Information technology systems, either hardware or software, introduced into an enterprise by employees and other users. Shadow IT is not usually malicious in intent, but is instead introduced for the convenience or productivity of the users who put it there. It can become a threat because of the ways in which it escapes proper management and expands an enterprise's attack surface.