Working in the Dark: Shadow AI, Sociotechnical Governance Failure, and the Ethics of Invisible Automation in the Enterprise

Keywords: shadow AI, shadow IT, AI governance, generative AI, enterprise risk, data leakage, information security, sociotechnical systems, accountability, responsible AI, AI policy, controlled enablement
Year: 2026

Abstract

Organisations can invest substantially in sanctioned artificial intelligence (AI) platforms and yet remain surrounded by what this paper terms "shadow AI": the unsanctioned, systematically invisible use of external or self-hosted AI tools by employees pursuing legitimate productivity objectives. Drawing on organisational theory, sociotechnical systems research, empirical survey data, and documented incidents, this paper argues that shadow AI is not a marginal information technology (IT) compliance failure but a deep structural symptom of misalignment between formal governance architectures and the lived realities of contemporary knowledge work. We situate shadow AI within the broader tradition of shadow IT research while identifying critical discontinuities introduced by the generative, interpretive, and sometimes agentic capacities of modern AI tools. Through a theoretically grounded analysis of the CFO scenario as an archetype of institutionalised risk rationalisation, and through examination of the Samsung ChatGPT incident as a paradigm case, we develop an account of shadow AI as arising within "governance drift zones": organisational spaces where policy exists but is not meaningfully embedded in practice. We argue that the ethical complexity of shadow AI resists simple attribution of blame to individual actors, demanding instead a systemic reframing in which governance is understood not as the elimination of unauthorised behaviour but as the ongoing negotiation of boundaries within which productive, visible, and accountable AI use can flourish. Implications for organisational leadership, AI policy design, and future academic enquiry are discussed.

Introduction

The governance of artificial intelligence within organisations is frequently imagined as a problem of adoption: how to encourage uptake of approved platforms, demonstrate return on investment, and build organisational capability. What this framing systematically obscures is a parallel phenomenon unfolding beneath official governance structures, one in which employees across seniority levels and functional domains are already using AI, extensively, invisibly, and often in ways that carry material risk. This paper concerns itself with that phenomenon: shadow AI.

Shadow AI refers to the use of AI tools, including large language model (LLM)-based chatbots, browser-integrated AI copilots, application programming interface (API)-connected automations, and self-hosted open-source models, outside the knowledge, approval, or oversight of an organisation's IT, security, legal, or governance functions. As a concept it extends the established literature on shadow IT (Silic & Back, 2014; Zimmermann et al., 2017) into a qualitatively new domain: one where unauthorised tools do not merely store or transmit organisational data, but interpret it, synthesise it, generate new content from it, and in some configurations, act upon it.

The scale of the phenomenon is significant. Survey data indicate that while only approximately 40% of surveyed enterprises have purchased a formal LLM subscription, employees at more than 90% of those organisations report regular personal AI tool use (Bennett Jones, 2026). Approximately 68% of employees who use generative AI at work do so through personal accounts on publicly available platforms (CloudSphere, 2025), and 55% report using unapproved generative AI technologies in their work (CloudSphere, 2025). In Australia, a jurisdiction with active regulatory development around both AI and privacy, nearly one-third of organisations report shadow AI activity even as 30% still lack a formal AI strategy (PA Consulting, 2025).

These figures reveal not merely a compliance gap but a fundamental structural tension between the imperatives of organisational control and the realities of individual productivity-seeking behaviour in a period of rapid AI diffusion. Employees are not waiting for governance to catch up; they are already experimenting, adapting, and embedding AI into their work practices in ways that formal structures neither anticipated nor currently constrain.

This paper makes three principal contributions.

  1. It develops a theoretically grounded account of shadow AI as a sociotechnical governance failure, rather than as a simple instance of individual rule-breaking.
  2. It advances the concept of the "governance drift zone" as a mechanism through which shadow AI emerges and persists.
  3. It argues for a reconceptualisation of AI governance, from prohibition and control toward what we term controlled enablement, grounded in an honest reckoning with the structural causes of shadow AI and the ethical complexity of attributing responsibility within diffused sociotechnical systems.

Defining Shadow AI and Its Relationship to Shadow IT

The concept of shadow IT, the use of information systems, devices, software, applications, and services without explicit IT department approval (Silic & Back, 2014), has been a subject of sustained academic inquiry since at least the early 2000s. Research in this tradition has generally found that shadow IT emerges as a rational organisational response to perceived misalignment between employee needs and officially sanctioned technological provision (Zimmermann et al., 2017; Haag & Eckhardt, 2017). Employees experience formal IT as slow, overconstrained, or insufficiently responsive to local workflow requirements; they accordingly seek out tools that appear to meet their needs more effectively, accepting associated risks that they may not fully understand or appreciate.

Shadow AI inherits this basic dynamic while introducing critical discontinuities. The most significant of these concerns the nature of what the unauthorised tool does with organisational data. Conventional shadow IT (an unsanctioned SaaS subscription, a personal cloud storage account) stores or transmits information. Shadow AI, by contrast, interprets it. A generative model ingests organisational content and produces outputs: summaries, analyses, drafts, recommendations, code, decisions. This interpretive and generative capacity transforms the risk calculus in ways that existing shadow IT frameworks are poorly equipped to capture.

Shadow AI encompasses a wide range of practices.

  • The most visible category involves the use of consumer-facing LLM platforms, such as ChatGPT, Claude, or Gemini, through personal accounts, often accessed via personal email credentials on organisational devices or networks.
  • A second, less visible category involves browser-based AI extensions and plugins that call external LLM APIs as part of routine web browsing or document editing.
  • A third category, addressed in Section 9, involves technically sophisticated employees who build and deploy their own AI systems using open-source models, sometimes on personal hardware, sometimes on organisational infrastructure, and sometimes, critically, making those systems accessible to colleagues through informal channels.

Across all three categories, the defining characteristic is absence of organisational visibility and governance.

It is worth noting that the boundary between sanctioned and shadow AI is not always sharp. The Samsung case discussed in Section 6 illustrates how nominally permitted use can shade into shadow AI when the scope of actual usage exceeds what governance mechanisms anticipated or effectively constrained. Similarly, an employee who uses an approved AI tool in an unapproved way, uploading data classified at a higher sensitivity level than the tool's terms permit, for example, occupies a liminal space that existing taxonomies struggle to accommodate. For analytical purposes, this paper treats shadow AI as comprising any AI use that falls materially outside the bounds of what an organisation's governance framework has explicitly or implicitly sanctioned.

The Paradox of AI-Rich yet Governance-Poor Organisations

One of the most striking features of the contemporary AI governance landscape is the coexistence of extensive AI promotion at the organisational and national level with substantial governance immaturity at the operational level. Organisations invest in enterprise AI platforms, articulate AI strategies, and celebrate AI-driven productivity improvements in earnings calls and annual reports, while simultaneously remaining largely unaware of how AI is actually being used by their employees in daily work.

Survey evidence consistently documents this gap. Bennett Jones (2026) reports that while only around 40% of surveyed organisations had purchased a formal LLM subscription, employees at over 90% reported regular personal AI tool use. Zylo (2026) finds that more than half of organisations have at least one unapproved AI application in active use. Perhaps most revealing is the finding that even where approved AI tools are available, approximately 22% of employees in one study still preferred to use personal GenAI accounts (CloudSphere, 2025), indicating that official provision alone is insufficient to close the shadow AI gap.

This paradox has structural roots. Formal AI adoption processes in large organisations are typically slow, risk-averse, and subject to procurement, security review, data classification, and legal due diligence requirements. By the time a tool has been formally approved, the consumer market may have moved on to more capable alternatives, and employees who have been experimenting with those alternatives during the review period may find sanctioned tools comparatively disappointing. The governance apparatus that is designed to protect the organisation can thus inadvertently accelerate shadow AI adoption by creating a systematic capability gap between what employees can access personally and what they can access officially.

There is also a structural incentive misalignment. Organisational narratives around AI, in leadership communications, strategic plans, and performance frameworks, typically celebrate speed, productivity, and innovation. These narratives implicitly reward employees who "find a way" to exploit AI capabilities for competitive advantage. They rarely, if ever, reward employees who decline to use a powerful tool because it has not been formally approved. The consequence is a cultural environment in which shadow AI is not merely tolerated but effectively incentivised, even by leaders who would be alarmed to learn of its prevalence.

Why Employees Turn to Shadow AI: Motivational Architecture

Understanding shadow AI requires understanding the motivational architecture of the employees who engage in it. Research on technology adoption in organisational contexts has consistently found that perceived usefulness and ease of use are primary determinants of adoption behaviour (Davis, 1989). More recent work on generative AI adoption in the workplace finds that perceived effectiveness, enjoyment, innovativeness, and work relevance all significantly influence sustained use, even in contexts where organisational controls are weak (National Cybersecurity Alliance, 2024). Shadow AI, on this account, is not primarily a product of disregard for organisational norms; it is a product of strong, experientially grounded beliefs about tool capability.

Several recurring drivers appear consistently across the empirical literature and practitioner reports:

  1. Productivity pressure. Employees facing demanding deadlines and performance expectations perceive consumer AI tools as the most direct route to meeting those expectations, and the cognitive costs of seeking formal approval are experienced as unreasonably high relative to the perceived benefits.
  2. Frustration with sanctioned tools. Officially approved tools are frequently perceived as slower, more constrained, and less responsive than their consumer counterparts, even when they are technically more secure.
  3. Outcome-focused incentives. Cultural norms and incentive structures often reward the outcomes of AI-assisted work without inquiring into the means by which those outcomes were achieved, creating a moral hazard in which results are visible but methods are not.
  4. Habit spillover and lack of training. As AI tools become embedded in personal life (for drafting correspondence, summarising documents, planning travel), the boundary between appropriate and inappropriate use at work becomes unclear, especially for employees who receive no formal guidance. Research from the National Cybersecurity Alliance (2024) finds that over half of employees who use AI for work report having received no training on AI risks. In the absence of such training, employees cannot be expected to reliably distinguish between safe and unsafe use cases, and the burden of any resulting harm falls inequitably on individuals who were never adequately equipped to manage it.
  5. Regulatory distance. Employees experience data protection regulations, AI governance frameworks, and information security policies as abstract constraints belonging to legal and IT departments, rather than as concrete realities in daily work. When using a personal AI account feels like a minor shortcut and the consequences of a data breach or regulatory violation feel remote and hypothetical, the rational calculus favours convenience.

The CFO Archetype: Institutionalised Risk Rationalisation

5.1 Case Construction and Theoretical Grounding

The following scenario is composite and constructed, drawn from patterns documented across multiple enterprise contexts rather than from a single identified incident, but its constituent elements are individually well-attested in the empirical literature and in practitioner accounts of enterprise AI risk. Its purpose is not illustration but theoretical elaboration: to demonstrate the specific mechanisms through which shadow AI transitions from individual behaviour to institutional risk. We use the designation "composite case" in the tradition of organisational case methodology (Stake, 1995; Yin, 2018) to distinguish it from fabrication while acknowledging its constructed character.

5.2 Scenario

A large publicly listed company has made substantial investment in an enterprise AI suite. The platform is integrated into the organisation's enterprise resource planning (ERP), financial planning, and document management systems, and has been approved through a rigorous security review process. Its terms of service prohibit data retention beyond the immediate session; it operates within the organisation's data sovereignty boundaries; and it is covered by appropriate contractual protections. It is, by any reasonable standard, a well-governed AI tool.

The Chief Financial Officer (CFO) operates under intense and continuous performance pressure. She is responsible for quarterly earnings guidance, board-level financial reporting, and ongoing merger and acquisition (M&A) analysis in a complex multi-jurisdictional operating environment. The official AI assistant, while secure, requires VPN connection, multi-factor authentication, and careful data classification tagging before any query can be processed, a process that, in practice, adds several minutes to each interaction and requires the user to make active decisions about data sensitivity that are not always straightforward.

Over the preceding months, the CFO has developed sophisticated personal proficiency with a consumer LLM platform, which she uses at home for a variety of tasks. On the platform, she can paste text directly, ask open-ended analytical questions, and receive sophisticated, conversational responses without friction. She has found it particularly useful for stress-testing financial narratives: identifying logical weaknesses in a line of argument, anticipating questions a board member or analyst might raise, and rapidly iterating on the framing of complex financial scenarios.

On the evening before a scheduled board meeting, facing a deadline for finalising her presentation materials, the CFO is working from home. The board pack includes performance commentary on divisional earnings, sensitivity analyses for three strategic scenarios, and a preliminary assessment of options in a prospective acquisition. The official enterprise AI platform is technically accessible remotely but she finds it significantly slower and less capable for open-ended analytical dialogue than the consumer platform she has been using. She makes what she experiences as a pragmatic decision: she uploads extracts from the board pack, including the performance commentary, the sensitivity analyses, and the M&A options assessment, into her personal account on the consumer platform, and uses it to refine her talking points and identify potential vulnerabilities in her arguments.

5.3 The Governance Anatomy of the Incident

From the perspective of the individual actor, the decision appears rational and, in important respects, prosocial: the CFO is working late, seeking to do her job better, and using the best available tool for a cognitively demanding task. She has not acted maliciously; she has not sought personal gain; she has not been negligent in any conventional sense of that term. Yet from a governance perspective, the incident represents a serious and potentially irreversible breach.

The material uploaded to the consumer platform is, in technical terms, material non-public information (MNPI). Performance commentary prepared for the board but not yet released to the market, sensitivity analyses for strategic scenarios under active consideration, and, most critically, any reference to the prospective acquisition all constitute information whose unauthorised disclosure could breach continuous disclosure obligations, trigger securities regulatory inquiry, and expose both the organisation and individual executives to civil and criminal liability under market manipulation and insider trading provisions.

The consumer AI platform's data handling practices, by contrast with the enterprise platform, are not governed by organisational contract. Depending on the platform's terms of service, which the CFO has not read in their current form, the content uploaded may be used for model training, retained in server logs accessible to platform staff, subject to legal process in a foreign jurisdiction, or inadvertently exposed through a security vulnerability in the platform itself. None of these pathways requires malicious intent by any party to produce material harm.

What makes this case theoretically significant is not the individual decision but the systemic conditions that produced it. The CFO did not choose shadow AI because she was indifferent to governance; she chose it because the official tool was designed in a way that made legitimate use feel costly and illegitimate use feel costless. This is a governance design failure, not an individual moral failure. The organisation built a secure platform but failed to make it competitive with its unsecured alternatives on the dimensions—speed, flexibility, conversational depth—that determined actual user behaviour.

5.4 Accountability Diffusion and the Governance Drift Zone

A further dimension of the CFO case concerns the diffusion of accountability that shadow AI produces. If a subsequent board meeting leak, regulatory inquiry, or market-moving rumour were traced to the content uploaded to the consumer platform, the organisation would face profound difficulty in allocating responsibility. The CFO acted without malicious intent, under conditions of time pressure, using tools she genuinely believed were adequate for the task. The IT function designed a governance architecture but did not make it usable enough to prevent workarounds. The legal function issued data classification guidance but did not communicate it in terms that were actionable in the context of AI tool selection. Senior leadership celebrated AI-driven productivity without specifying what kinds of AI productivity were and were not acceptable.

This pattern of distributed causal responsibility and unclear accountability is characteristic of what we term the governance drift zone, an organisational space in which formal AI policy exists but is not meaningfully embedded in how work actually gets done (Journal of Strategic Change, 2025). The governance drift zone is not a location in an organisational chart; it is a structural condition produced by the gap between what governance frameworks demand and what work conditions make feasible. In that gap, employees improvise; and shadow AI is, fundamentally, the improvised use of AI in the absence of adequate institutional scaffolding.

It is worth noting that the CFO archetype is not unique to finance. Analogous patterns appear wherever high-cognitive-demand, time-pressured professionals find official AI tools inadequate to their needs: in legal departments preparing complex transactional documents, in HR functions drafting sensitive performance assessments, in clinical settings where practitioners seek decision support for complex cases, and in research and development teams working with commercially sensitive intellectual property. The governance challenge is structural, not sectoral.

The Samsung ChatGPT Incident: When Permitted Use Becomes Shadow AI

The Samsung ChatGPT incident of early 2023 has become something of a paradigm case in discussions of enterprise AI risk, not because it was unique, but because it was unusually well-documented and publicly disclosed, providing a rare empirical window into the mechanics of AI-enabled information security failure in a major corporation.

In early 2023, engineers within Samsung's semiconductor division were permitted to use ChatGPT for productivity purposes, including code debugging and meeting summarisation. Within a short period, at least three documented incidents occurred in which employees uploaded materially sensitive information to the platform (Mashable, 2023; HumanFirewall, 2023):

  • Confidential source code for semiconductor chip equipment
  • Code for an internal database
  • Notes from an internal meeting

In each case, the employees were using ChatGPT in ways they understood to be permitted, or at minimum, not explicitly prohibited, under then-current internal guidance.

What the employees did not know, or did not appreciate, was that OpenAI's then-default terms of service provided that user inputs could be used to improve the model. The confidential source code and meeting notes uploaded to ChatGPT were, under those terms, potentially available to OpenAI for training purposes, and potentially accessible to OpenAI staff through standard platform oversight processes. Samsung's intellectual property had, in effect, been voluntarily disclosed to a third party without organisational authorisation, without legal review, and without any mechanism for remediation.

Several features of the Samsung incident deserve particular analytical attention.

  1. The incident was not produced by malicious actors exploiting a technical vulnerability; it was produced by well-intentioned employees making rational use of a tool they understood to be available to them. This is precisely the pattern described in the shadow IT literature: individual rationality producing collective risk (Silic & Back, 2014).
  2. The information security failure arose not from unauthorised access to Samsung's systems but from authorised disclosure of Samsung's information to a third party, a risk profile that conventional endpoint security and network monitoring architectures are poorly designed to detect or prevent.
  3. The remediation response illustrates the organisational difficulty of recovering governance once shadow AI use has become established: Samsung initially suspended employee access to all external generative AI tools (HumanFirewall, 2023), a measure that is both disruptive and, as noted by security practitioners, likely to drive use underground rather than eliminate it. Samsung ultimately reinstated limited access to external AI tools in 2025, with enhanced controls (SamMobile, 2025), a pattern consistent with the evolution from prohibition to controlled enablement described in Section 11.

The Samsung case also illustrates the particular risk associated with the liminal category of AI use identified in Section 2: use that is nominally permitted but whose actual parameters fall outside what governance mechanisms effectively constrain. Samsung's engineers were not engaging in shadow AI in the purest sense; they had not been told not to use ChatGPT. But the use they were making of it exceeded what any reasonable interpretation of their organisational role would sanction, and the governance framework had not been designed with the specificity required to prevent it. This liminal zone, where formal permission meets inadequate specificity, may in practice represent a greater risk surface than outright shadow AI, precisely because it lacks the clear normative signal that outright prohibition would provide.

Beyond Samsung, the broader empirical picture reinforces the concern. Security consultancies and technology vendors consistently report that a majority of organisations have at least one unapproved AI application in active use (Obsidian Security, 2025; Zylo, 2026), and that employees routinely (in many surveys, a majority of respondents) report having pasted sensitive customer data, financial records, or intellectual property into public AI systems (CloudSphere, 2025; Rezolve.ai, 2026). These disclosures are not primarily the product of cyberattacks; they are the product of routine productivity behaviour generating systematic information security failure.
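The second observation above, that conventional endpoint and network monitoring is poorly placed to catch authorised disclosure, has a practical corollary: the one place a security team usually does see this traffic is the egress proxy, and what it sees is metadata only. The following script is an added example written for this page, not code from the paper or from any of the organisations discussed. It triages proxy log records for POST requests to consumer generative-AI front-ends and separates sizeable uploads from short prompts. The JSON log format, the field names, the list of consumer hosts, the sanctioned tenant `ai.corp.example`, and the 4 KiB upload threshold are all assumptions for illustration; the sample log lines are constructed.

```python
"""Egress-log triage for uploads to consumer AI platforms.

Added example (not from the paper). Scans proxy log records, one JSON object
per line, for POST requests to consumer generative-AI front-ends that are not
the organisation's sanctioned tenant. An egress proxy that does not break TLS
sees only metadata (user, host, method, request size), so the check can say
that a user sent something sizeable to chatgpt.com; it cannot say what.
"""
import json
from collections import defaultdict

# Assumed: consumer chat front-ends to watch. Illustrative, not exhaustive;
# API hosts, browser extensions and new services need their own entries.
CONSUMER_AI_HOSTS = {
    "chatgpt.com": "ChatGPT (consumer)",
    "chat.openai.com": "ChatGPT (consumer)",
    "claude.ai": "Claude (consumer)",
    "gemini.google.com": "Gemini (consumer)",
}

# Assumed: the organisation's contractually covered enterprise tenant.
SANCTIONED_HOSTS = {"ai.corp.example"}

# Request bodies at or above this size are treated as pasted documents or
# code rather than short prompts. The value is an assumption; baseline it.
UPLOAD_BYTES = 4096


def classify_host(host):
    """Return 'sanctioned', a consumer-service label, or None for other hosts."""
    host = host.lower().rstrip(".")
    if host in SANCTIONED_HOSTS:
        return "sanctioned"
    for suffix, label in CONSUMER_AI_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def parse_record(line):
    """Parse one log line; return None for malformed or incomplete records."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    if not {"user", "host", "method", "req_bytes"} <= set(rec):
        return None
    try:
        rec["req_bytes"] = int(rec["req_bytes"])
    except (TypeError, ValueError):
        return None
    return rec


def triage(lines):
    """Map each user to their POSTs to unsanctioned consumer AI hosts.

    Severity is 'upload' when the body meets UPLOAD_BYTES, else 'prompt'.
    Traffic to the sanctioned tenant and to non-AI destinations is ignored.
    """
    findings = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        label = classify_host(rec["host"])
        if label is None or label == "sanctioned":
            continue
        if rec["method"].upper() != "POST":
            continue  # page loads and polling carry no organisational data
        findings[rec["user"]].append({
            "ts": rec.get("ts"),
            "service": label,
            "host": rec["host"],
            "req_bytes": rec["req_bytes"],
            "severity": "upload" if rec["req_bytes"] >= UPLOAD_BYTES else "prompt",
        })
    return dict(findings)


# Constructed sample log for the example; none of these records are real.
SAMPLE_LOG = [
    '{"ts":"2026-03-02T21:14:05Z","user":"cfo","host":"chatgpt.com","method":"POST","req_bytes":58213}',
    '{"ts":"2026-03-02T21:20:41Z","user":"cfo","host":"ai.corp.example","method":"POST","req_bytes":61000}',
    '{"ts":"2026-03-02T09:02:10Z","user":"eng1","host":"claude.ai","method":"GET","req_bytes":0}',
    '{"ts":"2026-03-02T09:02:33Z","user":"eng1","host":"claude.ai","method":"POST","req_bytes":9120}',
    '{"ts":"2026-03-02T11:45:19Z","user":"eng1","host":"gemini.google.com","method":"POST","req_bytes":310}',
    '{"ts":"2026-03-02T12:00:00Z","user":"eng2","host":"github.com","method":"POST","req_bytes":120000}',
    'not json at all',
]

if __name__ == "__main__":
    for user, hits in triage(SAMPLE_LOG).items():
        for h in hits:
            print(f"{h['ts']} {user:6} {h['severity']:6} {h['req_bytes']:>7}B -> {h['service']}")
```

Two caveats follow directly from the paper's threat model. First, every flagged request was allowed by policy and succeeded; this is a retrospective disclosure record, not a prevention control, and without a CASB or TLS inspection the body size is the only signal that a document rather than a sentence left the network. Second, the check sees nothing of the browser extensions, API clients and self-hosted models the paper describes elsewhere, so a clean result here is not evidence of absence.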

The Risk Landscape of Shadow AI

Shadow AI generates a risk landscape that is both broader and structurally different from that produced by conventional information security threats. Because shadow AI typically does not involve external attackers breaching organisational defences, but internal actors voluntarily moving organisational data outside those defences, the threat model is one of authorised disclosure rather than unauthorised access, a distinction with significant implications for detection, attribution, and remediation.

  1. Data security and privacy. Employees who input personal data, trade secrets, commercially sensitive analysis, or regulated information into consumer AI tools may expose that information to platform data retention, foreign jurisdictional access, or inadvertent disclosure through platform vulnerabilities. The risk is compounded by the fact that consumer AI platforms are not static: their terms of service, data handling practices, and technical architectures change over time, and employees who made informed decisions about data risk at one point in time may find those decisions retrospectively undermined by platform changes they did not monitor.
  2. Regulatory and legal exposure. Unauthorised processing of personal data through AI tools can engage obligations under privacy legislation including the Australian Privacy Act 1988 (as amended), the European Union General Data Protection Regulation (GDPR), and sector-specific regimes governing financial services, health information, and telecommunications. The cross-border data flows inherent in the use of AI platforms operated in foreign jurisdictions raise particular regulatory complexity. A legal risk taxonomy for generative AI developed by Rezolve.ai (2026) identifies additional risk vectors including unlawful automated decision-making, discrimination through biased model outputs, and breach of professional confidentiality obligations, all of which can be engaged through shadow AI use in contexts such as HR, legal, financial planning, and medical practice.
  3. Decision quality and the propagation of misknowledge. Generative models produce plausible outputs that may be factually incorrect, analytically biased, or based on outdated information, and busy professionals under time pressure may not apply the critical scrutiny required to identify and correct such errors. When shadow AI outputs are incorporated into board materials, legal documents, clinical assessments, or credit decisions without adequate verification, the errors they contain can propagate through organisational decision-making in ways that may not become apparent until consequential harm has been done.
  4. Structural accountability gaps. When decisions are informed or generated by unauthorised AI tools, the evidentiary record of the decision-making process is distorted: official records may not reflect the actual basis for a decision, making retrospective accountability, whether through internal audit, regulatory inquiry, or litigation, difficult to achieve. This gap between official record and actual process is not merely an integrity concern; it is a governance pathology that undermines the ability of organisations to learn from failures and improve.
  5. Cultural and ethical consequences. Persistent shadow AI use has cultural and ethical consequences that are difficult to quantify but arguably of foundational importance. When rule-bending to access better tools becomes normalised, when the most productive, ambitious, and technically capable employees are the heaviest shadow AI users, the signal sent to the broader organisational community is that formal governance is a constraint to be circumvented rather than a framework to be engaged with. This normalisation of workaround behaviour can erode the ethical climate of an organisation more broadly, weakening norms around confidentiality, professional judgment, and the responsible exercise of delegated authority.

Shadow AI as Ethical Ambiguity, Not Individual Defiance

Perhaps the most significant analytical error in practitioner discussions of shadow AI is the implicit framing of the phenomenon as a problem of individual non-compliance, a problem, that is, of employees who know the rules and choose to break them. This framing is not only empirically inaccurate in many cases; it is also analytically counterproductive, because it directs governance attention toward the symptom (individual behaviour) rather than the cause (structural misalignment).

The ethical complexity of shadow AI is better captured by the concept of moral ambiguity in sociotechnical systems: a condition in which individual actors face genuine uncertainty about the ethical valence of their actions, because the normative frameworks available to them (organisational policy, professional ethics, personal moral intuitions) do not converge on a clear answer. The CFO who uploads board materials to a consumer AI platform is not indifferent to her obligations; she is acting on an implicit ethical judgment that her duty to prepare the best possible board presentation, in the time available, outweighs the uncertain and abstract risks associated with using an external tool that she understands to be capable and has experienced as safe. That judgment may be wrong, but it is not irrational, and it is not the product of moral indifference.

The ethical literature on distributed responsibility in sociotechnical systems provides a more adequate framework for analysing this situation (Nissenbaum, 1994; Winner, 1980). When harmful outcomes are produced by the interaction of individual agents, organisational structures, and technical systems, none of which alone would have produced the harm, the moral responsibility for those outcomes cannot be cleanly assigned to any single node in the system. An adequate ethical account must apportion responsibility in proportion to each party's causal contribution and their capacity for foresight and prevention.

On such an account, the individual employee who uses shadow AI under conditions of inadequate training, absent or unclear policy, and organisational incentive structures that reward outcomes over process bears some moral responsibility, but so does the organisation that failed to provide adequate training, the governance function that failed to make policy sufficiently specific and accessible to be action-guiding, the IT function that designed official tools that were insufficiently competitive with their shadow alternatives, and the leadership that celebrated AI-driven productivity without attending to the means by which that productivity was achieved.

This distributed ethical account has practical implications. Governance strategies that focus exclusively on employee-level controls (monitoring, sanctions, mandatory training) without addressing the structural conditions that generate shadow AI are not only likely to be ineffective; they are also, on a distributed responsibility account, ethically inadequate, because they concentrate the costs of governance failure on the actors who bear the least institutional responsibility for producing it.

DIY and Self-Hosted AI: The Governance Opacity of Internal Shadow Systems

Shadow AI is not limited to the use of consumer-facing platforms. A distinct and in some respects more technically complex variant involves technically sophisticated employees who build, deploy, and operate their own AI systems, using open-source model repositories, local inference infrastructure, and custom data pipelines, entirely within the organisational perimeter but entirely outside formal governance structures.

A representative scenario might involve a senior data scientist who deploys a locally-hosted open-source LLM on a high-performance workstation, fine-tunes the model on departmental datasets (including historical project documentation and internal analytics outputs), and exposes the resulting system through a simple web interface that colleagues begin using informally for analytical queries. From a data sovereignty perspective, this system has significant apparent advantages over consumer platforms: data does not leave the organisational network, there is no third-party data retention risk, and the system can be specialised to the domain in ways that general-purpose platforms cannot easily match.

Yet the apparent advantages of on-premises deployment can be misleading when the system operates outside formal governance.

  • Without model evaluation protocols, the system's accuracy, bias characteristics, and failure modes may be unknown.
  • Without logging and audit infrastructure, the system's use cannot be reconstructed for accountability purposes.
  • Without integration into organisational incident response processes, failures may not be detected or reported.
  • Without clear ownership and maintenance responsibility, the system may become a single point of failure dependent on the continued presence and goodwill of its creator.
  • Without legal review, the intellectual property and privacy implications of fine-tuning on organisational data may not have been considered.

The governance challenge presented by internally-built shadow AI systems is structurally distinct from that presented by consumer platform use. Consumer platform risk is primarily a data exfiltration risk: the concern is that organisational information has been transmitted to an external party. Internal shadow AI risk is primarily an opacity risk: the concern is that consequential decisions or work outputs are being generated by systems whose properties, limitations, and failure modes are not visible to the organisation. Both risk profiles are real; neither is adequately addressed by governance frameworks designed for conventional shadow IT.
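Two of the gaps listed above, the absence of logging and audit infrastructure and the absence of a named owner, are the cheapest to close on a self-hosted system. The following is an added example, not code from the paper or from any project it cites, of the minimum instrumentation that makes an internal model endpoint's use reconstructible. It assumes the model is reachable through a single in-process call (stubbed here as `stub_generate`), that callers are identified by a user id supplied by the web layer, and that the model identifier and version label are constructed values. Prompts and responses are stored only as SHA-256 digests so the audit log does not itself become a second copy of departmental data.

```python
"""Audit-logging wrapper for an internally hosted model endpoint (added example).

Assumptions (not from the paper): a single `generate(prompt) -> str` call,
caller-supplied user ids, constructed model identifiers.
"""
import hashlib
import json
import time
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MODEL_ID = "dept-llm-finetune"      # constructed identifier
MODEL_VERSION = "2026-01-v3"        # constructed version label


def digest(text: str) -> str:
    """SHA-256 of the text; the log stores this, never the text itself."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class AuditLog:
    owner: str                                   # named person accountable for the system
    entries: List[dict] = field(default_factory=list)

    def record(self, user: str, prompt: str, response: str,
               now: Optional[float] = None) -> dict:
        """Append one reconstructible record: who, when, which model build, what (by hash)."""
        entry = {
            "ts": now if now is not None else time.time(),
            "user": user,
            "model": MODEL_ID,
            "model_version": MODEL_VERSION,
            "prompt_sha256": digest(prompt),
            "response_sha256": digest(response),
            "prompt_chars": len(prompt),
        }
        self.entries.append(entry)
        return entry

    def usage_by_user(self) -> Dict[str, int]:
        """The accountability question 'who has been using this system?'."""
        return dict(Counter(e["user"] for e in self.entries))

    def export_jsonl(self) -> str:
        """One JSON object per line, suitable for shipping to the central log platform."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def stub_generate(prompt: str) -> str:
    # Stand-in for the real local inference call (constructed)
    return f"[{MODEL_ID}] answer to: {prompt[:20]}"


def governed_query(log: AuditLog, user: str, prompt: str,
                   now: Optional[float] = None) -> str:
    """Serve a query only when the caller is identified, and log it before returning."""
    if not user:
        raise ValueError("caller must be identified; anonymous use is not served")
    response = stub_generate(prompt)
    log.record(user, prompt, response, now)
    return response


if __name__ == "__main__":
    log = AuditLog(owner="data-science-lead")   # constructed owner
    governed_query(log, "alice", "summarise Q3 variance")
    governed_query(log, "bob", "draft risk memo")
    print(log.usage_by_user())
    print(log.export_jsonl())
```

Hashing rather than storing prompts is a deliberate trade-off: it allows an investigator to confirm that a given document was submitted (by hashing the document and matching) without the log leaking its content, at the cost of not being able to read what was asked. Whether raw retention is acceptable depends on the data classification of the departmental sets the model was trained on.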

Shadow AI and the Future of Knowledge Work

Studies of generative AI in knowledge-intensive roles suggest a profound and ongoing restructuring of how knowledge work is performed, with AI tools taking on tasks previously understood as requiring human expertise: drafting, summarisation, analysis, synthesis, and, increasingly, elements of judgment and decision-making (Wang, 2025). Wang's (2025) analysis of the new normal in AI-mediated knowledge work identifies particular concerns around worker mental health, confusion about production processes, and the proliferation of misknowledge: confident but inaccurate AI-generated content that circulates as organisational knowledge.

In this context, shadow AI is not a peripheral or temporary phenomenon. It is, rather, one of the primary sites at which the future of knowledge work is being actively prototyped: informally, at scale, and in ways that produce real organisational learning as well as real organisational risk. The employees who are most intensively engaged in shadow AI are frequently, for structural reasons, the organisation's most capable, most time-pressured, and most innovation-oriented knowledge workers. The governance implication is significant: a prohibition-oriented response to shadow AI does not merely constrain risk; it suppresses the very experimentation through which organisations might learn to use AI effectively and responsibly.

A more productive framing treats shadow AI as an empirical signal: evidence about where official AI provision is failing to meet the actual needs of knowledge work, what kinds of AI capability matter most to employees in practice, and where governance frameworks need to be redesigned to be both more effective and more workable. On this framing, the question for organisational leaders is not only "How do we stop this?" but "What is this telling us, and how do we shape it?"

From Prohibition to Controlled Enablement: A Governance Framework

The emerging consensus among both practitioners and governance researchers is that prohibition-oriented responses to shadow AI are both unrealistic and counterproductive. They are unrealistic because the accessibility, usability, and rapid improvement of consumer AI tools make sustained enforcement of a ban technically difficult and organisationally costly. They are counterproductive because prohibition drives shadow AI use deeper underground, reducing organisational visibility without reducing organisational exposure, and because it forfeits the organisational learning that comes from engaging seriously with how AI is actually being used.

The governance framework we propose, controlled enablement, is grounded in the insight that shadow AI thrives in the gap between what governance demands and what work actually requires. Closing that gap requires redesigning both governance and tooling, not merely tightening controls on the former. Controlled enablement has six interconnected components.

  1. Principle-based policy architecture. Governance frameworks built around specific tool lists or platform names become obsolete quickly in a period of rapid AI capability development. More durable frameworks articulate governing principles, such as "no regulated personal data shall be processed through AI tools not covered by an organisational data processing agreement" or "all AI involvement in consequential decisions must be disclosed in the decision record", that give employees a basis for reasoning about new tools as they emerge, without requiring governance functions to enumerate every possible use case in advance.

  2. AI registry and lightweight approval processes. Shadow AI frequently flourishes not because employees are determined to circumvent governance but because the formal path to approved AI use is perceived as prohibitively slow or opaque. Lightweight, transparent processes for proposing and approving AI tools, with clear criteria, published timelines, and genuine responsiveness to business-unit needs, can substantially reduce the gap between what employees want to use and what governance has formally assessed, without compromising the integrity of the assessment process.

  3. Risk-tiered governance architecture. Not all AI use presents equivalent risk, and governance frameworks that apply equivalent scrutiny to all use cases will be experienced as disproportionate and will incentivise evasion. A risk-tiered architecture applies the most stringent controls (mandatory disclosure, independent review, ongoing monitoring, human-in-the-loop requirements) to the highest-risk use cases: AI systems involved in consequential decisions about individuals, in the processing of regulated information, or in safety-critical operations. Lower-risk use cases (query-only interactions with non-sensitive information for personal productivity) can be subject to lighter governance that does not impose costs disproportionate to the risks involved.

  4. Substantive AI literacy training. The evidence consistently indicates that the majority of employees who use AI at work have received inadequate training on how generative models work, where they fail, how they can be exploited or misused, and what regulatory obligations apply to their use (National Cybersecurity Alliance, 2024). Effective training goes beyond tool demonstrations to build genuine conceptual understanding (of prompt injection attacks, of hallucination and misknowledge risks, of the implications of data residency and terms of service for information security) that enables employees to make genuinely informed decisions about AI use in novel situations.

  5. Governance-competitive internal AI provision. The most effective structural constraint on shadow AI is the availability of internal AI tools that are sufficiently capable, fast, and easy to use that employees do not experience them as meaningfully inferior to consumer alternatives. EY's centralised enterprise AI platform (EYQ) is frequently cited as an exemplar of this approach: a first-class AI experience that embeds governance controls without imposing them as visible friction, reducing the structural incentive for shadow AI use. The governance implication is that IT and security functions cannot simply veto AI tools that do not meet their risk standards; they must also be accountable for providing alternatives that meet user needs.

  6. Incentive and cultural realignment. No governance framework will be effective if organisational culture and incentive structures continue to reward outcomes achieved through opacity and to treat governance compliance as a constraint on productivity rather than as a dimension of professional competence. Leaders must explicitly and consistently signal that transparent, governed AI use is valued at least as highly as speed and output, and must be willing to create genuine organisational space for employees and teams who surface shadow AI practices and work collaboratively to bring them into governance.
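Components 1, 2 and 3 above can be enforced at the point where a prompt leaves the user's hands, which is also the point at which "controlled enablement" becomes visible friction if the gate is badly designed. The following is an added example, not the paper's own proposal or any vendor's product, of such a gate: tool records from a registry, a principle ("no regulated personal data through a tool without a data processing agreement"), and a two-tier risk assignment that attaches mandatory controls only to high-tier requests. The registry contents, the use-case categories, and the two personal-data detectors (an email pattern and a constructed 3-2-4 digit identifier pattern) are illustrative assumptions; a real deployment would draw on the organisation's classification labels and DLP engine rather than these regexes.

```python
"""Policy gate for AI requests (added example; assumptions are constructed)."""
import re
from dataclasses import dataclass
from typing import List

# Illustrative detectors for "regulated personal data" (constructed, not exhaustive)
PERSONAL_DATA_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "national_id_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Use-case categories the organisation treats as consequential decisions (constructed)
CONSEQUENTIAL = {"hiring_decision", "credit_decision", "performance_review", "safety_ops"}


@dataclass(frozen=True)
class ToolRecord:
    """One entry in the AI registry (component 2)."""
    name: str
    dpa_in_place: bool      # covered by an organisational data processing agreement
    approved: bool          # passed the lightweight approval process


@dataclass(frozen=True)
class Decision:
    allowed: bool
    tier: str               # "low" or "high"
    reasons: tuple          # why the request was refused (empty when allowed)
    required_controls: tuple


def detect_personal_data(text: str) -> List[str]:
    """Return the kinds of regulated personal data found in the prompt."""
    return [kind for kind, rx in PERSONAL_DATA_PATTERNS.items() if rx.search(text)]


def assess(tool: ToolRecord, use_case: str, prompt: str) -> Decision:
    """Apply principle 1, the registry check, and risk tiering to one request."""
    findings = detect_personal_data(prompt)
    reasons: List[str] = []
    controls: List[str] = []

    # Component 3: regulated data or a consequential decision puts the request in the high tier
    tier = "high" if (findings or use_case in CONSEQUENTIAL) else "low"

    # Component 2: only registered, approved tools may be used
    if not tool.approved:
        reasons.append(f"{tool.name} is not an approved tool in the AI registry")

    # Component 1: no regulated personal data through a tool without a DPA
    if findings and not tool.dpa_in_place:
        reasons.append(
            f"regulated personal data ({', '.join(findings)}) but no DPA for {tool.name}"
        )

    # High-tier requests carry mandatory controls; low-tier requests carry none
    if tier == "high":
        controls += ["disclose_in_decision_record", "human_in_the_loop"]
        if use_case in CONSEQUENTIAL:
            controls.append("independent_review")

    return Decision(
        allowed=not reasons,
        tier=tier,
        reasons=tuple(reasons),
        required_controls=tuple(controls),
    )


if __name__ == "__main__":
    sanctioned = ToolRecord("internal-assistant", dpa_in_place=True, approved=True)
    consumer = ToolRecord("consumer-chatbot", dpa_in_place=False, approved=False)
    print(assess(sanctioned, "summarise_minutes", "summarise the meeting notes"))
    print(assess(consumer, "draft_email", "reply to jane.doe@example.com about her claim"))
```

The design point is in the low tier: a non-sensitive, non-consequential request to an approved tool returns `allowed=True` with no required controls, so the gate imposes nothing on the bulk of everyday use. Refusals carry the reason in the decision record, which is what turns a blocked request from friction into a registry signal about which tools employees want assessed.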

Implications for Practice and Future Research

For organisational leaders, the primary implication of this analysis is a reframing of shadow AI from a compliance problem to a strategic intelligence problem. Shadow AI reveals, with unusual clarity, the specific dimensions on which official AI provision and governance are failing to meet the realities of contemporary knowledge work. Treated as a requirements document rather than a disciplinary problem, shadow AI can be a productive driver of governance improvement, AI platform development, and organisational learning about AI risk.

For governance and legal professionals, the analysis underscores the importance of developing accountability frameworks that are adequate to the distributed causal structure of AI-enabled harms. Traditional frameworks that locate responsibility in identifiable individual decision-makers are poorly suited to situations in which harmful outcomes emerge from the interaction of inadequate training, absent policy, structural incentive misalignment, and rational individual behaviour. AI governance frameworks, regulatory instruments, and professional liability regimes need to develop the analytical vocabulary and institutional mechanisms required to allocate responsibility in a more distributed and structurally adequate way.

For academic researchers, shadow AI presents a rich and largely under-theorised empirical field at the intersection of organisational behaviour, information systems, ethics, law, and human-computer interaction. Several specific research agendas are particularly pressing.

  1. There is a need for longitudinal empirical research on the organisational conditions that most strongly predict shadow AI prevalence, identifying, with more precision than current survey data allow, the governance characteristics, cultural factors, and tooling conditions that either facilitate or constrain shadow AI.

  2. More theoretically sophisticated ethical analysis is needed of distributed responsibility in sociotechnical AI systems: the existing philosophical literature on responsibility in complex systems (Nissenbaum, 1994) was not developed with AI-specific considerations in mind and requires substantial extension.

  3. Regulatory and legal scholars need to engage with the specific challenges that shadow AI poses for existing frameworks around data protection, professional liability, and organisational accountability, frameworks that presuppose a clarity of authorisation and decision-attribution that shadow AI systematically undermines.

Finally, for scholars of technology and society, shadow AI poses a fundamental challenge to control-oriented models of AI governance. If the most capable, ambitious, and time-pressured knowledge workers are already integrating AI into their work practices beyond the reach of organisational oversight, then the governance agenda cannot be simply one of constraining AI diffusion until governance frameworks are ready. It must be one of building governance frameworks that are adequate to the pace, the character, and the human motivations of AI diffusion as it is actually occurring, not as governance architects might wish it to occur.

Conclusion

Shadow AI is not a marginal IT compliance issue, nor a simple problem of individual non-compliance. It is a structural symptom of fundamental misalignment between the formal governance architectures organisations have built and the lived realities of knowledge work in a period of rapid AI capability development. It arises in governance drift zones where formal policy exists but is not meaningfully embedded in practice; it is sustained by incentive structures that reward outcomes while remaining indifferent to means; and it distributes accountability in ways that existing governance frameworks are not designed to manage.

The CFO who uploads board materials to a consumer AI platform and the Samsung engineers who pasted source code into ChatGPT are not primarily stories of individual failure. They are stories of governance frameworks that were not designed for the behavioural, organisational, and technical realities they now face. The appropriate response is not simply to tighten controls on individual behaviour, but to redesign governance architectures, AI tooling, training programs, and organisational incentive structures in ways that make safe, transparent, and accountable AI use the path of least resistance rather than the path of greatest friction.

Doing so requires, above all, a willingness to engage seriously with shadow AI not as a scandal to be suppressed but as a signal to be interpreted, an empirical record of where formal AI governance is failing and what a more adequate governance architecture might need to address. The organisations and governance frameworks that develop the capacity to read that signal intelligently will be significantly better positioned to capture the genuine productivity and innovation benefits of AI while managing its risks in a genuinely accountable way.

References

Bennett Jones LLP. (2026, January 9). The perils of shadow AI on your organization. Bennett Jones. https://www.bennettjones.com/Insights/Blogs/Hiding-in-the-Shadows-The-Perils-of-Shadow-AI-on-Your-Organization

CloudSphere. (2025, June 17). Shadow AI: The hidden security crisis threatening your enterprise in 2025. CloudSphere. https://cloudsphere.com/shadow-ai-the-hidden-security-crisis-threatening-your-enterprise-in-2025/

Davis, F. D. (1989). Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quarterly, 13(3), 319–340. https://doi.org/10.2307/249008

Haag, S., & Eckhardt, A. (2017). Normalizing the shadows: The role of information systems in shadow IT governance. In Proceedings of the 38th International Conference on Information Systems (ICIS). https://aisel.aisnet.org/icis2017/

HumanFirewall. (2023, November 26). A case study on Samsung’s ChatGPT incident. HumanFirewall. https://humanfirewall.io/case-study-on-samsungs-chatgpt-incident/

IBM. (2024, October 24). What is shadow AI? IBM. https://www.ibm.com/think/topics/shadow-ai

Insentra Group. (2025, February 19). What is shadow AI and how do you prevent it? Insentra Group. https://www.insentragroup.com/au/insights/geek-speak/secure-workplace/what-is-shadow-ai-and-how-to-prevent-it/

Mashable. (2023, April 6). Samsung workers accidentally leak trade secrets to ChatGPT. Mashable. https://mashable.com/article/samsung-chatgpt-leak-details

Nissenbaum, H. (1994). Computing and accountability. Communications of the ACM, 37(1), 72–80. https://doi.org/10.1145/175222.175228

Obsidian Security. (2025, November 4). Why shadow AI and unauthorized GenAI tools are a risk. Obsidian Security. https://www.obsidiansecurity.com/blog/why-are-unauthorized-genai-apps-risky

PA Consulting. (2025, December 15). Shadow AI: Risks and what to do about it. PA Consulting (Australia). https://blog.pa.com.au/artificial-intelligence/shadow-ai-risks-and-what-to-do-about-it/

Rezolve.ai. (2026, February 3). Shadow AI: Why it’s more dangerous than shadow IT (CIO guide). Rezolve.ai. https://www.rezolve.ai/blog/shadow-ai

SamMobile. (2025, April 30). Samsung lets employees use ChatGPT again after secret data leak in 2023. SamMobile. https://www.sammobile.com/news/samsung-lets-employees-use-chatgpt-again-after-secret-data-leak-in-2023/

Silic, M., & Back, A. (2014). Shadow IT: A view from behind the curtain. Computers & Security, 45, 274–283. https://doi.org/10.1016/j.cose.2014.06.007

Silic, M., Silic, D., & Kind-Trueller, K. (2025). From shadow IT to shadow AI: Threats, risks and opportunities for organizations. Strategic Change. Advance online publication. https://doi.org/10.1002/jsc.2682

Sophos. (2025, December 5). Op-Ed: Hiding in the dark – the risk of shadow AI on businesses. Cyber Daily. https://www.cyberdaily.au/security/12976-op-ed-hiding-in-the-dark-the-risk-of-shadow-ai-on-businesses

Stake, R. E. (1995). The art of case study research. SAGE Publications.

Vaishnav, L., Singh, S., & Cornell, K. A. (2024). Transparency, security, and workplace training & awareness in the age of generative AI (arXiv:2501.10389). arXiv. https://arxiv.org/abs/2501.10389

Wang, Y. (2025). The new normal and the era of misknowledge: Understanding generative AI and its impacts on knowledge work. Digital, 5(4), Article 22. https://www.mdpi.com/2673-9585/5/4/22

Winner, L. (1980). Do artifacts have politics? Daedalus, 109(1), 121–136.

Yin, R. K. (2018). Case study research and applications: Design and methods (6th ed.). SAGE Publications.

Zendesk. (2024, December 8). What is shadow AI? Risks and solutions for businesses. Zendesk. https://www.zendesk.com/au/blog/shadow-ai/

Zimmermann, S., Rentrop, C., & Felden, C. (2017). Managing shadow IT instances: A method to control privately used IT solutions in organizations. International Journal of Enterprise Information Systems, 13(3), 1–16. https://doi.org/10.4018/IJEIS.2017070101

Zylo. (n.d.). Shadow AI explained: Causes, consequences, and best practices for control. Zylo. https://zylo.com/blog/shadow-ai/