Shadow IT has existed as long as enterprise IT departments have. Whenever the gap between what employees need and what IT can deliver becomes too wide, people find their own solutions. Spreadsheets, personal cloud drives, consumer apps — these have been the traditional face of shadow IT. But in 2026, the problem has evolved into something qualitatively different, and far more dangerous. The proliferation of low-code and no-code platforms has put sophisticated development capabilities into the hands of every employee. Business users are now building custom applications, automating complex workflows, and deploying AI agents — entirely outside of IT visibility and security governance.
Understanding and addressing the risks of shadow IT in the low-code era requires a fundamentally different approach from the shadow IT policies that organizations have relied on for the past decade. This article examines the modern shadow IT threat landscape, its security implications, and what organizations can do to detect and manage these risks effectively.
Shadow IT Then and Now: What Has Changed
Traditional shadow IT — a rogue spreadsheet, a personal Dropbox account, an unauthorized SaaS tool — was a governance and compliance challenge. The data might be in the wrong place, but the risk was largely bounded. The app could not take actions. It could not connect to other systems. It could not make decisions or trigger workflows.
Modern shadow IT is different in kind, not just degree. Low-code and no-code platforms like Microsoft Power Platform, Salesforce, ServiceNow, and UiPath enable business users to build applications and automations that connect to enterprise systems, move sensitive data across organizational boundaries, make automated decisions, and — increasingly — deploy AI agents that act autonomously on behalf of the business. These are not passive repositories of data. They are active software systems with real attack surfaces.
A survey by Everest Group estimated that shadow IT represents more than 50% of total IT expenditure in many enterprises. Gartner has noted that approximately 30% of security breaches can be attributed to shadow IT. With low-code platforms dramatically lowering the barrier to creating sophisticated software systems, these figures are likely to worsen.
Nokod Security’s research into real enterprise environments consistently finds that the actual number of low-code apps and automations is five to ten times larger than what IT believes exists. You can explore Nokod’s perspective on shadow engineering and LCNC security for a deeper look at how this problem manifests in practice.
Why Shadow IT Detection Is Harder Than Ever
Traditional shadow IT detection focused on network monitoring and endpoint management: look for unauthorized traffic to known consumer services, restrict access to unapproved URLs, manage software installation on corporate devices. These approaches were imperfect but moderately effective.
Low-code shadow IT is largely invisible to these controls. Power Platform apps run within Microsoft’s own cloud infrastructure, on the same network paths as authorized Microsoft 365 services. Salesforce automations operate within an environment that the enterprise already licenses and trusts. ServiceNow citizen developer projects exist inside a platform that IT actively manages. Network monitoring cannot distinguish authorized from unauthorized applications built on the same platform.
| Shadow IT Type | Detection Challenge | Risk Level |
|---|---|---|
| Low-code apps (Power Apps, Retool) | Runs on licensed enterprise platform, invisible to network monitoring | High |
| Automated workflows (Power Automate) | Uses trusted connectors and service accounts | High |
| AI agents (Copilot Studio, Agentforce) | Built with UI tools, no code to scan, behavioral risks | Critical |
| RPA automations (UiPath, citizen dev) | Operate within licensed RPA environment | High |
| BI reports (Power BI, embedded) | Shared via normal enterprise sharing mechanisms | Medium-High |
The Security Risks of Shadow IT in Low-Code Environments
When business users build and deploy low-code applications outside of security oversight, the resulting risks fall into several categories:
- Data Leakage: Apps and automations built without DLP policy awareness routinely connect sensitive data to unauthorized destinations — sending customer records to personal email, exporting financial data to consumer cloud storage, or making internal data publicly accessible via API.
- Excess Permissions: Low-code apps typically run in the context of their creator’s identity. A finance director building a Power Apps solution may inadvertently give that app access to every financial system in the organization.
- Injection Vulnerabilities: Apps built by non-developers rarely implement input validation correctly, leaving them vulnerable to SQL injection, formula injection, and prompt injection attacks.
- Orphaned Applications: When the business user who built an app leaves or changes roles, the app continues to operate — often with active connections to sensitive data — with no owner and no monitoring.
- Compliance Violations: Apps that process regulated data (PII, financial records, health information) without appropriate controls create direct GDPR, HIPAA, and PCI DSS compliance exposure.
- Supply Chain Risk: Unvetted third-party connectors and integrations embedded in shadow IT applications introduce external dependencies that carry their own vulnerabilities.
Shadow IT Risk Assessment: A Framework for Security Teams
Effective shadow IT risk assessment in the low-code era requires a structured approach that goes beyond what traditional IT asset management provides. Security teams need to:
- Discover the Full Inventory: Use platform-native APIs and purpose-built security tools to enumerate every app, automation, and AI agent across all low-code environments. Accept that the true number will be much larger than current estimates.
- Map Data Access Paths: For each discovered asset, determine what data it can access, from which systems, with what permissions — and whether those access paths are authorized by policy.
- Identify Sensitive Data Exposure: Flag all assets that have access to data subject to regulatory protection, including PII, financial records, health data, and credentials.
- Assess Sharing and Exposure: Determine whether apps are shared internally with appropriate audiences or exposed externally — and whether those sharing decisions were deliberate and authorized.
- Prioritize Remediation: Rank findings by severity and business impact, and provide actionable remediation guidance that can be understood and acted upon by both security teams and business users.
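The five steps above, and the risk categories from the previous section, as a small Python model (an added example, not Nokod's product code): a constructed inventory, assumed to have already been exported from each platform's admin API, is scored along the dimensions the framework names and ranked for remediation. The point values and the connector allow-list are assumptions for illustration.

```python
"""Score a low-code inventory along the framework's dimensions and rank it.

Added example, not Nokod's code. The inventory below is constructed; in practice
it would be exported from each platform's admin/inventory API (assumption).
"""
from dataclasses import dataclass

APPROVED_CONNECTORS = {"sharepoint", "dataverse", "sql-server"}   # policy allow-list (assumed)
REGULATED = {"pii": "GDPR", "financial": "PCI DSS", "health": "HIPAA",
             "credentials": "internal policy"}                     # data class -> regime

@dataclass
class Asset:
    name: str
    kind: str                # app | flow | agent
    owner_active: bool       # False means the creator left or changed role (orphaned)
    owner_privileged: bool   # app runs under a highly privileged creator identity
    connectors: list
    data_classes: list
    sharing: str             # owner | internal | everyone | external

def assess(a: Asset):
    """Return (score, findings) for one asset; higher score = remediate first."""
    findings, score = [], 0
    for d in a.data_classes:                          # step 3: sensitive data exposure
        if d in REGULATED:
            findings.append(f"handles {d} ({REGULATED[d]})"); score += 3
    if a.sharing in ("everyone", "external"):         # step 4: sharing and exposure
        findings.append(f"shared with {a.sharing}"); score += 4 if a.sharing == "external" else 2
    for c in a.connectors:                            # step 2: unvetted data access paths
        if c not in APPROVED_CONNECTORS:
            findings.append(f"unapproved connector {c}"); score += 2
    if not a.owner_active:                            # orphaned application
        findings.append("orphaned: owner inactive"); score += 2
    if a.owner_privileged:                            # excess permissions via creator identity
        findings.append("runs under privileged creator identity"); score += 2
    if a.kind == "agent":                             # AI agents rated Critical in the table
        score += 3
    return score, findings

def prioritize(inventory):
    """Step 5: rank every asset by score, highest first."""
    rows = [(a.name, *assess(a)) for a in inventory]
    return sorted(rows, key=lambda r: r[1], reverse=True)

SAMPLE_INVENTORY = [  # constructed data, not from any real environment
    Asset("Vendor Onboarding Agent", "agent", True, True, ["dataverse", "gmail"], ["pii", "financial"], "external"),
    Asset("Expense Approval Flow", "flow", False, True, ["sql-server", "dropbox"], ["financial"], "internal"),
    Asset("Team Lunch Poll", "app", True, False, ["sharepoint"], [], "everyone"),
]

if __name__ == "__main__":
    for name, score, findings in prioritize(SAMPLE_INVENTORY):
        print(f"{score:>3}  {name}: {'; '.join(findings) or 'no findings'}")
```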
For a broader understanding of shadow IT security principles and enterprise governance frameworks, the ISACA guidance on shadow AI and shadow IT provides a valuable reference: isaca.org.
How Nokod Addresses Shadow IT Monitoring and Detection
Nokod Security was purpose-built to solve the shadow IT and shadow engineering problem in low-code and no-code environments. The platform connects directly to enterprise platform environments — including Microsoft Power Platform, Copilot Studio, Salesforce, ServiceNow, UiPath, and Retool — and within minutes delivers a complete inventory of everything that exists, including the shadow IT that IT never knew about.
From that inventory, Nokod automatically applies risk scoring across multiple dimensions: data sensitivity, permission levels, external exposure, compliance alignment, and application health. Security teams receive prioritized findings they can act on immediately, along with role-appropriate remediation guidance for both security architects and the business users who built the at-risk applications.
Trusted by Fortune 500 companies, Nokod gives organizations the capability to govern the full breadth of their low-code environment — bringing shadow IT into the light and transforming it from an invisible liability into a manageable, secure aspect of enterprise digital transformation.
For additional insights on how enterprises are navigating agentic AI security and shadow AI governance.
Conclusion
Shadow IT has always been a security challenge, but low-code and no-code platforms have transformed it from a nuisance into a critical risk. Business users are now building sophisticated applications, automations, and AI agents that operate entirely outside of security visibility — moving sensitive data, making automated decisions, and creating attack surfaces that traditional security tools cannot detect. Nokod Security provides the discovery, assessment, monitoring, and remediation capabilities that enterprises need to bring their low-code shadow IT under control, enabling business users to innovate freely while giving security teams the visibility and governance they require.