Shadow AI is no longer a fringe issue. AI is moving digital solution development into the business functions, and central IT must create freedom while making sure what gets built holds up. A role that demands more than reviews and approvals.
Why earlier IT transformations didn’t reach the business
Cloud, DevOps and platform engineering reshaped central IT organisations. Infrastructure became consumable on demand, platform services replaced in-house builds, and the path from code to operations got shorter. Code, workflows and integrations stayed with technical teams, while business functions defined requirements and signed off solutions. The paradigm shift driven by these technological innovations rarely reached into the business functions’ day-to-day work.
AI is shifting that boundary. Not every professional becomes a software developer with AI. But more professionals can now shape digital work directly inside their own work: workflows, analyses, scripts and applications are being built where IT used to be commissioned. Claude Cowork, Copilot, Gemini and ChatGPT Enterprise are now in everyday use across Finance, Legal, Sales and Operations, no longer just as a chat assistant, but as the foundation of autonomous workflows. Where employees once had to adapt to the technical constraints of legacy systems, they can now use AI to tailor digital solutions to the way they actually work.
A prototype proves feasibility, not durability
The McKinsey State of AI Report 2025 shows the gap between use and scale: companies are reporting cost or revenue impact from AI across functions, yet almost two-thirds have not yet begun to scale AI across the enterprise. The value is being created close to the work.
What matters is the speed and reach of individual tools. A chat workflow with CRM access via a connector or MCP server can change hundreds of records in seconds. Clicking through screens used to be the brake. Bulk changes went through admin tickets. AI closes the gap between need and execution, but it creates new risks.
The risk becomes critical when a personal helper turns into a tool for teams or business processes. At that point, questions about data quality, permissions and accountability stretch beyond the individual user. Who is accountable if a workflow that’s in permanent use fails? Often, that responsibility lands back with central IT.
Why more reviews won’t fix shadow AI
The obvious reaction is: more reviews, more approvals, more rules. For critical applications, scrutiny may seem indispensable, but as an operating model this approach scales badly. If every new workflow is treated like a classic IT project, the queue that AI was supposed to shorten reappears.
Central IT ends up in a contradiction. It is meant to enable innovation safely, but it becomes the place where even small decisions wait for sign-off. The result is a new wave of shadow AI. The MIT report “State of AI in Business 2025” shows the gap: only around 40 percent of companies have bought official LLM subscriptions, while employees from over 90 percent of the companies surveyed report regular AI use. Not out of bad intent - teams just want to stay productive.
Platform, not gatekeeper: four levers for governing decentralised AI
The answer lies in tiered AI guardrails: personal work aids need different rules than business-critical workflows or production-relevant applications. For guardrails to avoid becoming a bottleneck, governance has to live inside tools, platforms, data access and logging, not just in documents or review boards. That matters even more when systems take autonomous actions inside other systems.
Many of the answers aren’t new: platform engineering, DevOps, self-service and product teams. What’s new is the pressure to apply them rigorously. AI has too much impact for decentralised AI development to be organised ad hoc. Rather than building or approving every solution itself, central IT has to create a durable framework without becoming the bottleneck. Four levers help IT organisations enable decentralised AI solutions in a controlled way.
First: provide the building blocks. Business functions need AI tools, model access, data connectors, APIs, templates, identity management and logging. If these are missing, decentralised AI solutions will appear anyway, just outside any controllable structure.
Second: classify the solutions. Personal work aids, team workflows, business-critical solutions and production-relevant processes differ in risk and significance. How autonomously the solution operates matters too: does it just inform, does it prepare decisions, or does it trigger actions on its own?
Third: clarify operations. As soon as a solution is used regularly, it needs a lifecycle: owner, data source, permissions, cost control, monitoring, support and versioning. Decentralised AI solutions without a lifecycle become invisible inventory: opaque costs, security gaps and compliance risks that often only surface when something goes wrong.
Fourth: scale or stop. Recurring patterns should be consolidated into a portfolio. Some stay as local templates. Others turn into reusable capabilities. A few become strategic platform components.
IT becomes more important
The new job for central IT is sorting: personal stays local, recurring becomes reusable, critical goes into operations. Solutions get boundaries; orphaned applications get shut down. That’s the difference between shadow AI and productive decentralised AI.
Central IT has to decide: does it stay an inspection authority, or does it provide the inspection mechanisms themselves as self-service, and get out of its own way?
AI forces central IT to rethink its role. The IT function doesn’t lose relevance. It becomes more important when it makes fewer decisions itself and creates safer decision-making spaces for everyone else.
Sources
McKinsey & Company: “The State of AI in 2025: Agents, Innovation, and Transformation”, November 2025 (survey of 1,993 respondents, June–July 2025).
MIT NANDA / MIT Media Lab: “The GenAI Divide: State of AI in Business 2025”, 2025.
