
The invisible parallel world of shadow IT and shadow AI in German industry


Forget IT bans: How "Managed AI" ends the hidden IT and AI chaos in companies

The invisible Excel economy: How shadow IT really controls German companies

From Excel macro to AI time bomb: The creeping loss of control in German SMEs

In almost every German industrial company, an invisible time bomb is ticking: shadow IT. Because official IT processes are often too rigid, too slow, or chronically underfunded, motivated specialists take matters into their own hands. They build complex Excel macros, construct their own databases, or secretly use generative AI tools like ChatGPT to manage their daily work. What at first glance appears to be a pragmatic solution, and often keeps the company running, in reality harbors massive risks. With the strict regulations of the new EU AI Act and the threat of GDPR fines amounting to millions, this uncontrolled proliferation becomes an existential threat. But strict IT bans are the wrong approach. Take a look behind the scenes of this clandestine digitalization and discover why the "rebels" from the specialist departments are actually your best innovation scouts – and how you can channel this valuable energy into a secure, regulated, and highly productive future through concepts like "Managed AI" and "Citizen Development".

When the smartest solutions emerge in secret, and the greatest risk is not the technology, but the silence surrounding it

In almost every industrial company, a parallel digital world exists that doesn't appear in any IT inventory, isn't recorded in any organizational chart, and yet keeps operations running. These are the self-built Excel macros in purchasing, the makeshift Access databases in quality assurance, and the hand-crafted Python scripts in logistics. They weren't developed, documented, or approved by the IT department. And yet, they often work better than the official systems. What at first glance appears to be a governance problem reveals, upon closer inspection, a fundamental weakness in how German companies organize their digitalization. This phenomenon is not a fringe issue. It's a structural feature of the German industrial landscape that has reached a completely new dimension with the rise of generative AI. The question is no longer whether companies need to address this, but how quickly they can react before the situation becomes uncontrollable.

The hidden Excel economy as a reflection of failed digitalization

Shadow IT in German companies is not a new phenomenon, but its impact is systematically underestimated. According to the analyst firm Gartner, over 40 percent of employees in companies already use technologies that are not managed by their IT departments. This figure is expected to rise to 75 percent by 2027. Behind these figures lies an ecosystem of self-built solutions whose complexity and prevalence are likely to surprise most IT managers.

This finding is as commonplace as it is sobering in industrial practice. In production control, Excel-based planning boards exist that were originally intended only as a temporary stopgap solution but have now been controlling the production planning of entire departments for years. In purchasing, self-written macros compare delivery times from various sources because the ERP system doesn't offer this function with the necessary granularity. In logistics, a custom-built tool tracks shipment numbers because the official interface to the freight forwarder was never properly implemented. In quality management, Access databases are used that map regulatory-relevant processes without the IT department being aware of it.

The reasons for this are multifaceted, but a pattern repeats itself: specialist departments are under time pressure, the IT department has neither the budget nor the capacity for seemingly minor requests, and the existing company systems are too rigid or too slow to adapt. In this gap between operational needs and institutional responsiveness, a parallel world emerges, created by the employees themselves, who experience the problem every day at their own desks.

German SMEs are particularly affected by this. In companies with 10 to 200 employees, IT departments are often lean, frequently consisting of just one part-time administrator or an external service provider primarily responsible for day-to-day operations. When official processes are too slow or suitable solutions are lacking, teams organize themselves. And shadow IT quietly grows alongside them.

The invisible engine of innovation in the hallway

What makes shadow IT so paradoxical is the fact that it is simultaneously a symptom of a problem and an expression of problem-solving skills. The employees who build these improvised tools are not rebels. They are highly motivated professionals who know their processes intimately and compensate for the shortcomings of official systems through their own initiative. They are not acting out of malice, but out of pragmatic motivation.

This observation has a strategic dimension that many companies overlook. Shadow IT reveals with surgical precision where the real automation potential lies. If a purchasing employee writes a macro that automatically compares order numbers, it's because this process is clearly too complex, error-prone, and time-consuming to do manually. If someone in production planning creates their own planning board in Excel, it's a clear signal that the official planning system doesn't meet operational requirements.

In industrial practice, the same areas repeatedly emerge where shadow IT arises: procurement and supplier comparison, production planning and work preparation, logistics and shipment tracking, quality management and documentation, as well as reporting and data preparation for management. All these areas have in common that they lie at the interface between daily operations and existing IT systems, where the gap between what is needed and what is available is greatest.

Companies like Bosch recognized this phenomenon and addressed it strategically. The technology group observed that individual business units, frustrated by long waiting times from central IT, were developing applications independently. IT regularly resorted to makeshift solutions, including massive Excel files full of macros without any maintenance structure. The answer wasn't prohibition, but rather the introduction of a low-code platform that gave business units autonomy while simultaneously ensuring central governance. In four years, this resulted in over 500 productive applications with more than 400 active developers and 24,000 end users.

The risk of lone knowledge holders

However productive these shadow IT solution builders may be, they create a systemic risk known in management literature as the bus factor. This term describes the number of people who could be absent before a critical process grinds to a halt. For many shadow IT solutions, this factor is one. A single person built the tool, a single person understands it, a single person can maintain it. If that person leaves the company, goes on vacation, or falls ill, half the department is left staring at a blank screen.

This risk is not hypothetical. The consequences are regularly evident in practice. A manufacturing company that supplied the pharmaceutical industry had built its entire quality management system using Excel and Access. The system functioned for years, was continuously developed, and adapted to regulatory requirements. When the responsible employee left the company, the system continued to be used, but during a computer migration, part of the Access database was corrupted, and data was lost. Further development was impossible because no one understood the system's structure. For a company subject to regulatory requirements, this is a potentially existential threat.

The lack of documentation, version control, and structured handover processes turns every shadow IT solution into a ticking time bomb. The uncontrolled proliferation of versions leads to inexplicable errors in monthly reports, missing signatures and changelogs create audit risks, and the reliance on individual paths and configurations makes every migration an adventure. All of this happens under the radar of official IT governance, which is often unaware of the existence of these systems.

The silent cost driver in the shadows

The financial impact of shadow IT is significant, even if it rarely appears as a separate line item on the balance sheet. Direct costs include duplicate licenses, inefficient processes, and data loss. Indirect costs arise from security incidents, which, according to IBM, average $4.45 million per data breach. GDPR fines can reach up to four percent of annual revenue, and the productivity losses from disparate, incompatible systems add up to substantial sums over time.

In Germany, data protection authorities have increasingly imposed hefty fines in recent years. Fines in the millions are no longer uncommon when personal data is processed without a sufficient legal basis or is inadequately protected. Shadow IT solutions, which store sensitive data in uncontrolled Excel files or private cloud storage, are particularly vulnerable to violations of the General Data Protection Regulation (GDPR).

Approximately 70 percent of organizations have experienced security incidents directly related to unauthorized technology. Shadow IT usage has increased by 59 percent since the widespread adoption of remote work, and 54 percent of IT teams describe their organizations as significantly more vulnerable to data breaches than before. Nearly half of all cyberattacks are now linked to shadow IT, with the average cost of remediating these breaches exceeding $4.2 million.

However, the costs don't only arise from security incidents. If IT departments lack an overview of the actual IT landscape, redundancies, incompatibilities, and a gradual decline in data quality occur. Every shadow IT solution that keeps data in its own silo undermines the company's ability to make informed decisions based on consistent information.

From Excel macros to shadow AI: The new dimension of loss of control

What was already a serious problem with traditional shadow IT solutions has reached a completely new level with the advent of generative AI tools. Shadow AI, meaning the unauthorized use of AI applications by employees without the knowledge or oversight of the IT department, is spreading at a speed that is alarming even experienced IT managers.

The data for Germany is clear. A representative Bitkom survey of 604 companies with 20 or more employees shows that in eight percent of companies, the private use of AI for professional purposes is already widespread, double the figure from the previous year. Seventeen percent have isolated cases, and another 17 percent suspect its use but cannot prove it. The proportion of companies that categorically rule out shadow AI fell from 37 to 29 percent. Software AG found in its study that over half of all knowledge workers in the US, UK, and Germany use AI tools not provided by their companies. Seventy-five percent are already using AI, and the study predicts this figure will rise to 90 percent.

The situation is particularly critical in the public sector. A survey commissioned by Microsoft and conducted by Civey revealed that at the federal level, almost half of all employees in politics and administration (45 percent) use AI tools that have not been reviewed and deemed secure by their own organization. At the municipal level, this figure is 36 percent, and at the state level, it is 19 percent.

The difference between traditional shadow IT and shadow AI lies in the nature of the risks. While an Excel spreadsheet exists locally on a computer, using external AI services means that company data flows into third-party systems. When a controller uses Excel Copilot for confidential forecasts, when marketing enters advertising copy containing confidential product information into ChatGPT, or when developers feed proprietary code into GitHub Copilot, sensitive company data leaves the controlled environment. The data can be used to train AI models and is potentially irretrievable. The amount of company data migrating to public AI services has increased by 485 percent within a year. Ninety percent of IT managers fear data privacy or security incidents due to this uncontrolled use.


From shadow to light: Transform risky tools into a competitive advantage

The regulatory minefield: EU AI Act and GDPR as a double burden

The regulatory framework further exacerbates the seriousness of shadow AI. With the EU AI Act, the European Union created its first binding legal framework for artificial intelligence, which has been in force since August 2024. Since February 2025, certain AI practices have been prohibited, including biometric categorization based on sensitive characteristics and emotion recognition in the workplace. From August 2026, most rules for high-risk AI systems will become mandatory, including comprehensive requirements for risk management, transparency, and human oversight.

This presents companies with a twofold challenge. On the one hand, they must comply with the GDPR requirements when handling personal data, which are regularly violated when AI tools are used without proper oversight. On the other hand, they must ensure that all AI systems used within the company comply with the AI Act. If employees use AI tools whose existence the IT department isn't even aware of, compliant use is, by definition, impossible.

The mandatory requirement for AI competence within companies, which has been in effect since February 2025, further exacerbates the situation. Companies must demonstrate that employees using AI are appropriately trained. This training is naturally lacking in the case of shadow AI. The EU AI Act also requires an AI inventory of all systems used within the company. Shadow AI renders this inventory a farce.

At the same time, only 23 percent of German companies have established rules for the use of AI tools, although this figure represents a significant increase from 15 percent last year. A further 31 percent are planning to do so. However, 16 percent intend to continue refraining from using them, and 24 percent have not yet addressed the issue. In a world where regulatory requirements are growing exponentially, this passivity is a dangerous game.

The skills gap as a catalyst for the shadow economy

The reasons for the proliferation of shadow IT and shadow AI are not solely due to the inertia of IT departments. They are deeply rooted in the structural deficiencies of Germany's digitalization. An AI study from 2025 paints a sobering picture: 68 percent of the surveyed medium-sized companies lack a well-developed AI strategy. 82 percent report a massive skills gap in AI, while only 21 percent have a structured AI training program. 76 percent struggle with insufficient data quality and data silos between systems, and 83 percent lack a comprehensive data strategy.

McKinsey confirms these findings on a broader scale. Only 28 percent of respondents in Germany report using AI regularly, compared to 76 percent in the US. 33 percent of employees lack the necessary skills for their current role, and 44 percent of employees did not dedicate a single day to training or professional development in the past year. The demand for AI skills has increased sevenfold in two years and is now considered the fastest-growing skill.

This skills gap creates a vicious cycle. Because official structures are too slow, employees help themselves. Because they help themselves, there is insufficient pressure on the organization to provide official solutions. Because no official solutions are developed, shadow IT continues to grow. The KfW study on digitalization in SMEs shows that while 35 percent of companies have implemented digitalization projects within three years—an increase of one-third—this progress is extremely unevenly distributed. Knowledge-based service providers, internationally operating companies, and R&D drivers are investing heavily, while small and regionally operating businesses are falling behind. The digitalization gap is widening, and it is precisely in this gap that shadow IT thrives.

Digital dependency as a fundamental structural problem

The problem of shadow IT and shadow AI is embedded in a broader context of digital dependency that affects the entire German economy. According to a Bitkom study, 89 percent of companies that import digital goods or services are dependent on them, with 51 percent being highly dependent. Ninety-five percent state that they would only be able to survive for a short time if imports of digital services or technologies were to be halted. More than 80 percent of companies feel dependent on non-European providers in at least one technology area, particularly in software, hardware, infrastructure, and generative AI.

This dependency affects the shadow IT problem on two levels. First, employees predominantly use US-based services like ChatGPT, Google Gemini, or Microsoft Copilot for their uncontrolled use of AI, which increases data flows to non-European jurisdictions. Second, European alternatives are lacking that would allow companies to provide their employees with data protection-compliant AI tools. Companies rated the German government's measures to increase digital sovereignty with a grade of 5.1 (on a scale where 1 is the best and 6 is the worst). 55 percent expect this dependency to increase further over the next five years.

For industrial companies, this means that the decision between shadow AI and managed AI is also a question of technological sovereignty. Those who do not provide their employees with controlled AI tools risk confidential company and customer data falling into the hands of providers whose data protection practices and geopolitical ties are increasingly being scrutinized.

Managed AI as a strategic response to the anarchy in the shadows

Regain control without stifling your teams' creativity

The solution to the problem of shadow IT and shadow AI does not lie in prohibitions. Any attempt to prevent the use of unauthorized tools through prohibition is doomed to failure because it does not address the root cause. Employees do not use these tools out of spite, but because they are solving real problems. The key lies in a concept increasingly discussed under the term Managed AI, which is based on the idea of channeling the innovative energy of the workforce instead of suppressing it.

Managed AI represents a systematic approach where AI solutions are not implemented as monolithic, large-scale projects, but rather provided as modular, controlled tools that can be deployed directly at the point of use. The crucial difference to shadow AI lies in governance: The solutions are approved, documented, GDPR-compliant, and integrated into the existing IT architecture, without sacrificing the agility and proximity to the problem that make shadow solutions so effective.

This approach offers several advantages simultaneously. First, problem-solving expertise remains where it belongs: with the departments that best understand the needs. Instead of requirements wandering through endless meeting cascades and ticketing systems until they eventually land with an external developer who has never seen the actual process, solutions are developed directly at the workplace. Second, security and compliance risks are systematically addressed because all tools are centrally managed and monitored. Third, knowledge about the solutions is documented and institutionalized, increasing the bus factor from one to a more robust foundation.

Companies investing in automation and managed AI see an average reduction in operating costs of 22 percent. The return on investment for robotic process automation can reach 30 to 200 percent in the first year alone. Companies that systematically optimize their data quality report a 34.8 percent improvement in forecast accuracy and 41.2 percent faster early detection of financial anomalies.

Citizen Developer: The Formalization of the Informal Genius

The concept of Citizen Developers complements the Managed AI approach at the personnel level. Citizen Developers are not trained software developers, but rather specialists from various business areas who create their own digital solutions using user-friendly low-code and no-code platforms. They are essentially the formalized successors of shadow IT tinkerers, except that their work now takes place on approved platforms, is documented, and is integrated into the company's IT governance.

The market for low-code and no-code platforms reflects the dynamics of this development. From $21.8 billion in 2022, it is projected to grow to an estimated $187 billion by 2030. Gartner predicts that by 2026, at least 80 percent of low-code users will come from business departments, i.e., from outside the traditional IT organization. Already today, over 70 percent of companies use low-code or no-code technologies for developing new applications.

The key advantage of this model lies in the democratization of software development while maintaining governance. Business departments gain the autonomy to respond quickly to operational requirements, while the IT department controls the platform, security policies, and data integration. Companies can achieve significant benefits: Development costs decrease by up to 60 percent, and time-to-market is reduced by 50 to 90 percent.

The citizen developer approach also addresses the IT skills shortage, which is hitting many medium-sized companies particularly hard. Instead of searching for software developers in the already depleted job market, companies empower their existing specialists to design the digital tools themselves. The learning curve is drastically reduced, and the results are often closer to actual needs than externally developed solutions.

The economic calculation: What doing nothing really costs

The costs of inaction can now be quantified quite precisely. On the one hand, there are the direct losses from shadow IT: security incidents that cost an average of $4.45 million per breach, compliance fines that can reach up to four percent of annual revenue, and productivity losses due to fragmented data landscapes. On the other hand, there are the opportunity costs: companies that systematically use AI achieve productivity gains of 18 to 35 percent. Leading companies exhibit 2.4 times greater productivity than laggards.

The economic benefits of managed AI are already documented in industrial practice. Companies report 5.7 percent better resource allocation and 8.3 percent cost reductions through systematic data optimization. Predictive maintenance based on integrated AI systems drastically reduces unplanned downtime, and AI-supported quality control using computer vision guarantees consistent quality across all shifts and production runs. In the supply chain, AI enables more precise demand forecasts, taking into account seasonal fluctuations, market trends, and external factors that are unattainable with traditional methods.

In contrast, WirtschaftsWoche reports that many German SMEs spent significantly less on AI applications in 2025 than in the previous year. The level of digitalization in the German economy remains at 2.8, and 43 percent of SMEs still lack a concrete AI strategy. This is not a plateau; it is a risky standstill in an accelerating world.

The five-point plan: From shadow to light

Companies that want to transition from uncontrolled shadow IT to a managed AI ecosystem need a structured yet pragmatic approach. Five key areas of action emerge as crucial.

The first step is taking stock. Before a company can address its shadow IT, it needs to know what exists. This means an honest, non-punitive inventory of all unofficial tools, macros, databases, and AI applications. This step requires a corporate culture where disclosing these solutions is not punished, but rather valued as a valuable indicator of optimization potential.

The second area of action concerns the provision of official AI tools. Only 26 percent of German companies currently provide their employees with access to generative AI. This figure drops to 23 percent for smaller companies with 20 to 99 employees, to 36 percent for medium-sized companies, and to 43 percent for larger companies. Providing GDPR-compliant AI tools is the most effective lever against shadow AI because it addresses the root cause, not just the symptom.

The third area of action involves the introduction of governance structures. Clear rules for the use of AI, guidelines for handling company data in AI systems, and defined responsibilities create the framework within which innovation can flourish without jeopardizing the company. The fact that the percentage of companies with AI rules has risen from 15 to 23 percent shows that a shift in thinking has begun, but the pace is far from sufficient.

The fourth area of action is skills development. 82 percent of SMEs report a skills gap in AI. This gap won't close on its own. Structured training programs, the establishment of AI champions within specialist departments, and the empowerment of citizen developers are not optional extras, but vital investments in the company's future viability.

Finally, the fifth area of action concerns integration and scaling. Successful shadow IT solutions should not simply be shut down, but rather treated as prototypes for official applications. They demonstrate where the need lies and what a solution could look like. Managed AI platforms make it possible to transform these prototypes into controlled, scalable, and maintainable systems without removing problem-solving from the people who understand the problem best.
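The first area of action, taking stock, and the earlier point that shadow AI sends company data to external services are the two places where an IT team actually has to produce something concrete. The following script is an added example written for this article; it is not Xpert.Digital's code and the article describes no tooling of its own. It inventories self-built artifacts (macro-enabled Office files and Access databases) on a file share, recording the file owner as the likely lone knowledge holder, and it summarizes per user how many requests and how many uploaded bytes went to public generative-AI services as seen by a web proxy. Services the company provides officially are passed in as `sanctioned` and skipped, which is the Managed AI tie-in. The log line format, the hostnames, the file suffixes and all sample data are constructed assumptions; a real deployment would take the hostnames from the proxy's own category list.

```python
"""Shadow IT / shadow AI inventory helper (added example, not the article's code)."""
import os
import tempfile
from collections import defaultdict
from dataclasses import dataclass
from pathlib import Path

# Assumption: these suffixes mark self-built logic (macro-enabled Office files, Access databases).
SHADOW_IT_SUFFIXES = {".xlsm", ".xlam", ".docm", ".accdb", ".mdb"}

# Assumption: hostnames a proxy would see for the public AI services the article names.
AI_SERVICE_DOMAINS = {
    "chat.openai.com": "ChatGPT",
    "api.openai.com": "ChatGPT",
    "gemini.google.com": "Google Gemini",
    "copilot.microsoft.com": "Microsoft Copilot",
    "api.githubcopilot.com": "GitHub Copilot",
}


@dataclass(frozen=True)
class ShadowArtifact:
    path: str
    owner: str        # usually the only person who understands the file: the "bus factor" of one
    size_bytes: int


def _owner(path: Path) -> str:
    try:
        return path.owner()           # POSIX only; Windows raises NotImplementedError
    except (NotImplementedError, KeyError, OSError):
        return "unknown"


def inventory_files(root: str) -> list[ShadowArtifact]:
    """Walk a share and list every macro-enabled Office file or Access database."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in SHADOW_IT_SUFFIXES:
                found.append(ShadowArtifact(str(p.relative_to(root)), _owner(p), p.stat().st_size))
    return sorted(found, key=lambda a: a.path)


def parse_proxy_line(line: str):
    """Constructed format: '<ts> <user> <src_ip> <method> <host> <path> <status> <req_bytes>'."""
    parts = line.split()
    if len(parts) != 8:
        return None                   # malformed lines are skipped, not guessed at
    ts, user, _src, method, host, _path, _status, req_bytes = parts
    return {"ts": ts, "user": user, "method": method, "host": host.lower(),
            "req_bytes": int(req_bytes)}


def shadow_ai_usage(lines, sanctioned=frozenset()):
    """Per user: request count and uploaded bytes for each unsanctioned AI service."""
    usage = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "bytes_out": 0}))
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        service = AI_SERVICE_DOMAINS.get(rec["host"])
        if service is None or service in sanctioned:
            continue
        entry = usage[rec["user"]][service]
        entry["requests"] += 1
        if rec["method"] == "POST":   # only uploads carry company data outward
            entry["bytes_out"] += rec["req_bytes"]
    return {user: dict(services) for user, services in usage.items()}


def build_report(artifacts, usage) -> str:
    out = ["== Self-built artifacts on share =="]
    out += [f"{a.path}  owner={a.owner}  {a.size_bytes} B" for a in artifacts]
    out.append("== Unsanctioned AI usage (from proxy) ==")
    for user, services in sorted(usage.items()):
        for svc, st in sorted(services.items()):
            out.append(f"{user}: {svc} {st['requests']} req, {st['bytes_out']} B uploaded")
    return "\n".join(out)


# Constructed sample proxy lines; users, addresses and sizes are invented.
SAMPLE_PROXY_LOG = [
    "2025-03-04T09:12:01Z jdoe 10.1.2.3 POST chat.openai.com /backend-api/conversation 200 18432",
    "2025-03-04T09:12:05Z jdoe 10.1.2.3 GET chat.openai.com /backend-api/conversation 200 512",
    "2025-03-04T09:15:40Z mmueller 10.1.2.7 GET intranet.example.internal /wiki/ 200 2048",
    "2025-03-04T09:20:13Z mmueller 10.1.2.7 POST api.githubcopilot.com /v1/completions 200 65536",
    "2025-03-04T09:31:09Z skoch 10.1.2.9 POST gemini.google.com /app 200 4096",
    "2025-03-04T09:31:10Z skoch 10.1.2.9 POST gemini.google.com /app 200 4096",
    "2025-03-04T09:40:00Z skoch 10.1.2.9 POST copilot.microsoft.com /c/api 200 1024",
    "garbled line",
]


def demo():
    """Build a throw-away share with sample files, run both scans, return the results."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "purchasing").mkdir()
        (Path(root) / "qa").mkdir()
        (Path(root) / "purchasing" / "delivery_compare.xlsm").write_bytes(b"\0" * 128)
        (Path(root) / "qa" / "audit_trail.accdb").write_bytes(b"\0" * 256)
        (Path(root) / "qa" / "notes.txt").write_text("not an artifact")
        artifacts = inventory_files(root)
    usage = shadow_ai_usage(SAMPLE_PROXY_LOG, sanctioned={"Microsoft Copilot"})
    return artifacts, usage


if __name__ == "__main__":
    found_artifacts, ai_usage = demo()
    print(build_report(found_artifacts, ai_usage))
```

The report is deliberately non-punitive in what it records: a path, an owner and a byte count are enough to start the conversation the article asks for (who maintains this, what data goes where) and to decide which prototypes deserve to become official applications.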

The future belongs to controlled autonomy

The history of shadow IT in German industrial companies is ultimately the story of a conflict between two legitimate needs: the organization's need for control, security, and compliance on the one hand, and the employees' need for effective, readily available tools on the other. For decades, this conflict was decided in favor of control, and employees silently resisted with their shadow solutions. The result is a situation where both sides lose: IT has no real control because it doesn't know what exists in the shadows, and employees work with fragile, undocumented tools that can break down at any time.

Managed AI and citizen development offer a way out of this dilemma because they resolve the conflict not through a victory for one side, but through a synthesis that addresses both needs simultaneously. Business departments gain the autonomy they need to solve operational problems quickly and effectively. IT retains the governance it needs to ensure security, compliance, and system integrity. And the company as a whole benefits because the innovative energy of its workforce is no longer wasted but channeled in a controlled manner.

The shadow IT tinkerers in business departments aren't the cause of problems. They are the most valuable innovation scouts a company can have. With every self-written macro and every secretly used AI, they show precisely where the next wave of automation and digitalization needs to begin. Companies that recognize this and channel this energy into structured processes will win the competition in the coming years. The others will continue to wonder why their expensive official systems are so underutilized while the real work is happening in the shadows.


Consulting - Planning - Implementation

Konrad Wolfenstein

I would be happy to serve as your personal advisor.

You can contact me at wolfensteinxpert.digital or

Just call me on +49 7348 4088 965.
