Shadow IT Policy Template Guide

A shadow IT policy only works if it is plain-language, proportionate, and paired with a fast procurement process. This guide provides template language and implementation notes for each key policy section.

Policy Document Structure

  • Sections 1-2 (Foundation): scope, purpose, and data classification triggers
  • Section 3 (Amnesty): the most important element for launch success
  • Sections 4-6 (Governance): procurement, enforcement, and AI provisions

Section 1: Policy purpose and scope

Purpose

Sets the organizational context and defines what is covered. Keep this to 2-3 sentences. Overly long scope definitions create loopholes and confusion.

Template language

This policy governs the use of any software, application, cloud service, or digital tool used for work purposes at [Company Name] that has not been formally approved through the IT procurement process. It applies to all employees, contractors, and consultants. Tools used exclusively for personal purposes unrelated to work are exempt.

Implementation notes

  • Include contractors and consultants explicitly, not just employees
  • The 'personal purposes' exemption prevents over-reach into personal tools
  • Avoid defining shadow IT as 'unauthorized' in the opening section, as it sets an adversarial tone

Section 2: Data classification trigger

Purpose

Defines which tools require approval and at what threshold. Without a data classification trigger, the policy is unenforceable because it is unclear what counts as a violation. Most organizations use a three-tier model.

Template language

Tools that access, store, or process Company Confidential data (including customer PII, financial records, source code, and strategic documents) require formal IT approval before use. Tools that access only Company Internal data (non-public operational data) require registration with IT within 30 days of first use. Tools that access only Company Public data have no approval requirement.

Implementation notes

  • Define each data classification tier clearly in your data governance policy and cross-reference it here
  • PII, source code, and financial data should always be Confidential
  • The 30-day grace period for Internal data reduces friction without eliminating oversight
  • AI tools that receive any company data should default to Confidential classification

Section 3: Amnesty window

Purpose

The amnesty window is the most important element of a shadow IT governance program launch. Without it, employees hide existing tools rather than disclosing them, and your shadow app registry starts with artificially low numbers.

Template language

From [Start Date] to [End Date, 60 days later], all employees may self-report any tools currently in use for work purposes without risk of disciplinary action. The only obligation during the amnesty period is to complete the Tool Registration Form at [link]. Tools self-reported during the amnesty window will receive a risk review within 15 business days, and no tool will be removed without a minimum 30-day transition period and an approved alternative being provided.

Implementation notes

  • 60 days is the minimum effective amnesty window. Shorter periods reduce disclosure rates
  • The 15-business-day review commitment creates a manageable workload for IT
  • The 'no removal without alternative' clause is essential for trust. Include it explicitly
  • Send the amnesty communication from the CEO or CTO, not from IT. Executive sponsorship increases disclosure by 30-50%

Section 4: Approved software catalog and procurement

Purpose

Defines how employees get tools approved and sets expectations for how long it takes. Slow procurement is the primary driver of shadow IT. The policy must commit to response times, not just describe a process.

Template language

IT maintains an Approved Software Catalog at [internal link]. Employees may request approval for any new tool via the Software Request Form at [link]. IT commits to the following response times:

  • Tier 1 tools (no Company data, under $50/month): self-approved within 1 business day via automated review
  • Tier 2 tools (Internal data, $50-$500/month): decision within 3 business days
  • Tier 3 tools (Confidential data or over $500/month): decision within 15 business days

Requests pending beyond these timelines may be escalated to the IT Manager.

Implementation notes

  • The Tier 1 self-approval pathway is critical for reducing shadow IT at the margins
  • Publishing the SLA and allowing escalation creates accountability
  • Review AI tools monthly under a dedicated fast-track AI review process
  • Communicate the catalog to new employees during onboarding

Section 5: Enforcement and consequences

Purpose

Defines what happens when a tool is used outside the policy. Effective enforcement is tiered by risk, not one-size-fits-all. Heavy-handed enforcement for low-risk tools erodes trust and drives shadow IT underground.

Template language

Tools used for work purposes that have not been approved or registered as required by this policy are subject to the following actions based on data risk:

  • Tools accessing Company Confidential data: immediate data quarantine and mandatory migration to an approved alternative within 7 calendar days
  • Tools accessing Company Internal data: 30-day remediation notice with IT support to find an approved alternative
  • Tools accessing only Company Public data: registration request, no other action required

Repeated policy violations after written notice may result in disciplinary action in accordance with the Company Conduct Policy.

Implementation notes

  • Always pair enforcement actions with IT support to find alternatives
  • Avoid blanket 'all shadow IT is immediately blocked' language. It is unenforceable and damages culture
  • The 7-day window for Confidential data is aggressive but appropriate for regulated data
  • Document every enforcement action in the shadow app registry for audit trail purposes

Section 6: AI tool specific provisions

Purpose

AI tools are the fastest-growing shadow IT category and carry unique risks: exposure of company data through vendor model training, unreliable output, and uncertain regulatory classification. A dedicated AI tool section signals that the organization takes AI governance seriously.

Template language

AI tools, including but not limited to large language model assistants, AI coding tools, image generation tools, and AI-powered research tools, are subject to additional review requirements regardless of cost tier. Any AI tool that receives Company data as input requires Tier 3 review, including confirmation that: (1) the vendor offers a data processing agreement confirming that company data will not be used for model training, (2) data residency requirements are met, and (3) the tool is accessible through the company identity provider. Employees may use personal AI tools for personal tasks but must not input Company Confidential or Internal data into any AI tool that is not on the Approved Software Catalog.

Implementation notes

  • Training data opt-out is non-negotiable for any AI tool receiving company data
  • The personal-use carve-out keeps the policy enforceable by not attempting to govern personal ChatGPT use
  • Update this section quarterly as the AI tool landscape changes rapidly
  • Name specific approved AI alternatives in the catalog alongside this section

Shadow IT Policy: Dos and Don'ts

✓ Do

  • Write in plain English, not legal language
  • Include a 60-day amnesty window at launch
  • Commit to specific SLA response times for procurement
  • Tier enforcement by data risk, not by tool cost
  • Update the policy annually and after major AI tool releases
  • Cross-reference the Approved Software Catalog in the policy

✗ Don't

  • Block tools before providing approved alternatives
  • Make the policy longer than 2 pages
  • Apply the same enforcement to all tools regardless of risk
  • Leave AI tools ungoverned in a general 'software' clause
  • Launch enforcement before the amnesty window closes
  • Write a policy without executive and legal sign-off

Need a Complete Policy Package?

Digital Signet delivers a complete shadow IT policy package: finalized policy document, approved software catalog template, procurement intake form, and employee communication kit.
