The IT Department Is Already Dead
It still has a head count, a budget line, and an office on the second floor. But the function it used to perform has been quietly dismantled by the rest of the business, and nobody has told the people sitting in it.
Walk into any mid-market British business and the IT department is still there. There is a head of IT. There is probably a service desk. There is a Microsoft licence agreement, a backup system that someone is meant to be testing, and a meeting in the diary about the next Windows rollout.
This is the corporate equivalent of a Victorian gentleman's club whose membership has died off but whose porter is still polishing the brass. The function is preserved. The work has moved.
The work has moved to your sales director, who bought three CRM extensions on a credit card last quarter. To your finance team, which is running a custom GPT through ChatGPT Enterprise against your management accounts. To the marketing manager who connected an AI agent to your customer database to "tidy up the data." To the operations lead who's been quietly piloting a workflow tool that, on inspection, has the same permissions as a domain administrator.
The IT department doesn't know about any of this. The numbers say so.
The audit nobody asked for
In 2026, between 30 and 40 percent of enterprise IT budget now runs through shadow IT — software bought, deployed, and used without the formal involvement of the IT function (Gartner, cited in USU, 2025; Dashlane, 2026). Shadow IT accounts for around 34 percent of the average organisation's SaaS portfolio by application count, while contributing only 4 percent of formally recognised SaaS spend, because almost all of it is buried in departmental expenses (Zylo, 2026).
Fifty-five percent of employees now adopt SaaS applications without security's involvement (BetterCloud, 2026). The average company runs 106 SaaS applications, and the rate at which organisations are consolidating that sprawl has dropped from 14 percent year-on-year to 5 percent. The pile is growing faster than anyone is removing things from it (BetterCloud, 2026).
And the most damning figure of all, the one that explains how the function got dismantled while the org chart stayed the same: only 12 percent of IT departments follow up on staff requests for new technologies (Dashlane, 2026).
That is the entire story. When your sales team asked for a tool and waited three weeks for an answer that never came, they did what any rational employee does. They bought it themselves. Then they did it again. Then their colleagues did. And IT became, by attrition, the place where ideas go to die and where the rest of the business goes around.
Then AI arrived
Whatever residual authority the IT function had over the technology stack, generative AI has now finished off.
Torii's 2026 SaaS Benchmark Report found that AI tools now account for the majority of newly unmanaged applications inside enterprises (Dashlane, 2026). Fifteen percent of employees routinely use unsanctioned generative AI tools, often connecting them to corporate data through OAuth permissions that they neither understand nor are equipped to evaluate (BetterCloud, 2026).
A marketing manager who would never install software on a corporate laptop without permission will, without hesitation, connect an AI plugin to Google Drive, Slack, and the CRM with three clicks of an "Allow" button. The permissions granted in those three clicks are often more powerful than anything the formal procurement process would have agreed to in three months. The plugin is not malware. It is doing exactly what the marketing manager wants. It is also, in the eyes of the regulator, the auditor, and any competent attacker, a new front door.
The IT department does not know the door exists. It cannot, because no one told them.
Who runs technology now?
The honest answer is: nobody. Or rather, everybody, which is the same thing.
Technology at a mid-market British business in 2026 is run by whoever in each department had the energy to set something up. Procurement happens on expense cards. Integration happens through whichever automation tool the most enthusiastic person in the team learned this quarter. Security happens through hope. Compliance happens through a folder of out-of-date policy PDFs that nobody has read since the day they were signed. Governance happens at the moment of the breach, the audit failure, or the regulator's letter, and never before.
This is not because the people in the IT department are bad at their jobs. Most of them are very good at the job they were hired to do. The problem is that the job they were hired to do no longer exists.
The role of "the person who keeps the servers running and approves new software" has been comprehensively eaten by cloud, SaaS, AI, and the unstoppable economic logic that a finance team will buy a £200 monthly subscription faster than IT can write a procurement memo. The thing that survives is a service desk with a Jira queue and a head of IT in difficult quarterly conversations with a board that has noticed something is wrong but cannot articulate what.
What the business actually needs is a function that did not previously exist in most mid-market companies. Someone who governs the AI permissions before they become a breach. Someone who audits the SaaS portfolio quarterly. Someone who can tell the CEO which of the 106 applications are actually being used, which are paying twice, which are exposing the customer database, and which agent is currently quietly emailing the supplier list to a Google Workspace account in someone's personal Drive.
This is a technology leadership role. It is not an IT operations role. The mistake most mid-market businesses are making in 2026 is asking the existing IT function to take it on, as if the same people who were optimised for keeping the lights on could pivot into governing an explosion of unmanaged tooling with the same headcount and the same budget.
They cannot. The shadow IT figures alone prove they have already failed. Not because they were incompetent, but because the structural relationship between the business and its technology has changed underneath them, and the org chart has not caught up.
What replaces it
The next version of the IT function looks almost nothing like the current one.
It is small. Most of the headcount in a traditional mid-market IT department was running infrastructure that now lives in someone else's data centre. That work has gone, or is going, and the headcount should follow.
It is senior. The remaining technology decisions are governance, integration, risk, and architecture. These are not service-desk skills. They are CTO-grade skills, and very few mid-market businesses can justify a full-time CTO at their headcount level. The fractional CTO model, the embedded technical advisor, or the retained engineering consultancy has gone from niche to obvious for businesses below the £100 million revenue line.
It is technically literate about AI specifically. The biggest single risk surface in 2026 is not malware. It is unmanaged AI permissions. Anyone running technology for a mid-market business who cannot articulate what an MCP server is, how OAuth scopes work in agentic AI, or how a retrieval-augmented system might leak HR data is not equipped for the actual job.
It is independent. The Big 4 will sell you a "digital transformation programme." Your incumbent MSP will sell you another five seats of the platform they were already deploying. Neither of them has any incentive to tell you that 40 percent of your SaaS bill is waste and that your AI rollout has just opened a permissions hole you could drive a small lorry through.
Where Neurotic comes in
The end of the traditional IT department is not a crisis. It is a structural shift that is happening to every mid-market business simultaneously, and most of them are pretending it isn't. The ones who acknowledge it first will pay less, run a tighter stack, expose less data, and spend their time on the actual work of the business rather than on internal arguments about who owns which subscription.
Neurotic's technology audit, cybersecurity audits, and data governance work are built precisely for the moment a business realises its IT function has been eaten without anyone noticing. We do the audit, we name the gaps, we put a governance model in place, and we leave behind something that the existing team can actually run. Independently, engineering-led, without the overhead.
If the description above sounds uncomfortably accurate, that is because it is. The fix is not heroic. It is overdue.
Talk to us → neurotic.co
References
Cloud Security Alliance State of SaaS Security Report (2025)The Big List of 2026 SaaS Statistics That You Should Know. [online] Available at: https://www.bettercloud.com/monitor/saas-statistics/ [Accessed 2 June 2026].
Dashlane (2026) SaaS Sprawl: How to Manage Shadow IT. [online] Available at: https://www.dashlane.com/blog/saas-sprawl-shadow-it-management [Accessed 2 June 2026].
Gartner, cited in USU (2025) SaaS Management: Stop Shadow IT Before It Disrupts Your Business. [online] Available at: https://www.usu.com/en/blog/stop-shadow-it-before-it-disrupts-your-business [Accessed 2 June 2026].
Torii (2026) 2026 SaaS Benchmark Report. Cited in Dashlane (2026) above.
Zylo (2026) 2026 SaaS Management Index. Cited in Zylo (2026) What Is Shadow IT? [online] Available at: https://zylo.com/blog/what-is-shadow-it [Accessed 2 June 2026].
