Colleges are wrestling with an under‑the‑radar risk: shadow data—student information captured and stored outside sanctioned systems. As institutions deploy analytics, cloud services and AI, data frequently flows across departments and third‑party tools without IT oversight, creating gaps in visibility and compliance. Security and privacy leaders warn that shadow data elevates FERPA and state‑privacy risk, complicates incident response, and can turn harmless collaborations into regulatory liabilities. Institutional solutions include stronger data governance, centralized inventories, vendor risk assessments, and training for non‑IT staff who handle sensitive student records. For trustees and chief privacy officers, the imperative is urgent: map shadow data flows, close audit gaps, and align analytics programs with legal counsel to avoid enforcement exposures.