
September 22, 2025 8 mins

Shadow IT is no longer limited to unsanctioned apps. Increasingly, it includes unmonitored automation, where PowerShell scripts run outside any governance framework.

Recent research shows that more than 40 percent of employees already use technology beyond the reach of IT, and that number is expected to climb to three-quarters of the workforce by 2027. For those of us managing Microsoft environments, this is not a distant forecast but a clear signal that hidden automation is becoming the norm.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Shadow IT is no longer limited to unsanctioned apps.

(00:03):
Increasingly, it includes unmonitored automation, where PowerShell scripts run outside any governance framework.
Recent research shows that more than 40 percent of employees already use technology beyond the reach of IT,
and that number is expected to climb to three-quarters of the workforce by 2027.
For those of us managing Microsoft environments, this is not a distant forecast but a clear signal that hidden automation is becoming the norm.

(00:31):
PowerShell has become the backbone of how we manage Active Directory, Exchange, and Microsoft 365.
Yet when scripts are written and executed without oversight,
they turn into what we call Shadow PowerShell.
These untracked processes undermine audit readiness,
weaken security controls, and expose us to compliance findings.

(00:53):
The question is not whether Shadow PowerShell exists in our environment because it almost certainly does.
The real question is how we bring it under governance before auditors or attackers expose the gaps.
Why Shadow PowerShell Is Our Responsibility.
Shadow PowerShell often begins with good intentions.
Someone writes a quick script to solve a problem, it works,

(01:14):
and soon it is copied and reused in different teams.
Without central policies, these scripts multiply and become invisible automation.
They run without logging, without approvals, and often with privileges that were never reviewed.
This represents a governance issue that directly impacts compliance rather than simply being a technical nuisance.

(01:35):
Every unmonitored script represents a control gap that auditors can flag under frameworks such as SOX or NIST 800-53.
These gaps also erode the visibility we need to enforce enterprise security policies effectively.
The risk extends beyond theoretical concerns.
In May 2025, the Cybersecurity and Infrastructure Security Agency confirmed that attackers had targeted a widely used cloud backup application,

(02:03):
exploiting weaknesses in how permissions and automation were managed.
Although this case did not involve PowerShell, the lesson applies directly to our environments.
PowerShell automation without centralized oversight creates blind spots,
and blind spots become opportunities for exploitation.
Shadow PowerShell falls into the same category and leaves us exposed to both regulatory penalties and operational disruption.

(02:28):
Where the Compliance Gaps Appear.
Microsoft environments are fertile ground for Shadow PowerShell.
Scripts often run locally with no audit logs, leaving no trace for compliance reviews.
Teams apply different execution standards across regions,
which breaks consistency across the enterprise.
Privileged accounts are used ad hoc, creating a sprawl of permissions with no clear link to policy.

(02:53):
In some cases, credentials are even hard-coded inside scripts.
Under SOX or NIST, these practices constitute violations rather than just weak implementations.
NIST SP 800-53 AU-2, for example, requires event logging that can reconstruct user actions.

(03:13):
If scripts run without a central record, compliance is broken by definition.
These blind spots represent liabilities we are directly accountable for,
extending well beyond operational issues.
Assessing the Risks in Our Environment.
To address Shadow PowerShell, we first need to see it clearly.
That starts with an inventory of the scripts running across Active Directory,

(03:36):
Exchange, and Microsoft 365.
We then need to review which of these scripts are executed with elevated privileges and how credentials are handled.
Any instance where passwords are stored inside a script is a clear red flag.
The final step involves mapping these findings against standards such as NIST or ISO 27001 to understand the compliance exposure.

(04:00):
In practice, we often find duplicate scripts across regions.
Tasks get executed with unrestricted rights.
Automation triggers without any approval process.
These represent signs that governance has broken down rather than just technical flaws.
Embedding PowerShell into the Security Strategy.
Disabling PowerShell is neither practical nor recommended.

(04:22):
Agencies like CISA and NSA emphasize that PowerShell should be monitored, not banned.
If we remove it, we lose visibility and weaken our ability to detect threats.
The better approach involves embedding PowerShell into our enterprise security strategy.
That means integrating automation with identity and access management so privileges are enforced consistently.

(04:44):
It means sending execution logs to SIEM platforms where they can be correlated with other events.
And it means linking approvals to IT service management systems so scripts cannot run outside defined processes.
When we take this approach, PowerShell shifts from being a compliance risk to being a controlled and auditable asset.
Governance Standards for Shadow PowerShell Control.

(05:07):
Governance becomes defensible when mapped to recognized frameworks.
The NIST Cybersecurity Framework highlights the need to control, detect, and respond to automation.
ISO 27001 requires us to apply risk assessments and consistent controls across operations.
SOX demands that financial systems are protected by evidence of control.

(05:30):
Microsoft's own security baselines emphasize constrained execution,
standardized policies, and Just Enough Administration.
By aligning our PowerShell governance with these frameworks,
we can demonstrate that policies are actively enforced and monitored rather than just written down.
Compliance then becomes part of daily operations rather than a last-minute scramble during audits.

(05:53):
Core Components of Shadow PowerShell Governance.
Moving from Shadow PowerShell to governed automation requires structure.
Delegation must be policy-driven so that only approved individuals can execute defined scripts.
Logging has to be centralized so every action is traceable.
Approval workflows should be connected to ITSM systems,

(06:14):
and credentials need to be removed from scripts and stored securely in vaults.
Script libraries should be built and maintained so that teams can reuse and update automation rather than duplicating it.

(06:26):
Operational Impact: Shadow PowerShell vs. Governed Automation.
The contrast between Shadow PowerShell and governed automation is sharp.
Organizations that allow unmonitored scripts to spread face repeated audit findings,
uncontrolled permissions, duplicated work, and little visibility.
Those that embed PowerShell into governance frameworks can demonstrate compliance,

(06:50):
enforce role-based access, and build automation that scales consistently across the enterprise.
For us in IT management, the impact goes beyond avoiding fines.
Creating the conditions for IT to support strategic initiatives rather than being seen as a source of risk becomes possible.
By eliminating Shadow PowerShell, we free our teams from firefighting and position IT as an enabler of business transformation.

(07:17):
Strategic Imperative: Governing Shadow IT for Future Growth.
Shadow PowerShell exists in most Microsoft environments today.
As automation demand grows and Shadow IT spreads to three-quarters of the workforce by 2027,
these risks will only increase.
The technical reality requires immediate action rather than delayed responses.

(07:39):
Implementing centralized PowerShell governance, establishing secure delegation frameworks,
and ensuring compliance-ready audit logging creates the foundation for scalable automation.
These technical implementations directly support strategic business objectives while maintaining security posture.
By embedding PowerShell into our security strategy and aligning with frameworks such as NIST and SOX,

(08:03):
we transform Shadow PowerShell from a liability into a managed enterprise asset that drives operational efficiency.
Shadow PowerShell remains a hidden compliance risk.
Without centralized monitoring and reporting, automation continues to run blind.
Rhenus Logistics, a €7.5 billion global provider operating across Europe,

(08:25):
Asia, and North America, faced this challenge when managing automation across their complex multi-domain infrastructure.
Their monitoring and governance framework with ScriptRunner delivered the visibility and compliance readiness needed to manage PowerShell automation at enterprise scale,
consolidating more than 400 scripts into policy-controlled workflows and providing SOX- and NIST-aligned audit trails.