Automation

The Hidden Risk Of Shadow Automation: Scripts, Macros, And One-Off Fixes No One Owns

Somewhere in your business right now, there is a script running that nobody remembers building. Maybe it is an Excel macro that reformats carrier commission statements every month. Maybe it is a Zapier workflow that moves leads from your website to your CRM. Maybe it is a Pyth...

The Lobbi Delivery Team
May 31, 202614 min read

The Lobbi Delivery Team

Operational Systems Engineering

Somewhere in your business right now, there is a script running that nobody remembers building. Maybe it is an Excel macro that reformats carrier commission statements every month. Maybe it is a Zapier workflow that moves leads from your website to your CRM. Maybe it is a Python script on someone's desktop that reconciles two reports every Friday morning.

It works. It has worked for months. Maybe years. And nobody knows exactly what it does, how it does it, or what happens when it breaks.

This is shadow automation. And it is one of the most underestimated risks in modern business.

I am not talking about large-scale IT projects that went off the rails. I am talking about the small, helpful, well-intentioned automations that individual employees or small teams build to solve their own problems. They are invisible to leadership. They are invisible to IT. They are invisible to compliance. And they are load-bearing.

How Shadow Automation Grows

Shadow automation does not start as a problem. It starts as a solution.

Someone on your team gets tired of copying data between two spreadsheets every week. So they record an Excel macro. It saves them two hours. They tell a colleague. The colleague asks them to add a step. The macro grows. Now it processes data for the whole department.

Or someone discovers that your CRM and your email platform do not talk to each other. So they set up a Zapier workflow. It syncs contacts automatically. It works great. Six months later, 400 contacts a month flow through a workflow that nobody documented, nobody monitors, and nobody knows the credentials for.

Or a tech-savvy operations manager writes a PowerShell script to pull data from a carrier portal, reformat it, and load it into the agency management system. It runs on their laptop every morning before anyone else gets to the office. The whole team depends on that data being there when they start their day.

Gartner predicts that by 2027, 75% of employees will acquire, modify, or create technology outside IT's visibility [1]. That is not a future scenario. That is what is already happening. The 75% threshold is just when it becomes impossible to ignore.

McKinsey's 2024 State of AI report shows that AI tool adoption is accelerating across all levels of organizations [2]. This is not just data scientists building models. It is operations staff using ChatGPT to write formulas, marketing teams building no-code workflows, and finance people creating automated reports. Each of these is potentially a new shadow automation.

Why Shadow Automation Is Dangerous

Let me be direct. I am not against people solving their own problems. Initiative is good. Resourcefulness is good. The danger is not that these automations exist. The danger is that they are invisible, unowned, and ungoverned.

Single Points Of Failure

The Fed's 2024 Small Business Credit Survey found that 73% of small firms experienced financial challenges in the prior year [3]. Many small and mid-sized businesses are running lean. They do not have redundancy in their operations. When a shadow automation fails, there is no backup.

I worked with a financial advisory firm where a single employee had built an elaborate system of Excel macros that generated quarterly performance reports for clients. The macros pulled data from three different sources, performed calculations, formatted the output, and saved individual PDFs. It was genuinely impressive engineering for a spreadsheet.

Then that employee left. Nobody else understood the macros. The first quarterly report cycle after their departure was chaos. It took three people two weeks to manually produce what the macros had done automatically. And they found errors in the manual process that the macros had been handling correctly for years.

Compliance Blind Spots

In regulated industries, every process that touches client data, financial transactions, or compliance records needs to be documented, auditable, and controlled. Shadow automations are none of these things.

The NIST AI Risk Management Framework emphasizes the importance of transparency and accountability in automated systems [4]. You cannot be transparent about a system you do not know exists. You cannot be accountable for a process you cannot audit.

Consider a mortgage company where a loan processor has built a macro that auto-populates fields on disclosure documents. The macro pulls data from the loan origination system and fills in a template. It has been working for two years. But last month, a regulation changed that requires a new disclosure field. The macro does not include it. Every disclosure generated since the regulation changed is non-compliant. Nobody knows because nobody is reviewing the macro's output against current regulations.

Data Integrity Risks

Shadow automations often move, transform, or create data without validation. They might overwrite good data with bad data. They might create duplicate records. They might silently fail and leave gaps that nobody notices until weeks later.

Gartner's data and analytics research consistently shows that poor data quality is one of the primary barriers to effective AI and analytics adoption [5]. Shadow automations are one of the most prolific sources of data quality problems because they operate outside of any data governance framework.

Security Vulnerabilities

Many shadow automations use stored credentials. Login information hardcoded in a script. API keys saved in a spreadsheet. OAuth tokens that never expire because nobody set up rotation.

