Authors: Rakesh Dondapati
Abstract: The rapid diffusion of generative AI tools and autonomous agents has generated a pervasive and largely ungoverned organizational phenomenon: shadow AI, whereby employees and teams deploy AI capabilities outside formal information technology governance and procurement processes. While shadow AI may generate local productivity improvements and serve as an incubator for grassroots innovation, it simultaneously exposes organizations to compounding risks across data security, regulatory compliance, intellectual property control, and operational integrity domains. This study investigates the dual character of shadow AI — as both an organizational threat and an innovation catalyst — and examines the conditions under which adaptive governance structures enable firms to convert unauthorized AI experimentation into sanctioned strategic capability. Drawing on a multi-source dataset comprising IT leader survey responses, employee-level AI usage telemetry, security incident reports, patent disclosures, and longitudinal firm performance data from 487 firms across seven industry sectors (2022–2026), the study develops and validates the Shadow AI Prevalence Index (SAPI) and the Governance Adaptiveness Score (GAS). Structural equation models demonstrate that SAPI is positively associated with risk exposure (β = 0.48, p < .001) but that governance adaptiveness significantly moderates this relationship (interaction β = –0.27, p < .001), and independently predicts innovation output (β = 0.41, p < .001) and organizational resilience (β = 0.48, p < .001). Six inductively derived qualitative themes from 48 executive interviews illuminate the mechanisms linking governance adaptiveness to shadow AI outcomes. The study advances a theory of adaptive AI governance, provides the first large-scale empirical examination of the shadow AI prevalence-performance relationship, and delivers a practical Shadow-to-Sanctioned AI conversion framework for enterprise practitioners. Findings indicate that the critical governance imperative is not the elimination of shadow AI — which is both practically infeasible and strategically self-defeating — but its structured transformation from hidden organizational risk into visible competitive capability.
DOI: http://doi.org/10.5281/zenodo.20958484
