Software written or acquired outside of IT’s purview is software that IT can’t evaluate for security or compliance.