Skip to main content
Stackbastion

Draft, not yet published

Shadow IT: the AI-generated internal tool nobody in compliance knows about

7 July 2026· 6 min read · by Stackbastion

Someone in ops built a little dashboard to track customer requests. Someone in HR made a tool to collect feedback. Someone in sales spun up an app to log leads. All of them work, all of them hold personal data, and none of them ever crossed a desk in IT or compliance. That’s shadow IT, and AI app builders have turned it from a trickle into a flood.

Shadow IT isn’t new. What’s new is that the barrier to creating a real, data-holding application dropped to zero. A non-developer can now describe a tool to an AI and have a working version by lunch. That’s genuinely useful. It also means your organization may be running personal data through apps that no one responsible has ever seen.

Why this is a real compliance gap

Under GDPR, your organization is the data controller for personal data it decides to process. That responsibility doesn’t depend on whether IT approved the tool, or whether anyone senior even knows it exists. If an employee built an app that stores customer emails, the organization is on the hook for that data, full stop.

Shadow IT breaks the assumptions compliance relies on:

  • Your data map is wrong. GDPR expects you to know what personal data you hold and where. A record of processing activities (Article 30) is supposed to list this. Shadow tools aren’t in it, so the map is incomplete by definition.
  • Nobody assessed the risk. These tools skipped whatever review a normal project gets. No one checked data residency, access control, or whether a data protection impact assessment was needed.
  • There’s no processor paperwork. The tool probably runs on a platform (a database host, an AI builder) that’s a processor handling your data. Without a DPA, that relationship isn’t documented.
  • Accountability is fuzzy. If the tool leaks, who reports it inside 72 hours? The builder may have moved on. Nobody’s watching.

The uncomfortable part is that none of this shows up until it’s tested: a data subject access request lands, a customer’s security team asks for your processing records, or the tool springs a leak. Then “we didn’t know it existed” becomes the story you have to tell a regulator, and it isn’t a good one.

How to find the shadow tools you already have

You can’t fix what you can’t see. Finding shadow IT is detective work, not a scan. Here’s a practical way to surface it:

  1. Ask the teams directly, without blame. The fastest method is a simple, non-punishing question to every team: “What tools or apps have you built or set up yourself to get your work done?” Framed as blame, you get silence. Framed as “we want to support these properly,” you get honest answers. Make clear nobody’s in trouble for having built something useful.

  2. Check the SaaS billing. Look at company card statements and expense reports for subscriptions to Lovable, Vercel, Supabase, Replit, Bolt, Airtable, and similar. A recurring charge nobody in IT recognizes is often a shadow tool.

  3. Check identity and login records. If you use single sign-on or a password manager, look at what apps people are logging into. Third-party apps connected to your Google or Microsoft accounts are another trail.

  4. Look at where data flows. Ask which spreadsheets and tools feed customer data. Follow the exports. A tool that receives a weekly export of customer records is holding personal data even if it feels like “just a spreadsheet with a front end.”

  5. Watch for the tell-tale signs. A public URL on a platform subdomain (like something.lovable.app), a login page nobody in IT set up, a form collecting customer details that isn’t on your main site. These are shadow tools wearing a coat.

What to do with each one you find

Finding them is half the job. For each tool, run a short triage:

  1. Does it touch personal data? If no (say, an internal calculator with no personal data), the compliance risk is low and you can note it and move on. If yes, keep going.
  2. What data, and whose? Employees, customers, both? Sensitive categories like health or finance data raise the stakes and may trigger a data protection impact assessment.
  3. Where does the data live? Find the region. If it’s outside the UK/EU, you have a transfer to account for.
  4. Is there a DPA with the platform? If the tool runs on a processor, you need one.
  5. Who owns it now? Assign a named, accountable person, even if that’s just “the team lead who uses it most.”
  6. Keep, fix, or retire? Some shadow tools are worth adopting properly. Some should be rebuilt on sanctioned infrastructure. Some should be shut down because a supported tool already does the job. Decide, don’t leave it in limbo.

The goal isn’t to punish the people who built useful things. It’s to bring those things into the light, because a tool compliance knows about and has assessed is a manageable asset, and one it doesn’t is a liability waiting for a bad day.

Or, we do it for you

Running the inventory, finding the shadow tools, checking each one’s data residency and DPA status, and either fixing or retiring them is a repeatable process, and it’s one we run for SME teams. See how we approach it on our for-SME page, or start with a free audit on the one tool that worries you most.

FAQ

Isn’t banning these tools the simplest fix?

Rarely, and it usually backfires. People built them because the sanctioned tools didn’t do the job, so a ban just pushes the behaviour further underground. Bringing tools into a supported, reviewed process keeps the productivity gain while closing the compliance gap. Adoption beats prohibition.

A tool only holds internal employee data. Is it still a problem?

Yes. Employee data is personal data under GDPR. An internal HR feedback tool with names and comments carries the same core obligations as a customer-facing one. Internal doesn’t mean exempt.

How often should we do this sweep?

At least once, thoroughly, to get a baseline, then lightly on a recurring basis, since new tools appear constantly. Many teams fold the question into regular team check-ins or onboarding so it becomes routine rather than a one-off fire drill.

The person who built it left the company. Now what?

That’s the most urgent category. An unowned tool holding personal data has no one to notice a breach or answer an access request. Assign a new owner immediately, or if nobody will own it, back up anything needed and retire it. An orphaned data-holding tool is the worst version of shadow IT.