Title Governing shadow artificial intelligence in organizations
Translation of Title Šešėlinio dirbtinio intelekto valdymas organizacijose.
Authors Semionovas, Tadas
Pages 74
Keywords [eng] shadow AI ; AI governance ; cybersecurity risk management ; organizational governance ; innovation enablement
Abstract [eng] This thesis examines the governance of Shadow Artificial Intelligence in organizations. Shadow AI is mostly understood as the usage of AI tools, models, or AI-enabled features by employees or business units without explicit approval or outside established organizational governance controls. The topic is relevant because AI tools have become easy to access and use in everyday work. At the same time, organizational rules, approval processes, technical controls, and risk management practices often remain unclear or slow to adapt. The study treats Shadow AI as an organizational governance problem with cybersecurity consequences. Its roots are similar to those of Shadow IT, but its risk profile is very different. AI tools can generate content, process sensitive information, support decisions, automate actions, and produce outputs that appear reliable even when they are completely inaccurate. Employees often use these tools for practical reasons: to write faster, summarize information, translate text, support coding, prepare analysis, or reduce repetitive work. Because of this, a governance approach based only on restrictions is unlikely to work. This thesis aims to develop a conceptual framework for governing Shadow AI in a way that supports responsible AI use while managing cybersecurity and information governance risks. The research follows a qualitative two-phase design. In the first phase, academic literature, industry sources, and governance standards are analyzed to build the theoretical foundation. The reviewed areas include Shadow IT, Shadow AI, AI governance, IT governance, risk management, compliance, and the balance between innovation and control. Based on this analysis, the thesis develops the Shadow AI Governance Framework (SAIGF). The framework is structured into three layers: governance foundation, core governance mechanisms, and innovation enablement with sustainability.
These layers define the main areas organizations need to address, including responsibility, regulatory alignment, risk appetite, visibility, policy, authorization, risk assessment, technical controls, approved AI options, faster approval paths, awareness, culture, and ongoing improvement. The second phase validates and refines the framework through ten semi-structured interviews with participants from six organizations. The sample includes managerial respondents involved in governance or AI-related decisions, as well as employees who use AI tools in their work. The findings generally support the framework, but they also show that several areas require adjustment. The empirical results expand risk appetite to include AI cost governance, investment failure risk, and operational dependency risk. They also introduce agentic AI permission governance, embedded AI reassessment, and human oversight of AI-supported decisions. One of the key findings is the gap between managerial and employee perspectives. Managers often describe policies, rules, or approval processes as already present. Employees, however, frequently experience the same governance mechanisms as unclear, difficult to find, or detached from everyday work. This means that formal governance may exist, but still fail in practice if employees cannot understand or use it. The thesis concludes that Shadow AI cannot be managed effectively through blocking, generic awareness messages, or policy documents alone, i.e. simple black-or-white controls. Organizations need to have clearer ownership, proportionate controls, usable approved tools, practical guidance, and governance processes that match how employees actually work. The proposed SAIGF offers a structured way to manage Shadow AI risks while still preserving the productivity and innovation value that makes AI adoption attractive in the first place.
Dissertation Institution Kauno technologijos universitetas.
Type Master thesis
Language English
Publication date 2026