The short answer: shadow IT in creative teams is a symptom, not the disease
When you trigger a massive wave of shadow IT usage across the creative department, it almost always means one thing: the tools you've officially approved are not doing the job, and your creatives have stopped waiting for IT to catch up. They haven't gone rogue out of malice. They've gone rogue because they had a deadline on Tuesday and your procurement process takes six weeks.
The fix isn't a crackdown. It's a conversation — specifically, one that should have happened before you rolled out whatever it is they're now working around.
What is shadow IT, and why do creative teams do it more than most?
Shadow IT refers to any software, application, service, or device used within an organisation without the explicit knowledge or approval of the IT department. Think Canva accounts on personal emails, Notion workspaces outside the corporate tenant, Dropbox folders that live on someone's personal Google Drive.
Creative departments are disproportionately likely to generate shadow IT because their work is fundamentally tool-dependent. A developer can often work within constraints. A designer who can't access the right font library or a video editor stuck with a six-year-old version of Premiere is not just frustrated — they're professionally hamstrung.
According to Gartner, by 2027, 75% of employees will acquire, modify, or create technology outside IT's visibility. That figure isn't evenly distributed. It clusters heavily in marketing, design, and content functions — teams whose output lives or dies by the quality of their tooling.
What does shadow IT actually look like in a creative department?
- Designers using personal Adobe Creative Cloud licences because IT approved a legacy version
- Copywriters running content through ChatGPT or Claude without any organisational AI policy in place
- Social media teams managing brand accounts through third-party schedulers never reviewed by security
- Video teams storing large files on personal cloud storage because the corporate file share has a 2GB limit
- Freelancers being added to personal Slack workspaces because the official comms tool doesn't support external guests easily
Every single one of those is a data governance risk. None of them started as an act of rebellion.
What actually triggers a massive wave of shadow IT in creative teams?
It's rarely one thing. It's usually a slow accumulation of friction that eventually hits a tipping point — like a self-checkout machine that keeps asking for attendant approval until the person behind you in the queue quietly loses the will to live.
The most common triggers
1. A new enterprise tool rollout that doesn't fit creative workflows
This is the big one. IT rolls out a new Digital Asset Management (DAM) system, a new project management platform, or a new creative suite — and it's been procured entirely without meaningful input from the people who'll use it every day. The tool works fine for IT's requirements. It does not work for someone trying to export a 4K video file at 11pm before a product launch.
2. An AI policy vacuum
In 2024 and 2025, the single biggest driver of shadow IT in creative departments has been the absence of any approved AI tools. When organisations ban AI tools without providing an alternative, creatives don't stop using AI. They use it on personal devices, personal accounts, and personal email addresses — taking company data with them. A Salesforce survey (2024) found that 55% of workers who use AI at work do so without their employer's knowledge or approval.
3. Procurement and approval processes that move at geological speed
If requesting a new software licence requires a business case, a security review, a data protection impact assessment, a budget sign-off, and a steering group meeting — and the whole process takes three months — creative teams will have solved their problem another way by week two. You can't blame them.
4. Legacy infrastructure that simply can't keep up
Older corporate networks and storage systems weren't designed for the file sizes that modern creative work generates. When the official solution doesn't work, people find solutions that do.
5. A cultural gap between IT and creative functions
In many organisations, IT and creative teams speak completely different languages and have fundamentally different relationships with risk. IT is (quite reasonably) focused on security and compliance. Creative teams are focused on output and deadlines. When those two priorities are never reconciled in conversation, they get reconciled by shadow IT instead.
What are the actual risks of shadow IT in creative departments?
I want to be precise here, because the risks are real — but they're often presented in ways that are either overblown or so technical they lose the room. Here's what actually matters.
Data security and compliance risks
Data leakage is the primary concern. When creative teams upload brand assets, client briefs, unreleased campaign materials, or personal data to unsanctioned platforms, your organisation loses control of where that data lives, who can access it, and what the platform does with it.
Under UK GDPR and the Data Protection Act 2018, your organisation is still responsible for that data. "We didn't know they were using it" is not a defence that holds up particularly well with the ICO.
Intellectual property exposure
Many AI generation tools — particularly free-tier versions — train on user inputs. If a designer uploads an unreleased brand identity to a consumer AI tool to generate variations, that creative work may become part of a training dataset. The legal landscape here is still evolving, but the risk is not theoretical.
