Fashionably Late
I was at a Gartner local event Tuesday morning at the Brightwood in Dartmouth. It was pissing buckets and still there was some dude out there on the greens. I admire the dedication, yet fail to understand the compulsion.
The topic of the sessions was AI, as it always is these days. Gartner always brings their game. In one session, the presenter made the case for defined pilots and strong governance first. Good slide. Reasonable pitch.
He was riffing on the bullets and said something almost offhand: sometimes governance gets prioritized ahead of the business, and it’s often a mistake. Then he continued on about clean metrics and measurement.
I sat with that for a minute, then asked about it. Something was off. My read was different. That most AI adoption wasn’t coming through defined pilots at all. AI is coming through every door, any open window, down the chimney, through every porous opening it can find. It doesn’t wait for a defined pilot. The business is very much ahead of governance, especially with AI.
He said he’d misspoken. But we all knew I was right. He knew it too and he acknowledged it a few minutes later when he noted that the ROI for most AI initiatives isn’t financial. It’s efficiency. And efficiency is hard to measure in knowledge work.
That stuck with me.
The Policy Arrives After the Proof
Shadow AI is the new Shadow IT, and its resurgence has caught enterprise IT off guard. It's so pervasive and so quick, and the risks haven't been fully discovered yet, let alone mitigated.
To be clear, Shadow AI doesn’t happen because employees are reckless. It happens because the workflow was broken and the tool fixed it.
Someone has a document to summarize, a draft to clean up, a meeting to prep for. The institutional tool either doesn’t exist, doesn’t work well enough, or takes six months to procure. The personal account is right there. So they use it. The work gets done. They use it again.
And that value is almost entirely invisible. The ROI isn’t financial. It’s efficiency. Time saved. Cognitive load reduced. Shorter meetings. You can’t put that in a business case without the bean-counters rolling their eyes. You can’t measure it in a KPI/OKR dashboard. Not really anyway. It just doesn’t show up anywhere governance is looking.
By the time governance shows up, with its approved vendor list and acceptable use policy and training requirements, the experiment has already run. The results are in. But the results are in someone’s head, not in a spreadsheet. The value is proven to the person who felt it. Nowhere else.
Governance isn’t safety at that point. It’s paperwork after the fact.
Put it another way: governance arriving first looks like obstruction. Arriving after looks like infrastructure. The difference isn’t the policy: it’s the timing. One shape earns legitimacy from proven value. The other asks you to prove value to earn permission.
Both can be “governance.” Only one shows up on time.
This Isn’t an Argument Against Governance
The absence of governance has a cost. Anyone who's been in the muck for a while knows what happens when the fit hits the shan. And it will, eventually, like an unpaid debt.
AI tools deployed without a validation layer, without an owner, without metrics – those fail quietly. The confident wrong answer makes it into the report. The summary that missed the point gets acted on. Nobody catches it because nobody was watching for it.
When the ROI is efficiency and efficiency is invisible, so is the loss. You don’t notice when the time-saver quietly starts costing you time. You don’t see the compounding errors in the outputs you stopped double-checking.
A mentor told me early in my career: “If you do a favour three times, it becomes an obligation.” He was talking about people. It also applies to tools. Do the thing with the AI three times and it’s no longer a workaround. It’s how the work gets done. The informal pilot that never had a name is now the rollout someone has to pay for and IT has to support. Operational fixes become permanent fixes without anyone deciding they should be.
That’s the drift. And permanent things without owners, without validation layers, without anyone watching – those are the ones that quietly embarrass people.
I’ve been on both sides of this. I’ve used tools informally and been fine. I’ve also seen ungoverned deployments slide from “we’re just trying this” to “we depend on this” without anyone noticing the transition.
Governance exists for a reason. The question is never whether. It’s when.
The Timing Problem Is Structural
Governance arrives late because value arrives first. That’s not a bug. It’s the actual sequence every technology adoption follows. Stop resisting and get good with it.
The procurement cycle takes months. The policy committee takes months. The training program takes months. The tool that solves the problem is available today.
So people use it.
Policy arrives to sanction what’s already working.
Email was shadow IT once. So was cloud storage. So were iPads. The pattern isn’t new. Yet AI is different in degree in ways that matter. The outputs are harder to audit, the errors more confident, the dependency deeper and faster-forming. When the gap between adoption and governance widens, that’s where quiet damage accumulates.
Waiting for the governance cycle to complete before letting value prove itself is waiting for the bus that already left. But this particular bus is going faster, and it doesn’t always announce the stops.
The institutions that get this right don’t slow down adoption until governance catches up. They speed up governance until it’s close enough to be useful.
Who Closes the Gap
Here’s the uncomfortable part.
If you’re the person running shadow AI, you’re also the person with the evidence governance needs.
You understand the business workflow: what it looked like before, what changed, where the risk actually lives. You’ve run the experiment. You have a result. That’s exactly what a documented workflow, a named owner, and a baseline metric are supposed to capture.
Top-down governance processes can’t generate that. They can define frameworks and require compliance, but they cannot know the workflow better than the person doing the work. That knowledge only exists at the bottom.
Governance that doesn’t tap it is writing policy about a job it has never actually done.
The gap between when value arrives and when policy arrives isn’t something someone else is going to close. The people doing the work are the ones positioned to close it. Not by asking permission, but by supplying the evidence permission is trying to generate.
Write down what you did. Name what changed. Note where it could go wrong. Hand that upward.
That’s not bureaucracy. That’s how workarounds become policy.