Gartner's cybersecurity trends report warns about the growing risk of unmanaged technology in the enterprise [1]. Every shadow automation with stored credentials is a potential security breach. If the employee who created it leaves, those credentials may remain active indefinitely. If their laptop is compromised, the attacker gets access to every system those scripts connect to.

The Salesforce 2024 Small and Medium Business Trends Report found that data security is one of the top concerns for SMBs adopting new technology [6]. But most of those concerns focus on the technology they know about. Shadow automation is the technology they do not know about.

The Scale Of The Problem

This is not a fringe issue. It is pervasive.

The World Economic Forum's Future of Jobs Report 2025 projects that technology literacy will be one of the fastest-growing core skills through 2030 [7]. As more employees become technically capable, more of them will build automations. That is generally positive. But without governance, every new automation is a new risk.

Deloitte's 2025 Tech Trends report discusses the concept of "citizen development", business users building their own applications and automations using low-code and no-code tools [8]. Deloitte frames this as an opportunity, and it is. But it is an opportunity that requires guardrails.

In regulated industries, the scale compounds the risk. A single insurance agency might have:

  • 5-10 Excel macros that process carrier data
  • 3-5 Zapier or Power Automate workflows that sync systems
  • 2-3 scripts that generate reports or move files
  • A handful of saved browser automations or RPA bots
  • Several AI prompts that are saved and reused for document generation

Multiply that across departments and offices. Now you have dozens, maybe hundreds, of automations that nobody has a complete picture of. Each one is a thread. Pull the wrong one and something unravels.

Real Examples From Regulated Industries

The Insurance Agency Commission Script

An agency had built a VBA script that downloaded commission statements from 12 different carrier portals, parsed them into a standard format, and loaded them into the accounting system. The script was built by a part-time bookkeeper three years ago. It ran on a desktop computer in the back office.

When the computer's hard drive failed, the script was gone. There was no backup. No documentation. No version control. The agency had to manually process commission statements for two months while they rebuilt the process from scratch. They also discovered that the script had been silently misallocating commissions from one carrier for the past six months due to a format change on the carrier's statement.

The Mortgage Compliance Workflow

A mortgage company used a no-code platform to build a workflow that tracked compliance deadlines, when disclosures were due, when lock expirations were approaching, when conditions needed to be cleared. The workflow sent automated reminders to loan officers and processors.

The employee who built it left. The platform subscription was tied to their personal email. When the credit card on file expired, the platform suspended the account. The compliance reminders stopped. Nobody noticed for three weeks. By the time they did, several disclosure deadlines had been missed, triggering regulatory reporting requirements.

The Healthcare Billing Macro

A medical billing office had a macro that cross-referenced patient insurance eligibility with scheduled appointments. It flagged patients whose insurance had lapsed so the front desk could verify coverage before the appointment.

The macro relied on a specific format for the eligibility data export. When the insurance verification vendor updated their export format, the macro silently stopped matching records. For six weeks, no insurance lapses were flagged. The office saw a spike in claim denials and had to retroactively verify coverage for hundreds of patients.

The Cost Of Shadow Automation Failure

The costs are not just operational. They are strategic.

Direct costs: Rebuilding lost automations. Manual processing during downtime. Fixing errors that accumulated while the automation was silently failing. In regulated industries, add regulatory fines and remediation costs.

Indirect costs: Employee time diverted from productive work. Customer service degradation. Team morale. nothing is more demoralizing than discovering that a process you trusted was broken for weeks.

Opportunity costs: Organizations with ungoverned shadow automation are slower to adopt formal automation because they do not trust the process. "We tried that and it broke" becomes the institutional memory, even though the failure was governance, not technology.

McKinsey's research shows that organizations capturing the most value from AI treat it as a governed capability, not a collection of ad hoc projects [2]. Shadow automation is the opposite of governed. It is the operational equivalent of building on sand.

Gartner's customer service predictions about agentic AI resolving 80% of common issues by 2029 [9] only apply to organizations that have their automation house in order. If your foundation includes dozens of unknown, unowned bots and scripts, you are not ready for the next wave.

How To Find Your Shadow Automations

You cannot govern what you cannot see. The first step is an inventory.

Ask, Do Not Audit

Start by asking. Send a survey to every department: "What tools, scripts, macros, or automations do you use that were not set up by IT?" Make it clear this is not about blame. It is about understanding.

You will not get complete answers the first time. People forget. People do not think of their Excel macro as an "automation." Follow up with department-by-department conversations.

Look For The Signals

Shadow automations leave traces:

  • Scheduled tasks on desktop computers and servers.
  • Active subscriptions to no-code platforms (Zapier, Make, Power Automate) on individual accounts.
  • API keys in use that are not associated with known integrations.
  • Files that update automatically, spreadsheets that have new data without anyone touching them.
  • Processes that depend on a specific person, if one person's absence breaks a workflow, there is probably an automation involved.