Licence and contractual exposure
Consumer-grade tools often have terms of service that are incompatible with commercial use. If your creative team is producing client-facing work using a free tool that prohibits commercial application, your organisation may be in breach of those terms — and any IP generated could be contested.
Operational fragmentation
When every member of a creative team is using different unsanctioned tools, version control, file handover, and collaboration become a genuine operational problem. I've seen creative departments where the brand assets exist in seven different cloud storage locations, none of which anyone else in the organisation can access. That's not a security problem. That's just chaos.
Approved vs. Shadow IT in Creative Departments: A Practical Comparison
| Factor | Approved IT | Shadow IT |
|---|---|---|
| Security review | Completed before deployment | None — unknown risk profile |
| Data governance | Covered under organisational policy | Governed by third-party T&Cs, often consumer-grade |
| Licence compliance | Commercially licensed for organisational use | Frequently personal/free tier — may prohibit commercial use |
| Support and accountability | IT-supported, auditable | Self-managed, invisible to IT |
| Fitness for creative purpose | Often poor — procured without creative input | Usually excellent — chosen by the people doing the work |
| Speed of access | Slow — procurement and approval cycles | Immediate — sign up with an email address |
| Cost visibility | Centralised, budgeted | Hidden — often expensed or personally funded |
| Integration with other systems | Planned and managed | Ad hoc, often creates data silos |
The uncomfortable truth in that table: the column that wins on actual creative output is almost always shadow IT. That's not an argument for allowing it unchecked. It's an argument for understanding why it keeps winning.
How do you actually fix this? A practical approach for digital leaders
I've spent the better part of two decades helping organisations navigate technology change, and the one thing I'd stake a reasonable amount on is this: you cannot govern your way out of a shadow IT problem that was caused by a failure of empathy. You can write all the policies you like. People will work around them at the speed of a deadline.
Step 1: Run a shadow IT audit — without making it a witch hunt
Before you can address the problem, you need to understand its shape. Tools like Microsoft Defender for Cloud Apps or Netskope can surface unsanctioned cloud app usage across your network. What you do with that information matters enormously.
The audit is intelligence-gathering, not evidence collection. If the first thing you do with the findings is send a disciplinary memo, you've confirmed every creative team's worst fear about IT — and driven the problem further underground.
Step 2: Have the actual conversation with the creative team
Sit down with creative leads and ask them, genuinely, what tools they're using and why. Not to catch them out. To understand what the approved toolset is failing to provide. This conversation is usually revelatory and almost always slightly uncomfortable for the technology function, because the answers tend to be straightforward and the problems tend to be fixable.
Step 3: Build a fast-track approval pathway for creative tools
The standard procurement process was not designed for a world where a new AI tool launches every fortnight. Build a lightweight, time-boxed approval process specifically for creative software — one that can complete a basic security and data protection review in two weeks, not three months. Involve your DPO (Data Protection Officer) early, not as a final gate.
Step 4: Develop an AI use policy that doesn't just say no
If your organisation's current AI policy is "don't use it", you have not got an AI policy. You have a wish. Create a tiered framework: tools that are approved for general use, tools approved for use with non-sensitive data, and tools that require case-by-case review. Give creative teams a sanctioned path to the capabilities they're going to use anyway.
Step 5: Embed a creative technology advocate in the IT function
One of the structural fixes that I've seen work consistently is placing someone — a Creative Technology Lead or equivalent — who genuinely understands both creative workflows and IT governance. They act as a translator. They prevent the IT function from approving tools that technically pass security review but are completely unusable by a motion graphics team. That role pays for itself within about six months.
Step 6: Establish a regular creative tech review cycle
Set a quarterly or bi-annual review of the approved creative toolset. Technology moves fast in this space. What was best-in-class eighteen months ago may already be obsolete. Giving creative teams a formal mechanism to raise new tool requests — and a commitment to a response within a defined timeframe — reduces the incentive to go rogue.
What does good governance of creative technology actually look like?
It looks less like a firewall and more like a framework. The organisations that manage this well tend to share a few characteristics.
