There is a worry or two
Firstly, even if the employee paid for the work related expense (and hopefully tried to claim it back later, to provide a trace) he has effectively introduced a new IT service or application into the company's infrastructure, which may or may not be a good idea.
Potentially happy scenario and outcomes:
1) Marketing department builds its own web server on Azure or MAAS (after begging for months). Successfully deploys new product offering, which then goes viral, raises revenues and everyone goes home in a Limo. Luddite CIO and board finally relent and define a new policy whereby individual departments will be allowed to use and manage IaaS or PaaS offerings, or even better, the existing IT department gets with the program and starts to successfully manage and deploy solutions for this type of service requirement.
Potentially unhappy scenario and outcomes:
1) A marketing (or other department) does the same as above. Employees then store valuable IP or embarrassing internal correspondance and docs on a poorly secured cloud server. Server gets hacked, company has massive egg on face and hopefully the right idiots are shown the door. CIO and board say "told you so!" and impose massive lockdown and witchhunt for anymore shadow IT. No one ever pronounces the C word again under penalty of death. Needless to say, the company somehow never discovers a way to put cloud services to good use.
Shadow IT and cloud (although I hate that word) technology can be successfully or poorly managed, just like any other tech. The secret is to find out where an XaaS technology or strategy can really add value, design a good solution, deploy it correctly and then manage it.
What makes this so hard to understand?