Shadow IT comprises information technology systems, such as devices, software, services, and applications employees are using without the explicit approval of the company’s IT department. It’s not being actively managed and monitored by the company’s security team, meaning shadow IT can introduce serious security vulnerabilities. Vulnerability scanners only scan what is known — the sources the company feeds the system for scanning — so they overlook shadow IT because the company isn’t aware it exists. On the other hand, attack surface management solutions identify shadow IT through comprehensive digital supply chain discovery.