- They have a clear, published list of approved tools for creative functions — not buried in an intranet that nobody visits
- They operate a rapid exception process for tools not on the approved list
- They treat AI governance as a living document, reviewed at least quarterly
- They have defined data classification guidelines that creative teams actually understand — not 40-page policy documents written for lawyers
- They measure tool adoption and satisfaction as a genuine metric, not an afterthought
- IT leadership and creative leadership meet regularly — not just when something goes wrong
None of that is technically complex. All of it requires organisational will and a genuine belief that the people doing the creative work are worth listening to.
A note on AI specifically — because this is where it's most acute right now
The AI situation in creative departments deserves its own brief treatment, because it's moving faster than most governance frameworks can track.
As of 2025, the majority of creative professionals are using generative AI tools in some form. Adobe Firefly, Midjourney, RunwayML, ElevenLabs, Kling, Sora — the toolset is expanding monthly. Most organisations have not approved any of them. Most creative teams are using several of them.
The organisations handling this best are not the ones with the most restrictive policies. They're the ones that have moved fastest to understand the tools, assess the risks proportionately, and provide sanctioned alternatives. Microsoft 365 Copilot, Adobe Firefly integrated within Creative Cloud, and Google Workspace AI features all offer enterprise-grade AI with data processing agreements that a DPO can actually work with.
If your creative team is using consumer ChatGPT on personal accounts to write copy for client campaigns, the answer is not to ban AI. It's to give them access to an enterprise-licensed AI tool with appropriate data governance in place — and to do it quickly enough that the personal account becomes unnecessary.
Frequently Asked Questions
What is the most common cause of shadow IT in creative departments?
The single most common cause is a mismatch between the tools IT has approved and the tools creative teams actually need to do their work. This is usually the result of procurement decisions made without meaningful input from the creative function. When the approved tool doesn't work well enough, people find one that does.
Is shadow IT illegal?
Shadow IT is not inherently illegal, but it can create legal exposure. The primary risks are data protection compliance (under UK GDPR and similar frameworks), intellectual property issues, and licence violations if tools with personal or free-tier licences are used for commercial purposes. The organisation remains responsible for data even when it's processed through unsanctioned tools.
How do I detect shadow IT usage in my organisation?
Cloud Access Security Broker (CASB) tools such as Microsoft Defender for Cloud Apps, Netskope, or Zscaler can identify unsanctioned cloud application usage across your network. Browser-based tools and mobile device management (MDM) solutions can also surface shadow IT activity. The important thing is what you do with that information — it should inform a conversation, not a crackdown.
How do I stop creatives from using AI tools without approval?
Prohibition alone does not work. The most effective approach is to provide a sanctioned alternative quickly — enterprise-licensed AI tools with appropriate data processing agreements — while clearly communicating what the risks of unsanctioned tools are. People are generally reasonable when they understand the genuine risk, rather than being told "no" without explanation.
Should I punish employees for using shadow IT?
Almost certainly not, at least not as a first response. In most cases, employees using unsanctioned tools are not acting maliciously — they're trying to do their jobs. A punitive response drives the behaviour underground rather than eliminating it, and it damages the relationship between IT and the business functions you're trying to support. Address the underlying cause first.
What's the difference between shadow IT and a bring-your-own-device (BYOD) policy?
BYOD (Bring Your Own Device) refers to employees using personal hardware — phones, laptops — for work purposes, usually within a defined policy framework. Shadow IT refers to unsanctioned software and services, regardless of what device they run on. The two often overlap, particularly in creative teams where personal devices are commonly used for work.
How do I build a business case for better creative tooling?
Frame it in terms of risk, not preference. The business case for a proper creative technology framework includes: reduced data protection risk, reduced IP exposure, improved operational efficiency (less time lost to tool fragmentation), and reduced licence compliance risk. Quantify the cost of a potential ICO investigation or a data breach against the cost of an enterprise software licence — the maths tends to be fairly persuasive.
How quickly can shadow IT spread through a creative team?
Extremely quickly. Creative teams are highly collaborative and tool recommendations spread peer-to-peer within days. Once one designer starts using a new AI image tool and shows a colleague the output at lunch, you can have a department-wide adoption within a week. This is actually a useful insight for approved tool rollouts — if you can make the right tool the obviously good choice, the same network effect works in your favour.
Nicholas Hodder is a digital transformation and technology leader with over 20 years of experience across public sector, commercial, and third sector organisations. He works with leadership teams on the human side of technology change — the bit that the vendor slide decks tend to skip over. He also does stand-up comedy, which is either a conflict of interest or excellent research, depending on the day.
