What is Shallow IT, and How Does it Affect IAM?
We all know shadow IT spells bad news for any enterprise—it’s basically the use of any system or file sharing that circumvents IT and organizational approval.
To no one’s surprise, this happens all too often, especially where going through IT’s channels can be more of a headache than it’s worth.
The only problem is it can mean big trouble in the event of a breach.
(Spoiler alert: avoiding big featured news stories about your company leaking valuable customer information is never more trouble than it’s worth.)
As this article from Government Technology suggests, many don’t realize that End User License Agreements and/or Terms and Conditions “are not something an employee can legally agree to on behalf of the county.” This is due to most cloud vendors’ “indemnification clause,” which “absolves the vendor of any responsibility.”
In fact, a big overarching issue in IT is being unaware of the many shadow IT apps that exist in the organization. This has prompted officials to begin the transition into “shallow IT,” and usher in a new concept to the IT world.
Enough context—let’s dive into the bread and butter of the issue.
What is Shallow IT?
If you run a “shallow IT” Google search, you’ll receive some ambiguous results at best. There are a few useful links at the top, and then it’s all downhill from there, with scattered topics and websites that don’t pertain to shallow IT at all.
Shallow IT is a concept that involves thinking outside of the box and seeing which technologies deliver the most value to your organization. Think of a video game: while it may have all the flashy graphics you want, by playing the demo, you find the controls really aren’t to your liking, and so you pass up spending that $60. In light of that decision, you do more research and find the game that best suits your wants and needs, at the best price.
That’s the beauty of shallow IT: finding the solution that fits best with your organization. It’s like shadow IT’s more responsible, budget-conscious sibling.
Regardless of your method, you don’t want to buy the first solution that comes your way. Implementing shallow IT isn’t easy, and it requires communication across your entire enterprise (much like IAM, which we’ll get into shortly).
How Shallow IT Links to IAM
There comes a time when your IT department needs to figure out what should stay in-house and what needs to be handed over to outside vendors. Every company is in some stage of determining this, at varying paces. The fact remains, though, that identity and access management in particular is one of those game-changer elements that’s nearly impossible for IT to deploy alone.
Why is that, you may ask? IT is overburdened already with provisioning, software updates and solutions to server crashes and bugs, not to mention security. How can you catch a big bad shark if you only have a handheld fishing net?
Some ways shallow IT can be helpful with IAM are:
- Facilitating organization-wide communication
- Providing metrics to gain buy-in from the right people
- Bringing transparency to risk management audits
- Helping the organization figure out what’s best for its employees (i.e., creating “zones,” according to the previously referenced article)
- Propelling discovery of shadow IT apps that exist in the enterprise
Shallow IT will eventually start to gain more traction in organizations as it emerges and becomes more widespread. However, while it is valuable to implement and encourage more communication, nothing substitutes for a comprehensive identity management strategy.
A great first step is pursuing the ideas of shallow IT to figure out how to proceed in the vast realm that is identity management. If nothing else, remember one of the main things shallow IT lends to IAM: averting risk and securing data.