Shadow IT was about unauthorized tools. Shadow AI is about unauthorized autonomous agents making decisions on your behalf. Delegation theory explains why that difference matters.
I wrote two posts about shadow AI a few days ago, and something about them has been bothering me since. In the first one, I argued that shadow AI is the new shadow IT, same pattern, higher risk. In the second one, I worked through Ferneley and Sobreperez's workaround types and Goodhue and Thompson's task-technology fit to explain why employees bypass official tools. Both framings treat shadow AI as a governance and fit problem. I still think those framings are right as far as they go. But they do not go far enough, because they describe shadow AI and shadow IT as different in degree, not different in kind. And I think that is wrong.
Shadow IT meant an employee using an unauthorized tool. Dropbox instead of the corporate file server. WhatsApp instead of the approved messaging platform. Trello instead of the enterprise project system. The employee operated the tool. The employee made every decision about what data went in and what came out. The tool sat there, inert, waiting to be operated. Shadow AI is not that. When an employee gives a consumer AI agent a task, the agent makes decisions on the employee's behalf. The employee is not operating a tool. The employee is delegating a task to an autonomous agent. That agent has its own endowments, its own preferences, and it can occupy its own role in the relationship. Baird and Maruping (2021) built their delegation framework around exactly this distinction, and I think it is the one that makes shadow AI categorically different from shadow IT.
In the shadow IT framing, the construct that matters is use. The employee uses an unauthorized system. The organization measures it as a policy violation, a compliance gap, a data leakage risk. All of those are real problems. But "use" assumes the human is the one doing the acting. The system receives input and produces output, but it does not decide, initiate, or pursue its own objectives. Baird and Maruping argue that when the system has agency, when it can "perceive and act" and "decide and act autonomously" as they put it, the right construct is no longer use. It is delegation. The human transfers rights and responsibilities for task execution and outcomes to the agent. That transfer is what makes shadow AI fundamentally different from shadow IT.
Consider what actually happens when an employee uses unauthorized Dropbox. They drag a file. They share a link. They control what goes in, who sees it, and when it comes out. Now consider what happens when an employee pastes a client revenue forecast into a consumer AI agent and asks it to generate a strategic analysis. The employee delegated a task. The agent exercised its own endowments, its knowledge base, its reasoning model, its training data, to produce output. The agent also exercised its own preferences. Baird and Maruping define preferences as decision models and goals, and they argue that agentic IS artifacts have them. The AI agent chose which analytical framework to apply, which data points to weight, which conclusions to draw. The employee did not make those choices. The agent did. And Baird and Maruping make the preference alignment problem explicit: if the agent optimizes for its own objectives rather than the human's, you get outcomes the human did not intend. The thermostat analogy they use is sharp. If the thermostat optimizes for its own longevity, it sets the temperature very low because running less saves the hardware. The human wants comfort. If the AI agent optimizes for output plausibility rather than accuracy, you get a confident analysis that is wrong in ways the employee cannot see. In shadow IT, the employee was always in the loop. In shadow AI, the employee has stepped out of the loop and let a system with its own preferences make decisions.
Three properties of shadow AI under delegation make it categorically different from shadow IT, and I think they are the ones the field is not yet taking seriously enough.
The first is invisibility. In shadow IT, there was at least a trace. Procurement records. Expense reports. Login logs. The workaround produced a signal. Shadow AI under delegation can be invisible in a way shadow IT never was, because delegation itself can be reflexive. Baird and Maruping define reflexive delegation as automatic, routine transfer without deliberation. The employee does not consciously decide to delegate every time. They type a prompt out of habit. The agent responds. The employee accepts the output. No procurement ticket. No expense entry. No login to an unapproved platform that IT can flag. The delegation is reflexive and therefore unobservable by any governance mechanism that was designed to detect unauthorized tool use. You cannot monitor what you do not recognize as a decision.
