What is it?
software/hardware that is not explicitly approved by IT, that lives within an organisations scope. This could be a personal unregistered laptop, website applications that have been used with company data, or even cloud infrastructure bought with a teams budget.
Why is it mentioned?
an organisation must minimise the risk of different endpoints being compromised, one way of introducing some threat vectors, is by including untracked software which could be missing important updates, or be deprecated altogether. By tracking software, IT has a better indication of whether known threat vectors are dealt with.