End-User Computing (EUC) encompasses every device, application, and data environment that employees directly interact with to perform their work — managed desktops, laptops, mobile devices, web browsers, productivity suites, and locally installed software. Shadow IT is the subset of EUC that operates outside IT's knowledge, approval, or control: unauthorized SaaS applications, personal cloud storage used for work data, unapproved communication tools, and departmental software purchased without IT involvement. Together, EUC and shadow IT constitute the unmanaged or under-managed frontier of an organization's IT estate. IS operations is responsible for maintaining visibility, control, and policy compliance across the entire EUC landscape — including the shadow portions employees do not report. EUC is not limited to desktops; it includes any user-facing technology. Shadow IT is not inherently malicious — most shadow IT is adopted for legitimate productivity reasons — but it creates risk through absent governance, auditability, and security controls.
Where it stops · what it isn't
- EUC includes: managed endpoints (Windows/macOS desktops, laptops, corporate mobile devices), user-installed applications, BYOD devices used for work, and personal cloud storage (Dropbox, Google Drive, OneDrive) accessed for business purposes.
- Shadow IT includes: SaaS tools subscribed to by departments without IT approval (e.g., Slack, Trello, analytics platforms), no-code/low-code platforms, AI tools (ChatGPT, Copilot) used to process work data, and unauthorized third-party integrations connected via OAuth.
- EUC does NOT include server infrastructure, network equipment, or core back-end systems managed exclusively by IT operations — those fall under infrastructure management competencies.
- Shadow IT does NOT include IT-sanctioned pilot programs, even if not yet formally approved — the defining characteristic is the absence of IT awareness and governance.
- This competency does NOT cover OT (operational technology) security, although OT/IT convergence creates adjacent shadow IT risks in manufacturing environments.
- BYOD sits at the intersection of EUC and shadow IT: a personal device used for work may be within policy (EUC) or outside it (shadow IT) depending on whether MDM controls are applied.
Connected concepts in the graph
- PART OF: Information Systems Operations and Business Resilience (CISA Domain 4)
- REQUIRES: IT Asset Management / CMDB (inventory of authorized endpoints and applications); Acceptable Use Policy (AUP) framework
- RELATED TO: IT Change and Configuration Management (patch and update cycles for endpoints); Operational Log Management (audit trails for endpoint and application activity); Problem and Incident Management (breach response when shadow IT is compromised)
- ENABLES: Data Loss Prevention (DLP) enforcement on endpoints; Zero-Trust Architecture implementation
- CONSTRAINS: Business Resilience (unmanaged endpoints are single points of failure in continuity scenarios)