Shadow IT refers to which of the following?

Shadow IT means using unsanctioned or unknown systems, devices, or services that still create cyber risk. When people adopt apps, cloud services, or hardware without going through the formal security and governance processes, security teams can’t monitor, patch, or manage them effectively. That gap can lead to data leaks, weak configurations, and compliance issues because the organization’s asset inventory, access controls, and incident response plans don’t cover these shadow tools. This is why the description focusing on unapproved or unknown systems that slip past official controls is the best match. Official corporate IT and contracted external vendors fall under established governance and security controls, so they’re not examples of shadow IT. Likewise, a set of approved cloud services is the opposite of shadow IT, since those are sanctioned and managed.