Risk

Shadow system risk assessment framework

Every org has hidden systems — quiet spreadsheets, personal drives, shared folders that bypass controls. Find them, assess their risk, and decide what to fix, formalise or retire. Built for real-world teams who need clarity, not judgement.

Who it's for

Security teams, data protection officers, and operational leaders who suspect (correctly) that the official systems aren't the whole story.

When to use it

Before a major audit, after an incident, or when onboarding a newly acquired team. Also: any time someone says "oh, we just use a spreadsheet for that."

Why shadow systems exist

People don't build workarounds because they want to break the rules. They build them because the official tools don't work for how they think, what they need to see, or the assistive tech they rely on. Shadow systems are a symptom — usually of an accessibility or usability failure upstream.

How to find them without blame

The framework includes a discovery script designed to surface workarounds without triggering defensiveness. Frame the conversation as "help us understand what's working" rather than "what are you doing wrong".

  • Start with the team most likely to have them — finance, HR, customer support.
  • Ask what they email to themselves, what spreadsheets they keep, what they print.
  • Ask why — the why is more important than the what.

Decide: fix, formalise or retire

Not every shadow system needs to be killed. Some are sensible. The framework gives you a scoring matrix across data sensitivity, user count, and business criticality so you can decide each one on its merits.

In practice

How to run it

  1. Run discovery interviews with three to five teams. Promise no blame, mean it.
  2. Log each shadow system against the scoring matrix.
  3. For each, choose: formalise (move into a sanctioned tool), fix (improve the official tool so the workaround isn't needed), or retire (with a migration plan).
  4. Report the count and direction of travel — not the names — to leadership quarterly.