The second is endowment. Baird and Maruping define endowments as the resources, assets, and capabilities an agent brings to the task. In shadow IT, the unauthorized tool's endowments were known and bounded. Dropbox stores and shares files. WhatsApp sends messages. The tool's capabilities were visible, even to an employee who never read the documentation. In shadow AI, the agent's endowments are opaque. The employee does not know what training data the model was built on. They do not know what reasoning steps it took to arrive at its output. They do not know whether its knowledge base includes the domain they asked about. Baird and Maruping argue that endowments matter because delegation typically occurs when an agent wants to free up resources or when one agent's endowments complement another's. But when the delegating employee cannot see the agent's endowments clearly, the appraisal mechanism, the human's judgment about whether the agent can actually perform the task, is compromised from the start.
The third is accountability dispersal. In shadow IT, accountability was straightforward even if messy. The employee who used the unauthorized tool was the one who made the decisions. The tool did not decide anything. If data leaked through Dropbox, the employee who uploaded it was accountable because they were the actor. In shadow AI, Baird and Maruping's framework shows that accountability disperses across the dyad. The human delegated. The agent executed. The agent's preferences shaped the output. The human's endowments shaped the initial prompt. Neither party in the dyad fully owns the outcome, because delegation, as Baird and Maruping theorize it, involves a transfer of rights and responsibilities. The employee transferred the right to make analytical decisions to the agent. The agent produced output based on its own preferences and endowments. When that output contains an error, a hallucination, a biased inference, who is accountable? The employee who delegated without authorization? The agent that made the decision? The organization that failed to provide better tools? The delegation framework reveals that accountability does not sit in one place. It is distributed, and that distribution is a feature of the relationship, not a bug in governance.
I think the IS field is treating shadow AI as a governance problem with a compliance solution, which is exactly how it treated shadow IT, and I think delegation theory shows why that approach will fail again. If shadow AI were simply unauthorized use, then monitoring, blocking, and writing policies would eventually contain it, the same way those measures partially contained shadow IT. But shadow AI is unauthorized delegation. The employee is not just using the wrong tool. They are transferring decision rights to an autonomous agent that the organization did not vet, whose endowments are opaque, whose preferences are unknown, and whose outputs propagate through the organization without traceability. A blocking strategy that treats the tool as the problem misses the point. The tool is no longer a passive instrument. It is an agent that occupies a role in the delegation dyad, and that role gives it endowments and preferences that shape real outcomes.
I wrote about why use is the wrong construct for agentic systems, and I still think that is the core theoretical move. But I think the shadow AI conversation makes the stakes concrete in a way the abstract delegation argument sometimes does not. When a researcher applies a use construct to measure shadow AI adoption, they are asking whether an employee used an unauthorized AI tool. That question matters for governance. But Baird and Maruping's framework says the better question is what tasks the employee delegated, how the agent's endowments and preferences shaped the outcome, and where accountability settles in the dyad. Those three questions have no analog in the shadow IT playbook. They require a theoretical shift from use to delegation, not just a practical shift from one set of blocked URLs to another.
There is something else that bothers me. Stelmaszak et al. (2025) showed that algorithms can delegate to humans, not just the other way around. In their study of Uber, the algorithm assigns rides, sets pricing, and manages driver behavior, effectively delegating tasks to human drivers. If delegation can run in both directions, then shadow AI is not only about employees delegating unauthorized tasks to agents. It is also about platforms and systems delegating tasks to employees through mechanisms those employees never consented to. An employee who follows an AI system's recommendation because the system's role in the dyad positions it as a delegator, not a proxy, is experiencing something that shadow IT never captured. The power dynamic is reversed. I am not sure yet how far this extends, but I think the bidirectionality of delegation is where shadow AI research needs to go next.
Shadow AI is shadow IT on steroids because the agent doing the unauthorized work is no longer passive. It has endowments the organization cannot see. It has preferences the organization cannot audit. It occupies a role the organization never assigned. And the delegation that connects the employee to that agent can happen without a conscious decision, without a trace, and without a clear line of accountability. Studying this with use constructs and compliance metrics is exactly what we did with shadow IT. It did not work then, and I think it will work even less now.