shadowitcalculator.com

Shadow IT Policy Template Guide

A six-section policy template with sample language and implementation notes. Pair this guide with the Policy Generator at /policy-generator for an org-customized output.

Document structure

  • Sections 1 to 2 (Foundation): scope, purpose, data classification triggers
  • Section 3 (Amnesty): the most important launch element
  • Sections 4 to 6 (Governance): procurement, enforcement, AI provisions

Section 01

Policy purpose and scope

Purpose

Sets the organizational context and defines what is covered. Keep this to 2 to 3 sentences. Overly long scope definitions create loopholes and confusion.

Notes

  • Include contractors and consultants explicitly
  • The personal-purposes exemption prevents over-reach into personal tools
  • Avoid framing shadow IT as adversarial in the opening section

Template language

This policy governs the use of any software, application, cloud service, or digital tool used for work purposes at [Company Name] that has not been formally approved through the IT procurement process. It applies to all employees, contractors, and consultants. Tools used exclusively for personal purposes unrelated to work are exempt.

Section 02

Data classification trigger

Purpose

Defines which tools require approval and at what threshold. Without a data classification trigger the policy is unenforceable because it is unclear what counts as a violation.

Notes

  • Cross-reference your data classification policy
  • PII, source code, and financial data are always Confidential
  • AI tools that receive any company data default to Confidential

Template language

Tools that access, store, or process Company Confidential data (including customer PII, financial records, source code, and strategic documents) require formal IT approval before use. Tools that access only Company Internal data require registration with IT within 30 days of first use. Tools that access only Company Public data have no approval requirement.

Section 03

Amnesty window

Purpose

Without an amnesty window, employees hide existing tools and your registry starts artificially low. The 60-day amnesty is the most important launch element.

Notes

  • 60 days is the minimum effective window
  • The 15-business-day review commitment is a manageable workload
  • Send the comms from the CEO or CTO; executive sponsorship lifts disclosure 30 to 50%

Template language

From [Start Date] to [End Date, 60 days later], all employees may self-report any tools currently in use for work without disciplinary risk. The only obligation during the amnesty window is to complete the Tool Registration Form. Tools self-reported during the window will receive a risk review within 15 business days, and no tool will be removed without a 30-day transition period and an approved alternative.

Section 04

Approved catalog and tiered procurement

Purpose

Slow procurement is the primary driver of shadow IT. The policy must commit to response times, not just describe a process.

Notes

  • The Tier 1 self-approval pathway is critical: it removes the friction that turns cheap, low-risk tools into shadow IT
  • Publishing the SLA and allowing escalation creates accountability
  • Run a fast-track AI review process monthly

Template language

IT maintains an Approved Software Catalog. Employees may request approval via the Software Request Form. Response time SLAs:

  • Tier 1 (no Company data, under $50/month): self-approved within 1 business day.
  • Tier 2 (Internal data, $50 to $500/month): decision within 3 business days.
  • Tier 3 (Confidential data or above $500/month): decision within 15 business days.

Requests pending beyond these timelines may be escalated to the IT Manager.

Section 05

Enforcement and consequences

Purpose

Effective enforcement is tiered by risk, not one-size-fits-all. Heavy-handed enforcement for low-risk tools erodes trust and pushes shadow IT underground.

Notes

  • Always pair enforcement actions with IT support to find alternatives
  • Avoid blanket "all unapproved tools are blocked" language; it is unenforceable
  • Document every enforcement action in the registry

Template language

Tools used for work that have not been approved or registered are subject to actions based on data risk:

  • Tools accessing Company Confidential data: data quarantine and migration to an approved alternative within 7 calendar days.
  • Tools accessing Company Internal data: 30-day remediation notice with IT support to find an alternative.
  • Tools accessing only Public data: registration request, no other action.

Repeat violations after written notice may result in disciplinary action under the Conduct Policy.

Section 06

AI tool provisions

Purpose

AI tools are the fastest-growing shadow IT category and carry unique risks: training-data ingestion, output reliability, and regulatory classification.

Notes

  • Training-data opt-out is non-negotiable
  • The personal-use carve-out keeps the policy enforceable
  • Update this section quarterly; the AI landscape moves fast

Template language

AI tools (LLM assistants, AI coding tools, image generation, AI-powered research) are subject to additional review regardless of cost tier. Any AI tool receiving Company data requires Tier 3 review with confirmation that: (1) the vendor offers a DPA confirming company data is not used for training, (2) data residency requirements are met, and (3) the tool is accessible under company SSO. Employees may use personal AI tools for personal tasks but must not input Company Confidential or Internal data into any AI tool not on the Approved Catalog.

Do

  • Write in plain English, not legal language
  • Include a 60-day amnesty window at launch
  • Commit to specific SLA response times for procurement
  • Tier enforcement by data risk, not by tool cost
  • Update the policy annually and after major AI releases
  • Cross-reference the Approved Catalog in the policy

Avoid

  • Block tools before providing approved alternatives
  • Make the policy longer than 2 pages
  • Apply uniform enforcement regardless of risk
  • Leave AI tools ungoverned in a generic software clause
  • Launch enforcement before the amnesty window closes
  • Skip executive and legal sign-off

FAQ

Common questions

01 How long should a shadow IT policy be?

Two pages is the upper limit for a usable, plain-English policy. Anything longer is read by Legal and ignored by everyone else. The six sections in this guide fit comfortably inside that limit. Move detail to subsidiary documents (the Approved Catalog, the data classification standard) rather than padding the policy itself.

02 Is a separate AI policy needed?

Most organizations do better with a dedicated AI provisions section inside the shadow IT policy than with a free-standing AI policy. The substantive obligations (training-data opt-out, SSO, no Confidential data on personal accounts) are the same; folding them into the shadow IT policy reduces redundancy and makes the AI section visible alongside the SaaS rules staff already follow.

03 What goes in the approved catalog?

Every approved SaaS or AI tool, with vendor name, primary purpose, data sensitivity tier, SSO status, the procurement contact, and the request form for additional seats. Pin links to internal user guides and any DPA or sub-processor list. Update the catalog quarterly; review against the registry to spot drift.