Minimize the Risk of Shadow RPA

Anyone who’s worked in a mid-sized to large business knows the traditional ways of the IT department. IT was strict—you couldn’t do anything on your work computer without permission. You couldn’t download software, use USB sticks to move data to another device, deploy third-party storage products for backup, or anything else for that matter.  

Some companies are still like this—for security and governance reasons, of course. But about 15 years ago, many users began bringing in their own hardware and software and subscribing to their favorite cloud-based apps. Shadow IT was born. Not incidentally, that was when the software-as-a-service, or SaaS, market began to take off.

Today, with the skyrocketing market for low-code/no-code (NCLC) tools, shadow IT is again a hot topic. As Robotic Process Automation (RPA) and intelligent automation have shifted toward NCLC to meet the demands of line-of-business citizen developers, the potential for these automation technologies to go from being IT-managed to shadow RPA has grown as well.

What’s the answer? Wrangle RPA deployments hiding within business units into a partnership. Create a collaborative, federated model for deploying RPA that takes what’s good about shadow IT—which is real—and applies it to your overall business strategy by combining central authority with business unit-led innovation.

How has shadow IT grown and flourished?

Shadow IT is created when business functions or departments bring in technology outside the knowledge or control of IT. There are five reasons why shadow IT has taken off:

1. Meeting the needs of business units and users. Employees want—and need—the tools that allow them to do their jobs efficiently and effectively. If they don’t have the software, hardware, and services that meet those needs through their company, they find their own solutions.

2. Users prefer their own consumer-like software, services, and hardware. Their smartphones, tablets, computers, and brands are set up the way they like. This is their way of being more productive and efficient at their jobs.

3. Technology became markedly easier to use. The technology is now accessible, and users have become completely comfortable with downloading and installing cloud-based apps and services in their private lives. So, it’s only natural this activity spills over into the working world, where they seek to make their day-to-day role easier and more efficient.

4. New vendor sales techniques. More recently, another trend has emerged. Tech vendors used to spend long days in boardrooms trying to convince CIOs and other tech decision-makers to buy their products. Today, vendors are increasingly targeting department heads, line-of-business leaders, and even users to get a lower-level entry point into the organization, encouraging shadow IT.

5. Tech budgets are being distributed through business units. At the same time, although CIOs may have historically kept a tight hold on the IT purse strings, new tech leaders want to dole out investment for specific pilot projects—or even reallocate those dollars to the business units to decide how to spend. The 2020 State of Tech Spend reported that 26% of IT budgets were controlled by business units—a percentage that increased 28% for enterprises with more than 10,000 employees.

Potential problems caused by shadow RPA

Shadow IT—or, specifically, shadow RPA—isn’t all bad. It enables business units to capture productivity and efficiency gains quickly and decisively—without waiting for the official nod from IT. Indeed, one of the benefits of RPA touted by eager sales reps is that it can easily be done without involving IT. Automation Anywhere has many success stories that could be characterized as shadow RPA efforts.

But if IT teams aren’t aware of RPA software projects within the various lines of business, problems can occur. Here are the three areas of RPA deployment within business units that should see a partnership between IT and the respective teams.

Managing enterprise security risks 

To enable employees to automate their work, IT and the business unit should partner to ensure there are appropriate role-based access oversight tools built into the RPA platform. IT should work with the lines of business to educate them on security risks and the requirements any RPA tool would need to meet. Establishing governance frameworks will help IT and employees who want to automate to move faster without putting the organization at considerable risk by increasing its vulnerability to attack.

Enterprise system interoperability

Since IT has oversight of a company’s core business applications, collaboration with business units is essential to understand what the units will automate and to ensure compatibility with IT systems and plans. If IT is planning a systems overhaul or has planned patches and application updates, business-led automations may break if those changes are not communicated and coordinated.

Effective RPA scaling

If islands of RPA pop up in different parts of your organization, it will be difficult to grow to an enterprise-wide RPA initiative. Different business units may have chosen different RPA solutions. Sooner or later, it will be important to standardize, which may result in wasted resources for those business units that invested in a different vendor’s solution. 

How to reap the benefits and eliminate the pitfalls of shadow RPA

The shadow RPA challenge is to balance agility and innovation against the risks. Traditionally, IT would discourage shadow RPA—blocking access to unapproved software or vendors, locking down admin privileges, shutting USB ports, and other rigid practices. But that would limit innovation.

A much better approach is to establish an RPA Center of Excellence (CoE) that includes IT and the business units and delivers the governance, education and training, vendor selection, and IT operations guidelines that are required to scale RPA success. 


Governance

The top priority is to establish governance for RPA initiatives, no matter where they are being deployed in your business. That can lead to a thorough enterprise-wide understanding regarding processes, protocols, and decision-making around security and compliance of data and system access and use. It’s also important to create new or update existing procedures to define ownership, responsibility, and accountability for cybersecurity as well as regulatory mandates.


Education and training

Without the support of your employees in distributed business units, reining in shadow RPA would not be possible. You must educate your workers about how critical enterprise security is and how shadow operations can increase security risks. You must also train them to accept that security is their responsibility, as well as IT’s, and to follow defined processes.

Vendor selection and standardization

Speaking of employee buy-in, you should consider business unit input into the purchasing decision of RPA and related tools and then monitor and enforce those standards across the enterprise. This is an essential step to avoiding problems with shadow RPA.

IT operations

Eventually, after initial pilots or proof of concept, IT operations will need to be involved in managing the installation and acceptance of new software applications and tools. IT will also provide the infrastructure resources required to host the software and establish acceptance criteria for production release.

Collaboration is key

Working together with solutions from multiple sources, with open communication, visibility, and training, IT and users can make RPA initiatives successful and minimize risk.


About Saba Mirza


Saba Mirza is the head of product marketing for the Automation Anywhere Enterprise platform, including Enterprise A2019 cloud-native RPA platform, analytics, and security.