Map The Dependencies

For each shadow automation you find, map what it connects to:

  • What systems does it read from?
  • What systems does it write to?
  • What credentials does it use?
  • What data does it transform?
  • What happens downstream when it runs? When it does not run?

This map will show you which shadow automations are critical and which are nice-to-have. Focus your governance efforts on the critical ones first.

Bringing Shadow Automation Into The Light

Once you have your inventory, you need to decide what to do with each automation. There are three paths:

1. Retire It

Some shadow automations are no longer needed. The problem they solved has been addressed by a system upgrade, a process change, or a new tool. Turn them off. Revoke their credentials. Document that they existed and why they were retired.

2. Adopt It

Some shadow automations are genuinely valuable and should be brought into the governed environment. This means:

  • Assign an owner. A named person who is responsible for the automation's function, maintenance, and compliance.
  • Put it in version control. Even if it is a Zapier workflow, document its configuration in a format that can be tracked and rolled back.
  • Add monitoring. The automation should report when it runs, what it processed, and whether it succeeded or failed.
  • Add a rollback path. If the automation breaks, what is the manual fallback process?
  • Review credentials. Replace personal credentials with service accounts. Set up rotation.
  • Document it. What does it do? Why does it exist? What are its dependencies? What business process does it support?

3. Replace It

Some shadow automations solve the right problem in the wrong way. The business need is real, but the implementation is fragile, insecure, or unmaintainable. In these cases, rebuild the automation in a governed environment using proper tools, proper credentials, proper monitoring, and proper ownership.

Building Governance Without Killing Innovation

This is the balance you need to strike. You do not want to discourage people from solving problems. You do want to make sure their solutions do not create bigger problems.

Deloitte's research on citizen development emphasizes that the most successful organizations create enablement frameworks, they give employees tools and guardrails, not prohibitions [8]. Ban shadow automation and people will do it anyway, just more secretly. Enable it with guardrails and you get the innovation benefits without the risk.

Here is what a practical governance framework looks like:

A registration process. Before anyone builds an automation, they register it. Not a 40-page form. A simple entry: what it does, what systems it touches, who owns it, what credentials it uses. Five minutes.

Approved tools. Designate a set of approved platforms for citizen automation. Power Automate, Zapier, whatever fits your environment. Support those tools. Train people on them. The approved tools should have built-in logging and version history.

Credential standards. No personal passwords in automations. Service accounts only. API keys managed through a central process. Rotation on a schedule.

Quarterly reviews. Every automation on the registry gets a quarterly review. Is it still needed? Is it still working correctly? Has anything changed in its dependencies? This takes an hour per quarter and saves weeks of crisis response.

A clear escalation path. When someone's automation gets too complex or too critical for citizen development, there should be a clear path to hand it off to a professional team for hardening and production deployment.

The World Economic Forum's data on skill transformation [7] suggests that the workforce is becoming more technically capable every year. That is a good thing. Governance is not about limiting capability. It is about channeling it safely.

The Path From Shadow To Governed

Here is a realistic timeline for getting your shadow automation under control:

Month 1: Inventory. Survey departments. Identify shadow automations. Map dependencies. Prioritize by risk.

Month 2: Triage. Decide which to retire, adopt, or replace. Start with the highest-risk items, the ones that touch client data, financial transactions, or compliance processes.

Month 3: Adopt The Critical Ones. Assign owners. Add monitoring. Document. Move credentials to service accounts.

Month 4: Build The Framework. Create the registration process. Designate approved tools. Set credential standards. Communicate to the organization.

Ongoing: Review And Evolve. Quarterly reviews. New automation registration. Continuous improvement. Celebrate the people who build useful automations within the framework.

The Bigger Picture

Shadow automation is not a technology problem. It is a governance problem. And it is a symptom of something deeper: your team has needs that your official systems and processes are not meeting. Every shadow automation is evidence of a gap.

When you find them, do not punish the builders. Thank them. They identified a real problem and solved it with the tools they had. Your job is to make their solutions sustainable, secure, and scalable.

The NIST AI framework, Gartner's cybersecurity research, McKinsey's AI maturity studies, they all converge on the same point. The organizations that will thrive in an AI-driven world are the ones that can trust their own systems. Shadow automation undermines that trust. Bringing it into the light restores it.

If you are looking at your operations and suspecting that there are more scripts, macros, and one-off automations than you realize, you are probably right. We help businesses find them, assess them, and build the governance framework to manage them. No disruption to what is working. Just visibility, ownership, and control.

Book a discovery call at thelobbi.io/discovery.

Topic clusters

Ready to see where the friction is?

The Lobbi's Operations Discovery maps your workflows, identifies your highest-impact bottlenecks, and gives you a clear picture of what's possible.

← All insights