
•    Begin staff awareness campaigns around the risks of using Shadow IT.
•    Encourage non-punitive self-reporting.
•    Ensure Shadow IT is raised as a risk in the risk register.

Level 2 - Managed
Description: The organisation acknowledges Shadow IT as a form of third-party risk.
Process improvements (to reach the next level):
•    Develop a formal process to manage Shadow IT, including a focus on the following questions and areas:
     - Assign clear ownership for Shadow IT oversight.
     - How do we re-classify and manage Shadow IT third parties? (Bringing Shadow IT “into the light”.)
     - What level of due diligence do we apply to Shadow IT third parties?
     - If a Shadow IT asset fails security or compliance vetting, what are the available pathways for remediation, conditional approval, or integration into the Third-Party Risk Management framework?
     - What metrics will we use to measure the effectiveness of our Shadow IT management process?

Level 3 - Defined
Description: Governance processes for Shadow IT are standardised across the organisation. Shadow IT metrics are monitored and reviewed regularly by relevant stakeholders.
Process improvements (to reach the next level):
•    Start implementing technical controls to automate Shadow IT discovery and management. As an example, Microsoft provides a tutorial on how to do this through Microsoft Defender.
•    Manage the results of technical Shadow IT discovery through the organisation’s risk management process.
•    Fully integrate Shadow IT processes into the organisation’s Third-Party Risk Management framework.

Level 4 - Quantitatively Managed
Description: Shadow IT governance is integrated into third-party risk management (TPRM) and enterprise risk frameworks, and is driven by quantitative performance metrics.
Process improvements (to reach the next level):
•    Actively monitor Shadow IT by setting up real-time alerts, so that newly detected tools are managed as soon as they appear.
•    Implement a continuous improvement loop: lessons learned feed back into policies and detection mechanisms.

Level 5 - Optimised
Description: The organisation assumes Shadow IT will occur, but focuses on achieving full visibility and governance.
Process improvements (to sustain this level):
•    Maintain full visibility through continuous discovery and governance automation.
•    Integrate lessons learned into enterprise innovation and security culture programs.
•    Regularly reassess maturity and benchmark performance against peers.
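As an added illustration of the Level 1 inventory step (correlating expense and network data against what is already sanctioned) and of the metrics Level 2 asks for, the following Python script is example code written for this post, not part of the original article or of any vendor product. The sanctioned-vendor register, the merchant-to-domain mapping, the expense export and the proxy log format are all constructed assumptions.

```python
import csv, io
from urllib.parse import urlsplit

# Assumed approved-vendor register; in practice this comes from the TPRM system.
SANCTIONED = {"salesforce.com", "microsoft.com"}
# Assumed finance-side mapping from card merchant names to vendor domains.
MERCHANT_DOMAINS = {"ifttt pro": "ifttt.com", "notion labs": "notion.so", "salesforce": "salesforce.com"}

# Constructed sample inputs: a corporate-card expense export and a web proxy log.
EXPENSES_CSV = """employee,merchant,amount
alice,IFTTT Pro,3.99
bob,Notion Labs,10.00
carol,Salesforce,150.00
"""
PROXY_LOG = """2025-10-27T09:01:12Z alice https://ifttt.com/applets 200
2025-10-27T09:05:44Z dave https://www.notion.so/workspace 200
2025-10-27T09:07:02Z carol https://login.salesforce.com/ 200
2025-10-27T09:09:31Z erin https://app.zapier.com/editor 200
"""

def registrable_domain(host):
    # Heuristic: keep the last two labels (fine for .com/.so, wrong for e.g. co.uk).
    return ".".join(host.lower().split(".")[-2:])

def build_inventory(expenses_csv, proxy_log, sanctioned=SANCTIONED):
    """Correlate both sources and return {domain: {users, sources, spend}} for every
    service not on the sanctioned register, i.e. the Shadow IT candidates."""
    inventory = {}
    def record(domain, user, source, spend=0.0):
        e = inventory.setdefault(domain, {"users": set(), "sources": set(), "spend": 0.0})
        e["users"].add(user)
        e["sources"].add(source)
        e["spend"] += spend
    for row in csv.DictReader(io.StringIO(expenses_csv)):
        key = row["merchant"].strip().lower()
        # Unmapped merchants stay visible under their own name for manual follow-up.
        record(MERCHANT_DOMAINS.get(key, "unmapped:" + key), row["employee"], "expense", float(row["amount"]))
    for line in proxy_log.splitlines():
        _ts, user, url, _status = line.split()  # constructed log format: time user url status
        record(registrable_domain(urlsplit(url).hostname), user, "proxy")
    return {d: e for d, e in inventory.items() if d not in sanctioned}

def shadow_it_metrics(inventory):
    """Level 2 metrics: how many unsanctioned services exist and how many people use them."""
    users = set().union(*(e["users"] for e in inventory.values()))
    return {"unsanctioned_services": len(inventory), "users_affected": len(users)}

if __name__ == "__main__":
    inv = build_inventory(EXPENSES_CSV, PROXY_LOG)
    print({d: sorted(e["users"]) for d, e in inv.items()}, shadow_it_metrics(inv))
```

Each candidate carries its evidence sources, so a tool seen in both finance and network data (IFTTT, Notion here) can be prioritised for the Level 2 re-classification and due-diligence questions ahead of one seen only once.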

By understanding where you sit on this maturity curve, you can plan the next step toward bringing Shadow IT into your third-party risk program.

Conclusion

Understanding where your organisation sits on the Shadow IT maturity curve is only the beginning. The maturity model above is both a benchmark and a roadmap. Each stage points to concrete actions that can help lift your maturity, from building an initial Shadow IT inventory through audits and expense data, to embedding automated discovery and real-time alerts.

By moving deliberately through these stages, organisations can transform Shadow IT from an unmanaged exposure into a governed, measurable component of third-party risk.

True maturity comes when visibility becomes continuous. New SaaS tools appear and disappear daily, often well before traditional review cycles can catch them. Progressive organisations are moving beyond static vendor registers to real-time discovery and continuous risk monitoring, integrating these insights directly into enterprise risk frameworks and third-party governance.

Ultimately, managing Shadow IT is as much about culture as it is about controls. Teams adopt unsanctioned tools because they’re trying to solve problems quickly, not create new risks. 

The goal is to build a culture where innovation and accountability coexist, where staff feel empowered to surface new technologies safely, and where visibility into the full SaaS ecosystem becomes part of how the organisation operates every day.
