Re: Small steps
The real kicker of problematic is people at a company dictating a specific system and or sub-system.
In my experience this is the biggest driver of shadow IT. To take a recent example, our corporate IT group decided to replace the in-house wiki & document-sharing platform that we had been using for years with a different, more modern one. The argument was that it was newer and more supportable. This was simply imposed on the company without consultation (beyond the C-suite).
For many of the basic sales/marketing users who used it to upload plain info, HowTos, etc. it was just the usual pain of learning a new system. No big deal - "they'll get over it". The development organization, however, was a big user of in-house tools, specific to our products and processes, and they produced HTML output. The new wiki system would not render HTML without new plugins which were not part of the deployment, and were clunky & unfriendly to use in any case.
After a few months of trying to adapt, various parts of the development org opted for the obvious solutions, they started to re-purpose lab systems as standalone web servers. They served the HTML and the wiki system just became a front-end to them.
Is this maintainable? Sort-of. In most cases the systems were stood up by the team that needed them, so when someone leaves they rot until someone else figures out how they work, which depends on how well the initial developer of the system documented it. Does it get patched in time? Sometimes, when people remember. Does it respect the in-house security rules? Best-effort, but obviously IT don't audit it. Does it allow the development teams to get on with their core work, and make money for the company? Absolutely.
That's what causes shadow IT.