Briefing
The situation
Maria leads a procurement team of eight. Johan, one of her team members, has built a tool on his own that automates supplier follow-up — something IT said would take six months. The tool works brilliantly and saves the team hours every week. Now three other teams have heard about Johan's solution and want it too. The catch: nobody really knows where the data is stored, the tool runs on Johan's personal account, and nobody has checked the GDPR implications. As a leadership team, you need to decide both how to handle this case and what principle you want to set for similar initiatives going forward.
Discussion
Questions to wrestle with
Innovation without the brakes
1. What signal do we send if we shut Johan's tool down — and what signal if we let it spread as is?
2. What would have to be true about ownership, data and operations for us to safely let three other teams use it?
3. What does a 'sanctioned sandbox' concretely look like in our organisation — who owns it and what rules apply there?
The risk we don't see
1. If the tool leaks supplier data in six months — who would we point to, and is that consistent with today's decision?
2. Which of our current policies would Johan have had to break to build something quickly — and what does that say about the policies?
3. What happens the day Johan leaves — do we have a tool, or a problem?
Framework · The sanctioning ladder
To lean on
Idea
Someone spots a need and frames a hypothesis — still on paper, no data is moving.
Sandbox
Build and test in a contained environment with fake or anonymised data — clear time-box.
Pilot
One team uses it for real, with a documented owner, data source and risk assessment approved by IT/DPO.
Product
Brought into normal operations — versioned, monitored, not dependent on a single person.
Sunset
Decommission on plan when the tool is no longer needed or has been replaced by something better.
Decision
Possible paths
A. Stop the spread immediately, keep Johan's usage for now and start a formal pilot.
B. Lift the tool centrally: IT takes over ownership, rebuilds it against approved data sources and rolls it out to interested teams.
C. Allow continued use in the original team but block any spread until a GDPR review is complete.
D. Use the case as the reason to establish a sanctioned sandbox for the whole organisation.
Triggers
Drop in when the discussion stalls
- One of the interested teams works with suppliers that handle personal data.
- Johan goes on holiday in three weeks and nobody else knows how the tool works.
- Your IT team has just turned down a similar request from another business unit.
For the facilitator
Tips to get more out of it
- Have participants place Johan's tool on the sanctioning ladder individually before discussing — then show the spread of answers in the room.
- If the discussion gets stuck on 'allow vs forbid', force a third path: 'what would we need to build centrally to make Johan's solution unnecessary?'
Reflection
To take with you
- "Does our current leadership development prepare managers to meet Johan — and the three teams who want the tool? What's missing?"
- "What kind of initiative do we want to see more of in the organisation, and what in today's decision sends that signal?"