By Errin O'Connor — Founder & Chief AI Architect, EPC Group · Microsoft Solutions Partner across all six designations · G2 Leader in BI consulting
At an AI and workforce summit this year, Ethan Mollick told a room of talent leaders something every executive should have tattooed on the inside of their eyelids: the most advanced AI users in your industry are almost certainly inside your organization right now — and they are not telling you. They are curious people who figured out the frontier models on their own, built real workflows, produced real gains — and went quiet. Ask them why and they will point to a policy written in 2023 that bans AI use pending review by a council, and a council that takes five to seven months to grant a hearing on a single use case.
Sit with the economics of that for a second. Your organization is paying consultants to figure out what AI can do — while the employees who already know are hiding it from you, because your governance process punishes disclosure and your incentive structure punishes productivity gains that might make a role look replaceable. You have a shadow bench of your best AI talent, and your own policy built the shadows.
I have watched this exact movie before, and I know how it ends both ways.
SharePoint had a shadow bench too. So did Power BI. I was there for both.
In the mid-2000s, every enterprise had “the SharePoint guy” — the analyst three levels down who built the site the whole department secretly ran on, outside IT's knowledge, outside backup, outside security. In the mid-2010s it was “the Power BI person” with a Pro license on a personal credit card and a desktop gateway under their desk, refreshing the dashboard the VP quoted in board meetings. I was on the Project Tahoe beta that became SharePoint and the Project Crescent beta that became Power BI, and I spent two decades cleaning up what happened when enterprises met shadow adoption with prohibition instead of governance: the shadow work didn't stop. It just stayed unbacked-up, unsecured, unauditable — until the day it broke, leaked, or walked out the door with the employee.
AI shadow adoption is that pattern with the stakes multiplied. The SharePoint guy could lose a document library. Your hidden AI power user is pasting customer data, contract language, and source code into consumer tools on a personal device — no tenant boundary, no sensitivity labels, no retention policy, no audit trail. Prohibition did not stop them. Prohibition just removed your visibility.
Mollick's diagnosis is right. Most companies will botch the prescription.
Mollick's framework for making AI succeed is leadership, lab, and crowd — visible executive commitment, a place to experiment, and the whole workforce brought along. I agree with every word. But I have sat in the meetings where that framework goes to die, and it dies the same way every time: the enterprise responds to shadow AI by creating a committee. The committee meets monthly. The committee requires a business case per use case. The committee becomes exactly the five-to-seven-month council Mollick described — now with better branding. The shadow bench looks at the new process, does the math, and stays in the shadows.
The fix is not a committee. The fix is an operating model with two properties most enterprises believe are opposites: centralized governance and decentralized execution. One standing body owns the charter, the risk framework, the approved-model list, the data boundaries, and the audit posture. The business units own the use cases — and can ship one inside those boundaries in days, not months. Governance sets the guardrails once. The crowd drives inside them daily. That is precisely the architecture of an AI Center of Excellence done right — and precisely the opposite of a review council.
The Amnesty Audit: how to bring the shadow bench in from the cold
Here is the move I give clients, and it works because it inverts the incentive that created the problem. I call it the Amnesty Audit, and it has four steps and a thirty-day clock.
Step one — declare amnesty, in writing, from the top. The CEO or CFO announces that for thirty days, any employee can disclose any AI workflow they have built — tools, data, prompts, outputs — with zero disciplinary exposure and explicit credit. Not an email from IT. A message from the top, because the shadow bench is watching who signs it.
Step two — inventory, don't interrogate. Every disclosure gets logged: the tool, the data it touched, the value it produced, the person who built it. You are building two lists at once — a risk register of what left the tenant, and a talent register of who your actual AI pioneers are. Both lists are worth more than any consultant's readiness assessment, including mine.
Step three — replatform the winners. The top disclosed workflows get rebuilt inside the tenant boundary — governed data, Purview labels, approved models, Entra identity, audit logging — with the original builder as the named owner. The pioneer keeps the credit and gains the infrastructure. The enterprise gains the workflow and loses the exposure.
Step four — charter the standing body. The Amnesty Audit ends; the Center of Excellence begins. The pioneers become the lab. The charter guarantees a use-case decision in days. And the policy from 2023 gets formally retired — publicly — because the shadow bench needs to see the old regime buried before it trusts the new one.
What I tell clients to do
One. Assume the shadow bench exists. In every organization we have audited, it does — the only variable is size.
Two. Run the Amnesty Audit before your next security review, not after. Discovery you invite is an asset. Discovery a regulator or attacker forces is a liability.
Three. Measure your governance process in days-to-decision. If a use case takes longer to approve than to build, your process is manufacturing shadow AI.
Four. Charter the Center of Excellence with decentralized execution written into its founding document — or don't bother. A CoE that hoards decisions is just the 2023 council with a better logo.
Where I land
Mollick is right that your most advanced AI users are already on your payroll. The question he leaves on the table is whether your operating model makes them colleagues or keeps them fugitives. Every quarter you run the old policy, the shadow bench compounds — more workflows, more data, more risk, more brilliance you can't see. Bring them in from the cold. Give them guardrails instead of hearings. The enterprises that win this decade will be the ones whose best AI users stopped hiding — because someone finally made honesty the smart career move.
The data behind this (sources and verification)
- Mollick (Valence AI & the Workforce Summit, 2026) — The most advanced AI users are inside organizations, hiding, because 2023-era policies and councils take five to seven months per use-case hearing.
- Microsoft Work Trend Index — Large majority of AI users bring their own AI tools to work (BYOAI). [VERIFY exact current figure before quoting a number; cite by report name.]
- EPC Group field observations (shadow adoption pattern) — Consumer-tool paste-outs carry no tenant boundary, labels, retention, or audit trail — same exposure class as the delivery-partner perimeter analysis.
Third-party figures above are attributed to their named sources as of the Last verified date. EPC Group audit figures are directional findings from client engagements. Items marked [VERIFY] must be confirmed before external quotation.
Frequently asked questions
Is amnesty legally safe?
Structure it with counsel — scope the immunity to policy violations disclosed in the window, not to independent legal violations. The CEO memo must be precise about what is covered and what is not, and the 30-day clock and the credit promise must be explicit.
Won’t amnesty encourage more shadow AI?
The opposite: shadow AI is caused by disclosure being irrational. Amnesty plus a days-not-months CoE makes honesty the smart career move. When the incentive structure rewards transparency instead of punishing it, the shadow bench surfaces — and the shadow activity stops accumulating.
What’s the difference between a CoE and an AI council?
A council reviews use cases one at a time and typically takes five to seven months per hearing. A CoE sets guardrails once — approved-model list, data boundaries, BYOAI policy, escalation path — and lets business units ship inside them. Centralized governance, decentralized execution. The council is the problem. The CoE is the fix.
What do we do with the risk register after the Amnesty Audit?
Rotate exposed credentials, notify per policy where legally required, and prioritize replatforming by data sensitivity. The risk register is remediation input, not a punishment list. Using it punitively will destroy the trust the amnesty built and drive the next round of shadow adoption underground.
How fast can a CoE stand up?
A working charter, approved-model list, and decision SLA can be operational inside a quarter. Maturity compounds from there. The founding document must include decentralized execution in writing — a CoE that hoards decisions becomes the 2023 council with a better logo.
Ready to act on this?
Start with the practice most relevant to your estate, or reach out directly for a senior-architect conversation.
📧 contact@epcgroup.net · 📞 (888) 381-9725
Multiple models. One truth.
