Shadow IT in Higher Education: Why We’re Asking the Wrong Questions
- Joel Larson, PhD
- Nov 25, 2025

Shadow IT is a phrase that tends to spark an immediate reaction in higher education—sometimes frustration, sometimes fear, sometimes resignation. But after several years researching this topic for my dissertation, and presenting the findings at EDUCAUSE 2025, I’ve come to a conclusion that may surprise some IT leaders:
Most institutions fundamentally misunderstand what Shadow IT actually is.
In the public research institutions I studied, Shadow IT was rarely the result of recklessness or willful noncompliance. More often, it emerged from very human and very practical conditions:
- A need to solve an urgent or persistent problem
- A desire to innovate more quickly than central IT could support
- Capacity limitations in IT units already stretched thin
- The expectation that work must continue, even when official channels are slow or complex
Shadow IT, in other words, is a symptom of institutional reality—not a character flaw in the people who create it.
And this distinction matters a great deal.
⭐ The “Department of No” Problem—and What Comes After It
Across my interviews, many stakeholders still described central IT as the “department of no”—a place where ideas go to stall under risk concerns, complex processes, or resource bottlenecks.
Yet the most successful institutions flipped this narrative. They positioned central IT not as a gatekeeper, but as a partner:
They became the “department of know.”
This shift—from control to collaboration—was one of the most consistent markers of Shadow IT maturity in my research.
Partnership-based IT units:
- educate instead of prohibit
- guide instead of block
- create trusted pathways for innovation
- help units evaluate solutions in ways aligned with institutional priorities
And when that shift occurs, something important changes:
Shadow IT doesn’t disappear, but it stops being shadowy.
⭐ The Real Risk Isn’t the Technology—It’s the Silence
The most significant risk factor I observed was not the technology itself. It was the absence of communication around it.
Shadow IT becomes dangerous when:
- someone launches a cloud service without telling anyone
- sensitive data flows through unapproved systems
- multiple units purchase overlapping tools without coordination
- or campus partners feel there is no approachable channel to engage with central IT
These gaps, not the tools themselves, create the conditions for privacy issues, data fragmentation, system redundancy, and compliance challenges.
Shadow IT is fundamentally a leadership and governance challenge—not a prohibition challenge.
Efforts to stamp it out through strict bans, restrictive policies, or cultural pressure rarely succeed. Instead, they push the activity underground, where it’s even harder to manage.
However, when IT leaders focus on trust-building, shared language, clear processes, and reasonable pathways for partnership, the entire ecosystem becomes healthier.
⭐ Where This Research Is Going Next
This article is part of a series translating the findings of my doctoral study on Shadow IT governance into practical insights for higher-education IT leaders. Over the next several posts, I’ll explore:
- Why risk maturity matters more than risk avoidance
- A framework for encouraging innovation without sacrificing security
- How Technology Threat Avoidance Theory (TTAT) offers a new lens for understanding decision-making
- Five insights CIOs and CISOs should consider as they plan for 2026 and beyond
My goal is to help higher-ed IT leaders reframe Shadow IT—moving from fear to partnership, and from restrictive control to informed collaboration.
⭐ Connect, Compare Notes, or Learn More
If your institution is navigating questions around Shadow IT, distributed innovation, or risk governance, I welcome conversations with peers and leaders across the higher-education landscape.
You can also follow the ongoing Shadow IT series on LinkedIn or explore additional resources here at joelilarson.com as they become available.


