Colleges are confronting a growing layer of ‘shadow data’—student and institutional information captured, stored or shared outside approved systems—raising new FERPA, privacy and compliance risks. As universities expand cloud services, analytics and AI pilots, unsanctioned datasets and spreadsheets migrate across departments, creating gaps in IT visibility and accountability. Campus legal and IT leaders warn that shadow data can trigger regulatory exposure and reputational harm if personally identifiable student data is mishandled. The story calls for governance frameworks that map data flows, enforce sanctioned tools, and train staff on privacy rules; otherwise institutions risk audits, enforcement and damage to student trust.