How to Raise Concerns About Shadow IT in English

Learn the English phrases for flagging unapproved tools or services your team is using, without sounding like you're policing colleagues.

Shadow IT — tools, services, or scripts adopted without going through security or procurement review — often starts with good intentions and creates real risk later. This guide gives you the English for raising the concern constructively, without sounding like you’re accusing a colleague of doing something wrong.


Naming What You’ve Noticed

Describe the observation neutrally before assigning any judgment.

  • “I noticed we’re piping production data into [tool] that I don’t think has gone through a security review — can you help me understand how that got set up?”
  • “It looks like a few of us have started using [service] for this workflow — has that been approved, or did it happen organically?”
  • “I want to flag this, not as a criticism of anyone individually, but because I think it’s worth getting visibility on.”

Asking About the Origin

Understand why the tool was adopted before proposing to remove it.

  • “What was the driver for adopting this — was there a gap in our approved tooling that made this the fastest option?”
  • “How long has this been in use, and does anyone know if it was ever run past security or IT?”
  • “Is this handling anything sensitive, or is it limited to non-production, low-risk data?”

Explaining the Risk

Be specific about what could go wrong rather than citing policy for its own sake.

  • “My concern is less about the tool itself and more about the fact that it hasn’t been vetted for how it handles our data or who has access to it.”
  • “If this tool has an incident, we currently have no visibility into it, and no plan for how we’d respond.”
  • “This creates a compliance gap if we’re ever audited and can’t account for where this category of data lives.”

Proposing a Path Forward

Offer a constructive route rather than just proposing to shut things down.

  • “Can we get this fast-tracked through a lightweight security review instead of blocking it outright, given how useful it’s become?”
  • “If it turns out this can’t be approved, let’s find the closest approved alternative together rather than just removing it and leaving a gap.”
  • “I’d like to propose we inventory what unapproved tools are actually in use across the team before deciding what to do about each one.”

Escalating If It’s Widespread

If shadow IT usage is broad or involves sensitive data, involve security or leadership directly.

  • “I think this is bigger than one tool — I’d like to loop in security so we can get a full picture of what’s being used outside the approved list.”
  • “Given the data involved, I don’t think this should wait for the next planning cycle — can we prioritize a review this week?”

Vocabulary Reference

Term            Meaning
Shadow IT       Tools or services used without formal approval from IT or security
Vetted          Reviewed and approved as meeting security or compliance standards
Compliance gap  A situation where policy or regulatory requirements aren’t being met
Fast-tracked    Given expedited review rather than the standard slower process
Inventory       A complete list of what’s currently in use, as a first step before deciding action

Key Takeaways

  • Describe the observation neutrally first — shadow IT is usually adopted out of convenience, not malice.
  • Ask about the tool’s origin and what data it touches before proposing a fix.
  • Frame the risk concretely, such as lack of visibility or a compliance gap, rather than citing policy alone.
  • Propose a constructive path, like a fast-tracked review or finding an approved alternative, instead of just demanding removal.
  • Escalate to security promptly if the tool handles sensitive data or the pattern is widespread across the team.