Why Shadow IT Might Be Your Strongest Control

Mar 17, 2026

Bill Bensing, Chief Technologist and co-founder of Attestify, explains how shadow IT often signals experimentation and innovation rather than just risk. He discusses why teams build unofficial solutions, how small experiments validate ideas quickly, and the Exploration‑Validation‑Operation model for moving work into formal operations. The conversation covers safe sandboxes, building innovation communities, and how auditors can support without stifling creativity.

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

ADVICE

Provide Sandboxes And Formal Pathways

Enable experimentation with both organizational pathways and low-friction environments (sandboxes, SharePoint, Git repos).
Bensing gave teams on-demand SharePoint sites and Dev environments so they could FUBAR and prototype, then feed requirements into ERP.

ADVICE

Create A Community Flywheel Around Successes

Celebrate wins and build flywheels by having teams present successes and share learnings regularly.
Bensing recommends presentations and community events so one hit out of ten can scale into broader organizational adoption.

ADVICE

Form A Guiding Coalition And Fund Learning

Build a guiding coalition and upskill interested staff with targeted training and funded learning (e.g., Pluralsight).
Bensing recruits willing practitioners, funds guided courses, and assigns a technical leader to coach them into validation.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

The Institute of Internal Auditors Presents: All Things Internal Audit Tech

In this episode, Daniel McCarville speaks with Bill Bensing about shadow IT and why it continues to emerge inside organizations. They explore how shadow IT often signals innovation rather than just risk, and how internal auditors can help organizations balance experimentation, governance, and operational control. The conversation also introduces a practical framework for understanding how ideas move from exploration to validation and ultimately into formal operations.

HOST:
- Daniel McCarville Associate Vice President of Internal Audit Arch Capital

GUEST:
- Bill Bensing Chief Technologist and Co-Founder Attestify

KEY POINTS:

Introduction [00:00:02-00:00:39]
What Is Shadow IT? [00:00:39-00:01:56]
Why Shadow IT Exists in Organizations [00:02:13-00:05:08]
Shadow IT as a Source of Innovation [00:05:33-00:08:03]
Why Small Internal Solutions Can Deliver Big Value [00:06:10-00:07:33]
The Role of Shadow IT in Validating Ideas [00:09:14-00:10:56]
Why Innovation Often Fails to Take Hold [00:12:41-00:14:00]
How Leaders Can Enable Innovation Safely [00:14:00-00:16:54]
Building Communities and Internal Flywheels of Innovation [00:17:00-00:18:55]
Developing Internal Innovation Teams [00:19:08-00:21:24]
Why Experimentation and Imperfection Are Necessary for Innovation [00:21:59-00:22:59]
How Auditors Should Rethink Shadow IT Risk [00:23:02-00:24:17]
The Exploration-Validation-Operation Model [00:24:17-00:28:07]
Internal Audit's Role Across the Innovation Lifecycle [00:28:07-00:31:11]
Addressing Shadow IT Risks Without Stifling Innovation [00:32:29-00:35:32]
Why Building Tools Strengthens Career Growth [00:37:11-00:39:04]
Learning Principles vs. Learning Tools [00:39:21-00:41:51]
How Auditors Can Encourage Innovation While Maintaining Controls [00:41:59-00:46:30]
Final Thoughts: Enabling Coordination Across the Three Lines [00:47:39-00:50:14]

Visit The IIA's website or YouTube channel for related topics and more.

IIA RELATED CONTENT: Interested in this topic? Visit the links below for more resources:

Follow All Things Internal Audit: