
Shadow IT is one of the most pressing issues in cybersecurity today. As more employees use unsanctioned browser extensions, productivity plugins, and generative AI tools, organizations are exposed to more risk.
When these tools enter the environment without IT’s knowledge, they can create data exposure points, introduce new vulnerabilities, and make it easier for attackers to find privileged access paths. In many cases, the employee doesn’t even realize the risk they’ve introduced.
How Risk Creeps In: Extensions, AI Tools, and Unapproved Apps
Every app or extension installed on a corporate machine without being vetted carries risk. End users typically don’t have the knowledge or skills necessary to make informed, risk-based decisions on behalf of the organization. That responsibility must sit with a security steering committee or advisory group that can properly assess the trade-offs of usability versus risk.
Most security practitioners will have seen firsthand how some of the most used extensions quietly request elevated permissions, read data from active tabs, or track behavior across domains. When you multiply that by the number of employees in a typical enterprise, many of whom will have ten or more extensions installed, it’s easy to see how quickly things can spiral.
AI-based productivity tools make things even more complicated. These applications often retain input data to improve their models or support future queries. That means employees may inadvertently feed sensitive company information into opaque, third-party systems with questionable data handling practices.
Why Organizations Still Struggle to Tame Shadow Tech
Shadow IT proliferates for a variety of reasons:
- App Availability: Employees can, and do, install tools with just a few clicks.
- Lack of Visibility: Most organizations still lack effective tooling for monitoring what’s being added to the environment in real time.
- Insufficient Governance: Policies may exist on paper, but without enforcement mechanisms or education, they can be easily bypassed.
- Decentralized Procurement: Without centralized oversight, risk assessments fall through the cracks.
- Operational Compromises: When balancing speed and security, most organizations choose speed and just accept the risk.
The controls that close these gaps often only get implemented at later stages of a security maturity journey. Until then, there are simply too many avenues for shadow IT, shadow AI, and rogue extensions to make their way in.
From Risk to Readiness: What Security Teams Can Do Now
However, the goal here isn’t to prevent staff from using tools that can help them work faster and to a higher standard. It’s about making smarter, more risk-aware decisions across the board. Security teams should take the following steps to achieve this goal:
- Audit your environment: Start by identifying the browser extensions, SaaS apps, and AI tools in use across your endpoints and cloud environments.
- Establish approval workflows: Set up a formal process for reviewing and approving new tools before they’re used in production.
- Train employees: Help your workforce understand why some tools are risky and how to spot red flags.
- Deploy real-time monitoring: Use tools that alert you when unsanctioned software is installed or sensitive data is at risk.
- Take a layered approach: Address the problem from multiple angles – visibility, control, governance, and education.
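The audit step above can begin with nothing more than a script. The example below is added here as an illustration, not Fortra's code or the post's: it walks a Chromium-style profile's Extensions directory, parses each manifest.json, and flags extensions that request the kind of broad permissions the post describes (reading every tab, tracking across domains, intercepting requests). The directory layout under a temp folder and the two sample extensions are constructed for the example.

```python
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read page content, track browsing across sites,
# or intercept traffic; any of these should route the extension to manual review.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "tabs", "webRequest", "webRequestBlocking", "cookies",
    "history", "clipboardRead", "nativeMessaging", "debugger", "scripting",
}
# Host match patterns that are as broad as <all_urls>: the extension can read every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def extension_risk(manifest: dict) -> dict:
    """Return a risk record for one extension manifest (manifest v2 or v3)."""
    perms = set(manifest.get("permissions", []))
    # Manifest v3 moved host match patterns to host_permissions; v2 kept them in permissions.
    perms |= set(manifest.get("host_permissions", []))
    flagged = sorted((perms & HIGH_RISK_PERMISSIONS) | (perms & BROAD_HOST_PATTERNS))
    return {
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "flagged": flagged,
        "review": bool(flagged),  # anything flagged goes into the approval workflow
    }

def audit_extension_dir(root: Path) -> list[dict]:
    """Walk a Chromium-style layout: <root>/<extension id>/<version>_0/manifest.json."""
    results = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as fh:
            record = extension_risk(json.load(fh))
        record["id"] = manifest_path.parents[1].name  # the folder two levels up is the extension id
        results.append(record)
    return results

def build_sample_profile() -> Path:
    """Constructed sample data: two fake extensions written to a temp dir (not real extensions)."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "aaaasampleidaaaa": {"name": "Tab Tracker", "version": "2.1", "manifest_version": 3,
                             "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]},
        "bbbbsampleidbbbb": {"name": "Dark Theme", "version": "1.0", "manifest_version": 3,
                             "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        ext_dir = root / ext_id / (manifest["version"] + "_0")
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root
```

Point `audit_extension_dir` at a real profile's Extensions folder to produce an inventory; the `review` flag marks what to push into the approval workflow rather than a verdict on the extension.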
How Fortra Helps: Visibility and Control for Shadow IT
At Fortra, we have a range of tools designed to help organizations shine a light on shadow IT and reclaim control. Here’s how our solutions work together to mitigate these risks:
Cloud Access Security Broker (Fortra CASB)
Fortra CASB provides deep visibility into cloud app usage and employee behaviors. It can identify and monitor unsanctioned applications, distinguish between corporate and personal app use, and enforce sharing and access controls across collaboration and email platforms.
- Prevent risky behaviors like uploading data to personal cloud accounts
- Block logins from untrusted locations or devices
- Apply fine-grained access controls and policy enforcement
Data Loss Prevention (Fortra DLP)
Fortra DLP helps prevent sensitive data from leaking via unapproved tools. It can monitor data in motion, at rest, and in use across endpoints, networks, email, and cloud platforms.
- Detect sensitive content shared through unauthorized extensions or AI tools
- Block or redact high-risk data transfers in real time
- Support regulatory compliance with pre-built policies for GDPR, HIPAA, PCI DSS, and more
Vulnerability Management (Fortra VM)
Fortra Vulnerability Management goes beyond basic scanning. It helps identify high-risk extensions or unpatched apps that could serve as entry points for attackers.
- Prioritize vulnerabilities based on exploitability and asset importance
- Monitor trends in exploited software and stay ahead of attack vectors
- Report on security posture across your environment
Together, these tools offer a layered defense strategy that brings visibility, control, and precision to an area that has traditionally been difficult to govern.
Gaining Control Over the Unseen
The growing presence of AI assistants, browser add-ons, and unsanctioned SaaS tools presents a major security risk. Organizations need a better way to monitor, evaluate, and control the technologies entering their environments.
At Fortra, we’re dedicated to helping businesses move from reactive firefighting to proactive risk management. That starts with seeing what you couldn’t before, and making sure your security stack is ready to respond.
Want to find out more about how Fortra can help your organization tame shadow IT? Contact us today.