When employees spin up unauthorized cloud accounts and build their own tools, they are being intrapreneurial. The question is whether organizations can harness that without losing control.
The teams that build the most interesting things inside large organizations are often the ones that stopped asking for permission. They found a cloud credit, or used a personal card, or spun up an account under a project budget that IT had not gotten around to reviewing yet. They built something, showed it to their manager, it worked, and now it is running in production on infrastructure that the security team does not know about and the CIO has never approved. This pattern has a name in enterprise IT: shadow IT. It also has a name in organizational theory: intrapreneurship.
Gifford Pinchot coined the term intrapreneur in the early 1980s to describe people who act entrepreneurially within existing organizations. I want to be upfront that I did not find Pinchot in my local study materials, so I am drawing on the broader innovation management literature here, but the concept has been around long enough to have a reasonably stable meaning. The intrapreneur is someone who recognizes an opportunity, takes initiative, and builds something new without waiting for the organizational process to authorize them. They use organizational resources, they operate within an organizational context, but they behave with the urgency and ownership of an entrepreneur rather than the permission-seeking of a bureaucrat.
The IS version of this is interesting because the technology itself has made intrapreneurial IS behavior much easier and much harder to control simultaneously. In the era of on-premise infrastructure, shadow IT was physically constrained. You needed servers, space, and power, and those required facilities management involvement. The cloud removed that constraint. Today, a developer with a credit card and fifteen minutes can spin up infrastructure that would have required a capital expenditure request and a months-long procurement process in 2005. The same forces that made cloud computing the dominant infrastructure model also made it dramatically easier to bypass IT governance. The capability to build is now in the hands of anyone with technical skills and a payment method. The capability to govern is lagging.
The internal hackathon is the organizational attempt to acknowledge this reality without fully ceding control of it. Run a hackathon, give people twenty-four or forty-eight hours to build something, award prizes, celebrate the winners, post about it on LinkedIn. The hope is that you capture the intrapreneurial energy in a bounded, visible, governable event. Some of the hacks get productized. Most don't. But the hackathon signals that the organization values innovation and gives the people who would otherwise go rogue a sanctioned outlet for that energy.
The problem with hackathons as an intrapreneurship strategy is that they are episodic. Intrapreneurship is not episodic. The person who builds something interesting in a forty-eight hour hackathon is also the person who, three weeks later, is back at their normal job with the normal backlog and the normal priority stack, and the thing they built in the hackathon is sitting in a repository that nobody is maintaining. The hack proved the concept. The organization's governance structures proved they could not productize it quickly enough to prevent the enthusiasm from dying. This is the innovation lab problem at smaller scale. The output of creative energy is visible and real. The organizational mechanism for converting that output into sustained capability is either absent or too slow.
The tension this creates with IT governance is not a failure of governance design. IT governance exists because uncontrolled infrastructure creates real security, compliance, and reliability risks. The team that spun up their AI tool on a personal cloud account has also, potentially, sent customer data to an unvetted API, created a vendor relationship with no contract, built a dependency on a service that has no SLA, and generated audit exposure for the organization. The governance team that tries to shut this down is not wrong about the risks. They are just applying a framework designed for a deliberate procurement process to something that moved faster than the process could track.
The IS research angle that I find most interesting is about organizational design: what structures actually allow intrapreneurial IS behavior without collapsing into either chaos or suppression? The ambidexterity literature, which I have written about separately, is one answer. The idea is that you separate the organizational units, give the exploration unit different rules, different metrics, and different governance expectations, and integrate them at the leadership level. Applied to IT innovation, this would mean something like a venture arm of IT that operates under different governance rules than the core IT function. The venture arm can move fast, try things, and accept higher risk. The core function can maintain reliability, security, and compliance. They share a leadership that makes decisions about when venture arm outputs are mature enough to cross into the core.
Gartner's bimodal IT framework was an attempt to institutionalize this split, and I wrote about the problems with it in a previous post. The short version is that Mode 1 (stable, reliable, traditional IT) and Mode 2 (fast, experimental, agile IT) tend to fight each other for budget and talent. The Mode 2 team attracts the best engineers because it is more interesting work. The Mode 1 team, which is running the systems the organization actually depends on, becomes staffed with whoever is left. Mode 2 produces exciting prototypes that frequently do not make it to production because the governance gap between Mode 2 and Mode 1 is too large to bridge quickly.
The organizations that do intrapreneurial IS best seem to have solved a narrower problem than bimodal IT implies. They have not created two parallel IT organizations. They have created clear, fast, legitimized pathways for moving innovative work through governance. A shadow AI tool built by a marketing team does not have to go through a full procurement cycle, but it does have to go through a security review and a data handling assessment before it touches customer data. That review takes a week, not six months. The team gets an answer. If yes, the tool moves to sanctioned infrastructure. If no, the team gets an explanation and a path to yes that might exist later. The governance does not kill the initiative. It channels it.
That sounds straightforward and it is not. Building fast-lane governance processes requires the core IT and security teams to make real tradeoffs about what they will accept and what they will not. It requires senior leadership to be explicit about where the risk tolerance lies. And it requires the intrapreneurial teams to accept that "fast" does not mean "no review." But those tradeoffs are negotiable. The alternative, which is either sanctioning all shadow IT or suppressing all of it, produces either security chaos or the quiet departure of the people who were doing the most interesting work.
About the author
Share
More notes
Related notes