Key Takeaways
- 45% of organizations allow employees to procure and use software without IT approval (i.e., “shadow IT” behaviors)
- 56% of IT leaders report that their organization experiences shadow IT at least weekly
- 61% of enterprises say they have unmanaged SaaS applications in their environment
- 60% of enterprises reported SaaS sprawl as a top challenge (with implications including shadow IT)
- 57% of respondents say unmanaged cloud services increase the risk of account takeover and credential theft
- 52% of organizations say they have difficulty classifying shadow IT data for compliance purposes
- In the Verizon DBIR 2024, 11% of breaches involved “misconfiguration/error,” commonly linked to uncontrolled tools and services
- In the Ponemon Institute / IBM study, the average cost of a breach with “third-party involvement” was $5.76 million in 2024
- In the 2024 (ISC)² study, organizations reported needing 1.5 million additional cybersecurity workers in the Asia-Pacific region alone
- In the 2024 CrowdStrike Global Threat Report, 70% of ransomware victims were targeted multiple times before the attack
- NIST SP 800-53 Rev.5 includes 4,300+ security controls total across control families (governance scope relevant to shadow IT bypass)
- CIS Controls v8 contains 18 controls and 153 sub-controls for enterprise security governance (helps standardize oversight against shadow IT)
- CIS Benchmarks include configuration guidance for 1,000+ settings for common technologies (supporting standardized enforcement)
Shadow IT is widespread and risky, driving SaaS sprawl, account takeovers, compliance headaches, and higher breach costs.
Related reading
01 · Category
Shadow It Prevalence4 stats
Shadow It Prevalence Interpretation
02 · Category
SaaS & Cloud Sprawl3 stats
SaaS & Cloud Sprawl Interpretation
03 · Category
Operational Burden & Cost5 stats
Operational Burden & Cost Interpretation
More related reading
04 · Category
Security Risk Impact1 stats
Security Risk Impact Interpretation
05 · Category
Governance & Controls8 stats
Governance & Controls Interpretation
Cite This Report
This report is designed to be cited. We maintain stable URLs and versioned verification dates. Copy the format appropriate for your publication below.
Julian Richter. (2026, February 13). Shadow It Statistics. Gitnux. https://gitnux.org/shadow-it-statistics
Julian Richter. "Shadow It Statistics." Gitnux, 13 Feb 2026, https://gitnux.org/shadow-it-statistics.
Julian Richter. 2026. "Shadow It Statistics." Gitnux. https://gitnux.org/shadow-it-statistics.
Sources & references
21 datasets cited across this report · attribution is report-level
+3 additional datasets cited (not shown individually)

