Security gains from passkey adoption in central IT are negated by uncontrolled shadow IT using weak passwords, presenting organizational challenges for CISOs.