
Shadow AI on Campus Is a FERPA Problem. Here Is What to Do About It.

Released on Thursday, June 11, 2026

56% of higher education staff are using SaaS and AI tools their institution has not approved. That is not just a productivity issue — it is a FERPA exposure risk. Here is how IT leaders are closing the gap.

The Productivity Tools Your Faculty Are Using Are Not on Your Approved List

You already know the number of SaaS applications running across your campus has grown faster than your team can track. What you may not know is how many of those are AI-powered tools your faculty, staff and graduate researchers adopted quietly — through a personal credit card or a free tier that never touched procurement.

Research from Gartner found that a significant share of enterprise employees use AI tools their organizations have not sanctioned. In higher education, where departments operate with high autonomy and IT visibility into shadow tools is often limited, that exposure is amplified. One recent survey found that 56% of higher education staff report using AI tools not approved by their institution. Every one of those tools is a potential FERPA liability. FERPA is the Family Educational Rights and Privacy Act, a U.S. federal law enacted in 1974 that protects the privacy of students' education records.

FERPA does not care whether the tool was free. It does not care whether the faculty member thought it was harmless. If student data touches an unsanctioned platform — even incidentally — the institution carries the exposure. And without a centralized view of every active SaaS application on campus, you have no way to know which tools are running, who is using them or what data they are accessing.

The Semester Cycle Makes It Worse

Enterprise SaaS governance is hard enough in a stable headcount environment. Higher education is not that. Every semester, hundreds or thousands of accounts — students, adjuncts, visiting researchers, part-time staff — need to be provisioned, and then deprovisioned again. In most institutions, that process is manual, inconsistent and slow.

The result is predictable: orphaned accounts that remain active well past the end of the semester. Former students with live access to collaboration platforms. Departed adjuncts still on productivity software licenses. Those inactive accounts are not just wasted spend — they are open access points. And in an environment where departments are buying SaaS independently, IT has no reliable way to know what those accounts can reach.

This is not a theoretical problem. It is the operational reality at most institutions right now.

The Governance Gap Most Institutions Have Not Closed

At a well-resourced enterprise, this problem gets solved with ServiceNow or a mature SAM infrastructure. Most higher education institutions are not there yet. License tracking lives in spreadsheets. SaaS discovery is reactive, not automated. And when a department head buys a new tool without going through IT, there is no process to catch it until it shows up in an audit or a breach.

The gap between what your institution actually has deployed and what IT knows about is almost certainly larger than your team estimates. Research consistently shows that 30 to 40% of SaaS usage in complex organizations qualifies as shadow IT. On a campus with multiple colleges, research centers and administrative units all buying independently, that number does not get smaller.

What Centralized SaaS Visibility Actually Solves

The case for SaaS management in higher education is not abstract. It is operational. Here is what changes when IT has a complete, real-time view of every application running across campus:

  • Shadow AI discovery becomes systematic. Every new tool that appears — whether it came through procurement or not — gets flagged automatically. IT reviews it against FERPA and data security standards before it becomes a problem.
  • Offboarding becomes reliable. When a semester ends or a staff member departs, account deprovisioning runs through a defined workflow rather than a manual checklist. Orphaned accounts stop accumulating.
  • License utilization becomes visible. Unused licenses get reclaimed. Departments stop paying for seats nobody is using. That reclaimed spend becomes available for higher-priority investments.
  • Renewals stop sneaking up. The IT team knows what is renewing, when and at what cost — before the invoice arrives. Negotiations happen with data, not guesswork.

This Is Not About More Bureaucracy

The instinct in higher education is often to resist centralization — and that instinct is not wrong. Faculty and department heads need flexibility. The goal of SaaS governance is not to take that away. It is to give IT the visibility to protect the institution without slowing down the people doing the work.

A well-implemented SaaS management platform runs in the background. It does not require faculty to change how they work. It gives IT the data it needs to make informed decisions — about risk, about spend, about what to approve and what to flag for review. The governance question shifts from 'did anyone check this?' to 'we already know.'

That is the practical case for SaaS visibility in higher education. Not compliance theater. Operational control in an environment that was never designed to be easy to govern.

Want to see what your SaaS footprint actually looks like? Request a demo and we'll walk through the discovery process with your environment in mind.

Frequently Asked Questions

What is Shadow AI in higher education?

Shadow AI refers to AI-powered applications used by faculty, staff or researchers without institutional approval. These tools may be purchased independently, accessed through free accounts or adopted without IT’s knowledge, creating security, compliance and cost risks. 

How can Shadow AI create FERPA compliance risks?

If employees enter student information into an unapproved AI platform, the institution may lose control over how that data is stored, processed or shared. Even free tools can create FERPA exposure when they access protected education records. 

How does Shadow AI contribute to hidden SaaS costs?

Independently purchased AI and SaaS tools can lead to duplicate subscriptions, unused licenses and unplanned renewals. Because these applications may bypass procurement, IT and finance teams often lack the visibility needed to identify waste and control total software spending. 

Why are orphaned SaaS accounts a risk for colleges and universities?

Accounts belonging to former students, adjuncts or employees may remain active after they leave. These orphaned accounts waste license spend and create potential access points to institutional systems, shared documents and sensitive student information. 

How can institutions control Shadow AI without limiting academic flexibility?

Centralized SaaS management provides visibility without preventing departments from adopting useful technology. IT can discover new applications, assess data risks, automate offboarding and monitor license usage while faculty and staff retain the flexibility needed to work effectively.